Privacy Policy

1. Introduction

MapleBooks is a GST/HST-aware finance tracker for self-employed Canadians. This policy explains what personal information we collect, why we collect it, who we share it with, and what rights you have over it.

We are committed to complying with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, for residents of Quebec, An Act Respecting the Protection of Personal Information in the Private Sector (Law 25). If you have questions or concerns, contact us at privacy@maplebooks.ca.

2. What we collect

We collect only what is necessary to run the service. Here is what that looks like in practice:

Account data

• Email address — used to identify your account and send password-reset emails.
• Password — stored as a bcrypt hash. We never store or see your plaintext password.
• Session cookies — a signed, HTTP-only cookie keyed to your active session. Used only for authentication. Expires when you sign out.

Business profile

• Province or territory, business type, GST/HST registration status and registration date, fiscal-year start month, and tax set-aside percentage.
• Business name (optional). You don't have to provide one.

Financial records

• Transactions imported from CSV or entered manually: date, amount, description, merchant name, tax amounts (GST/HST/PST/QST), and income/expense classification.
• Bank account names (you label them — we don't connect to your bank).
• Categories, auto-classification rules, and import batch metadata.
• Monthly close records and GST/HST filing summaries.

Receipts

• Image or PDF files you upload (JPG, PNG, PDF). Stored on a Railway-mounted volume via Active Storage.
• OCR-extracted field values (vendor, date, total, tax) if you run the Anthropic OCR feature.

Vehicle records

• Trip logs: date, start/end odometer, distance, purpose.
• Vehicle expenses: date, amount, category, description.

What we do not collect

• No banking credentials or direct bank connections.
• No analytics SDKs, no advertising identifiers, no fingerprinting.
• No social login data.

3. How we use your information

We use your data only to operate and improve MapleBooks:

• Authenticate you and maintain your session.
• Calculate and display your GST/HST position, tax reserve estimates, and T2125 export.
• Process receipt uploads and, when enabled, run OCR to pre-fill transaction fields.
• Generate your data export ZIP on request.
• Send transactional emails (password resets). We do not send marketing email.
• Manage your subscription via Stripe, if billing is enabled.

We do not profile you for advertising, sell your data to third parties, or use your financial records to train machine-learning models.

4. Third-party processors

We work with a small number of infrastructure providers. Each receives only the data needed to perform their specific function.

Anthropic (receipt OCR)

When you use the OCR feature on a receipt, the image bytes are sent to the Anthropic Messages API (Claude Haiku model) to extract vendor, date, total, and tax fields. This only happens if the workspace operator has configured an Anthropic API key. If no key is set, receipt images never leave our servers. Anthropic processes data under their Privacy Policy. Anthropic does not use API inputs to train their models by default.

Stripe (billing)

If billing is enabled, subscription payments are processed by Stripe. Stripe stores your payment method details; we store only a stripe_customer_id reference and subscription status. We never see or store full card numbers. Stripe is PCI-DSS Level 1 certified.

Railway (hosting infrastructure)

MapleBooks is hosted on Railway. Your SQLite database and Active Storage files (including receipts) reside on Railway-managed volumes. Railway operates data centres in the United States. By using MapleBooks, you acknowledge that your data is stored in the US under Railway's infrastructure agreement.

We have no other third-party processors. No analytics vendor. No ad network. No CDN with tracking pixels.

5. Data location and storage

• Data is stored on Railway-managed volumes in the United States.
• The database is SQLite, stored as a file on an encrypted Railway volume.
• Receipt files are stored via Rails Active Storage with the disk service on the same volume.
• All data in transit is protected by TLS (HTTPS). We redirect HTTP to HTTPS.

6. Retention

Your data is retained for the life of your account. When you delete your account (Settings → Danger Zone), all of the following are permanently erased: your user record, business profile, all transactions, accounts, categories, rules, receipts (including uploaded files), and vehicle records.

Infrastructure-level backups held by Railway may retain copies of data for up to 30 days after deletion, after which they are automatically purged according to Railway's retention policy.

7. Your rights under PIPEDA

As a Canadian resident, you have the following rights under PIPEDA:

• Right of access — you may request a copy of the personal information we hold about you. Use the ZIP export at Settings → Export, or email us.
• Right of correction — you may update your email address, business profile, and all financial records directly in the app at any time.
• Right to withdraw consent — you may delete your account at any time. Withdrawal of consent means we can no longer provide the service.
• Right to complain — if you believe we have mishandled your personal information, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

To exercise any of these rights, email privacy@maplebooks.ca. We will respond within 30 days.

8. Your rights under Quebec Law 25

If you are a Quebec resident, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64) gives you additional rights:

• Right to know — you have the right to know what personal information we collect, how we use it, and with whom we share it. This policy fulfills that obligation.
• Right of access — you may request a structured copy of your personal information. Use the ZIP export or email us.
• Right to rectification — you may correct inaccurate or incomplete information at any time within the app.
• Right to erasure (right to be forgotten) — you may request deletion of your personal information. Use Settings → Danger Zone, or email us. We will confirm erasure within 30 days.
• Right to data portability — you may download a complete, machine-readable copy of your data (JSON + CSV + receipt files) via Settings → Export your data → Download ZIP export.
• Right to withdraw consent — you may withdraw consent at any time; this results in account deletion.

Data protection contact: MapleBooks is a small operator. We have not designated a separate data protection officer for Quebec. The privacy contact email privacy@maplebooks.ca handles all privacy requests, including those arising under Law 25.

9. Cookies and tracking

MapleBooks uses one cookie: a signed, HTTP-only session cookie named session_id. It is essential for authentication. We do not use:

• Analytics cookies (no Google Analytics, no Mixpanel, no Segment).
• Advertising cookies or tracking pixels.
• Third-party cookies of any kind.

Because we use only an essential session cookie, we are not required to show a cookie consent banner under PIPEDA or Law 25. We do not, however, operate without cookies — the app will not function if you block all cookies.

10. Security

• In transit: all traffic is encrypted via TLS/HTTPS.
• Passwords: stored as bcrypt hashes with a cost factor sufficient for modern hardware. We never have access to your plaintext password.
• Sessions: session cookies are signed, HTTP-only, and use SameSite=Lax.
• At rest: data is stored on Railway volumes. Railway encrypts volumes at rest.
• Receipt files: stored via Active Storage on the same encrypted volume, not publicly accessible without a signed URL.

No security measure is perfect. If you discover a vulnerability, please disclose it responsibly to privacy@maplebooks.ca.

11. Children

MapleBooks is a business finance tool intended for adults operating a self-employed or freelance business in Canada. We do not knowingly collect personal information from anyone under the age of 16. If you believe a minor has created an account, contact us and we will delete it promptly.

12. Changes to this policy

If we make material changes to this policy — such as adding a new third-party processor or changing how we use your data — we will:

• Display an in-app notice the next time you log in.
• Send an email to the address on your account.

Minor clarifications (grammar, formatting, adding links) may be made without notice. The effective date at the top of this page always reflects the most recent revision.

13. Contact

For any privacy questions, access requests, or complaints:

MapleBooks Privacy
privacy@maplebooks.ca

You may also contact the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec (CAI).