PRIVACY POLICY

1. ACCOUNTABILITY

Grinbuck Technologies Inc. is responsible for the personal information under its control. The person with overall accountability for Grinbuck's compliance with this Privacy Policy and applicable privacy legislation is:

Privacy Officer
Grinbuck Technologies Inc.
Victoria, British Columbia, Canada
Email: legal@grinbuck.com

Questions, concerns, access requests, and complaints regarding personal information should be directed to the Privacy Officer at the contact information above.

2. WHAT PERSONAL INFORMATION WE COLLECT

We collect the following categories of personal information:

2.1 ACCOUNT INFORMATION

• Full name and email address (obtained from your Google account upon sign-in via Google OAuth)
• Profile photo URL (obtained from your Google account, optional)

2.2 BUSINESS INFORMATION

• Business legal name and incorporation number (where applicable)
• Entity type and jurisdiction
• Incorporation date (where applicable)
• Province of registration
• Fiscal year end date
• GST/HST registration status, GST number, and reporting period (if provided)
• BC PST registration status and PST number (if provided)
• Business address, phone number, website, and contact email (if provided)

2.3 FINANCIAL AND OPERATIONAL DATA

• Expense records including date, amount, vendor, category, and optional notes
• Receipt images uploaded by you (stored in Supabase Storage, Canada region)
• Invoice and quotation data including line items, amounts, tax lines, and status
• Client records including name, email, phone, address, and notes
• Filing status records you create or update within the Service
• Dates and timestamps of your interactions with the Service

2.4 PAYMENT INFORMATION

• Subscription plan and billing status
• Stripe customer ID and subscription ID
• We do not store credit card numbers or full payment card details. Payment processing is handled entirely by Stripe, Inc.

2.5 CLIENT DATA YOU ENTER

• When you add clients to the Service, you provide us with personal information about those individuals or businesses (name, email, phone, address). You are responsible for ensuring you have the appropriate authority or consent to enter that information into the Service.

2.6 TECHNICAL DATA

• IP address and browser information (collected by our hosting provider, Vercel)
• Cookies and session tokens necessary to maintain your authenticated session

We collect only the minimum personal information necessary to provide the Service.

3. HOW WE COLLECT PERSONAL INFORMATION

We collect personal information:

• Directly from you when you create an account, complete the onboarding process, log expenses, create invoices or quotes, or add clients
• Automatically through your use of the Service (session data, technical data)
• From Google, via OAuth authentication, at the time of sign-in
• From OrgBook BC, a publicly available provincial registry, when you search for your business during onboarding (BC businesses only). You may also choose to enter business details manually.

4. PURPOSES FOR COLLECTION, USE, AND DISCLOSURE

We collect, use, and disclose your personal information only for the following purposes:

4.1 To provide the Service, including expense tracking, invoice and quotation creation, client management, and computing and displaying estimated filing deadline dates.

4.2 To send you email reminders before estimated filing deadlines (Pro subscribers only).

4.3 To deliver invoices and quotations to your clients on your behalf via email, using the client email addresses you provide.

4.4 To send you owner copies of invoices and quotations you send through the Service.

4.5 To process and manage your subscription and payments through Stripe, including the collection of applicable taxes (GST/HST and BC PST) through Stripe Tax.

4.6 To communicate with you regarding your account, changes to the Service, or updates to these policies.

4.7 To maintain the security and integrity of the Service.

4.8 To comply with applicable legal obligations.

We do not sell, rent, or trade your personal information to third parties. We do not use your personal information for advertising or marketing purposes beyond communicating about your own account and the Service you use.

5. DISCLOSURE TO THIRD PARTIES

We disclose personal information only to the following categories of third parties, and only to the extent necessary to provide the Service:

5.1 SUPABASE INC. — Our database, authentication, and file storage infrastructure provider. Your data, including uploaded receipt images and generated PDF files, is stored in a Supabase-managed PostgreSQL database and Supabase Storage in the Canada (Central) region (ca-central-1). Supabase acts as a data processor on our behalf. Data stored with Supabase remains within Canada.

5.2 VERCEL INC. — Our hosting and deployment provider. Your requests to the Service are processed through Vercel's infrastructure. Vercel may process certain technical data (including IP addresses) in the United States. Vercel maintains SOC 2 Type II certification and appropriate data processing agreements.

5.3 STRIPE INC. — Our payment processor and tax collection provider. When you subscribe to the Pro plan, your payment information is processed by Stripe. Stripe also calculates and collects applicable GST/HST and BC PST on your subscription through Stripe Tax. Stripe processes data in the United States. Stripe maintains PCI DSS Level 1 certification. We share your email address and a Stripe customer identifier with Stripe solely for payment processing and tax collection purposes.

5.4 RESEND INC. — Our transactional email provider. Your email address, and the email addresses of clients you add to the Service, are shared with Resend for the purpose of delivering transactional emails. These include: filing deadline reminders (Pro subscribers only), invoice and quotation emails sent to your clients, owner copies of sent documents, and account notifications. Resend processes data in the United States.

5.5 GOOGLE LLC — Authentication is handled via Google OAuth. We do not control Google's data practices. Your use of Google Sign-In is subject to Google's Privacy Policy and Terms of Service.

5.6 LAW ENFORCEMENT AND LEGAL PROCESS. We may disclose your personal information if required to do so by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

We do not disclose personal information to any other third parties.

6. CROSS-BORDER TRANSFERS

Some of our third-party service providers (Vercel, Stripe, Resend) process data outside of Canada, primarily in the United States. When personal information is transferred outside Canada, we take steps to ensure that it receives a comparable level of protection, including through contractual safeguards with our service providers.

By using the Service, you acknowledge that your personal information may be transferred to and processed in countries outside Canada, including the United States, which may have different privacy laws than Canada.

7. DATA RETENTION

We retain your personal information for as long as your account remains active and as necessary to provide the Service. If you close your account:

• Your personal information will be deleted or anonymized within 90 days of account closure, subject to any legal obligations requiring longer retention.
• Business profiles, expense records, invoice and quotation data, client records, receipt images, and filing records will be deleted as part of account closure.
• We may retain certain information for longer periods where required by applicable law (for example, payment transaction records).

You may request deletion of your personal information at any time by contacting our Privacy Officer at legal@grinbuck.com.

8. SAFEGUARDS

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction, including:

• All data transmitted to and from the Service is encrypted in transit using TLS
• Data at rest in our database and file storage is encrypted by our hosting provider
• Authentication is handled via Google OAuth — we do not store passwords
• Access to production database credentials is restricted to authorized personnel only
• Row-Level Security (RLS) is enforced at the database level, ensuring each user can only access their own data
• Receipt images and PDF files are stored in private storage buckets accessible only to the account owner
• Subscription and payment data is written only by server-side processes using restricted access keys

No security measures are perfect. In the event of a security breach that creates a real risk of significant harm to you, we will notify you and the applicable privacy regulator as required by law.

9. YOUR RIGHTS

Under BC PIPA and PIPEDA, you have the following rights with respect to your personal information:

9.1 RIGHT OF ACCESS. You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days.

9.2 RIGHT TO CORRECTION. You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.

9.3 RIGHT TO WITHDRAW CONSENT. You may withdraw your consent to our collection, use, or disclosure of your personal information at any time, subject to legal and contractual restrictions. Withdrawal of consent may result in termination of your ability to use the Service.

9.4 RIGHT TO COMPLAIN. You have the right to file a complaint with the applicable privacy regulator:

• British Columbia: Office of the Information and Privacy Commissioner for BC (oipc.bc.ca)
• Federal (Canada): Office of the Privacy Commissioner of Canada (priv.gc.ca)

To exercise any of these rights, please contact our Privacy Officer at legal@grinbuck.com. We will acknowledge your request promptly and respond within 30 days.

10. COOKIES AND SESSION TOKENS

The Service uses cookies and session tokens solely to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or analytics cookies. We do not use third-party advertising networks.

The session cookies used by the Service are necessary for the Service to function. By using the Service, you consent to the use of these essential cookies.

11. CHILDREN'S PRIVACY

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that personal information has been collected from a minor, we will delete it promptly.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Updated policies will be posted to the Service with a revised "Last Updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. We will make reasonable efforts to notify you of material changes by email.

13. CONTACT US

For questions, concerns, access requests, or complaints regarding this Privacy Policy or our privacy practices, please contact:

Privacy Officer
Grinbuck Technologies Inc.
Victoria, British Columbia, Canada
Email: legal@grinbuck.com

We will acknowledge your inquiry promptly and respond within 30 days.