Privacy Policy
Effective: April 25, 2026 · Compliant: Law 25 (Quebec) + PIPEDA (Canada)
🍁 In short
Your data stays in Canada (Supabase ca-central-1, Montreal). No banking data is collected. You can export or delete your data at any time from your settings or by emailing support@mywealthwise.ca.
1. Data collected
1.1 What you provide
| Data | Purpose | Legal basis |
|---|---|---|
| Email, name | Account creation | Explicit consent |
| Password (bcrypt hashed) or Google OAuth | Authentication | Contract performance |
| Symbols, quantities, purchase prices | Portfolio analysis | Contract performance |
| Financial goals (FIRE, retirement) | Personalized projections | Consent |
| Preferences (language, currency, alerts) | Personalization | Consent |
1.2 Automatic collection
- IP, User-Agent, timestamps: security logs (90 days)
- Session cookies: authentication persistence (30 days)
1.3 What we NEVER collect
- ❌ Banking data (account number, transit, PIN)
- ❌ SIN, tax identifiers, biometric data
- ❌ Real-time geolocation
- ❌ External browsing history (no cross-site tracking)
2. Processing purposes
- Contract performance: create your account, calculate your portfolio, display your alerts.
- Legal obligations: retain transactions for tax obligations (CRA / Revenu Québec).
- Legitimate interests: security, anti-fraud, performance.
- Explicit consent: newsletters, AI improvements via anonymized data.
3. Third-party sharing
Your data is shared only with strictly necessary subprocessors:
| Third party | Data | Country |
|---|---|---|
| Supabase (database hosting) | All (except password) | 🍁 Canada (ca-central-1) |
| Google Gemini API | Anonymized portfolio (no email/identity) | 🇺🇸 United States |
| Stripe (Premium payments) | Email, subscription amount | 🇺🇸 United States |
| Resend (transactional emails) | Email + action link | 🇺🇸 United States |
| Yahoo Finance API | Public symbols only | 🇺🇸 United States |
Transfers outside Canada are governed by standard contractual clauses (SCCs) and the EU-US Data Privacy Framework. No broker, no fund, no advertiser receives your data.
4. Data retention
| Data | Duration |
|---|---|
| Active account | Duration of contract + 30 days |
| Portfolio & transactions | Contract + 6 years (tax obligation) |
| Access logs (IP) | 90 days |
| Session cookies | Session or 30 days |
5. Your rights (Law 25, art. 9)
- Right of access: receive a copy of all your data, free of charge, within 30 days.
- Right of rectification: correct your data from the app or by email.
- Right to erasure: delete your account, within 30 days (except transactions subject to tax retention).
- Right to portability: export everything in JSON / CSV from your settings.
- Right to object: unsubscribe from marketing emails at any time.
- Right to restrict processing: request a suspension by email.
To exercise a right: support@mywealthwise.ca — response within 30 days.
6. Security
- ✅ Encryption in transit (TLS 1.3) and at rest (Supabase Postgres)
- ✅ Passwords hashed with bcrypt (10+ rounds)
- ✅ Row-Level Security (16 RLS policies) — you only see your own portfolios
- ✅ Rate limiting + audit logs
- ✅ Notification to the CAI within 72 hours in case of incident (Law 25, art. 13)
7. Cookies
| Cookie | Use | Consent |
|---|---|---|
| session_id | Authentication | Required (essential) |
| language_pref | Language (FR/EN) | Implicit |
| theme | Light/dark mode | Implicit |
| Google Analytics (if enabled) | Anonymous statistics | 🟡 Opt-in |
8. Contact & DPO
Data controller: WealthWise (publisher of the service)
Data Protection Officer (DPO): reachable at support@mywealthwise.ca
Postal address: 1101, rue des Cèdres, Frontenac (Quebec) G6B 2S1, Canada
Email: support@mywealthwise.ca
Supervisory authority: Commission d'accès à l'information du Québec (CAI) — you may file a complaint there if you are not satisfied with our response.
Changes to this policy
Any material change will be notified by email at least 30 days before it takes effect.