AuroSave Logo

Privacy Policy

Last Updated: March 2026 | Valid under PIPEDA (Personal Information Protection and Electronic Documents Act)

At AuroSave, we value your privacy above all else. Because we process personal financial information for Canadian users, compliance with PIPEDA is mandatory and treated as our highest priority.

1. Information We Collect

We collect the following personal information to provide our core services:

  • Account Information: Email address, Name (from OAuth or manual entry), hashed passwords, account creation/login timestamps.
  • Financial Information: Transaction amounts, transaction dates, merchant names, user-defined categories, masked bank accounts.
  • Documentation: Uploaded receipt images, paystubs, and tracked income sources.
  • Usage Information: General analytics, anonymized error logs, and login footprint security trails.

2. How We Use Your Information

AuroSave only uses your data for explicit, stated purposes in accordance with PIPEDA Principle 2 (Identifying Purposes):

  • To extract transaction data (merchant, amount, date, items) automatically.
  • To automatically categorize spending and provide custom insights.
  • To authenticate your identity and provide secure technical support.
  • To maintain financial records critical for your Canadian Tax compliance.

We NEVER use your data to train AI models globally, we NEVER sell your financial information to third parties, and we NEVER use your data for external marketing purposes.

3. Receipt Processing & Security

When you upload receipts to AuroSave:

  • Storage & Encryption: Stored securely in Cloudflare R2 (Western North America, USA). All images are encrypted at rest using AES-256 encryption and encrypted in transit using TLS 1.3 (HTTPS).
  • AI Processing: Receipt images are securely processed by Google Gemini (USA) purely to extract structured data (API mode only—zero external training retention). Google processes data strictly on our behalf under a signed Data Processing Agreement.
  • Access Controls: Access to uploaded receipts is restricted to you (the owner) and authorized AuroSave technical systems via strictly scoped, time-limited credentials enforcing the Principle of Least Privilege.

4. Data Retention

By default, financial records and receipt imagery are retained for a minimum of 7 years, fulfilling requirements set out by the Canada Revenue Agency (CRA) for tax compliance. You may request deletion of data at any time via your account settings; however, certain transaction ledgers may enter a 30-day grace period or be forcibly retained strictly to satisfy legal tax-retention obligations before being permanently destroyed.

5. Sharing with Third Parties & Subprocessors

To operate securely at scale, we utilize industry-leading cloud platforms based in the United States and Canada. Data processing agreements (DPAs) are verified against these vendors to ensure PIPEDA equivalent fidelity across borders:

  • Supabase / AWS (USA): Identity Authentication.
  • Cloudflare (USA): Edge protection, DDoS filtering, and R2 Object Storage (Encrypted at Rest).
  • Google Gemini (USA): Zero-retention AI Extraction API.

6. Internal Security & Safeguards

AuroSave maintains robust internal Insider Threat Safeguards. All database access is restricted via Row Level Security (RLS) policies. Direct engineering access is strictly audited, logged in immutable infrastructure, requires 2FA+VPN, and undergoes quarterly review. Security alerts actively monitor for bulk abstraction or anomalous patterns.

7. Your PIPEDA Rights

Under PIPEDA legislation, you hold the right to:

  • Openness & Access: Request a complete machine-readable export of all your tracked data and receipts.
  • Accuracy: Edit and correct any dynamically categorized or parsed merchant details.
  • Challenge Compliance: Lodge an official inquiry regarding our compliance implementations to the AuroSave Privacy Officer, or escalate to the Privacy Commissioner of Canada (https://www.priv.gc.ca).

8. Cookie Usage

We use essential security tokens and diagnostic cookies solely to maintain your authentication session securely and combat cross-site scripting risks. We do not place third-party marketing tracking cookies on your device.

9. Contact Us

Should you have any concerns regarding how your personal information is protected, please contact our designated Privacy Officer at:
Email: privacy@aurosave.ca