Privacy Policy
Last updated: April 12, 2026
1. Overview
Claimable ("the Service", "we", "us", "our") is a cloud-based application designed to help Canadian individuals and businesses track tax-deductible expenses. This Privacy Policy explains how we collect, use, store, and protect your information when you use Claimable.
By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Display name
- Province or territory of residence (used for tax rate calculation)
- Password (stored in hashed form only - we never store or have access to your plain-text password)
Financial Records
When you use the Service, you may provide:
- Income source details (business names, GST/HST registration numbers)
- Expense records (dates, vendors, amounts, descriptions, payment methods)
- Vehicle trip logs and home office measurements
- Capital cost allowance (CCA) asset records
Receipt Files
- Images and PDFs of receipts you upload
- Text extracted from receipts via optical character recognition (OCR)
- SHA-256 integrity hashes computed for verification purposes
Usage Data
We automatically collect limited technical data to maintain and improve the Service:
- IP address and approximate location (country/region level)
- Browser type and device information
- Pages visited and feature usage patterns
- Timestamps of account activity
Payment Information
If you subscribe to a paid plan, payment processing is handled by our third-party payment processor. We do not store your full credit card number, CVV, or bank account details. We receive only a transaction identifier, plan type, and billing status from the payment processor.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service, including expense tracking, receipt scanning, tax calculations, and report generation
- Authenticate your identity and secure your account
- Calculate GST/HST, exchange rates, CCA depreciation, and other tax-related values
- Generate export packages (PDF, CSV, audit reports) at your request
- Process subscription payments and manage your account
- Send transactional emails (account verification, password resets, billing receipts)
- Monitor and improve the performance, reliability, and security of the Service
- Comply with legal obligations
4. How We Protect Your Information
We implement industry-standard security measures to protect your data:
- All data is encrypted in transit using TLS 1.2 or higher
- Data at rest is encrypted using AES-128 (Fernet) authenticated encryption
- Passwords are hashed using bcrypt with per-user salts
- Receipt files are verified using SHA-256 integrity hashes
- Access to production systems is restricted and monitored
- Regular security audits and vulnerability assessments are conducted
5. Data Sharing and Disclosure
We do not sell your personal or financial information to third parties.
We may share limited information with:
- AI processing (OpenAI) - when you use receipt or document scanning, your uploaded files are sent to OpenAI for data extraction. See Section 6 for full details on what is sent and how it is handled
- Payment processors - to process subscription payments (they receive only the data necessary to complete the transaction)
- Infrastructure providers - our hosting and database providers process your data on our behalf under strict data processing agreements
- Law enforcement - if required by a valid legal process (subpoena, court order, or equivalent) under Canadian law. We will notify you of such requests unless legally prohibited from doing so
6. External Services and Third-Party Processors
Bank of Canada Valet API
When you record an expense in a foreign currency (e.g., USD), we fetch the daily exchange rate from the Bank of Canada's public Valet API. This request includes only the date and currency pair — no personal or financial data is transmitted.
Receipt and Document Scanning (OpenAI)
When you use the receipt or document scanning feature, your uploaded files are sent to OpenAI (OpenAI, L.L.C., San Francisco, CA, USA) for processing via their API. This includes:
- Receipt and invoice images or extracted text from PDFs
- Business context (e.g., your business description) to improve categorization accuracy
OpenAI processes this data solely to extract structured information (vendor names, dates, amounts, tax breakdowns, and suggested CRA categories) and return it to us. Under OpenAI's API data usage policy, data submitted via the API is not used to train their models. OpenAI may retain API inputs for up to 30 days for abuse and misuse monitoring, after which they are deleted.
Scanning is entirely optional — you can enter all expense and invoice data manually without using this feature. The first time you use scanning, you will be asked to acknowledge this data processing.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Financial records use soft deletes - when you delete an expense or record, it is marked as deleted but retained for audit trail purposes. This is by design, as the CRA requires that you maintain records for a minimum of seven years.
If you close your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records, fraud prevention). You may request a full data export before closing your account.
8. Your Rights
You have the right to:
- Access - request a copy of the personal data we hold about you
- Export - download all of your data at any time through the built-in export functionality
- Correction - update or correct inaccurate information in your account
- Deletion - request deletion of your account and associated data
- Portability - receive your data in a structured, commonly used format (CSV, PDF)
To exercise any of these rights, contact us at the email address listed below. We will respond to requests within 30 days.
9. Cookies
We use essential cookies to maintain your authentication session and remember your preferences (such as dark/light mode). We do not use third-party advertising or tracking cookies. Analytics cookies, if used, are anonymized and do not track you across other websites.
10. Children's Privacy
Claimable is a business tool intended for adults filing Canadian tax returns. The Service is not directed at children under 18, and we do not knowingly collect information from minors. If we learn that we have collected personal data from a child under 18, we will delete that data promptly.
11. International Data Transfers
Your account data, financial records, and encrypted receipt files are stored and processed in Canada. However, when you use the receipt scanning feature, your uploaded files are transmitted to OpenAI's servers in the United States for processing (see Section 6). This transfer is necessary to provide the scanning functionality and is subject to OpenAI's data handling commitments.
If you access the Service from outside Canada, your information will be transferred to and processed in Canada (and the United States for scanning), which may have different data protection laws than your jurisdiction.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top indicates the most recent revision.
13. Contact
If you have questions about this Privacy Policy or how Claimable handles your data, please contact us at:
Email: [email protected]