Privacy Policy
Effective Date: March 1, 2026 — Last updated: May 1, 2026
NorthOS is operated by Apex North Enterprise, a sole proprietorship registered in Ontario, Canada.
1. Information We Collect
- Account Information — name and email via Google OAuth. We do not store your Google password.
- Business Data — transactions, revenue, expenses, business type, province, and GST/HST registration status you enter.
- Usage Data — anonymized analytics on the marketing site (northos.ca) via Google Analytics and DataFast. No tracking inside the dashboard or ledger.
- Technical Data — session tokens for authentication, which expire automatically.
2. How We Use Your Information
We use your information to provide NorthOS services, calculate tax estimates and T2125 working papers, maintain your transaction history, improve the service, and communicate important updates. We never use your financial data for advertising purposes.
3. How We Store Your Information
Your data is stored in a secured cloud database with HTTPS encryption and session-based authentication. Servers are located in Canada or the United States.
4. Sharing Your Information
We do not sell or rent your personal or business data. We may share limited information only with:
- Service Providers — Google OAuth for authentication, cloud hosting providers.
- Legal Requirements — when required by law or to protect our rights.
- Business Transfer — in connection with a merger, acquisition, or sale of assets.
5. Your Rights Under PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
- Access your personal information
- Correct inaccurate information
- Withdraw consent for data processing
- Request deletion of your data
Contact hello@northos.ca to exercise these rights. We respond within 30 days.
6. Data Retention
We retain personal data only as long as necessary for the purpose it was collected, consistent with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec's Act respecting the protection of personal information in the private sector (Law 25). The following schedule applies:
| Data type | Retention period |
|---|---|
| Active account & business data | Duration of active account |
| Transaction & tax records | 7 years from the end of the relevant tax year (aligned with CRA's 6-year requirement plus a one-year buffer) |
| Inactive accounts (no login) | Warning sent at 18 months of inactivity; account scheduled for deletion at 24 months. Active or paying subscribers are exempt. |
| Deleted account data | Permanently deleted within 30 days of deletion request |
| Session tokens | Expire automatically after 7 days |
| Proof-of-deletion audit log | Retained indefinitely as a hashed, non-identifiable record (no PII) |
When an account is deleted, all associated data — transactions, receipts, invoices, chat history, and session records — is permanently purged. A hashed audit record with no personally identifiable information is retained as proof of deletion.
7. Children's Privacy
NorthOS is intended for adults aged 18 and older. If you believe a minor has created an account, please contact hello@northos.ca.
8. Third-Party Services
NorthOS uses the following third-party services:
- Google OAuth — for secure authentication. We do not store your Google password.
- Google Analytics (GA4) — anonymized analytics on the marketing site only. No tracking inside the dashboard or ledger.
- DataFast — anonymized analytics on the marketing site (northos.ca) to understand which channels bring visitors to NorthOS. DataFast may set cookies (datafast_visitor_id, datafast_session_id) on northos.ca. No personal data is transmitted.
- Stripe — payment processing for subscriptions. Stripe handles all card data directly; NorthOS never sees or stores card numbers. Stripe's processing is governed by their Privacy Policy.
- Resend — transactional email delivery (welcome emails, account notifications). Your email address is transmitted to Resend solely to deliver messages you have requested.
9. Third-Party AI Processing
NorthOS uses Google Gemini to power the Document Scanner and the North AI assistant. To provide these features, certain data — including receipt images, invoice content, and financial summaries relevant to your query — is transmitted to and processed by Google LLC, which may process this data outside of Canada, including in the United States. Google's processing is governed by their Privacy Policy and Terms of Service.
Your core business data, including transactions, GST records, and account information, is stored on servers located in Toronto, Canada (Microsoft Azure Canada Central) and does not leave Canada except as described above.
You may disable AI features individually at any time in Settings.
10. Changes to This Policy
We will notify you of material changes via email. The updated policy will be posted at northos.ca/privacy.