Privacy Policy
Effective Date: March 1, 2026 — Last updated: June 25, 2026
NorthOS is operated by Apex North Enterprise, a sole proprietorship registered in Ontario, Canada.
1. Information We Collect
- Account Information — name and email via Google OAuth. We do not store your Google password.
- Business Data — transactions, revenue, expenses, business type, province, and GST/HST registration status you enter.
- Financial Account Data (optional): if you choose to connect a bank or credit card account, we import your transaction history and account balances through our provider Plaid to keep your books up to date. This connection is read-only, and NorthOS cannot move money. You can disconnect at any time in Settings. See Section 8 for details.
- Usage Data — anonymized analytics on the marketing site (northos.ca) via Google Analytics and DataFast. No tracking inside the dashboard or ledger.
- Technical Data — session tokens for authentication, which expire automatically.
2. How We Use Your Information
We use your information to provide NorthOS services, calculate tax estimates and T2125 working papers, maintain your transaction history, improve the service, and communicate important updates. We never use your financial data for advertising purposes.
3. How We Store Your Information
Your data is stored in a secured cloud database with HTTPS encryption and session-based authentication. Your core business data — transactions, accounts, and tax records — is stored in Toronto, Canada (Microsoft Azure Canada Central). Certain data may be processed outside Canada when using AI features; see Section 9 (Third-Party AI Processing) for details.
4. Sharing Your Information
We do not sell or rent your personal or business data. We may share limited information only with:
- Service Providers — Google OAuth for authentication, cloud hosting providers.
- Legal Requirements — when required by law or to protect our rights.
- Business Transfer — in connection with a merger, acquisition, or sale of assets.
5. Your Rights Under PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
- Access your personal information
- Correct inaccurate information
- Withdraw consent for data processing
- Request deletion of your data
Contact hello@northos.ca to exercise these rights. We respond within 30 days.
6. Data Retention
We retain personal data only as long as necessary for the purpose it was collected, consistent with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec's Act respecting the protection of personal information in the private sector (Law 25). The following schedule applies:
| Data type | Retention period |
|---|---|
| Active account & business data | Duration of active account |
| Transaction & tax records | 7 years from the end of the relevant tax year (aligned with CRA's 6-year requirement plus a one-year buffer) |
| Inactive accounts (no login) | Warning sent at 18 months of inactivity; account scheduled for deletion at 24 months. Active or paying subscribers are exempt. |
| Deleted account data | Permanently deleted within 30 days of deletion request |
| Session tokens | Expire automatically after 7 days |
| Proof-of-deletion audit log | Retained indefinitely as a hashed, non-identifiable record (no PII) |
When an account is deleted, all associated data — transactions, receipts, invoices, chat history, and session records — is permanently purged. A hashed audit record with no personally identifiable information is retained as proof of deletion.
7. Children's Privacy
NorthOS is intended for adults aged 18 and older. If you believe a minor has created an account, please contact hello@northos.ca.
8. Third-Party Services
NorthOS uses the following third-party services:
- Google Sign-In — for secure authentication. We do not store your Google password.
- Google Drive — when you connect Google Drive, NorthOS creates a folder (
NorthOS/Receipts/) in your Drive and stores copies of your approved receipt photos there as a CRA audit trail. If you enable the inbox feature, NorthOS also reads new files you place in your NorthOS folder to automatically queue them for review. We access only files within the NorthOS folder. We do not read, access, or store any other files in your Google Drive. You can disconnect Google Drive at any time in Settings, which immediately revokes our access. - Google Analytics (GA4) — anonymized analytics on the marketing site only. No tracking inside the dashboard or ledger.
- DataFast — anonymized analytics on the marketing site (northos.ca) to understand which channels bring visitors to NorthOS. DataFast may set cookies (
datafast_visitor_id,datafast_session_id) on northos.ca. No personal data is transmitted. - Stripe — payment processing for subscriptions. Stripe handles all card data directly; NorthOS never sees or stores card numbers. Stripe's processing is governed by their Privacy Policy.
- Plaid: if you connect a bank or credit card account, NorthOS uses Plaid Inc. to securely retrieve your account and transaction information on your behalf. Plaid provides read-only access and does not allow NorthOS to move money. We use this information only to import and categorize your transactions, calculate the GST/HST and income tax you owe, and prepare your CRA tax forms, and we never sell it. If you use the AI features, transactions imported from a connected account may be processed by Google as a service provider on our behalf, as described in Section 9. You can disconnect a connected account at any time in Settings, which stops further access. Plaid's handling of your information is governed by the Plaid End User Privacy Policy.
- Resend — transactional email delivery (welcome emails, account notifications). Your email address is transmitted to Resend solely to deliver messages you have requested.
NorthOS's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
9. Third-Party AI Processing
NorthOS uses the Google Gemini API to power the Document Scanner and the North AI assistant. To answer your questions and read your receipts, these features transmit the information relevant to your request (such as your transactions, including transactions imported from a connected bank account, receipt images, invoice content, and financial summaries) to Google LLC for processing. Google may process this data outside of Canada, including in the United States. NorthOS uses the paid Gemini API: under Google's Gemini API Additional Terms of Service, Google does not use this data to train or improve its models, and retains it only for a limited time to monitor for abuse and meet legal requirements. Google's broader data practices are described in its Privacy Policy.
Your core business data, including transactions, GST records, and account information, is stored on servers located in Toronto, Canada (Microsoft Azure Canada Central) and does not leave Canada except as described above.
You may disable AI features individually at any time in Settings.
10. North Scan Mobile App
North Scan is our mobile app for tracking business mileage and scanning receipts. In addition to the practices above, the app collects the following with your permission:
- Location Data— with your permission, North Scan collects precise location data during business trips you start, to measure distance for your CRA mileage logbook. This includes collection in the background, even when the app is closed or not in use, so a trip keeps recording with your phone in your pocket. Tracking runs only during trips you start and stops when you end the trip. Only the trip summary (date, distance, destination, and purpose) is saved to your account; the underlying GPS points stay on your device and are discarded once the trip is saved. You can decline location access and enter trips manually instead.
- Camera and Photos— used only when you scan a receipt or invoice, or attach an existing photo. Receipt images are processed by our AI provider to extract the purchase details (see Section 9), and we do not retain the image on our servers after processing. If you connect Google Drive, a copy of each scanned receipt is saved to your own Drive, under your control.
- Sign-In Tokens— signing in with Google or Apple sends us a one-time identity token so we can verify your email. We do not receive or store your Google or Apple password.
Mileage trips logged without an account stay on your device until you sign up. All other sections of this policy, including your PIPEDA rights and deletion rights, apply equally to data collected through the app.
11. Changes to This Policy
We will notify you of material changes via email. The updated policy will be posted at northos.ca/privacy.