Privacy Policy
Paarify (“we,” “us,” or “our”) is operated by FinAssessor Ltd, a company incorporated in Ontario, Canada (the "Controller" / "Business"). Paarify operates the Paarify mobile application and related services (collectively, the “Service”). Paarify is a financial intelligence platform; it is not an accounting system, bookkeeping service, or regulated financial institution. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the EU/UK General Data Protection Regulation (GDPR) to the extent it applies to incidental EU/UK users, and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA).
By using Paarify, you agree to the collection and use of information in accordance with this policy.
Who we are and how to contact us
Data Controller / Business: FinAssessor Ltd, Ontario, Canada.
Privacy Officer: privacy@paarify.com
EU/UK matters: For incidental users in the EEA/UK, the Privacy Officer above acts as the point of contact. We have not appointed an Article 27 GDPR representative because we do not target the EEA/UK market; if you are based in the EEA or UK and wish to exercise your rights, contact privacy@paarify.com and we will respond in accordance with Articles 12–22 GDPR.
California privacy matters: privacy@paarify.com (subject line: “California Privacy Request”).
1. Information We Collect
1.1 Account Information
When you create an account, we collect your full name, email address, password (stored in hashed form — we never store or access your plaintext password), and optionally your business name, business type, and industry. We also assign you a unique account identifier used to associate your data with your account.
1.2 Financial and Business Data
When you use our Service, you may provide or we may process:
- Receipt and invoice data: Images you upload or scan, including merchant names, amounts, dates, line items, tax, tips, and payment methods extracted through OCR and AI processing.
- Expense and income records: Transaction descriptions, amounts, categories, dates, and notes you capture or import.
- Inventory and cost data: Product names, quantities, costs, and cost-of-goods-sold records you maintain for your own operational purposes.
- Financial intelligence outputs: KPIs, benchmarks, forecasts, AI-generated insights, anomaly alerts, and other analytics derived from data you provide or connect.
1.3 Bank and Financial Account Data (via Plaid)
If you connect a bank account, we use Plaid, Inc. to securely access your financial institution. Through Plaid, we may collect account names and types, transaction history, account balances, and institution identifiers.
We do not collect or store your bank login credentials. Plaid handles authentication directly. Plaid’s use of your data is governed by the Plaid End User Privacy Policy.
1.4 Accounting Software Data (via QuickBooks)
If you connect QuickBooks, we access selected accounting-related data authorized through Intuit’s OAuth integration, such as your category structure, transaction records, and invoice data. The QuickBooks sync is read-only: Paarify reads data from QuickBooks for analytics purposes and does not write any data back to QuickBooks. You can disconnect at any time.
1.5 Payment and Billing Data (via Stripe)
Payment processing is handled by Stripe, Inc. We do not store your full credit card number. Through Stripe, we receive card brand and last four digits, billing history, and subscription status. Subscriptions are billed in US dollars (USD); applicable taxes, including Canadian GST/HST for customers in Canada, are calculated by Stripe Tax based on your location and added at checkout. See the Stripe Privacy Policy.
1.6 Device and Usage Data
We automatically collect device type, OS, app version, crash reports (via Sentry), general usage patterns, and IP address. We do not use this data for advertising.
1.7 Camera and Photo Library Access
Paarify requests camera and photo library access solely for scanning receipts and invoices. We do not access your camera or photos for any other purpose.
1.8 Cookies, SDKs, and Mobile Identifiers, and Similar Technologies
This section serves as our cookie and tracking-technology notice for purposes of Article 5(3) of the ePrivacy Directive (as implemented in EU/UK law), PIPEDA Principle 3 (Consent), and CCPA/CPRA §§ 1798.100 and 1798.135.
A. On the paarify.com website, we use the following categories of cookies and similar technologies:
| Category | Examples | Purpose | Legal basis (GDPR) | Consent required |
|---|---|---|---|---|
| Strictly necessary | session cookie, CSRF token, load-balancer cookie | Authentication, security, basic site functionality | Art. 6(1)(f) legitimate interests | No |
| Functional | — | Not currently used on the website. Any future functional cookies will be limited to remembering user choices. | n/a | n/a |
| Analytics | — | Not currently used. We do not run analytics cookies or third-party analytics SDKs on the website. | n/a | n/a |
| Marketing / advertising | — | Not used. We do not run advertising cookies, retargeting pixels, or third-party advertising SDKs. | n/a | n/a |
B. In the Paarify mobile application, we use:
Authentication tokens (stored locally on your device via secure storage) to keep you signed in. Strictly necessary; no consent required.
Mobile device identifiers (e.g., advertising identifiers, device fingerprints) only as required by the operating system or by our crash-reporting provider (Sentry) for diagnostic purposes. On iOS, App Tracking Transparency (ATT) is not triggered because we do not track users across apps or websites owned by third parties.
Embedded SDKs from our service providers (currently Sentry for error monitoring) which may collect device and diagnostic data as described in their respective privacy policies.
C. We do not use cookies, SDKs, or mobile identifiers for cross-site tracking, behavioral advertising, marketing analytics, or sale/sharing of personal information as those terms are defined under CCPA/CPRA § 1798.140.
D. Managing your choices. We use only strictly necessary cookies, which are exempt from prior consent under Article 5(3) of the ePrivacy Directive and equivalent guidance because they are essential to provide the service you request. We do not currently use analytics, marketing, or advertising cookies, and we do not deploy third-party tracking SDKs on the website; accordingly, no cookie consent banner is presented. You may block or delete cookies through your browser settings; doing so may affect site functionality. If we introduce non-essential cookies in the future, we will update this Policy and, where required, present a consent mechanism before such cookies are set.
2. How We Use Your Information
- The table below sets out each purpose for processing and, where applicable, the legal basis under GDPR Article 6(1) for users to whom GDPR applies.
| Purpose | GDPR legal basis |
|---|---|
| Provide and operate the Service (account, receipts, KPIs, forecasts, sync) | Art. 6(1)(b) — performance of a contract |
| Per-account learning to improve categorization accuracy | Art. 6(1)(b) — performance of a contract |
| Billing and payment processing via Stripe | Art. 6(1)(b) — performance of a contract |
| Transactional emails, security alerts, service notices | Art. 6(1)(b) — performance of a contract |
| Fraud detection, abuse prevention, network and information security | Art. 6(1)(f) — legitimate interests |
| Legal and regulatory compliance, tax recordkeeping | Art. 6(1)(c) — legal obligation |
| Defending or bringing legal claims | Art. 6(1)(f) — legitimate interests |
| Optional product-update or marketing emails (if introduced) | Art. 6(1)(a) — consent (opt-in) |
- Provide the Service: Process receipts, categorize transactions, generate KPIs, benchmarks, forecasts, and insights, read-only sync with connected accounts, manage your subscription.
- Improve accuracy within your account: The Service may use your prior categorizations and corrections within your account to improve categorization consistency for your future transactions. This per-account learning is not shared with other users and is not used to train any third-party AI model.
- Process payments: Manage billing through Stripe.
- Communicate: Send transactional emails and security alerts.
- Security: Detect and prevent fraud and unauthorized access.
- Legal compliance: Meet applicable regulatory requirements.
- We do not use your personal information for any purpose materially different from those disclosed above without first providing notice and, where required, obtaining your consent (PIPEDA Principle 5; GDPR Art. 5(1)(b); CCPA § 1798.100(b)).
3. How We Share Your Information
We do not sell personal information. We do not use customer financial data for targeted advertising. We do not rent, trade, or otherwise commercialize your data. For purposes of CCPA/CPRA § 1798.140(ad)–(ah), we do not “sell” or “share” personal information, and we have not done so in the preceding twelve (12) months. We also do not use or disclose sensitive personal information (which, for Paarify, includes account log-in credentials and financial account information) for any purpose other than those permitted under CCPA § 1798.121(a). We share data only with the service providers listed below, and only to the extent necessary to provide the Service:
| Provider | Purpose | Data Shared | Role | Location |
|---|---|---|---|---|
| Amazon Web Services | Cloud hosting, storage | All service data (encrypted) | Processor / Service provider | Canada (ca-central-1) |
| Stripe | Payment processing | Email, name, payment details | Processor / Service provider | US / IE |
| Plaid | Bank connections | Account and transaction data | Processor / Service provider | US |
| Intuit (QuickBooks) | Accounting sync (read-only) | Financial records you authorize | Independent controller for its platform; processor of data you authorize Paarify to read | US |
| OpenAI / Anthropic | AI receipt scanning | Receipt images (metadata-stripped; see below) | Processor / Service provider (no training on customer data; DPA in place) | US |
| Sentry | Error tracking | Device info, anonymized errors | Processor / Service provider | US |
| Pinecone | RAG vector index for benchmark matching | De-identified embeddings derived from your inputs | Processor / Service provider | US |
| AWS SES | Transactional email delivery | Email address, message content | Processor / Service provider | Canada |
All of the above providers act as our processors (GDPR) / service providers (CCPA) under written agreements that include the safeguards required by Art. 28 GDPR and CCPA § 1798.140(ag), including confidentiality, security, sub-processor controls, assistance with data-subject requests, deletion or return at end of contract, and prohibition on processing for any purpose other than providing the Service to us.
3.2 Categories of Personal Information We Collect (CCPA/CPRA disclosure)
For purposes of CCPA § 1798.110, in the preceding 12 months we have collected the following categories of personal information from California residents who use the Service. We have disclosed these categories only to the service providers listed in Section 3. We have not sold or shared any of these categories.
| Category (Cal. Civ. Code § 1798.140(v)) | Collected | Source | Purpose |
|---|---|---|---|
| A. Identifiers (name, email, account ID, IP address) | Yes | You; device | Provide Service |
| B. Customer records (signed agreement, billing info) | Yes | You; Stripe | Billing |
| C. Protected classifications | No | — | — |
| D. Commercial information (subscription history) | Yes | You; Stripe | Billing |
| E. Biometric information | No | — | — |
| F. Internet/network activity (device, OS, app usage) | Yes | Device | Diagnostics |
| G. Geolocation (coarse, derived from IP) | Yes | Device | Security, fraud prevention |
| H. Audio/visual (receipt images you upload) | Yes | You | OCR / data extraction |
| I. Professional/employment information | No | — | — |
| J. Education information | No | — | — |
| K. Inferences (KPIs, forecasts, anomaly flags) | Yes | Derived | Provide Service |
| L. Sensitive PI — account log-in credentials and financial account information (§ 1798.140(ae)(1)(A)–(B)) | Yes | You; Plaid | Authentication; provide Service. Used only as permitted under § 1798.121(a). |
3.3 AI-Powered Receipt and Document Processing
When you use Paarify’s receipt or document scanning features, the image you capture is sent to our AI processing partners (OpenAI and Anthropic) to extract text and structured data such as merchant names, dates, line items, and totals.
Before transmission , we automatically strip image metadata, including GPS location, device identifiers, and timestamps. Information printed on the receipt itself (such as partial card numbers or merchant addresses) may remain visible in the image.
Our AI partners process this data under Data Processing Agreements (DPAs) that contractually:
- Prohibit them from using your data to train their AI models
- Prohibit them from selling or sharing your data with third parties
- Restrict them from retaining your data beyond limited periods required for abuse monitoring and operational security, after which it is deleted in accordance with their published policies
The extracted text and structured data are stored in your Paarify account. Raw AI processing responses are retained for up to 90 days for accuracy verification and dispute resolution, then deleted. You can delete your account and all associated data at any time (see Section 6).
We may also disclose information when required by law, to protect our rights, prevent fraud, or in connection with a business transfer (merger, acquisition).
3.4 Automated Decision-Making and AI Assistance
Paarify uses AI to extract data, categorize transactions, generate insights, produce benchmarks, run forecasts, and detect anomalies. We do not make any solely automated decisions that produce legal or similarly significant effects on you within the meaning of Article 22(1) GDPR. All Service outputs — including AI categorizations, insights, forecasts, and benchmarks — are informational and are intended to support, not replace, your judgment. You can review, correct, or override any AI-generated output before relying on it, and you may contact privacy@paarify.com to discuss any AI-generated output that you believe is materially inaccurate.
4. Data Security
We implement industry-standard security measures including:
- TLS encryption for all data in transit
- Field-level encryption for sensitive tokens and credentials
- Private S3 storage with time-limited signed URLs
- JWT authentication with token rotation and blacklisting
- Rate-limited login attempts and account lockout protection
- HSTS, CSRF protection, and CORS whitelisting
- These measures are implemented in accordance with PIPEDA Principle 7 (Safeguards), GDPR Article 32 (Security of processing), and CCPA § 1798.150 (reasonable security procedures and practices). In the event of a personal data breach that creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA s. 10.1, and supervisory authorities and affected EEA/UK data subjects as required by GDPR Articles 33–34.
While we use commercially reasonable measures, no method of electronic transmission or storage is 100% secure.
5. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion, except where required by law.
- Receipt images: Stored until you delete them or your account.
- OCR raw processing data: AI processing responses are deleted within 90 days. Your extracted receipt data (merchant name, amounts, categories, etc.) is retained separately as part of your account.
- Payment history: Retained as required for financial compliance (typically 7 years).
- Aggregated and de-identified analytics: May be retained indefinitely for product improvement, provided the data cannot be reasonably linked to you.
- Retention periods are set in accordance with PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention) and GDPR Article 5(1)(e) (storage limitation). After the relevant retention period, personal information is securely deleted or irreversibly de-identified.
6. Your Rights and Choices
You can access, correct, export (CSV/PDF), and delete your data at any time within the app. You can disconnect any third-party integration at any time. Account deletion is available under Settings.
Depending on where you live, you may have the following additional rights. We will respond to verifiable requests within the timeframes required by applicable law and free of charge, except where requests are manifestly unfounded or excessive.
6.1 If you are in Canada (PIPEDA)
Under PIPEDA you have the right to:
Access your personal information held by us and be informed of its use and disclosure (Principle 9 — Individual Access);
Challenge the accuracy of your information and have it amended (Principle 9);
Withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice (Principle 3);
Challenge our compliance with PIPEDA by contacting our Privacy Officer (Principle 10).
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
6.2 If you are in the EEA or the UK (GDPR / UK GDPR)
Subject to the conditions and limits in the GDPR / UK GDPR, you have the right to:
Be informed about the processing of your data (Articles 13–14);
Access your data (Article 15);
Rectification of inaccurate or incomplete data (Article 16);
Erasure / "right to be forgotten" (Article 17);
Restriction of processing (Article 18);
Data portability in a structured, commonly used, machine-readable format (Article 20);
Object to processing based on legitimate interests (Article 21);
Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22);
Withdraw consent at any time where processing is based on consent, without affecting prior processing (Article 7(3));
Lodge a complaint with your local supervisory authority (Article 77). In the UK, this is the Information Commissioner's Office (ICO).
6.3 If you are in California (CCPA/CPRA)
Subject to verification and the exceptions set out in CCPA/CPRA, California residents have the right to:
Know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties to whom we disclose it (§§ 1798.100, 1798.110, 1798.115);
Delete personal information we have collected, subject to statutory exceptions (§ 1798.105);
Correct inaccurate personal information (§ 1798.106);
Opt-out of "sale" or "sharing" of personal information (§ 1798.120; § 1798.135). Paarify does not sell or share personal information, so there is currently nothing to opt out of; if this ever changes we will provide a "Do Not Sell or Share My Personal Information" link in the website footer and honor Global Privacy Control (GPC) signals;
Limit the use of sensitive personal information (§ 1798.121). Because we only use sensitive personal information for permitted purposes under § 1798.121(a), this right does not change how we process your data;
Non-discrimination for exercising any of the above rights (§ 1798.125).
Authorized agents. You may designate an authorized agent to submit a request on your behalf in accordance with 11 CCR § 7063.
How to exercise these rights. Submit a request through the in-app Settings, or email privacy@paarify.com. We will verify your identity using information already associated with your account and respond within statutory deadlines (typically 30 days for PIPEDA, one month for GDPR (extendable by two further months), and 45 days for CCPA, extendable by an additional 45 days).
7. Children’s Privacy
Paarify is not intended for individuals under 18. We do not knowingly collect data from children, including “children” within the meaning of COPPA (under 13) or “children” within the meaning of Article 8 GDPR (under 16, or such lower age between 13 and 16 as set by an EU/EEA Member State). If we become aware that we have collected personal information from a person under 18, we will delete it without undue delay.
8. International Data Transfers
Paarify’s primary infrastructure is hosted on Amazon Web Services in the Canada (Central) region (ca-central-1). Your core service data — account information, receipts, transactions, and financial intelligence outputs — is stored in Canada.
Certain service providers that support the operation of the Service may process limited categories of your information outside of Canada. Specifically:
- OpenAI and Anthropic (AI processing) may process receipt images and prompts in the United States
- Stripe (payment processing) may process payment data in the United States, Ireland, or other regions where Stripe operates
- Plaid (bank connections) may process transaction data in the United States
- Sentry (error tracking) may process diagnostic data in the United States
- Pinecone (vector index) may process de-identified embeddings in the United States
Each of these providers operates under Data Processing Agreements with us and under their own published privacy policies.
Transfer safeguards. For transfers of personal data of EEA/UK individuals to the United States or to other countries that have not received an adequacy decision from the European Commission or the UK Information Commissioner, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum to those SCCs, in each case supplemented by additional technical and organizational measures (encryption in transit and at rest, access controls, metadata stripping for AI processing). For Canadian customers, transfers comply with PIPEDA's accountability principle (Principle 1): we remain accountable for personal information transferred to a third party for processing and use contractual means to provide a comparable level of protection.
By using the Service, you consent to the transfer and processing of your information in Canada and in the other jurisdictions identified above, in each case subject to the protections described in this Privacy Policy.
9. Changes to This Policy
We may update this policy and will notify you of material changes within the app and by email to the address associated with your account, at least 30 days before the changes take effect, unless the change is required to address a legal or security issue. Continued use after changes constitutes acceptance.
10. Contact Us
Paarify (operated by FinAssessor Ltd, Ontario, Canada)
Email: privacy@paarify.com
Website: https://www.paarify.com
Privacy Officer (PIPEDA): privacy@paarify.com
California requests: privacy@paarify.com (subject: “California Privacy Request”)
EEA/UK requests: privacy@paarify.com