Privacy Policy
Version 1.1 — Last updated: February 14, 2026
1. Introduction
RISA Capital Inc., a Canadian federal corporation, operates the RISA Docs platform at risadocs.ca ("Service"). This Privacy Policy explains what personal information we collect, how we use and protect it, who we share it with, and your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
We are committed to transparent data practices. If anything in this policy is unclear, contact us at privacy@risadocs.ca.
2. Information We Collect
2.1 Account Information
- Email address, username, and organization name (provided during registration)
- Password (stored as an irreversible bcrypt hash — we never store your actual password)
- Two-factor authentication settings (TOTP secret, encrypted at rest)
- User role and permissions within your organization
2.2 Documents and Financial Data
- Documents you upload (invoices, receipts, bills, statements, and other business documents)
- Data extracted from documents via OCR: vendor names, invoice numbers, dates, line items, amounts, addresses, tax amounts, and currency
- Expense account classifications and categorizations generated by AI
- Corrections you make to AI-generated classifications (used to improve accuracy for your organization)
- Bill tracking data synced with your connected accounting software
2.3 Email Scanning Data
If you enable email scanning:
- Email metadata: sender address, subject line, received date, folder name
- Email attachments (extracted and processed as documents)
- Email body content (scanned for inline invoices only — not stored after processing)
- We do not read, store, or process emails that do not contain document attachments or inline invoices
2.4 Integration Credentials
- OAuth tokens for connected services (Zoho Books, Zoho WorkDrive, and other providers you connect)
- IMAP credentials for email scanning (email address, server settings)
- All credentials are encrypted at rest using Fernet (AES-128-CBC) and decrypted on-demand only when needed to perform an action you have authorized
2.5 Usage and Security Logs
- Login timestamps, IP addresses, and user agent strings (for security and audit purposes)
- Authentication events: login attempts (successful and failed), password changes, 2FA setup, account lockouts
- Document processing events: upload, classification, routing, correction timestamps
- Credential access logs: when encrypted credentials are decrypted and for what purpose
- We do not log personally identifiable information (PII), document content, or credentials in our application logs
2.6 Session and Cookie Data
- A single session cookie (session_id) used for authentication
- Session data: user ID, organization ID, login timestamp, last activity timestamp
- We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies
3. How We Use Your Information
- Service delivery: To process, categorize, and store your documents; to automate bookkeeping entries in your connected accounting software; to scan your email for documents at your direction.
- Authentication and security: To verify your identity, maintain session state, enforce access controls, detect unauthorized access, and protect against fraud.
- Improvement: To improve classification accuracy for your organization based on your corrections. We do not use your data to train AI models or improve the Service for other customers.
- Transactional communications: To send password reset emails, security alerts, billing notifications, and service announcements. We do not send marketing emails.
- Legal compliance: To comply with applicable laws, including CRA record-keeping requirements and PIPEDA obligations.
4. Legal Basis for Processing (PIPEDA)
Under PIPEDA, we process your personal information based on the following principles:
- Consent: You provide express consent when you create an account, accept our Terms of Service, connect third-party integrations, and enable features like email scanning or Smart Categorization.
- Contractual necessity: Processing your documents and financial data is necessary to provide the Service you have subscribed to.
- Legitimate interest: Security logs, audit trails, and authentication records are collected to protect you, other users, and the integrity of the Service.
- Legal obligation: Certain data is retained to comply with CRA record-keeping requirements (7-year retention for financial documents).
5. Sub-Processors and Data Sharing
We share your data only with the third-party services listed below, and only to the extent necessary to provide the Service. We do not sell, rent, or trade your personal information.
| Provider | Purpose | Data Processed | Location | Retention |
|---|---|---|---|---|
| Microsoft Azure AI Document Intelligence | Primary document OCR | Uploaded document images/PDFs | Canada (Toronto / Quebec City) | Per Microsoft DPA |
| Anthropic (Claude AI) | OCR, Smart Categorization, Folder Organization, Vendor Lookup (all opt-in) | Document images (OCR); extracted text fields (categorization); vendor names and folder structures (folder organization); vendor names (lookup) | United States | Zero retention per Anthropic API policy |
| DigitalOcean | Infrastructure, database, file storage | All platform data | Canada (Toronto) | Duration of service |
| Zoho Books (when connected by you) | Accounting integration | Bill details, vendor names, line items, amounts | Depends on your Zoho datacenter (Canada, US, EU, or other) | Per your Zoho Books agreement |
| Zoho WorkDrive (when connected by you) | Document storage sync | Document files, folder structure | Depends on your Zoho datacenter | Per your Zoho WorkDrive agreement |
5.1 Data Flow Details
- Document OCR: By default, documents are sent to Microsoft Azure AI Document Intelligence for text extraction, processed in Canadian data centres (Toronto or Quebec City). If you opt in to Claude Vision OCR in your Document Processing settings, document images may also be sent to Anthropic's US-based API for extraction. Claude Vision OCR is disabled by default and requires your explicit consent.
- Smart Categorization (opt-in): When enabled, only extracted text fields (vendor name, amounts, line items — never original documents) are sent to Anthropic's Claude AI for expense categorization and classification. This feature requires your explicit consent and can be disabled at any time.
- AI Folder Organization (opt-in): When enabled, vendor names and folder structure names are sent to Anthropic's Claude AI to intelligently organize your document folders and prevent duplicates. No document content, financial data, or personal information is sent. This feature requires your explicit consent.
- Vendor Lookup: When processing new vendors, vendor names (business entity names only) may be sent to Anthropic's Claude AI to look up publicly available business contact information (address, phone, website). No document content or financial data is sent.
- Accounting integrations: When you connect Zoho Books or another accounting provider, we send bill details (vendor name, date, amounts, line items) to create bookkeeping entries at your direction. We request only the minimum permissions needed (read and create — we do not request delete permissions).
- No other external services receive your data. All other processing occurs within our Canadian infrastructure.
6. Data Residency
All data under RISA Docs' direct control is stored in Canada (DigitalOcean Toronto region). This includes your database records, uploaded files, encrypted credentials, and session data.
Cross-border data transfer occurs only in these scenarios:
- Anthropic Claude AI (US): When you opt in to Claude Vision OCR, Smart Categorization, AI Folder Organization, or Vendor Lookup. Each feature requires explicit consent and can be disabled independently. Anthropic maintains a zero-retention policy for API data — your data is not stored, logged, or used for model training.
- Third-party integrations: When you connect an accounting or storage provider whose API is hosted outside Canada (e.g., Zoho Books US datacenter). Only the data required for the integration is transmitted, at your direction.
We do not use external CDNs, analytics services, error reporting tools, or any other service that would route your data through non-Canadian servers.
7. Data Retention
- Documents and financial records: Retained for 7 years from the document date to comply with Canada Revenue Agency (CRA) record-keeping requirements. This period is configurable per organization (minimum 7 years for CRA compliance).
- Account data: Retained while your account is active. Deleted within 30 days of account closure upon request, except where retention is required by law.
- Security and audit logs: Retained for 2 years for security investigation and compliance purposes, then permanently deleted.
- Session data: Automatically expired after 8 hours (default) or 30 days (with "remember me" enabled). Expired sessions are permanently deleted.
- Integration credentials: Deleted immediately when you disconnect a third-party integration or close your account.
- Consent records: Retained for the duration of your account plus 2 years, to demonstrate compliance with PIPEDA consent requirements.
8. Security
- Encryption at rest: Sensitive credentials (OAuth tokens, IMAP passwords, TOTP secrets) encrypted using Fernet (AES-128-CBC). Documents stored encrypted on DigitalOcean Spaces.
- Encryption in transit: All connections use TLS 1.2 or higher.
- Tenant isolation: PostgreSQL Row-Level Security (RLS) ensures each organization's data is isolated at the database level. Every query is scoped to your organization.
- Authentication: bcrypt password hashing (12 rounds), optional TOTP two-factor authentication, automatic account lockout after 5 failed login attempts (15-minute cooldown).
- Access control: Role-based access (user, admin, super_admin) with principle of least privilege.
- Input validation: All database queries use parameterized statements. File uploads validated against an allowlist. File paths checked for traversal attacks.
9. Breach Notification
In the event of a data breach involving your personal information:
- We will notify the Office of the Privacy Commissioner of Canada within 72 hours of becoming aware of the breach, as required by PIPEDA.
- We will notify affected users as soon as feasible, including a description of the breach, the types of information involved, and steps we are taking to address it.
- We will maintain a record of all breaches for a minimum of 24 months.
10. Your Rights (PIPEDA)
Under PIPEDA, you have the right to:
- Access: Request a copy of the personal information we hold about you. We will respond within 30 days.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to CRA retention requirements for financial documents and any other legal obligations.
- Data portability: Request an export of your data in a standard, machine-readable format (CSV or JSON). We will provide your data within 30 days.
- Withdraw consent: Withdraw consent for optional processing (e.g., Smart Categorization, email scanning) at any time through your account settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
- Complaint: File a complaint with us or directly with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
To exercise any of these rights, contact us at privacy@risadocs.ca.
11. Children
The Service is designed for business use and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will delete that information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or through the platform dashboard at least 30 days before they take effect. The version number and "last updated" date at the top of this page will be updated accordingly. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact
For privacy inquiries, data access requests, or complaints:
RISA Capital Inc.
Privacy Officer
Email: privacy@risadocs.ca
Website: risadocs.ca
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.