Privacy Policy

CRA Navigator is operated by its founder, who serves as the designated Privacy Officer. The Privacy Officer is responsible for ensuring compliance with this policy and with the Personal Information Protection and Electronic Documents Act (PIPEDA).

You can reach the Privacy Officer at any time: privacy@cranavigator.ca

We collect and use your personal information only for the purposes described here, before or at the time of collection:

• To analyze your CRA letter and return a plain-English summary, deadline, and action plan.
• Your letter text is sent to Claude AI (operated by Anthropic, Inc.) for analysis. Anthropic processes it on our behalf under a data processing agreement. Your data is not used to train Anthropic's AI models.
• Analyzed letters are stored encrypted in our database (Supabase, hosted on AWS infrastructure) so you can access them again from your account.
• Letter data is automatically deleted after 2 years of inactivity.
• Payment information is processed by Stripe and never stored on our servers.
• Your data is never sold, rented, or shared with advertisers or third parties for their own purposes.

We require your explicit consent before you upload or paste any letter. A consent checkbox appears on every upload form and must be checked before analysis can begin. By checking that box, you confirm you have read this policy and agree to the described uses.

You may withdraw consent at any time by deleting your account or emailing us. Withdrawal does not affect analysis already completed.

We collect only the information we actually need:

• Your email address and password (for account creation and login).
• The text of CRA letters you choose to submit.
• Payment details (handled entirely by Stripe — we never see or store card numbers).
• Basic usage data (which letters were analyzed, when) to operate the service.

Social Insurance Numbers (SINs) are automatically detected and stripped from your letter text before it is sent to Claude AI or stored anywhere. We never retain your SIN.

Your letter data is used only to perform the analysis you requested. Specifically:

• Letter content is never used to train AI models (ours or Anthropic's).
• Letter content is never shared with third parties except Anthropic (analysis) and Supabase (storage) — both acting as processors under contractual obligations.
• We do not disclose your information to the CRA, government, or law enforcement except where required by law and after receiving a valid legal order.
• Letters are retained for 2 years from last activity, then permanently deleted.

You can view, correct, or delete your letters and account data at any time from your dashboard. If you believe information we hold about you is inaccurate, contact us and we will correct it promptly.

We use technical and organizational safeguards appropriate to the sensitivity of your information:

• All data in transit is encrypted via HTTPS/TLS.
• Letter text is encrypted at rest using AES-256 encryption (via pgcrypto). The encryption key is never stored in the database.
• Database Row Level Security (RLS) ensures you can only access your own data — even at the application layer.
• Social Insurance Numbers are stripped before any storage or AI processing.
• Access to production systems is restricted to the Privacy Officer.
• Stripe handles all payment data under PCI-DSS Level 1 compliance.

This privacy policy is publicly available at cranavigator.ca/privacy. We will notify registered users by email of any material changes to this policy at least 14 days before changes take effect.

You have the right to access a copy of the personal information we hold about you. To request a copy, email privacy@cranavigator.ca with the subject line “Data Access Request.” We will respond within 30 days.

You also have the right to request deletion of all your personal data. You can delete individual letters from your dashboard, or request full account deletion by emailing us. Deletion is permanent and irreversible.

If you believe we have not complied with this policy or with PIPEDA, you may file a complaint with us first. Send your complaint to privacy@cranavigator.ca. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner of Canada at priv.gc.ca.