Privacy Policy
Folio AI ("we", "our", or "us") is committed to protecting the personal information of our users and their clients in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This policy explains what information we collect, how we use it, and your rights regarding that information.
1. Information we collect
We collect information in three categories:
- Account information — name, email address, firm name, and billing details provided when you create an account or subscribe to a plan.
- Uploaded documents — receipts, invoices, tax slips, and other financial documents that your firm uploads to the platform for processing. These documents may contain personal information about your clients and their employees. You are the controller of that information; we process it on your behalf as a data processor.
- Usage and technical data — log data, IP addresses, browser type, pages visited, and feature usage. This data is used to maintain service reliability and improve the platform.
2. How we use your information
- To provide, maintain, and improve the Folio AI platform.
- To process uploaded documents using our AI extraction pipeline.
- To send transactional emails (account confirmations, billing receipts, error alerts).
- To respond to support requests.
- To comply with legal obligations.
We do not sell personal information. We do not use your uploaded financial documents to train general-purpose AI models without your explicit consent.
3. Data storage and residency
All data — including uploaded documents, extracted data, and account information — is stored in Amazon Web Services infrastructure located in the ca-central-1 (Canada) region. Data does not leave Canada except where you explicitly configure a third-party integration (such as QuickBooks Online) that routes data through Intuit's infrastructure.
4. Data retention
- Uploaded documents and extracted data — retained according to the retention period configured by your firm (default: 7 years to align with CRA record-keeping requirements). Firms can shorten this period in settings.
- Application and access logs — retained for 90 days, then deleted automatically.
- Account information — retained for the duration of your subscription and deleted within 30 days of account closure upon request.
5. Third-party sub-processors
We use third-party services to operate the platform. A complete list of sub-processors is available at legal/sub-processors. Key sub-processors include Amazon Web Services (infrastructure), and optionally Intuit QuickBooks Online (where you enable the integration).
6. Your rights
Under PIPEDA and applicable provincial law, you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request correction of inaccurate information.
- Deletion — request deletion of your personal information, subject to legal retention requirements.
- Withdraw consent — withdraw consent for processing where consent is the legal basis, which may affect your ability to use the service.
To exercise any of these rights, contact us at s95.adnan@gmail.com or use the contact form. We will respond within 30 days.
7. Security
We implement appropriate technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, or destruction. Measures include encryption at rest and in transit, access controls, audit logging, and regular security reviews. For details, see our security page.
8. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to account holders at least 14 days before taking effect. The effective date at the top of this page reflects the most recent revision.
9. Contact
Questions or concerns about this policy can be directed to our Privacy Officer at s95.adnan@gmail.com.