Privacy Policy

1. Plain-language summary

We collect the minimum data needed to run your account: your email, business info, what you do on the platform, and (if you connect them) read-only access to your bank, POS, and Google Business profiles. We never sell your data. We never see your bank password (Plaid handles that). You can export or delete everything at any time. We store data on Canadian and US servers operated by reputable processors. We comply with Canada's PIPEDA.

2. Who we are

Clariva & Solvera ("we", "us", "our") is operated by Hussien Issa, doing business in Ontario, Canada. We are the data controller for the personal information described in this policy.

3. What we collect

You give us directly

• Account information. Name, email, password (hashed), business name, business address, industry, team size, province, primary goal.
• Payment information. Processed by Stripe — we receive a customer ID and last 4 digits of your card, never the full card number or CVC. Stripe holds full card data, not us.
• Content you upload. POS reports (CSV/XLSX), receipts, documents (leases, insurance, contracts) you choose to store in Clariva.
• Messages. Any message you send our AI co-pilot, in support tickets, or via contact forms.

From third-party integrations you authorize

• Plaid: read-only bank account info (balances, transactions, account holder name). Plaid handles your bank credentials. We receive an access token and the bank data Plaid permits — never your username or password.
• Square / Shopify / Lightspeed POS: read-only sales, items, customers, employees, vendors. OAuth tokens granted by you to us.
• Google Business Profile: read-only profile info, reviews, queries, posts. Requires your OAuth consent.

Automatically

• Usage data. Which pages you view, which features you use, error logs. Used to improve the product and debug issues.
• Device + technical info. Browser type, OS, IP address, timezone, screen resolution. Used for security (detecting unusual logins) and analytics.
• Cookies. See section 6.

4. Why we collect it (legal basis)

Under PIPEDA, we collect personal information for purposes that are reasonable and to which you have given consent. Specifically:

• To provide the service — without your account info, integrations, and uploaded data, the product literally cannot work.
• To bill you — we share your email and the amount with Stripe to process subscription payments.
• To improve the product — aggregate, anonymized usage patterns. We never look at your individual data without your explicit support request.
• To communicate — service updates, security alerts, feature announcements (you can opt out of marketing emails).
• To comply with the law — tax records, response to lawful subpoenas, anti-money-laundering checks where applicable.

5. Third parties we share data with

We only share data with processors required to deliver the service. Each one operates under contracts that meet PIPEDA's "comparable level of protection" requirement.

• Stripe (USA) — payment processing. stripe.com/privacy
• Plaid (USA, CA region) — bank connections. plaid.com/legal
• Anthropic (USA) — AI co-pilot and content optimization. Your queries are processed by Claude. anthropic.com/legal/privacy
• Render (USA, EU regions) — backend hosting + Postgres database.
• Netlify (USA, global CDN) — frontend hosting.
• Square / Shopify / Lightspeed — POS data flows through their APIs at your direction.
• Google — Business Profile API, PageSpeed Insights, optionally Search Console.
• SerpApi / DataForSEO (USA) — when used for SERP tracking; only your tracked keywords are sent, never personal data.

We do not sell your data. Ever. No exceptions. The list above are operational processors, not buyers.

6. Cookies & analytics

We use a small number of cookies:

• Session cookies — to keep you logged in.
• CSRF tokens — security only.
• Preference cookies — to remember your custom dashboard layout, theme choice, etc.

We currently use only first-party analytics (server-side logging). We do not use Google Analytics, Facebook Pixel, or any cross-site advertising tracker without your explicit opt-in.

7. Where data is stored

By default, your data is stored on servers physically located in Canada (Render's Oregon region for backend; we are migrating to Toronto region for Canadian customers as of mid-2026). Some processors store data in the USA — those transfers occur under PIPEDA-compliant safeguards.

All data is encrypted in transit (TLS 1.3) and at rest (AES-256-CBC for sensitive tokens; Render's Postgres uses encrypted volumes).

8. How long we keep your data

• Active accounts — for as long as you have a subscription, plus 30 days after cancellation to allow re-activation.
• After deletion — operational data is purged within 30 days. Backups are rotated out within 90 days.
• Tax / financial records — retained for 7 years to meet Canadian tax law requirements (CRA).
• Audit logs — webhook events and admin actions retained for 1 year for security purposes.

9. Security

We protect your data with industry-standard measures:

• TLS 1.3 in transit, AES-256 at rest for sensitive tokens (Plaid access tokens, OAuth refresh tokens).
• Webhook signature verification on every inbound event (Stripe, Plaid, Square, Shopify).
• CSRF protection on every OAuth flow.
• Rate limiting and anomaly detection on API endpoints.
• Principle of least privilege — Plaid + POS access is always read-only. We cannot move money or modify your store.
• Regular security reviews and dependency audits.

No system is 100% secure. If we discover a breach affecting your personal information, we will notify you within 72 hours per PIPEDA's mandatory breach notification rule.

10. Your rights under PIPEDA

As a Canadian resident (or anyone whose data we hold), you have the right to:

• Access — request a copy of all personal data we hold about you.
• Correction — fix anything that's wrong.
• Deletion — request we delete your account and all associated data.
• Portability — export your data in a machine-readable format (CSV / JSON).
• Withdraw consent — at any time, with reasonable notice. Some withdrawals end your ability to use the service.
• Complain — to the Office of the Privacy Commissioner of Canada, if you believe we've mishandled your data.

To exercise any of these rights, email privacy@clariva.app. We respond within 30 days as PIPEDA requires.

11. Children

This service is intended for business owners and operators. We do not knowingly collect data from anyone under 18. If you believe a child has submitted data, contact us and we will delete it.

12. Changes to this policy

We may update this policy. Material changes will be announced by email to active customers at least 30 days in advance. The "Last updated" date at the top of this page always reflects the current version. Previous versions are available on request.

13. Contact us

Privacy questions or requests: privacy@clariva.app

General contact: hello@clariva.app

Mailing: Clariva & Solvera, Newcastle, Ontario, Canada