Privacy Policy

Effective: April 16, 2026 · Last updated: April 16, 2026

CropBook is operated out of Alberta, Canada, and is aligned with the Personal Information Protection and Electronic Documents Act (PIPEDA). This policy explains what we collect, why we collect it, who has access to it, and what you can do about it.

1. What we collect

• Account data: email address, name, and authentication credentials.
• Farm data: farm name, province, GST number (if you provide one), and fiscal year end.
• Receipts and transactions: images and PDFs you capture, plus the vendor, date, amount, tax, and CRA box codes extracted from them.
• Diagnostics: crash reports and anonymous performance data so we can find and fix bugs.

2. Why we collect it

• To provide the core bookkeeping and tax export features.
• To improve classification accuracy over time.
• To diagnose crashes and performance issues.

We do not sell your data, rent it, or use it for advertising. We do not perform cross-site tracking.

3. Where your data lives

Your account, farm records, and receipt images are stored in Supabase (PostgreSQL + object storage) in the ca-central-1 region (Montréal, Canada). Backups remain inside Canada.

4. Subprocessors

We share only what each service needs to do its job:

• Supabase — database, authentication, and receipt image storage (Canada).
• Google Gemini (Generative Language API)— receipt image parsing. Images are sent for inference and are not used to train Google's models (per the Gemini API terms).
• Sentry — anonymized crash and error telemetry.
• Vercel — website hosting (cropbook.ca).

5. How long we keep it

We keep your data as long as your account is active. When you delete your account, we permanently delete your personal data, farm records, receipt images, and transactions within 30 days. Anonymized, aggregate usage metrics may be retained.

6. Your rights

Under PIPEDA, you may:

• Access the personal information we hold about you.
• Ask us to correct inaccurate information.
• Delete your account at any time from Settings → Delete Account (web or iOS).
• Export your ledger at any time as CSV, PDF (T2042), or XLSX.
• File a complaint with the Office of the Privacy Commissioner of Canada.

7. Security

All traffic is encrypted in transit (TLS). Passwords are never stored in plaintext. On-device receipt data is stored in an encrypted SQLite database. Authentication sessions are kept in the OS secure enclave (Keychain on iOS).

8. Children

CropBook is not directed at children under 13 and we do not knowingly collect data from them.

9. Changes to this policy

We will post any material changes here and, for account-impacting changes, send notice to your account email at least 30 days in advance.

10. Contact

Privacy questions, access requests, or complaints: [email protected].