Heightly.
Effective date: 2026-06-09

HEIGHTLY SOFTWARE INC.

Privacy Policy

This Privacy Policy explains how Heightly Software Inc. ("Heightly," "we," "us," or "our"), a corporation incorporated in British Columbia, Canada, collects, uses, retains, discloses, and protects personal information in connection with the Heightly Tax Prep Report software application (the "Service").

This Privacy Policy is incorporated into and forms part of the Heightly Terms of Service. Defined terms in the Terms of Service have the same meaning in this Privacy Policy unless otherwise stated. By using the Service, you consent to the collection, use, retention, and disclosure of personal information as described in this Policy.

Heightly handles personal information in accordance with applicable Canadian privacy laws, which may include the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”) and the Personal Information Protection Act (British Columbia) (“BC PIPA”). Heightly has designated a Privacy Officer responsible for privacy compliance and for responding to privacy requests and complaints. The Service is not available to residents of the Province of Quebec; this Policy does not address Quebec's Law 25.

Privacy Snapshot. Heightly collects your email address, eligibility information, uploaded financial records, transaction data, categorization decisions, payment-related information, and technical usage information to provide the Service. We use automated processing and AI-assisted categorization to assist with transaction extraction, categorization, review prompts, and the generation of working-paper reports. We do not sell personal information. We do not use Customer financial records to train general-purpose AI models, and we do not permit our sub-processors to do so. Some sub-processors process personal information outside Canada, including in the United States. Uploaded source files are deleted 90 days after report delivery, and generated reports are retained for 12 months unless earlier deletion is requested and legally permitted. The Service does not make final legal, tax, credit, employment, insurance, or similarly significant decisions about individuals.

1. Personal Information We Collect

We collect personal information that you provide to us directly when you use the Service, and a limited amount of technical information that is collected automatically when you access the Service. We use the term "personal information" in the sense of PIPEDA: information about an identifiable individual.

1.1 Information you provide

  • Contact information — your email address, used to authenticate you (via passwordless magic link) and to send report-delivery and support communications.

  • Eligibility information — country of residence, province or state, industry, business profile (e.g., sole proprietor type, GST/HST registration status), and confirmation that the Customer or Customer's client is not a resident of the Province of Quebec.

  • Financial records — business bank account statements and credit card statements you upload to the Service (PDF or CSV). These records contain transaction data and may contain your name, masked or partial account numbers, merchant names, transaction amounts, and dates.

  • Self-reported business data — home office square footage and home expense totals (if applicable), off-bank revenue amounts and descriptions, off-bank expense entries, and any other inputs you provide during onboarding or report review.

  • Categorization decisions — your review decisions, overrides, and confirmations made within the Service for each transaction the Service surfaces for review.

  • Payment information — billing details collected at checkout. Heightly does not store full payment card numbers. Stripe Payments Canada, Ltd. processes and stores all cardholder data.

  • Professional user information — if you use the Service as an accountant, bookkeeper, or other professional user on behalf of a client, we collect your professional contact information and the client information described above with respect to your client.

1.2 Information collected automatically

  • Session and authentication metadata — magic-link tokens (single-use, time-limited), session identifiers, authentication timestamps.

  • Technical information — IP address, browser type and version, operating system, time zone, and general geographic region (used for eligibility verification including Quebec exclusion, fraud prevention, and analytics).

  • Usage information — pages visited within the Service, features used, error logs, processing times, and other operational diagnostics.

  • Cookies and similar technologies — a session cookie required to maintain your authenticated session. See Section 12 (Cookies).

2. How We Use Personal Information (Identifying Purposes)

Under PIPEDA Principle 2 (Identifying Purposes), Heightly identifies the purposes for which personal information is collected at or before the time it is collected. The purposes are:

(a) To provide the Service — to authenticate you, accept your uploads, parse and categorize your transactions, generate the PDF report and Excel workbook, deliver the outputs to you, and respond to your requests for support;

(b) To process payment — to charge the report fee through Stripe and to refund payments where eligible;

(c) To verify eligibility — to confirm that you (or your client, if you are a professional user) meet the eligibility criteria in the Terms of Service, including the Quebec exclusion;

(d) To maintain security and prevent fraud — to detect and prevent unauthorized access, abuse, fraud, and security incidents;

(e) To improve the Service — to analyze usage patterns and product performance in an aggregated and de-identified form. Heightly does not use Customer financial records to train any general-purpose AI model. Heightly does not permit its sub-processors to do so either;

(f) To meet legal obligations — to comply with applicable laws, regulations, court orders, and legitimate requests from public authorities, and to respond to legal claims.

If we wish to use personal information for a purpose not identified in this Policy, we will identify that purpose to you and obtain your consent before doing so, except where required or permitted by law.

3. Consent

We obtain meaningful consent for the collection, use, and disclosure of personal information. Because the Service processes financial records that may contain sensitive personal information, we generally rely on express consent.

(a) Express consent — You provide express consent when you click “I agree” to the Terms of Service and this Privacy Policy at checkout or before uploading records, and at any other consent prompt within the Service. Click-through acceptance is logged with a timestamp, the version of the documents accepted, and your IP address.

(b) Upload authorization — By uploading financial records after providing express consent, you authorize Heightly to process those records for the purposes described in this Policy, including automated processing and AI-assisted categorization where necessary to provide the Service.

(c) Professional users — If you use the Service as an accountant, bookkeeper, tax preparer, or other professional user on behalf of a client, you represent that you have provided any required privacy notices to the client and obtained all authority and consent required to upload the client’s personal information and financial records to the Service, disclose that information to Heightly and its subprocessors, receive the Service’s outputs, and use those outputs in providing your own professional services.

(d) Withdrawal — You may withdraw consent at any time by emailing team@heightly.ai. Withdrawing consent may mean that we can no longer provide the Service to you. Withdrawal is subject to legal or contractual restrictions, including record-retention obligations under applicable law.

4. Limited Collection

Under PIPEDA Principle 4 (Limiting Collection), we collect only the personal information that is necessary for the purposes identified in Section 2 of this Policy. We do not collect Social Insurance Numbers, Social Security Numbers, government-issued identification, biometric information, health information, sexual orientation, racial or ethnic information, religious beliefs, political opinions, or other categories of sensitive information that are not necessary to provide the Service.

We do not require you to provide more information than is necessary. If a field in the Service is optional, that will be indicated.

You should not upload documents containing Social Insurance Numbers, Social Security Numbers, government identification numbers, health information, or other information not required to provide the Service. If such information appears in uploaded records, Heightly will process it only as necessary to provide the Service and will delete it according to this Policy.

5. Retention

Under PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention), personal information is retained only for as long as necessary to fulfill the identified purposes for which it was collected, or as required or permitted by applicable law.

Heightly's retention schedule is:

  • Uploaded source files (bank and credit card statements) — 90 days after report delivery

  • Generated reports (PDF and Excel) — 12 months after generation, then deleted

  • Account metadata (email, payment receipt) — 7 years, to align with Canadian record-retention norms under the Income Tax Act (Canada) s. 230(4), or such longer period as required or permitted by applicable law

  • Magic-link tokens and authentication logs — 30 days from issuance

  • Server logs and operational diagnostics — 90 days from creation

  • Audit logs (consent, deletion requests, security events) — 7 years, for accountability

You may request earlier deletion of personal information using the self-serve deletion flow at heightly.ai/app/account/delete (if you have an active session) or by emailing team@heightly.ai. We honour deletion requests within thirty (30) days, subject to retention required by applicable law. See Section 10 (Your Rights) for the deletion process.

6. Security Safeguards

Under PIPEDA Principle 7 (Safeguards), we protect personal information by security safeguards appropriate to its sensitivity. The Service handles financial records, which we treat as sensitive personal information.

Our safeguards include:

Encryption in transit — all communications between your browser and the Service use Transport Layer Security (TLS) 1.2 or higher.

Encryption at rest — financial records, generated reports, and account metadata are encrypted at rest using AES-256 by our infrastructure providers (Supabase for database and storage), in a Canadian region.

Access controls — access to production data is restricted to authorized Heightly personnel under least-privilege principles. Administrative access requires multi-factor authentication.

Scoped sub-processor access — each sub-processor receives only the data it needs for its specific function, authenticated by service-specific credentials. For example, our AI sub-processor receives transaction descriptions and amounts for categorization but not authentication metadata; our email sub-processor receives email addresses and message contents but not financial records.

Audit logging — administrative actions, consent events, deletion requests, and security events are logged for review.

Regular security review — security and dependency reviews are performed regularly, and incident response procedures are documented.

No safeguard is perfect. By using the Service, you acknowledge that no method of transmission over the internet or method of electronic storage is 100% secure.

7. Sub-processors and Service Providers

Heightly uses the following sub-processors to deliver the Service. Each sub-processor is bound by written contractual obligations to protect personal information, to use it only for the specified purpose, and to apply security measures comparable to ours. We do not permit sub-processors to use your information to train general-purpose models or for any purpose unrelated to the Service.

  • Supabase, Inc. — Database, storage, and authentication infrastructure. Data location: Canada (Heightly's project region). Personal information shared: uploaded files, transaction data, reports, authentication data.

  • Vercel, Inc. — Application hosting and edge runtime. Data location: United States. Personal information shared: IP address, request metadata, application logs.

  • Anthropic, PBC — AI-assisted transaction categorization (Claude API). Data location: United States. Personal information shared: transaction descriptions, merchant names, amounts, dates, and the context needed for categorization; full bank statements are not shared unless required.

  • Stripe Payments Canada, Ltd. and affiliates — Payment processing. Data location: Canada and United States. Personal information shared: billing, contact, and payment metadata; uploaded financial statements are not shared.

  • Resend, Inc. — Transactional email (magic links, report delivery). Data location: United States. Personal information shared: email address, magic-link and report-delivery metadata.

Heightly updates this list when a sub-processor is added, replaced, or removed. The current list is available on this page. Material changes will be communicated by email or a click-through prompt as described in Section 15 (Changes to this Policy).

8. International Data Transfers

Some of our sub-processors operate or store data outside of Canada (primarily in the United States). When personal information is transferred outside Canada, the receiving service provider is bound by contractual safeguards designed to provide a comparable level of protection.

While personal information is in another jurisdiction, it may be subject to the laws of that jurisdiction, including lawful access by courts, law enforcement, and government authorities. By using the Service, you acknowledge this. Some international transfers are necessary to provide the Service. If you do not consent to these transfers, Heightly may be unable to provide the Service.

9. Accuracy

Heightly relies on the Customer to provide accurate and complete information and to review and correct categorization suggestions and extracted data. Heightly takes reasonable steps to keep account, payment, consent, and operational records accurate for the purposes for which they are used. Customers may request correction of personal information as described in Section 10.

10. Your Rights

Under PIPEDA Principle 9 (Individual Access) and applicable BC privacy law, you have the following rights with respect to your personal information:

(a) Access — you may request a copy of the personal information we hold about you. We will respond within thirty (30) days, subject to legal exceptions.

(b) Correction — if any personal information we hold about you is inaccurate or incomplete, you may request a correction. We will correct the information or, if we disagree, note your correction request on the record.

(c) Deletion — you may request deletion of personal information we hold about you. You may use the self-serve deletion flow at heightly.ai/app/account/delete if you have an active session, or email team@heightly.ai at any time. We will honour the request within thirty (30) days, subject to retention required by applicable law. We will confirm deletion by email.

(d) Withdrawal of consent — you may withdraw consent to the processing of personal information at any time, subject to legal or contractual restrictions. Withdrawing consent may mean we can no longer provide the Service to you.

(e) Portability — you may request a copy of the report we generated for you in a structured, commonly used format (PDF and Excel are available on report delivery).

To exercise any of these rights, use the self-serve deletion flow at heightly.ai/app/account/delete (for deletion requests with an active session) or email team@heightly.ai. We may ask you to verify your identity before we act on a request (for example, by sending a magic link to the email address associated with the request).

If personal information was uploaded by a professional user on behalf of a client, Heightly may need to verify the requester’s identity and authority and may coordinate with the professional user before responding, where appropriate and permitted by law. Heightly will not disclose personal information to an unverified requester.

11. Disclosure to Third Parties

Heightly does not sell personal information. We disclose personal information only:

  • To sub-processors, as described in Section 7, to provide the Service to you

  • To you, when you request access to your own personal information

  • To a third party you direct us to share with (for example, sharing your generated report with your accountant at your request)

  • To advisors, accountants, or auditors of Heightly, under confidentiality obligations, for legitimate business purposes

  • To an acquirer or successor in connection with a merger, acquisition, reorganization, or sale of all or substantially all of Heightly's assets, subject to the acquirer agreeing to be bound by terms no less protective than this Policy

  • As required or permitted by law, including in response to a valid legal process, to comply with a regulatory obligation, or to protect the rights, safety, or property of Heightly, our customers, or others

Once you download, send, or otherwise share a generated report or workbook, Heightly is not responsible for the recipient's handling of that information unless Heightly directly transmitted it to that recipient on your instruction and an error was attributable to Heightly.

12. Cookies and Similar Technologies

The Service uses a small number of cookies to function. These are strictly necessary cookies: they are required to maintain your authenticated session, to record your acceptance of the Terms of Service and Privacy Policy, and to protect against cross-site request forgery.

Heightly does not use advertising cookies, tracking pixels, or third-party analytics cookies for marketing or behavioural advertising. If we add analytics cookies in the future, we will update this Policy and obtain consent where required by law.

13. Breach Notification

Under PIPEDA section 10.1, if a breach of security safeguards involving personal information creates a real risk of significant harm to an individual, Heightly will:

  • Notify the affected individual as soon as feasible after determining that a breach has occurred

  • Report the breach to the Office of the Privacy Commissioner of Canada (OPC)

  • Notify any organization or government institution that may be able to reduce the risk of harm

  • Maintain a record of every breach of security safeguards for at least 24 months

Notification will include a description of the breach, the personal information involved, the steps Heightly is taking to address the breach, and the steps you can take to reduce the risk of harm (such as monitoring your accounts for unusual activity). Heightly may also notify applicable provincial privacy regulators where required or appropriate.

14. Children

The Service is not directed to, and is not intended for use by, individuals under the age of majority in their jurisdiction of residence. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it as soon as reasonably practicable.

15. Changes to this Policy

Heightly may update this Privacy Policy from time to time. The updated version will be posted on Heightly's website with an updated effective date. Material changes will be communicated to customers with active reports by email or by a click-through prompt at the next login. Continued use of the Service after the effective date of any change constitutes acceptance of the updated Policy.

16. Privacy Officer and Contact

Under PIPEDA Principle 1 (Accountability), Heightly has designated a Privacy Officer responsible for compliance with this Policy and applicable privacy law. Questions, requests, or concerns should be sent to:

Privacy Officer — Heightly Software Inc.
British Columbia, Canada
team@heightly.ai with subject line “Privacy Request”

17. Complaints

If you believe that Heightly has not handled your personal information in accordance with this Policy or applicable law, please contact the Privacy Officer first. We will investigate and respond to your complaint within thirty (30) days.

If you are not satisfied with our response, you may file a complaint with:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: priv.gc.ca

BC residents may also contact the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca).

End of Privacy Policy

© Heightly Software Inc.