Skip to content

The Posture · Security & privacy

What we will, and will not, do with your household data.

The covenant

Six commitments we hold ourselves to.

  1. 01

    No bank-login scraping

    No third-party bank-aggregation APIs. No read-write integration into your accounts. You upload statements you already receive (CSV, PDF, screenshot); the parser runs in the browser when the layout allows and on a server worker only when it must.

  2. 02

    Row-level security on every read

    Every user-scoped table has RLS enabled with policies scoped to auth.uid() = user_id. API routes apply defense-in-depth with explicit .eq() filters on top of RLS, so a misconfigured policy cannot leak another household's data.

  3. 03

    Canadian residency, by design

    Supabase Canadian region. Postgres, Auth and Storage all colocated. We do not ship data outside the Canadian boundary for hosting, backups or analytics.

  4. 04

    Encryption end-to-end

    TLS 1.3 in transit. AES-256 at rest. Database backups encrypted with managed keys. API keys and the Anthropic dispatch credential are encrypted environment variables, never committed to the repo.

  5. 05

    Educational guidance only

    We are not a registered investment dealer, IIROC member, or licensed CFP. AI dispatches are planning models, not advice to buy or sell a security. We will not recommend specific products by ticker; we will explain the categories and trade-offs.

  6. 06

    Data export + delete on request

    Member dashboard offers a one-click export of every row tied to your account (JSON + CSV). Account deletion permanently removes those rows; deleted data is gone from primary storage and rotated out of encrypted backups on the next cycle.

Compliance

The Canadian regulatory frame we operate inside.

  1. 01

    PIPEDA-aligned

    Federal Personal Information Protection and Electronic Documents Act. Consent at signup, purpose limitation, retention policies documented in /privacy.

  2. 02

    No data resale

    We have no advertising surface, no third-party tracker resale, no "anonymised aggregate" data product. The business model is paid subscription only.

  3. 03

    AI dispatch audit log

    Every AI dispatch (Anthropic Claude call) writes an audit row: which agent, character counts in + out, tool calls, linter flags. You can review your own log in /dashboard/settings.

  4. 04

    Consent-gated tools

    Agents only see your transaction or net-worth data after you grant explicit consent. Until then they answer general questions only, no tool access.

Quebec Law 25

Quebec residents have stricter rights than federal PIPEDA grants. Here is how we honour them.

  1. 01

    Privacy Officer appointed

    Robin Raju, founder of Invest Wise Way, serves as the designated Privacy Officer under Quebec Law 25 section 8.1 and PIPEDA Schedule 1 Principle 1. Reachable at privacy@investwiseway.ca or via the intake form at /privacy-requests. Acknowledgement inside 24 hours; substantive reply inside the statutory 30-day window.

  2. 02

    Privacy Impact Assessment on transfer

    AI dispatches reach Anthropic compute outside Quebec. A PIA documents the legal basis, contractual safeguards (Zero Data Retention agreement), and risk assessment. Available on request.

  3. 03

    Express consent per purpose

    Quebec residents receive a per-purpose consent prompt at signup: account, AI dispatch, billing, and optional product analytics each consented separately. Implied consent (PIPEDA-acceptable) is not used inside Quebec.

  4. 04

    Automated decision transparency

    AI dispatches are planning models, not binding decisions, and we mark them as such. Where a dispatch influences a numbered recommendation, we surface the inputs used, the model that produced it, and the path to ask for a human review.

Internal access

Who at Invest Wise Way can read what, and under which controls.

  1. 01

    Need-to-know access

    Production database access is restricted to two named operators with audited credentials. No developer reads household data on their laptop. Support escalations require a per-incident, time-boxed grant that the member can revoke.

  2. 02

    Zero shoulder-surfing of dispatches

    AI dispatches stream directly between your browser and Anthropic via our backend. They are not surfaced to a moderation team. The audit log captures metadata (agent, token counts, latency) only, not the dispatch body.

  3. 03

    Vendor minimisation

    Three vendors only: Supabase (Canadian region, hosting), Anthropic (Zero Data Retention dispatch agreement), Stripe (payments). No analytics SDK, no session-replay tool, no marketing tag manager loaded on authenticated pages.

  4. 04

    Background-checked operators

    Anyone with production access has signed a confidentiality agreement and is named on the trust page on request. We are a small team and we mean small: faces over a faceless platform.

Roadmap

What we have not yet earned, and when we plan to.

  1. 01

    SOC 2 Type I

    Scoping engagement underway with a Canadian auditor. Targeting completion in the second half of 2026. We will publish the report attestation on this page when issued.

  2. 02

    Third-party penetration test

    Annual external pen test of the web surface and Supabase row-level policies. The 2026 test is scheduled for Q3. Executive summary will be linked from this page once delivered.

  3. 03

    Sub-processor disclosure log

    When we add or change a sub-processor we will post a dated entry on this page and email every active subscriber thirty days before the change takes effect.

Compliance, at a glance

What we comply with, what we are working toward, and what genuinely does not apply.

FrameworkAppliesStatus
PIPEDA (federal)YesCompliant. Consent at signup, audit log, breach notification.
Quebec Law 25YesPrivacy Officer appointed. PIA documented for cross-border AI dispatch.
Alberta PIPA, BC PIPAYesSubstantially similar to PIPEDA; same controls satisfy.
PCI-DSS (SAQ-A)YesStripe-tokenised. We never see card numbers.
SOC 2 Type IOn roadmapScoping engagement underway. Targeting H2 2026.
OSC, CIRO registrationNot applicableNot applicable. We are educational, not registered to give advice.
FINTRAC (MSB)Not applicableNot applicable. We do not move money or convert currency.
OSFINot applicableNot applicable. We are not a regulated financial institution.

Not registered, by design

What we are not, and why that is the point.

We are not a CIRO investment dealer, not an OSC-registered adviser, not a FINTRAC money services business, not an OSFI-regulated financial institution. We do not move your money, we do not custody your assets, we do not recommend specific securities by ticker.

That is the design. The registered surface exists for firms that handle other people's money. We handle education. The disclaimer is the product boundary, not a hedge.

Sources: OSC delegation to CIRO, April 2025 · FINTRAC MSB scoping · OSFI mandate.

Disclosure

If we find a breach, we will tell you within 72 hours.

PIPEDA requires notification of any breach that poses a “real risk of significant harm.” We commit publicly to a 72-hour ceiling from confirmation, regardless of risk threshold, by email to every affected member and a notice on this page.