The Posture · Security & privacy
What we will, and will not, do with your household data.
The covenant
Six commitments we hold ourselves to.
- 01
No bank-login scraping
No third-party bank-aggregation APIs. No read-write integration into your accounts. You upload statements you already receive (CSV, PDF, screenshot); the parser runs in the browser when the layout allows and on a server worker only when it must.
- 02
Row-level security on every read
Every user-scoped table has RLS enabled with policies scoped to auth.uid() = user_id. API routes apply defense-in-depth with explicit .eq() filters on top of RLS, so a misconfigured policy cannot leak another household's data.
- 03
Canadian residency, by design
Supabase Canadian region. Postgres, Auth and Storage all colocated. We do not ship data outside the Canadian boundary for hosting, backups or analytics.
- 04
Encryption end-to-end
TLS 1.3 in transit. AES-256 at rest. Database backups encrypted with managed keys. API keys and the Anthropic dispatch credential are encrypted environment variables, never committed to the repo.
- 05
Educational guidance only
We are not a registered investment dealer, IIROC member, or licensed CFP. AI dispatches are planning models, not advice to buy or sell a security. We will not recommend specific products by ticker; we will explain the categories and trade-offs.
- 06
Data export + delete on request
Member dashboard offers a one-click export of every row tied to your account (JSON + CSV). Account deletion permanently removes those rows; deleted data is gone from primary storage and rotated out of encrypted backups on the next cycle.
Compliance
The Canadian regulatory frame we operate inside.
- 01
PIPEDA-aligned
Federal Personal Information Protection and Electronic Documents Act. Consent at signup, purpose limitation, retention policies documented in /privacy.
- 02
No data resale
We have no advertising surface, no third-party tracker resale, no "anonymised aggregate" data product. The business model is paid subscription only.
- 03
AI dispatch audit log
Every AI dispatch (Anthropic Claude call) writes an audit row: which agent, character counts in + out, tool calls, linter flags. You can review your own log in /dashboard/settings.
- 04
Consent-gated tools
Agents only see your transaction or net-worth data after you grant explicit consent. Until then they answer general questions only, no tool access.
Quebec Law 25
Quebec residents have stricter rights than federal PIPEDA grants. Here is how we honour them.
- 01
Privacy Officer appointed
Robin Raju, founder of Invest Wise Way, serves as the designated Privacy Officer under Quebec Law 25 section 8.1 and PIPEDA Schedule 1 Principle 1. Reachable at privacy@investwiseway.ca or via the intake form at /privacy-requests. Acknowledgement inside 24 hours; substantive reply inside the statutory 30-day window.
- 02
Privacy Impact Assessment on transfer
AI dispatches reach Anthropic compute outside Quebec. A PIA documents the legal basis, contractual safeguards (Zero Data Retention agreement), and risk assessment. Available on request.
- 03
Express consent per purpose
Quebec residents receive a per-purpose consent prompt at signup: account, AI dispatch, billing, and optional product analytics each consented separately. Implied consent (PIPEDA-acceptable) is not used inside Quebec.
- 04
Automated decision transparency
AI dispatches are planning models, not binding decisions, and we mark them as such. Where a dispatch influences a numbered recommendation, we surface the inputs used, the model that produced it, and the path to ask for a human review.
Internal access
Who at Invest Wise Way can read what, and under which controls.
- 01
Need-to-know access
Production database access is restricted to two named operators with audited credentials. No developer reads household data on their laptop. Support escalations require a per-incident, time-boxed grant that the member can revoke.
- 02
Zero shoulder-surfing of dispatches
AI dispatches stream directly between your browser and Anthropic via our backend. They are not surfaced to a moderation team. The audit log captures metadata (agent, token counts, latency) only, not the dispatch body.
- 03
Vendor minimisation
Three vendors only: Supabase (Canadian region, hosting), Anthropic (Zero Data Retention dispatch agreement), Stripe (payments). No analytics SDK, no session-replay tool, no marketing tag manager loaded on authenticated pages.
- 04
Background-checked operators
Anyone with production access has signed a confidentiality agreement and is named on the trust page on request. We are a small team and we mean small: faces over a faceless platform.
Roadmap
What we have not yet earned, and when we plan to.
- 01
SOC 2 Type I
Scoping engagement underway with a Canadian auditor. Targeting completion in the second half of 2026. We will publish the report attestation on this page when issued.
- 02
Third-party penetration test
Annual external pen test of the web surface and Supabase row-level policies. The 2026 test is scheduled for Q3. Executive summary will be linked from this page once delivered.
- 03
Sub-processor disclosure log
When we add or change a sub-processor we will post a dated entry on this page and email every active subscriber thirty days before the change takes effect.
Compliance, at a glance
What we comply with, what we are working toward, and what genuinely does not apply.
| Framework | Applies | Status |
|---|---|---|
| PIPEDA (federal) | Yes | Compliant. Consent at signup, audit log, breach notification. |
| Quebec Law 25 | Yes | Privacy Officer appointed. PIA documented for cross-border AI dispatch. |
| Alberta PIPA, BC PIPA | Yes | Substantially similar to PIPEDA; same controls satisfy. |
| PCI-DSS (SAQ-A) | Yes | Stripe-tokenised. We never see card numbers. |
| SOC 2 Type I | On roadmap | Scoping engagement underway. Targeting H2 2026. |
| OSC, CIRO registration | Not applicable | Not applicable. We are educational, not registered to give advice. |
| FINTRAC (MSB) | Not applicable | Not applicable. We do not move money or convert currency. |
| OSFI | Not applicable | Not applicable. We are not a regulated financial institution. |
Not registered, by design
What we are not, and why that is the point.
We are not a CIRO investment dealer, not an OSC-registered adviser, not a FINTRAC money services business, not an OSFI-regulated financial institution. We do not move your money, we do not custody your assets, we do not recommend specific securities by ticker.
That is the design. The registered surface exists for firms that handle other people's money. We handle education. The disclaimer is the product boundary, not a hedge.
Sources: OSC delegation to CIRO, April 2025 · FINTRAC MSB scoping · OSFI mandate.
Disclosure
If we find a breach, we will tell you within 72 hours.
PIPEDA requires notification of any breach that poses a “real risk of significant harm.” We commit publicly to a 72-hour ceiling from confirmation, regardless of risk threshold, by email to every affected member and a notice on this page.