1. Overview
Kountr (“Kountr,” “we,” “us”) provides accounting software for Canadian small businesses, freelancers, and bookkeepers. This policy explains what personal and financial information we collect when you use kountrfi.ca and the Kountr application (together, the “Service”), how we use it, who we share it with, and the choices you have. It is written under the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Law 25, applicable provincial privacy laws, the EU/UK GDPR where it applies, and the California Consumer Privacy Act (CCPA/CPRA) for residents of California.
We do not sell your personal information. We do not use your bank-transaction data, receipts, or any financial records to train third-party or general-purpose AI models. See section 5 (AI processing of your data) for the details.
2. What we collect
2.1 Information you give us
- Account data — name, business name, email, password (hashed), phone, country/province.
- Billing data — billing address, last four digits of payment card, plan, invoices. Full card numbers are handled by our payment processor (Stripe) and never reach our servers.
- Tax & business identifiers — HST/GST number, business number, fiscal year end — used to file and produce reports correctly.
- Content you upload — receipts, invoices, bills, attachments, notes, vendor and customer records, journal entries.
- Support correspondence — messages you send our team, in-app feedback, and any files you attach.
2.2 Information from your linked accounts
- Bank and credit-card data via Plaid — when you connect a financial institution, we receive transactions, balances, account and routing numbers (for accounts you authorize), account holder name, and statement metadata. See section 4.
- Accounting integrations — if you connect Shopify, Stripe payouts, Square, Wise, Wave, or QuickBooks (for migration), we receive the records you authorize via that provider’s OAuth scopes.
2.3 Information we collect automatically
- Device & log data — IP address, user-agent, OS, browser, approximate location (city-level from IP), timestamps, pages viewed, feature usage, crash logs.
- Cookies and similar — strictly-necessary cookies for sign-in and CSRF protection, and product-analytics cookies (first-party). We do not use cross-site advertising cookies.
3. How we use it
We use the information above to:
- Provide the Service — sync transactions, categorize, generate HST/GST/PST reports, prepare year-end packages, and produce financial statements.
- Authenticate you, prevent fraud, and keep accounts secure.
- Bill you, collect payment, and send service notices.
- Respond to support requests.
- Improve the Service — measure feature usage, fix bugs, and (with the limits in section 5) improve our own AI categorization quality.
- Comply with legal obligations — tax record-keeping, anti-money-laundering checks where required, valid legal requests.
Our legal bases under GDPR (where it applies) are: performance of a contract (delivering the Service you signed up for), legitimate interests (securing the Service, preventing abuse, improving the product), legal obligation (tax, accounting, AML), and consent (for optional features such as marketing email, which you can withdraw at any time).
4. Bank connections via Plaid
When you link a bank account, you log in through Plaid Inc., not Kountr. Plaid passes your credentials directly to your bank. Kountr never sees, stores, or has access to your online-banking username or password.
4.1 What Plaid gives us
Through the Plaid Link flow, you authorize Plaid to share with Kountr the data needed to run the Service. Depending on the products enabled, this includes:
- Transaction history (description, amount, date, merchant, category hints, pending status).
- Account balances, type (chequing, savings, credit card), currency, and masked account number.
- Account and routing/transit numbers, where you have enabled features (e.g. payouts) that require them.
- Account-holder name and institution name.
4.2 What Kountr does with Plaid data
- Display your transactions and balances inside Kountr.
- Auto-categorize transactions, match receipts, and reconcile against your books.
- Generate reports (P&L, balance sheet, HST/GST, mileage logs) you ask us to generate.
- Detect duplicates and suggest journal entries.
We retrieve Plaid data only for institutions you connect, and only for as long as your connection is active. You can disconnect a bank at any time in Settings → Connections; when you do, we stop fetching new data and you can choose whether to keep or delete the history we already imported.
4.3 Plaid’s own role
Plaid is an independent data-access provider and processes data under its own privacy policy at plaid.com/legal (Canada: End User Privacy Policy). Kountr is a “data recipient” of Plaid; Plaid is your data-access intermediary. You can review and revoke Plaid connections any time at my.plaid.com.
5. AI processing of your data
Kountr uses artificial intelligence to read receipts, categorize transactions, answer questions in our chat assistant, and draft journal entries. Some of that processing involves third-party AI providers. Your data may briefly leave Kountr’s systems to be processed by these providers. The rules below apply to all of it.
5.1 What we use AI for
- Transaction categorization — assigning a category to a Plaid transaction.
- Receipt & document OCR — extracting line-items, totals, tax, and vendor from images and PDFs.
- In-app assistant — answering questions like “what did I spend on fuel last quarter?”
- Anomaly detection — flagging likely duplicates, missing GST, or unusual amounts.
- Drafting — suggested journal entries, invoice descriptions, year-end notes (always reviewed by you before posting).
5.2 What data the AI sees
Depending on the feature, the inputs sent for AI processing can include: transaction descriptions and amounts, the text and images of receipts or invoices you upload, your chart of accounts, vendor and customer names, and your question or instruction. We do not send your password, banking credentials, full credit-card numbers, SIN/SSN, or government-issued IDs to AI providers.
5.3 Our rules for AI providers
We only use AI sub-processors whose terms meet all of the following, and we list each one in section 6:
- No training on your data. Inputs and outputs from Kountr are not used by the provider to train, fine-tune, or improve their foundation models.
- Zero-retention or short-retention mode. Where the provider offers it, we use zero-data-retention (the request is processed and immediately discarded). Where a short retention window is required for abuse monitoring (typically up to 30 days), we use the shortest available setting and require encryption at rest.
- Data processing agreement (DPA) in place, with confidentiality, security, and sub-processor controls.
- Regional processing where possible. We prefer Canadian or US regions and disclose where processing occurs.
5.4 No model training on your books
We do not use your financial records, receipts, bank transactions, customer/vendor data, or chat assistant conversations to train general-purpose AI models. We may use aggregated and de-identified signals (e.g. “a category suggestion was accepted vs. corrected”) to improve our own categorization rules; these signals do not contain your transaction descriptions, amounts, names, or identifiers.
5.5 Human oversight & your control
- AI suggestions never post to your books on their own — you approve them.
- You can turn off the AI assistant for your workspace in Settings → AI. Turning it off disables the chat assistant and the AI-drafted explanations; rule-based categorization continues to work.
- You can ask for any AI-generated content tied to your workspace to be deleted (see section 10).
- Significant decisions (e.g. filings, payments) are never made by AI without your explicit confirmation. The Service does not engage in solely automated decision-making with legal or similarly significant effects under GDPR Art. 22.
6. Sub-processors
We use the following categories of sub-processors. The current list with regions and contractual terms is published at /legal/subprocessors (or available on request).
- Cloud hosting & storage — Amazon Web Services (Canada Central region).
- Bank data access — Plaid Inc.
- Payments — Stripe.
- Email delivery — Postmark / Resend.
- Error monitoring & logging — Sentry.
- Product analytics — PostHog (self-hosted or EU/US, opt-out available).
- AI processing — Anthropic (Claude) and OpenAI, under zero-/short-retention, no-training enterprise terms. Used for OCR, categorization, and the in-app assistant as described in section 5.
7. Sharing & disclosure
We share personal information only as described below:
- With sub-processors acting on our instructions under written agreements.
- With your bookkeeper, CPA, or teammates — only people you explicitly invite to your workspace, and only at the role you assign.
- With authorities, when legally required — for valid Canadian (or comparable foreign) legal processes. We narrowly interpret requests, push back on overbroad ones, and notify you unless legally prohibited.
- In a corporate transaction — if Kountr is acquired or merges, your data may transfer to the successor, subject to this policy.
We do not sell personal information and we do not “share” it for cross-context behavioural advertising as defined under the CCPA.
8. Retention & deletion
- Active accounts — kept while your account is active.
- Cancelled accounts — bookkeeping records are kept for up to seven (7) years after cancellation to meet CRA and provincial record-keeping rules. You can export everything at any time.
- Plaid raw payloads — kept only as long as needed to reconcile your books; rotated regularly.
- AI request/response logs — kept for up to 30 days for abuse/quality monitoring, then deleted, unless you’ve opted out of AI features.
- Backups — encrypted backups age out within 35 days.
To delete your account, write to info@kountrfi.ca or use Settings → Account → Delete. We honour deletion requests within 30 days, subject to the record-keeping window above.
9. Security
We protect your data with TLS 1.2+ in transit, AES-256 at rest, hardware-backed keys for sensitive secrets, mandatory MFA for staff with production access, least-privilege role controls, audit logging, and continuous vulnerability scanning. We test our own systems and engage external security reviews. For a deeper write-up, see our Security page.
10. Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated data (subject to legal retention).
- Port your data — export to CSV, OFX, or JSON.
- Object to or restrict certain processing (GDPR/UK GDPR).
- Withdraw consent for marketing email and optional features.
- Lodge a complaint with the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information (Quebec), your provincial regulator, or the ICO/CNIL/DPA where applicable.
- For California residents: the rights under the CCPA/CPRA, including non-discrimination for exercising them.
To exercise any of these, email info@kountrfi.ca. We may verify your identity before acting on the request.
11. Children
The Service is for businesses and is not directed at children under 16. We don’t knowingly collect data from children.
12. Changes
If we make material changes, we’ll notify you by email and in-app at least 14 days before they take effect. Older versions are archived and available on request.
13. Contact
Kountr
Privacy Officer — info@kountrfi.ca
Canada
