Privacy policy
Your privacy, in plain English.
Last updated May 25, 2026. This is a legal document, but we wrote it for humans first. If anything is unclear, email our Privacy Officer at privacy@truepathfinance.ca.
Plain-English summary
The whole policy in eight lines.
The full policy below is the legally binding version. This summary is here to make it easy to understand the spirit of it.
Your data stays in Canada.
We never connect to your bank, ever.
We do not sell your data. Subscriptions are our only revenue.
We collect only what is needed to build a plan.
Encrypted at rest (AES-256) and in transit (TLS 1.3).
PIPEDA compliant. Quebec Law 25, BC PIPA, and Alberta PIPA respected.
You can access, correct, export or delete your data any time.
Cancel and delete with one click. No retention games.
1. Who we are
TruePath Finance ("TruePath", "we", "us") is a Canadian company that provides retirement and tax planning software at truepathfinance.ca and at app.truepathfinance.ca. We are the controller of the personal information you provide to us through the marketing website and the app.
For privacy questions, our Privacy Officer can be reached at privacy@truepathfinance.ca.
2. What we collect
We try to collect as little information as possible while still providing a useful service. The categories below cover everything we collect.
Account information
- Your name and email address
- A securely hashed copy of your password (we never store the password itself)
- Your subscription and billing status
Financial planning information you provide
- Account balances you enter (RRSP, TFSA, pensions, real estate, debts)
- CPP and OAS estimates you enter
- Goals, target retirement age, and household details (spouse, children if relevant)
- Scenarios you create and decisions you save in your plan
Voice and chat content
- Audio you choose to record using the microphone, transcribed in your browser or by our speech provider
- Messages you send to Ask TruePath and the responses we generate
Technical information
- Browser type, device type, operating system and IP address (for security and basic analytics)
- Pages visited and approximate time spent (privacy-respecting analytics, not personal tracking)
- Error logs that may include the URL of the page where the error occurred
What we do not collect: your bank credentials, your SIN, your full credit-card number (Stripe handles that and we never see it), your location beyond country level, and any data from outside our app.
3. Why we collect it
We only use your information for purposes you would reasonably expect when using a retirement planning app. Specifically:
- To build, save and update your retirement plan
- To answer your questions through Ask TruePath
- To process your subscription and send transactional emails (welcome, billing, password reset, trial reminder)
- To keep your account secure (logins, fraud prevention)
- To improve the app, in aggregated and de-identified form only
- To meet legal and regulatory obligations
We do not use your information for advertising, profile sales, or any purpose unrelated to giving you a working retirement plan.
4. Your consent
Under PIPEDA, we collect, use and disclose your personal information with your consent.
- Express consent when you create an account, agree to our terms, and provide financial planning information.
- Implied consent for routine purposes that fit the context, such as sending you a billing receipt for a charge you authorised.
You can withdraw consent at any time, subject to legal and contractual restrictions. Withdrawing consent for the core service generally means closing your account, which we make easy to do.
5. Data residency
Your personal information is stored in Canada, in Canadian-hosted databases, governed by Canadian privacy law. Your information does not cross the border for storage.
A small number of service providers we rely on (listed in the next section) may process limited information outside Canada in transit, for example to deliver an email or process a payment. Where this occurs, we use providers that are subject to comparable privacy standards and contractually bound to protect your information.
6. Service providers
We work with a small number of trusted service providers to operate TruePath. We share only the minimum information they need.
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database hosting (Canadian region) | Account info, plan data |
| Stripe | Subscription billing | Email, card details (we never see card numbers) |
| Resend | Transactional email | Email address, message contents |
| Anthropic / OpenAI | Ask TruePath AI responses (no model training on your data) | Your chat messages and relevant plan context |
| ElevenLabs | Voice read-aloud (when you enable it) | Text to be read aloud |
| Plausible | Privacy-respecting marketing analytics | Aggregated, no personal data |
| PostHog | In-app product analytics | Usage events tied to account |
| Sentry | Error monitoring | Error context, may include URL |
We never sell, rent, lease or trade your information. We do not share your information with advertisers, data brokers or unauthorised third parties.
7. How we protect it
- All stored personal information is encrypted at rest using AES-256
- All connections to TruePath use TLS 1.3 (encrypted in transit)
- Passwords are hashed with bcrypt and never stored in plain text
- Two-factor authentication is available; enabling it adds a strong extra layer of protection
- Access to production systems is restricted, logged, and reviewed
- We follow modern secure-coding practices and update dependencies regularly
No system is perfectly secure, but we treat your retirement information with the care it deserves. If we ever experience a breach affecting your information, we will notify you and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA.
8. How long we keep it
We keep your information only as long as we need it for the purposes above, or as required by law.
- Active accounts: for as long as you keep your account open
- Closed accounts: personal information is permanently deleted within 30 days, except as required by law (for example, billing records held for the period required by Canadian tax law)
- Backups: rolling encrypted backups are retained for up to 30 days, then deleted
- Anonymized analytics: aggregated, non-identifying usage data may be kept indefinitely
9. Your rights
Under Canadian privacy law, you have the right to:
- Access the personal information we hold about you
- Correct any inaccuracies in your information
- Delete your account and information at any time
- Export your plan as a PDF, including after cancellation
- Withdraw consent for any optional processing
- Complain to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca
To exercise any of these rights, email privacy@truepathfinance.ca. We respond to all verified requests within 30 days, usually much faster.
10. Lawful access requests
We follow Canadian law. If we receive a request for user information from law enforcement, a regulator or a court, we require a valid legal basis (a warrant, court order or production order under Canadian law) and challenge requests we believe are overbroad or improper.
To the extent we are legally permitted, we will notify the affected user before disclosing any information, so they have an opportunity to seek their own legal advice.
We do not provide bulk or warrantless access to user data, and we have never received a request that would require us to do so. If this ever changes, we will note it in this policy.
11. Ask TruePath and AI
Ask TruePath uses an AI model to give you personalised, plain-English answers about your retirement plan. We want to be specific about how this works.
- Your messages and the relevant parts of your plan are sent to a third-party AI provider over a secure connection so the assistant can answer with context.
- We choose AI providers that contractually agree not to train their models on your data, and not to retain your messages beyond what is needed to deliver the response.
- We do not use your data to train any TruePath model.
- Voice transcription, when you use it, may be processed by a speech-to-text provider over a secure connection. The audio is not stored after transcription.
Ask TruePath is general educational information, not personalised financial advice. For advice specific to your situation, talk to a licensed financial planner (a fee-only one is often a good fit).
13. Children
TruePath is intended for adults planning their own retirement. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact our Privacy Officer and we will delete it.
14. Provincial law
In addition to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the following provincial laws may apply, depending on where you live:
- Quebec residents: An Act respecting the protection of personal information in the private sector, as amended by Law 25. You have additional rights, including the right to data portability and the right to be informed of automated decision making.
- British Columbia residents: Personal Information Protection Act (BC PIPA).
- Alberta residents: Personal Information Protection Act (Alberta PIPA).
We comply with all of the above. To exercise rights specific to your province, contact our Privacy Officer.
15. Changes to this policy
We may update this policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Email you at the address on your account before the change takes effect
- Give you a reasonable opportunity to review the change before it applies
A history of changes is available on request. Continued use of TruePath after a change indicates your acceptance of the updated policy.
16. Contact our Privacy Officer
Privacy Officer, TruePath Finance
privacy@truepathfinance.ca
Built for Canadians, with Canadian privacy at the core.
No bank linking. Canadian-stored data. PIPEDA compliant. Cancel and delete any time.