Privacy Policy
Last updated: March 25, 2026
Huru Inc, an Ontario corporation operating as WeeKeeper ("Huru Inc", "WeeKeeper", "we", "our", "us"), is committed to protecting your privacy and the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the WeeKeeper mobile application and related services (the "Service"). By using our Service, you consent to the practices described in this policy.
1. Information We Collect
We collect the following types of information to provide and improve our Service. We limit our collection to information that is necessary for the purposes identified below, in accordance with PIPEDA's limiting collection principle.
Account Information
- Name and email address
- Business name and type (sole proprietor, corporation, etc.)
- Province or territory of operation
- Preferred language (English or French)
Financial Data
- Bank transaction data imported via authorized banking providers (e.g., Plaid)
- Transaction descriptions, amounts, dates, and merchant names
- Account balances and account identifiers
- Categories assigned to transactions (by you, your accountant, or our AI)
Invoice and Client Data
- Invoice details you create (line items, amounts, due dates)
- Client names and email addresses (for invoice delivery)
- Payment status and payment history
Receipt Images
- Photos of receipts you upload for scanning and matching
- Extracted text from receipt images (via OCR processing)
Device Information
- Device type, operating system, and version
- Push notification tokens (for sending you notifications)
- App version and crash reports
Biometric Data
If you enable biometric authentication (fingerprint or face recognition) in the WeeKeeper mobile app, biometric data is processed entirely on your device using your operating system's built-in authentication framework (Touch ID, Face ID, or Android Biometric). WeeKeeper never receives, transmits, or stores your biometric data. We only receive a success/failure signal from your device's biometric system.
Cookies and Analytics
Our website uses essential cookies required for the site to function (e.g., language preference). We may use analytics tools (such as Google Analytics) to understand how visitors use our website in aggregate. Analytics data is collected anonymously and does not include personally identifiable information. You can opt out of analytics tracking by adjusting your browser settings or using the cookie consent banner on our website.
2. How We Use Your Information
We identify the purposes for collecting your information before or at the time of collection. We use the information we collect for the following purposes:
- Accounting and bookkeeping services: Importing transactions, categorizing expenses, generating financial reports (P&L, balance sheet, cash position), and tracking invoices.
- AI-powered transaction categorization: Using artificial intelligence to automatically categorize your transactions. Transaction descriptions (without personal identifying information) may be processed by our AI providers.
- Invoice generation and payment processing: Creating, sending, and tracking invoices on your behalf. Processing payments through our payment provider (Stripe).
- Tax estimation: Calculating estimated GST/HST obligations based on your province and transaction data.
- Service improvement: Analyzing usage patterns (in aggregate) to improve our features, fix bugs, and develop new functionality.
- Communication: Sending you service-related notifications, updates, and responses to your inquiries.
3. How We Share Your Information
We do not sell your personal information. We share your data only in the following limited circumstances:
Banking Providers
We use authorized banking data providers (such as Plaid) to securely connect to your bank accounts. This connection is established only with your explicit consent. These providers access your bank data to import transactions into WeeKeeper. We do not store your banking login credentials — only secure provider tokens.
Payment Processor
We use Stripe to process invoice payments. When your clients pay an invoice, Stripe handles the payment transaction. WeeKeeper does not store credit card numbers or payment card details.
Your Accountant
You may choose to share read-only access to your books with your accountant. This sharing is initiated by you and can be revoked at any time. Your accountant can view your transactions, reports, and tax estimates but cannot modify your data.
AI Service Providers
For AI-powered transaction categorization, we send transaction descriptions to our AI provider (OpenAI). We do not send personally identifiable information (PII) such as your name, email, or account numbers. Only transaction descriptions and amounts are shared for categorization purposes.
Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Cross-Border Data Transfers
Your primary data is stored in Canada. However, some of our subprocessors operate in the United States, including OpenAI (AI categorization) and Plaid (banking data aggregation). When data is transferred to the US for processing, it may be subject to US law, including the CLOUD Act. We protect cross-border transfers through: contractual data processing agreements with each subprocessor, encryption of data in transit and at rest, and limiting the data shared to the minimum necessary for each service. We do not transfer your complete financial records outside of Canada — only specific data elements required by each subprocessor (e.g., transaction descriptions for AI categorization).
4. Data Storage and Security
We take the security of your data seriously and implement the following measures:
- Encryption at rest: All data stored in our databases is encrypted using AES-256 encryption.
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- No credential storage: We never store your banking login credentials. We use secure provider tokens issued by your banking data provider.
- Data residency: Your data is stored on servers located in Canada (PostgreSQL on DigitalOcean Kubernetes, Toronto, Canada).
- Access controls: Access to your data within our organization is restricted to authorized personnel on a need-to-know basis.
- Compliance target: We are working toward SOC 2 Type II compliance (post-launch).
- Employee training: All personnel with access to personal information receive privacy and security training.
- Regular audits: We conduct regular security assessments and vulnerability testing of our systems.
5. Your Rights Under PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights regarding your personal information:
- Access: You have the right to request access to the personal information we hold about you. We will respond to your request within 30 days.
- Correction: You have the right to request correction of any inaccurate or incomplete personal information we hold about you.
- Deletion: You have the right to request deletion of your account and associated data. Upon deletion, your data will be purged within 30 days, except where retention is required by law.
- Data export: You can export your data at any time, on any plan, for free. We believe your data belongs to you and will never hold it hostage behind a paywall.
- Withdraw consent: You can withdraw consent for banking data access at any time by disconnecting your bank account in the app. This will stop new transaction imports but will not delete previously imported data unless you also request deletion.
- Challenge compliance: You have the right to challenge our compliance with these privacy principles. To do so, contact our Privacy Officer, who will investigate and respond within 30 days.
5.5 Additional Rights for Quebec Residents
If you are a resident of Quebec, you have additional rights under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25):
- Privacy by default: Your privacy settings are configured to the most private option by default. Features that share data with third parties (bank connections, AI categorization, accountant access) require your explicit, opt-in consent.
- Data portability: You have the right to receive your personal information in a commonly used technological format (CSV, JSON). This is available free of charge on all plans via Settings > Export Data.
- De-indexing: You have the right to request that we cease disseminating your personal information if it was collected when you were a minor or if dissemination contravenes the law or a court order.
- Automated decision-making: If any automated decision (including AI categorization) is made about you, you have the right to be informed of the use of such technology and to request that the decision be reviewed by a person.
- Privacy impact assessments: We conduct privacy impact assessments before implementing new projects or systems that involve the collection, use, or disclosure of personal information.
6. Data Retention
- Active accounts: Your data is retained for as long as your account is active, plus 6 years after account closure to comply with CRA record-keeping requirements.
- Deleted accounts: When you delete your account, your personal data is purged within 30 days. Financial records may be retained in anonymized form for the legally required retention period.
- Receipt images: Receipt images are stored for the duration of your account activity and are subject to the same retention and deletion policies as other account data.
7. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal information, please contact our Privacy Officer:
Privacy Officer
Huru Inc (operating as WeeKeeper)
3280 Bloor Street West, Suite 1140, Centre Tower
Toronto, ON Canada M8X 2X3
Email: privacy@weekeeper.com
Huru Inc is accountable for all personal information under its control, including information transferred to third-party subprocessors. Our Privacy Officer is responsible for overseeing compliance with this policy and applicable privacy legislation.
If you wish to make a complaint, please contact our Privacy Officer first. We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. Quebec residents may also file a complaint with the Commission d'accès à l'information du Québec.
7.5 Canadian Anti-Spam Legislation (CASL)
We comply with Canada's Anti-Spam Legislation (CASL). We only send commercial electronic messages (such as product updates, new feature announcements, or promotional content) to users who have provided express consent. Service-related messages (such as password resets, billing notifications, security alerts, and transaction confirmations) are sent as part of our contractual relationship with you and do not require separate CASL consent.
Every commercial message we send includes: our identity and contact information, a clear and functional unsubscribe mechanism, and our physical mailing address. You may unsubscribe from commercial messages at any time, and we will process your request within 10 business days as required by CASL. Unsubscribing from commercial messages does not affect service-related communications.
8. Data Breach Notification
In the event of a data breach that creates a real risk of significant harm to you, WeeKeeper will:
- Notify affected users as soon as feasible after determining that a breach has occurred
- Report to the Office of the Privacy Commissioner of Canada as required by PIPEDA (section 10.1) and, where applicable, to the Commission d'accès à l'information du Québec
- Provide details of the breach, including what information was affected and the steps taken to mitigate harm
- Offer guidance on how to protect yourself
9. Subprocessors
We use the following third-party service providers (subprocessors) to operate the Service:
- Plaid — banking data aggregation (US/Canada)
- Stripe — payment processing (PCI DSS compliant)
- OpenAI — AI-powered transaction categorization (transaction descriptions only, no PII)
- DigitalOcean — cloud infrastructure (Toronto, Canada region)
Each subprocessor processes data only as necessary to provide its service to us. We maintain data processing agreements with each subprocessor. An up-to-date list is available upon request by emailing privacy@weekeeper.com.
10. Children's Privacy
WeeKeeper is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a child, we will delete it immediately.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy in the app and on our website, and by updating the "Effective date" at the top of this page. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.