Privacy Policy
1. About this policy
This policy describes how Credit GPS Inc., an Ontario corporation, collects, uses, shares, and protects personal information when you use our website at creditgps.ca, our waitlist signup, and the Credit GPS mobile and web application (together, the "Service").
This policy applies to individuals in Canada outside Quebec. Quebec residents: please see Section 11.
This policy does not cover third-party sites or services we may link to. Their privacy practices are governed by their own policies.
Effective: May 1, 2026.
2. Information we collect
We collect the categories below. We collect only what we need to deliver the Service.
| Category | Specific fields | Source |
|---|---|---|
| Account identifiers | Email address, hashed password, full name, postal code | Provided by you at signup |
| Financial-account data | Card name, last four digits, statement balance, credit limit, statement close date, next payment due date, minimum payment amount, overdue flag | Plaid Inc., after you authorize the link to your financial institution |
| Subscription data | Subscription state, billing email, plan tier, payment status; cardholder data is handled by Stripe and never touches our servers | Stripe Inc., after you start a paid subscription |
| Usage data | App interactions, recommendation history, feature usage, support requests | Generated as you use Credit GPS |
| Security metadata | IP address at sign-in, user-agent string, sign-in timestamps, audit logs of access to your data | Generated automatically for security and fraud prevention |
3. Why we collect it
We collect personal information for the following identified purposes (per PIPEDA Principle 2):
- Deliver the Service — compute your next-move recommendation and show your account information to you.
- Bill the subscription — process payments through Stripe and manage your plan.
- Communicate about the Service — send transactional messages such as receipts, security alerts, and material policy changes.
- Security and fraud prevention — detect unauthorized access and protect your account.
- Improve the recommendation engine — analyze de-identified or aggregated usage data. We do not use the content of your linked accounts to train external models.
- Comply with law — respond to lawful requests, defend our rights, and meet record-keeping obligations under applicable Canadian and provincial law.
We will not use your information for any new purpose without obtaining your consent first, unless required or permitted by law.
4. How we obtain and manage consent
Your consent is the basis on which we collect and use your personal information.
- Implied consent applies to information we collect to deliver the Service after you sign up.
- Express consent is required, and obtained separately, before we link a financial account through Plaid.
- Express opt-in consent is required for any marketing email, in compliance with Canada's Anti-Spam Legislation. Every marketing message includes an unsubscribe link.
You may withdraw consent at any time by emailing privacy@creditgps.ca. Withdrawing consent for core data collection means we can no longer deliver the Service to you, and we will close your account.
5. Sub-processors and how we share your data
We share personal information only with the sub-processors below, and only to the extent each one needs to perform their function.
| Sub-processor | Purpose | Data they receive | Region |
|---|---|---|---|
| Plaid Inc. | Connect to your financial institution and retrieve credit-account data | Account names, balances, limits, statement and due dates, minimum payments | United States |
| Stripe Inc. | Process subscription payments | Cardholder data (PCI DSS Level 1, kept on Stripe), billing email, plan tier, payment outcome | United States |
| Google Cloud Platform | Run our application servers, store encrypted application data, manage secrets, log access | All Credit GPS application data, encrypted in transit and at rest | United States (us-central1) |
| Supabase Inc. | Managed application database | Account identifiers, usage data, recommendation history | United States |
| Google Workspace | Email and document tools used by Credit GPS staff | Email correspondence, support tickets, documents you send to us | United States |
Plaid's end-user privacy policy is available at https://plaid.com/legal/. Stripe's privacy policy is available at https://stripe.com/privacy. You will see Plaid's consent screen the first time you link a financial account.
We do not sell or rent your personal information. We do not share your personal information with advertisers.
We may disclose personal information without your consent only when required or permitted by law — for example, to comply with a court order, lawful subpoena, or investigation by Canadian privacy or law-enforcement authorities.
6. International data transfers
Most of our sub-processors are based in the United States. Your personal information is therefore stored and processed in the United States while it is in their custody, and is subject to United States law, including lawful access by United States government authorities. We rely on contractual safeguards (data-processing agreements with each sub-processor) and the technical safeguards described in Section 7 to protect this information.
By using the Service, you understand and acknowledge that your information will be transferred outside Canada for the purposes described in this policy.
7. How we secure your information
We protect your personal information using safeguards that match the sensitivity of the data. These safeguards are documented in our internal Information Security Policy and include:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
- Multi-factor authentication on every Credit GPS staff account.
- Identity-Aware Proxy fronting our internal tools.
- Secrets, including Plaid access tokens, stored in Google Cloud Secret Manager and never sent to your browser or written to durable storage outside that vault.
- Quarterly access reviews and immediate revocation on role change.
- Audit logging across our production systems.
No system is perfectly secure. If we ever experience a security incident affecting your personal information, we will follow the incident-response timeline in our Information Security Policy and the breach-notification rules in Section 9 of this policy.
8. How long we keep your information
We keep personal information only as long as we need it for the purposes in Section 3, or as required by law. The defaults are:
- Active accounts: kept while your subscription is active, plus 90 days after cancellation for billing-dispute resolution.
- Linked financial-account data: deleted within 7 days of you unlinking the institution or closing your account.
- Recommendation history: deleted within 30 days of account closure.
- Security and audit logs: retained for 90 days.
- Tax and accounting records (CRA requirement): retained for 7 years, with customer-identifying fields redacted where the law allows.
9. Breach notification
If we determine that a breach of security safeguards involving your personal information creates a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA. The notification will describe the nature of the breach, the personal information involved, and the steps you can take to reduce risk.
10. Your rights
Under PIPEDA, you have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Withdraw consent (subject to legal or contractual restrictions and reasonable notice).
- Request deletion of your personal information, subject to our retention obligations under Section 8.
- Receive a copy of your personal information in a portable format.
- File a complaint with the Office of the Privacy Commissioner of Canada if you are not satisfied with our response.
To exercise any of these rights, email privacy@creditgps.ca. We will respond within 30 days of receiving a complete request. If we cannot meet your request, we will explain why and tell you how to escalate.
11. Quebec residents
Credit GPS is not yet generally available in Quebec. The Service has not been adapted for Quebec's Act respecting the protection of personal information in the private sector (Law 25) and Bill 96. If you are a Quebec resident and want to be notified when the Service launches in Quebec, please email privacy@creditgps.ca. A Quebec-specific addendum to this policy will be published before launch.
12. Children
The Service is intended for adults. You must be at least 18 years of age, or the age of majority in your province of residence, to use the Service. We do not knowingly collect personal information from individuals under that age. If we learn we have collected such information, we will delete it.
13. Cookies and analytics
The Service uses:
- Session cookies that are necessary for sign-in and form submission.
- Google Analytics 4 (Measurement ID G-8W9WXJLD8G) to understand how visitors use the Service. This sends pseudonymous usage data (page views, geographic region at country/region level, browser and device class, referral source) to Google. We do not enable Google Signals or any cross-site / advertising-personalization features. Google's privacy practices are at https://policies.google.com/privacy.
- Meta Pixel (Pixel ID 2695427194184357) to measure the effectiveness of any advertising we run on Facebook or Instagram. The Pixel sends a PageView event when you load a public page and a Lead event when you submit the waitlist form, the coaching intake form, or the founding-partner application. Meta's privacy practices are at https://www.facebook.com/privacy/policy.
If you prefer not to be tracked by the analytics or pixel, you can: (a) use your browser's built-in tracking protection (Firefox, Safari, Brave have this on by default); (b) install a content blocker such as uBlock Origin or the EFF's Privacy Badger; or (c) decline non-essential cookies via a cookie consent banner — we are adding one before broader marketing rollout. Until that banner is live, you can email privacy@creditgps.ca to request that we delete any analytics records associated with your visit.
14. Changes to this policy
We may update this policy as our practices evolve or as the law changes. For material changes, we will give you at least 30 days' notice by email and a banner on the Service before the changes take effect. The "Effective" date at the top of this policy reflects the latest revision. Continued use of the Service after the effective date of a change constitutes your acceptance of the updated policy.
15. Contact us
- Privacy contact: privacy@creditgps.ca
- Mailing address: Credit GPS Inc., Office 731, 145 1/2 Church Street, Unit 5, Toronto, Ontario, M5B 1Y4, Canada
- Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/ (1-800-282-1376)
If you contact us about a privacy matter, please put "Privacy" in the subject line so we can route your message correctly.