← Back to home
Legal

Privacy Policy

Document title
Privacy Policy
Owner
Geoffrey Anderson, Founder & CEO
Version
1.0
Effective date
May 1, 2026
Privacy contact
privacy@creditgps.ca
Jurisdiction
Canada (excluding Quebec) — see Section 11 for the Quebec carve-out
Review cadence
Quarterly, and on every material change to data practices, sub-processors, or law
Bottom line up front. Credit GPS reads a small set of credit-account fields from your bank through Plaid so we can compute one specific payment recommendation: which card to pay, how much, and by when. We share your data only with the named sub-processors in Section 5. We do not sell your data. You can access, correct, or delete your information at any time by emailing privacy@creditgps.ca.

1. About this policy

This policy describes how Credit GPS Inc., an Ontario corporation, collects, uses, shares, and protects personal information when you use our website at creditgps.ca, our waitlist signup, and the Credit GPS mobile and web application (together, the "Service").

This policy applies to individuals in Canada outside Quebec. Quebec residents: please see Section 11.

This policy does not cover third-party sites or services we may link to. Their privacy practices are governed by their own policies.

Effective: May 1, 2026.

2. Information we collect

We collect the categories below. We collect only what we need to deliver the Service.

CategorySpecific fieldsSource
Account identifiersEmail address, hashed password, full name, postal codeProvided by you at signup
Financial-account dataCard name, last four digits, statement balance, credit limit, statement close date, next payment due date, minimum payment amount, overdue flagPlaid Inc., after you authorize the link to your financial institution
Subscription dataSubscription state, billing email, plan tier, payment status; cardholder data is handled by Stripe and never touches our serversStripe Inc., after you start a paid subscription
Usage dataApp interactions, recommendation history, feature usage, support requestsGenerated as you use Credit GPS
Security metadataIP address at sign-in, user-agent string, sign-in timestamps, audit logs of access to your dataGenerated automatically for security and fraud prevention

3. Why we collect it

We collect personal information for the following identified purposes (per PIPEDA Principle 2):

We will not use your information for any new purpose without obtaining your consent first, unless required or permitted by law.

4. How we obtain and manage consent

Your consent is the basis on which we collect and use your personal information.

You may withdraw consent at any time by emailing privacy@creditgps.ca. Withdrawing consent for core data collection means we can no longer deliver the Service to you, and we will close your account.

5. Sub-processors and how we share your data

We share personal information only with the sub-processors below, and only to the extent each one needs to perform their function.

Sub-processorPurposeData they receiveRegion
Plaid Inc.Connect to your financial institution and retrieve credit-account dataAccount names, balances, limits, statement and due dates, minimum paymentsUnited States
Stripe Inc.Process subscription paymentsCardholder data (PCI DSS Level 1, kept on Stripe), billing email, plan tier, payment outcomeUnited States
Google Cloud PlatformRun our application servers, store encrypted application data, manage secrets, log accessAll Credit GPS application data, encrypted in transit and at restUnited States (us-central1)
Supabase Inc.Managed application databaseAccount identifiers, usage data, recommendation historyUnited States
Google WorkspaceEmail and document tools used by Credit GPS staffEmail correspondence, support tickets, documents you send to usUnited States

Plaid's end-user privacy policy is available at https://plaid.com/legal/. Stripe's privacy policy is available at https://stripe.com/privacy. You will see Plaid's consent screen the first time you link a financial account.

We do not sell or rent your personal information. We do not share your personal information with advertisers.

We may disclose personal information without your consent only when required or permitted by law — for example, to comply with a court order, lawful subpoena, or investigation by Canadian privacy or law-enforcement authorities.

6. International data transfers

Most of our sub-processors are based in the United States. Your personal information is therefore stored and processed in the United States while it is in their custody, and is subject to United States law, including lawful access by United States government authorities. We rely on contractual safeguards (data-processing agreements with each sub-processor) and the technical safeguards described in Section 7 to protect this information.

By using the Service, you understand and acknowledge that your information will be transferred outside Canada for the purposes described in this policy.

7. How we secure your information

We protect your personal information using safeguards that match the sensitivity of the data. These safeguards are documented in our internal Information Security Policy and include:

No system is perfectly secure. If we ever experience a security incident affecting your personal information, we will follow the incident-response timeline in our Information Security Policy and the breach-notification rules in Section 9 of this policy.

8. How long we keep your information

We keep personal information only as long as we need it for the purposes in Section 3, or as required by law. The defaults are:

9. Breach notification

If we determine that a breach of security safeguards involving your personal information creates a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA. The notification will describe the nature of the breach, the personal information involved, and the steps you can take to reduce risk.

10. Your rights

Under PIPEDA, you have the right to:

To exercise any of these rights, email privacy@creditgps.ca. We will respond within 30 days of receiving a complete request. If we cannot meet your request, we will explain why and tell you how to escalate.

11. Quebec residents

Credit GPS is not yet generally available in Quebec. The Service has not been adapted for Quebec's Act respecting the protection of personal information in the private sector (Law 25) and Bill 96. If you are a Quebec resident and want to be notified when the Service launches in Quebec, please email privacy@creditgps.ca. A Quebec-specific addendum to this policy will be published before launch.

12. Children

The Service is intended for adults. You must be at least 18 years of age, or the age of majority in your province of residence, to use the Service. We do not knowingly collect personal information from individuals under that age. If we learn we have collected such information, we will delete it.

13. Cookies and analytics

The Service uses:

If you prefer not to be tracked by the analytics or pixel, you can: (a) use your browser's built-in tracking protection (Firefox, Safari, Brave have this on by default); (b) install a content blocker such as uBlock Origin or the EFF's Privacy Badger; or (c) decline non-essential cookies via a cookie consent banner — we are adding one before broader marketing rollout. Until that banner is live, you can email privacy@creditgps.ca to request that we delete any analytics records associated with your visit.

14. Changes to this policy

We may update this policy as our practices evolve or as the law changes. For material changes, we will give you at least 30 days' notice by email and a banner on the Service before the changes take effect. The "Effective" date at the top of this policy reflects the latest revision. Continued use of the Service after the effective date of a change constitutes your acceptance of the updated policy.

15. Contact us

If you contact us about a privacy matter, please put "Privacy" in the subject line so we can route your message correctly.