Privacy Policy

1. Introduction

Kwata Books ("we," "our," or "us") is operated by Kwata Team. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered Canadian bookkeeping and expense tracking platform.

By using Kwata Books, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name and email address through your authentication provider. We do not store passwords — authentication is handled by secure third-party providers (Google OAuth, email/password via Better Auth).

2.2 Receipt and Financial Data

When you upload receipts, invoices, or connect financial integrations, we process and store:

• Receipt and invoice images and PDF documents (stored in Google Cloud Storage, US region)
• Extracted financial data including vendor names, amounts, dates, HST/GST numbers, and CRA expense categories
• Business profile information (business name, province, business type)
• Transaction records, payroll data, and dividend records you create or import
• Any manual edits or annotations you make

2.3 Usage Information

We automatically collect certain information about your device and usage patterns, including browser type, access times, and pages viewed. This information is used solely to improve our service and is not sold or shared.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our bookkeeping and expense tracking services
• Process and organize your receipts, invoices, and financial records
• Generate CRA-compliant reports (T2125, HST returns, CCA schedules)
• Power AI-assisted features including receipt OCR and the Lex AI financial assistant
• Send you service-related communications
• Respond to your inquiries and support requests
• Detect, prevent, and address technical issues or fraud
• Comply with legal obligations

We do not sell your personal information, financial data, or receipt contents to third parties. We do not use your data for advertising.

4. Data Storage and Security

Your data is stored on secure servers. Our database is hosted in Germany (EU) and receipt files are stored in Google Cloud Storage (US). We implement industry-standard security measures including:

• AES-256-GCM encryption for sensitive data at rest (OAuth tokens, Social Insurance Numbers)
• TLS 1.3 encryption for all data in transit
• Regular security assessments (PESNO framework — 98/100 score)
• Access controls: data is isolated per user account (no cross-tenant access)
• Rate limiting and audit logging on all critical operations
• Secure data backup procedures

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your account information and financial data for as long as your account is active or as needed to provide you services. You may request deletion of your data at any time by contacting us.

Upon account deletion, we will remove your personal data within 30 days, except where we are required to retain certain information for legal or legitimate business purposes (e.g., payment records required by law).

Note: CRA recommends retaining business financial records for at least 6 years. We encourage you to export your data before deleting your account.

6. Google Workspace Integration Data

Kwata Books offers optional integrations with Google Drive and Gmail to help you automatically import expense receipts and invoices. These integrations are optional — all core bookkeeping features work without them.

6.1 Google Drive Integration (drive.readonly)

When you connect Google Drive, we request the https://www.googleapis.com/auth/drive.readonly scope. This grants us read-only access to your Google Drive files. Specifically:

• What we access: Only files (PDFs and images) inside the specific folder you select. We list files in that folder and download files solely to extract expense data.
• What we do not access: We do not read, view, or store any file outside the folder you choose. We do not access Google Docs, Google Sheets, other file types, or any other Drive content.
• Read-only guarantee: We never upload, modify, move, rename, or delete any file in your Google Drive.
• Data extracted and stored: Vendor name, date, amount, and CRA expense category extracted from each receipt. The original file content is not permanently stored — only the structured extracted data.
• No data sharing: Extracted Drive data is never shared with third parties or used for any purpose other than your bookkeeping records.
• Token storage: Your Google OAuth access and refresh tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database.

6.2 Gmail Integration (gmail.readonly)

When you connect Gmail, we request the https://www.googleapis.com/auth/gmail.readonly scope. This grants us read-only access to your Gmail messages. Specifically:

• What we access: Only emails whose subject line or body contains keywords you explicitly configure (e.g., "invoice", "receipt", "bill"). We only process emails that have PDF or image attachments.
• What we do not access: We do not read personal emails, emails without matching keywords, or emails without attachments. We do not access your contacts, calendar, labels, or any other Gmail data.
• Read-only guarantee: We never send emails, delete emails, mark emails as read, or modify your Gmail in any way.
• Data extracted and stored: Only the PDF/image attachment content is processed for expense extraction. Email subject lines and sender addresses are used only to match keywords — they are not permanently stored.
• No data sharing: Gmail data is never shared with third parties or used for advertising, analytics, or any purpose beyond your bookkeeping records.
• Token storage: Your Google OAuth tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database.

6.3 Revoking Google Access

You can disconnect your Google Drive or Gmail integration at any time from the Integrations page within Kwata Books. When you disconnect:

• We immediately revoke your OAuth token at Google (calls Google's token revocation endpoint)
• Your stored OAuth tokens are permanently deleted from our database
• We stop all sync or scanning activity immediately

You can also revoke access directly from your Google Account at myaccount.google.com/permissions — look for "Kwata Books" and remove it.

6.4 Google Data Retention

We do not store raw email content or Drive file content. Only structured expense data (vendor, date, amount, category) extracted from attachments is retained as part of your bookkeeping records. This data is kept for as long as your Kwata Books account is active.

Upon account deletion or integration disconnection, Google OAuth tokens are immediately and permanently deleted. Extracted expense records may be retained for the account lifetime unless you request deletion.

7. Third-Party Services

We use the following third-party services to operate our platform. Each has its own privacy policy:

• Google (OAuth, Drive, Gmail): Authentication and optional receipt import
• Anthropic Claude: AI-powered receipt OCR and the Lex financial assistant (receipt images are sent for processing; no personal data is retained by Anthropic beyond their standard API usage)
• Google Cloud Storage: Secure file storage for your receipt and invoice documents (US region)
• Stripe, PayPal, Square: Optional payment integration providers (each governed by their own terms)

We only share the minimum information necessary for these services to function. We do not sell data to any third party.

8. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format (CSV, PDF)
• Withdraw consent for data processing
• Disconnect Google integrations at any time with immediate effect

To exercise these rights, please contact us at privacy@kwatateam.com.

9. Canadian Privacy Law Compliance

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Canadian residents may contact our Privacy Officer for any privacy-related concerns.

Your database is hosted in Germany (EU) and receipt files are stored in Google Cloud Storage in the United States. Both jurisdictions maintain strong data protection standards. We comply with PIPEDA and Alberta PIPA requirements for cross-border data transfers.

10. Children's Privacy

Kwata Books is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete such information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and sending an email notification to registered users for significant changes. Your continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, our data practices, or Google API data usage, please contact us at:

Kwata Team — Privacy Officer
Email: privacy@kwatateam.com
Website: kwatateam.com
Address: Alberta, Canada