Privacy Policy

Last Updated: February 10, 2026

1. Introduction

MyCPACRM ("we", "us", "our") is a client relationship management platform designed for Canadian accounting and tax filing firms. We are committed to protecting the personal information entrusted to us by our users and their clients in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights regarding your data.

2. Accountability

MyCPACRM is accountable for all personal information under its control. Our designated Privacy Officer can be reached at:

Privacy Officer

Email: privacy@mycpacrm.com

Each accounting firm using MyCPACRM is a separate data controller for its own client data. MyCPACRM acts as a data processor on behalf of these firms.

3. Purposes of Collection

We collect and use personal information only for the following identified purposes:

| Data Category | Purpose | Legal Basis |
|---|---|---|
| Name, address, email, phone | Client identification, communication, and service delivery | Consent + contractual necessity |
| Social Insurance Number (SIN) | Required for filing personal tax returns (T1) with CRA | Legal obligation (Income Tax Act) |
| Business Number (BN) | Required for filing corporate (T2), GST/HST, payroll returns with CRA | Legal obligation (Income Tax Act, Excise Tax Act) |
| Tax filing details (income, deductions, dates) | Preparation and filing of tax returns and compliance tracking | Consent + contractual necessity |
| Documents (tax slips, receipts, CRA correspondence) | Supporting documentation for tax filings and CRA audit readiness | Legal obligation (record-keeping requirements) |
| User account information (staff login, email) | Authentication, access control, and audit logging | Contractual necessity |
| Activity logs and session data | Security monitoring, audit trail, and PIPEDA accountability | Legitimate interest (security) |

We do not use personal information for purposes other than those identified above without obtaining further consent.

4. Consent

We obtain meaningful consent before or at the time of collecting personal information. Consent is recorded in the system with a full audit trail, including date, method, and type.

  • Express consent is obtained for sensitive information such as SIN and financial data
  • Implied consent may apply when a client engages the accounting firm for tax preparation services
  • Clients may withdraw consent at any time by contacting their accounting firm or through the client portal. Withdrawal does not affect the legality of processing performed before withdrawal.
  • Note: Certain data must be retained regardless of consent withdrawal to comply with CRA record-keeping requirements

5. Limiting Collection

We collect only the personal information that is necessary for the purposes identified in Section 3. We do not collect information indiscriminately. SIN and Business Number are collected solely because they are required by law for tax filing with the Canada Revenue Agency.

6. Limiting Use, Disclosure, and Retention

Use and Disclosure

Personal information is used only for the purposes for which it was collected. We do not sell, rent, or trade personal information. Information may be disclosed only:

  • To the Canada Revenue Agency as required for tax filing
  • To the client's accounting firm staff who need it to provide services
  • When required by law, regulation, or court order
  • With the individual's explicit consent

Retention

Personal information is retained only as long as necessary to fulfill the purposes for which it was collected, subject to legal requirements:

| Data Type | Retention Period | Reason |
|---|---|---|
| Tax filings and supporting documents | 7 years after the tax year | CRA requires 6 years; 7 years provides a safety buffer |
| Client profile data | Duration of client relationship + 7 years | CRA record-keeping + potential reassessment |
| Consent records | 7 years after last interaction | Proof of consent for PIPEDA compliance |
| Activity and audit logs | 3 years | Security monitoring and compliance auditing |
| Inactive client data | Archived after 2 years of inactivity | Data minimization while respecting CRA retention |

After the retention period expires, personal information is securely deleted or anonymized.

7. Accuracy

We take reasonable steps to ensure that personal information is accurate, complete, and up-to-date:

  • Clients can view and update their information through the client portal
  • Accounting firm staff can correct client records at any time
  • Clients are encouraged to notify their accountant of any changes to their personal information

8. Safeguards

We protect personal information with security safeguards appropriate to the sensitivity of the data:

  • Encryption at rest: SIN, Business Numbers, and other sensitive identifiers are encrypted using industry-standard encryption before storage
  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Access control: Role-based access with per-user custom permissions
  • Authentication: Strong password policy (12+ characters, complexity requirements), optional two-factor authentication (OTP), HttpOnly secure session cookies
  • Account protection: Automatic account lockout after failed login attempts, rate limiting on authentication endpoints
  • Audit logging: All access to sensitive data is logged, including who accessed what and when
  • Data isolation: Each accounting firm's data is strictly separated and protected
  • File validation: Uploaded documents are validated for type and content integrity
  • Admin verification: Administrative actions (password changes, user management) require re-authentication

9. Openness

This Privacy Policy is readily available on our website, login pages, client portal, and consent forms. We will notify users of any material changes to this policy.

10. Individual Access

Individuals have the right to:

  • Access all personal information we hold about them. Requests can be made through the client portal or by contacting the accounting firm. Administrators can generate a complete data export in JSON format.
  • Correct any inaccurate or incomplete personal information
  • Request deletion of personal information, subject to legal retention requirements (CRA mandates 6-year minimum retention for tax records)
  • Withdraw consent at any time, with the understanding that this may affect the firm's ability to provide services

Access requests will be responded to within 30 days, as required by PIPEDA.

11. Challenging Compliance

Individuals may challenge our compliance with this Privacy Policy by contacting our Privacy Officer:

Privacy Inquiries and Complaints

Email: privacy@mycpacrm.com

We will investigate all complaints and respond within 30 days.

If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to users through the application and updated on this page. The "Last Updated" date at the top of this policy indicates when the most recent revision was made.

Contact Us

If you have any questions about this Privacy Policy: