What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. As a Canadian fintech company handling sensitive financial data, rogat.ai is fully committed to compliance with PIPEDA and its 10 Fair Information Principles.
The 10 Fair Information Principles
PIPEDA is built on 10 principles that guide how organizations should handle personal information. Here is how rogat.ai adheres to each:
1. Accountability
rogat.ai has designated a Privacy Officer responsible for compliance with PIPEDA. Our team is trained on privacy obligations, and we maintain contractual agreements with all third-party service providers that access personal information, ensuring they meet equivalent privacy standards.
2. Identifying Purposes
We identify and document the purposes for collecting personal information before or at the time of collection. Your data is used to provide financial tracking, AI-powered categorization, budgeting tools, and personalized insights — as described in our Privacy Policy.
3. Consent
We obtain meaningful consent before collecting, using, or disclosing your personal information. When you create an account and link your bank, you are informed of exactly what data we access and why. You may withdraw consent at any time by unlinking your accounts or deleting your account.
4. Limiting Collection
We collect only the personal information necessary to provide the Service. We have read-only access to your financial data — we cannot access data beyond what is needed for account aggregation and transaction display. We never collect information indiscriminately.
5. Limiting Use, Disclosure, and Retention
Personal information is used only for the purposes for which it was collected, unless you give further consent. We do not sell or share your data with advertisers. We retain data only as long as your account is active, plus any period required by law, after which it is securely deleted.
6. Accuracy
We strive to keep your personal information accurate and up-to-date. Financial data is synced directly from your bank to ensure accuracy. You can update your profile information at any time through the app, and you may request corrections by contacting us.
7. Safeguards
We protect personal information with security safeguards appropriate to the sensitivity of the data. This includes AES-256 encryption at rest, TLS 1.3 encryption in transit, per-user encryption keys, JWT authentication with short-lived tokens, rate limiting, and comprehensive audit logging.
8. Openness
We make our privacy practices readily available through this PIPEDA Compliance page, our Privacy Policy, Cookie Policy, and Terms of Service. These documents are written in clear, accessible language.
9. Individual Access
You have the right to request access to your personal information held by rogat.ai. Upon request, we will inform you of the existence, use, and disclosure of your personal information and provide access to that information within 30 days. You may also challenge the accuracy of your information and have it corrected.
10. Challenging Compliance
You may challenge our compliance with PIPEDA by contacting our Privacy Officer. We will investigate all complaints and respond within 30 days. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.
Your Rights Under PIPEDA
As a user of rogat.ai, you have the right to:
- Access your data: Request a complete copy of all personal and financial data we hold about you
- Correct your data: Request correction of any inaccurate or incomplete information
- Delete your data: Request full deletion of your account and all associated data
- Export your data: Request your data in a portable, machine-readable format (CSV or JSON)
- Withdraw consent: Revoke your consent for data collection at any time by unlinking accounts or closing your account
- File a complaint: Challenge our privacy practices through our complaint process or with the Privacy Commissioner
Data Deletion Process
When you request account deletion:
- All bank connections are immediately severed
- Your personal profile data is deleted within 24 hours
- Your financial data (transactions, budgets, goals) is deleted within 30 days
- AI conversation history is deleted within 30 days
- Audit logs are retained for 7 years as required by Canadian financial regulations, then deleted
- Backups containing your data are purged within 90 days
To request deletion, go to Settings > Account > Delete Account in the app, or email privacy@rogat.ai.
Cross-Border Data Transfers
rogat.ai primarily stores and processes data within Canada. Where data must be transferred to service providers outside of Canada (such as our AI provider for processing queries), we ensure:
- Contractual protections are in place that provide a comparable level of protection
- Data transferred is limited to the minimum necessary
- Financial data sent for AI processing is not retained by the AI provider
- You are informed of the countries involved (currently Canada and the United States)
Breach Notification
In the event of a data breach that creates a real risk of significant harm, rogat.ai will:
- Notify the Office of the Privacy Commissioner of Canada as soon as feasible
- Notify affected individuals directly, describing the nature of the breach, the data involved, and steps we are taking
- Maintain records of all breaches for a minimum of 24 months
Contact Our Privacy Officer
For any questions, access requests, complaints, or concerns about our PIPEDA compliance:
Privacy Officer
rogat.ai
Email: privacy@rogat.ai
We will acknowledge receipt of your request within 5 business days and provide a full response within 30 days.
Office of the Privacy Commissioner of Canada
If you are not satisfied with our response, you may file a complaint at www.priv.gc.ca or call 1-800-282-1376.