In plain language: We collect only what we need, we never sell your data, we use bank-level encryption, and you can delete everything at any time.
1. Who We Are
rogat.ai ("we", "our", "us") is a personal finance application operated in Canada. We provide AI-powered financial tracking, budgeting, and insights to help Canadians manage their money. This Privacy Policy explains how we handle your information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored as a salted, hashed value — we never store plaintext passwords)
- Authentication provider details (if you sign in with Apple or Google)
2.2 Financial Data
When you link your bank accounts, we receive from our certified banking data provider:
- Account names, types, and balances
- Transaction history (merchant name, amount, date, category)
- Account numbers are masked — we only receive the last 4 digits
Important: We have read-only access to your financial data. We cannot move money, make payments, or modify anything in your bank accounts. Your banking credentials are never stored on our servers — authentication is handled directly by your bank through our certified provider.
2.3 Usage Data
We automatically collect:
- Device type, operating system, and app version
- Feature usage and interaction patterns (anonymized)
- Crash reports and performance metrics
- IP address (for security and fraud prevention)
2.4 AI Interaction Data
When you use our AI financial assistant, we process your queries and the relevant financial context needed to provide accurate responses. Conversations are stored to maintain continuity and improve the service.
3. How We Use Your Information
We use your information to:
- Provide the service: Display your accounts, categorize transactions, track budgets, and deliver insights
- AI features: Power transaction categorization and the financial assistant
- Security: Detect and prevent fraud, unauthorized access, and suspicious activity
- Communications: Send account alerts, bill reminders, and service updates
- Improvement: Analyze aggregate, anonymized usage patterns to improve the product
4. What We Do NOT Do
- We never sell your personal or financial data to third parties
- We never share identifiable financial data with advertisers
- We never use your financial data to make lending or credit decisions
- We never store your bank login credentials
5. Data Sharing
We share data only with the following categories of service providers, under strict contractual obligations:
- Banking data provider: To connect and sync your bank accounts (read-only)
- AI provider (Anthropic): To process AI categorization and assistant queries. Financial data sent to the AI is processed in real-time and not used to train AI models.
- Cloud infrastructure (AWS): To host our application and store encrypted data
- Payment processor: To process Premium subscription payments (Apple/Google)
6. Data Security
We implement bank-level security measures:
- AES-256 encryption for all data at rest
- TLS 1.3 for all data in transit
- Per-user encryption keys for financial data
- JWT-based authentication with short-lived access tokens (15 minutes) and secure refresh tokens
- Rate limiting and brute-force protection on all authentication endpoints
- Full audit logging of all data access
7. Data Retention
- Active accounts: We retain your data for as long as your account is active
- Closed accounts: Data is deleted within 30 days of account closure, except where required by law
- AI conversations: Retained for 12 months, then automatically deleted
- Audit logs: Retained for 7 years as required by Canadian financial regulations
8. Your Rights
Under PIPEDA and applicable Canadian privacy law, you have the right to:
- Access: Request a copy of all personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request complete deletion of your data (see our PIPEDA Compliance page)
- Portability: Export your data in a machine-readable format
- Withdraw consent: Withdraw your consent for data processing at any time
To exercise any of these rights, email privacy@rogat.ai. We respond to all requests within 30 days.
9. Children's Privacy
rogat.ai is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification at least 30 days before they take effect. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices:
Privacy Officer
rogat.ai
Email: privacy@rogat.ai
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.