Skip to content
Fruxal

Legal

Privacy Policy

Effective date: April 21, 2026 · Last updated: April 21, 2026

Fruxal Inc. (“Fruxal,” “we,” “us,” or “our”) operates a financial diagnostic platform for Canadian small and mid-size businesses. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

By using Fruxal, you consent to the collection and use of your information as described in this policy. If you do not agree, do not use our service.

1. Information we collect

We collect information in two ways: information you provide directly, and information we collect automatically.

Information you provide:

  • Account information — name, email address, business name when you register
  • Business profile data — industry, province, revenue band, employee count, business structure
  • Financial diagnostic data — the revenue, payroll, margin, and other financial figures you enter into the intake form; the diagnostic findings, health scores, and task history generated from that data
  • Uploaded documents (Enterprise tier only) — T2 corporate returns, financial statements, GST/HST returns, T4 summaries, and bank statements you choose to upload for verified analysis
  • Communications — when you contact us by email or through the platform
  • Account deletion reason — if you voluntarily provide one when deleting your account

Information collected automatically:

  • Usage data — pages visited, features used, diagnostic run frequency, login timestamps
  • Device and browser information — browser type, operating system, IP address (used for security and abuse prevention)
  • Cookies — session cookies required for login; analytics cookies from Vercel Analytics (anonymized)
  • Email engagement data — whether emails we send were opened or links were clicked (through Resend)

We do not collect payment card numbers. All payment processing is handled by Stripe, which is PCI-DSS certified.

2. Why we collect this information

  • To provide the diagnostic service — analyzing your financial inputs, generating findings, scores, and recovery recommendations
  • To personalize your recovery — matching programs, grants, and findings to your specific industry, province, and business size
  • To send transactional communications — email verification, receipts, diagnostic results, and account-security notices. These are required to operate your account and are sent regardless of marketing preferences
  • To send commercial electronic messages (with your consent) — monthly briefs, deadline reminders, program updates, and promotional messages are sent only if you provided express opt-in consent at sign-up or in Settings, in compliance with Canada's Anti-Spam Legislation (CASL). Every such message includes an unsubscribe link that takes effect within 10 business days
  • To process payments — creating and managing your subscription through Stripe
  • To improve the platform — understanding how features are used to make Fruxal better
  • To comply with legal obligations — maintaining records required by applicable law

CASL record of consent. When you opt in to commercial emails, we record the date, time, IP address, and wording shown to you so we can demonstrate consent if required. You may withdraw consent at any time through the unsubscribe link in any commercial message or in Settings → Email preferences.

3. Who we share your information with

We share your information only with the following service providers, each operating under appropriate data agreements:

  • Anthropic — Your financial inputs are processed by Anthropic's Claude API to generate diagnostic findings. Anthropic does not use your inputs to train their models. See Anthropic's privacy policy at anthropic.com.
  • Stripe — Payment processing and recovery fee billing. Stripe handles all card data. See stripe.com/privacy.
  • Resend — Transactional email delivery (diagnostic results, monthly briefs, account notifications). See resend.com/privacy.
  • Supabase — Database hosting for your account and diagnostic data. Supabase is SOC 2 certified. See supabase.com/privacy.
  • Vercel — Application hosting and anonymized web analytics. See vercel.com/legal/privacy-policy.

We do not sell your data to third parties. Ever. Affiliate solution providers receive only an anonymous click referral when you click on a recommended solution — they never receive your name, email, financial data, or any personally identifiable information.

We may disclose your information if required by law, court order, or to protect the rights and safety of Fruxal, our users, or the public.

4. Your rights under PIPEDA

As a Canadian resident, you have the following rights with respect to your personal information:

  • Right to access — You may request a copy of the personal information we hold about you
  • Right to correct — You may request that we correct inaccurate or incomplete information
  • Right to delete — You may delete your account and all associated data at any time from Settings → Danger Zone. All data is purged within 30 days
  • Right to withdraw consent — You may withdraw consent to specific uses (such as marketing emails) at any time without affecting the lawfulness of prior processing
  • Right to complain — If you believe we have not handled your information appropriately, you may lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca

To exercise these rights, contact us at privacy@fruxal.ca. We will respond within 30 days.

5. Data retention

  • Active accounts — Data is retained for as long as your account is active
  • Deleted accounts — All personal data is purged within 30 days of account deletion. We retain only an anonymized deletion log (a cryptographic hash, not your actual data) for compliance purposes
  • Diagnostic reports — Retained for the lifetime of your account and deleted with your account
  • Email logs — Retained for 12 months
  • Uploaded documents (Enterprise) — Retained for the lifetime of your account or until you request deletion

6. Security

  • All data transmitted between your browser and Fruxal is encrypted using TLS (Transport Layer Security)
  • Database access is controlled via Row Level Security — your data is only accessible by authenticated requests associated with your account
  • Payment card data is handled entirely by PCI-DSS certified Stripe infrastructure. We never see or store card numbers
  • We regularly review our security practices and promptly address identified vulnerabilities

No system is 100% secure. If you become aware of a security concern, please contact us at privacy@fruxal.ca.

7. Cookies

  • Session cookies — Required for you to stay logged in. Without these, the service cannot function
  • Analytics cookies — Vercel Analytics uses anonymized, aggregated data to help us understand page performance. No personal identifiers are collected

We do not use advertising cookies, retargeting pixels, or third-party tracking. See our Cookie Policy for full details.

8. Quebec residents — Law 25 (Act respecting the protection of personal information in the private sector)

If you reside in Quebec, the following additional rights and disclosures apply to you under Quebec's Act respecting the protection of personal information in the private sector (commonly referred to as “Law 25” or LPRPDE), as amended by An Act to modernize legislative provisions as regards the protection of personal information.

Privacy Officer

Fruxal has designated a person responsible for the protection of personal information. You may contact our Privacy Officer directly at privacy@fruxal.ca for any question, request, or complaint concerning the handling of your personal information.

Your Law 25 rights

  • Right of access — Obtain confirmation that we hold personal information about you and a copy of that information
  • Right of rectification — Have inaccurate, incomplete, or equivocal information corrected
  • Right to de-indexation and cessation of dissemination — Request that we stop disseminating your personal information or de-index it where the law allows
  • Right to data portability — Receive the computerized personal information you provided to us in a structured, commonly used technological format, or have it transmitted directly to another organization where technically feasible
  • Right to be informed about automated decisions — Be informed when a decision about you is based exclusively on automated processing, and obtain information about the principal factors and parameters used; you may submit observations to a Fruxal employee for a review of such decisions
  • Right to withdraw consent — Withdraw your consent to the use or disclosure of your personal information at any time, subject to legal and contractual limits

Automated processing disclosure

Fruxal uses automated processing (including large-language-model analysis through Anthropic's Claude API) to generate diagnostic findings, health scores, and recovery recommendations from the financial data you provide. These outputs are informational — they are not binding financial, legal, or tax decisions, and a human Fruxal reviewer is available on request to examine any finding you wish to contest.

Storage and transfers outside Quebec

Your personal information is stored on infrastructure operated by Supabase and Vercel, which may host data in regions outside Quebec, including elsewhere in Canada and the United States. Before transferring personal information outside Quebec, Fruxal conducts a privacy impact assessment to confirm that the information will receive adequate protection, having regard to the sensitivity of the information, the purpose of its use, the protective measures in place, and the legal framework of the destination jurisdiction.

Confidentiality by default

Parameters that involve the disclosure of your personal information are, by default, set to provide the highest level of confidentiality, without any intervention required from you.

Complaints to the CAI

If you are not satisfied with our response to a privacy request, you may lodge a complaint with Quebec's Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.

9. Contact us

For privacy questions, data access requests, or to exercise your rights under PIPEDA:

  • Email: privacy@fruxal.ca
  • Response time: 30 days
  • Jurisdiction: This policy is governed by the laws of Quebec, Canada

This Privacy Policy was last updated on April 21, 2026. We will notify active users of material changes by email before they take effect.