Privacy Policy
1. Interpretation and Definitions
1.1 Consent and Agreement
This Privacy Policy complies with Canadian federal and provincial privacy laws, including PIPEDA (Personal Information Protection and Electronic Documents Act). By using Sonnet Money, you consent to the collection, use, and disclosure of your personal information as described in this policy.
1.2 Company Information
Sonnet Money Corp. ("we," "us," "our," or "Company") is a Canadian corporation operating a personal financial tracking and management platform. This Privacy Policy governs the collection, use, and disclosure of personal information in accordance with Canadian privacy laws, including PIPEDA and applicable provincial privacy legislation.
1.3 Definitions
- "Account" means your Sonnet Money user account
- "Application" or "Service" refers to Sonnet Money software and related services
- "Device" means any device that can access our Service
- "Personal Information" means information about an identifiable individual as defined under PIPEDA
- "Financial Data" means your banking, investment, and financial account information
- "Usage Data" means data collected automatically when using our Service
2. Information We Collect
2.1 Personal Information You Provide
- Account Information: Full name, email address, phone number, postal address
- Authentication Data: Username, password, security questions and answers
- Profile Information: Profile picture, preferences, financial goals
- Communication Data: Support requests, feedback, survey responses
2.2 Financial Information
- Account Data: Bank account names, balances, account types, and institutions you manually enter
- Transaction Details: Income, expenses, transfers, recurring transactions, and transaction categories you input
- Net Worth Information: Assets (investments, property, vehicles), liabilities (mortgages, loans, debt), and values you track
- Budget Data: Spending categories, budget amounts, financial goals, and targets you create
- Cash Flow Data: Historical balances and projected future balances calculated from your inputs
Important: We do not directly connect to your bank accounts or process financial transactions. All financial data is manually entered by you.
2.3 Technical Information
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Features used, time spent, click patterns, session recordings
- Location Data: General geographic location (city/province level)
- Cookies and Tracking: Session cookies, analytics cookies, preference cookies (see Section 2.4 below for details)
2.4 Cookies and Tracking Technologies
What Are Cookies?
Cookies are small text files placed on your device by websites you visit. They help websites remember information about your visit, which can make it easier to visit the site again and make the site more useful to you.
Types of Cookies We Use
1. Essential Cookies (Strictly Necessary)
These cookies are necessary for the Service to function and cannot be switched off. They are usually only set in response to actions you take, such as logging in, setting privacy preferences, or filling in forms. Without these cookies, some parts of our Service will not work.
- Purpose: Authentication, security, session management, account access
- Duration: Session cookies (deleted when you close your browser) or up to 30 days
- Legal Basis: Necessary to perform our contract with you and provide the Service
- Cannot be disabled: Disabling these cookies will prevent you from using the Service
2. Performance/Analytics Cookies
These cookies help us understand how visitors interact with our Service by collecting and reporting information. This helps us improve how our Service works.
- Purpose: Track usage patterns, page views, feature adoption, user behavior analysis
- Examples: Google Analytics, Vercel Analytics, Microsoft Clarity (if applicable)
- Duration: Up to 2 years
- Information Collected: Pages visited, time on site, clicks, referring URLs, browser type, device type, IP address (anonymized)
- Legal Basis: Your consent (you can opt out)
3. Functional/Preference Cookies
These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings.
- Purpose: Remember your settings, dashboard layout, currency preferences, language, theme
- Duration: Up to 1 year
- Legal Basis: Your consent (you can opt out, but some features may be less convenient)
4. Targeting/Advertising Cookies (If Applicable)
These cookies may be set through our site by advertising partners to build a profile of your interests and show you relevant ads on other sites.
- Purpose: Measure ad campaign effectiveness, retargeting, interest-based advertising
- Duration: Up to 1 year
- Legal Basis: Your explicit consent (you can opt out)
- Note: We do not sell your personal information. These cookies help us market our Service, not third-party products.
Third-Party Cookies
Some cookies on our Service are set by third-party service providers we use to deliver certain features:
- Google Analytics: Usage analytics and reporting. Google Privacy Policy | Opt-Out
- Vercel Analytics: Performance monitoring. Vercel Privacy Policy
- Stripe: Payment processing (session cookies only). Stripe Privacy Policy
These third parties have their own privacy policies governing their use of cookies and data collection.
How to Manage Cookies
Browser Settings:
You can control and/or delete cookies through your browser settings. Most browsers allow you to:
- See what cookies you have and delete them individually
- Block third-party cookies
- Block all cookies from specific sites
- Block all cookies from being set
- Delete all cookies when you close your browser
Browser-Specific Instructions:
- Chrome: Settings > Privacy and security > Cookies and other site data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Manage Website Data
- Edge: Settings > Cookies and site permissions > Cookies and site data
Analytics Opt-Out:
- Google Analytics: Install the Google Analytics Opt-out Browser Add-on
- In-App Settings: You can disable analytics tracking in your account settings
"Do Not Track" Signals:
Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want your online activity tracked. Currently, there is no universal standard for how DNT signals should be interpreted. We do not currently respond to DNT signals, but we provide other ways to control tracking as described above.
Important: If you delete or disable essential cookies, you may not be able to access certain features of our Service, and you may need to manually adjust preferences every time you visit.
Cookies and Legal Compliance
Our use of cookies complies with Canadian privacy laws (PIPEDA), the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). By continuing to use our Service, you consent to our use of cookies as described in this Privacy Policy. You can withdraw consent at any time by adjusting your browser or account settings.
For more information about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org or www.youronlinechoices.com.
2.5 Third-Party Services and Processors
We use the following categories of third-party services to operate our Service:
- Payment Processing: Stripe Inc. processes subscription payments. Stripe handles your payment card information and billing details. We do not store full payment card numbers. See Stripe's Privacy Policy: https://stripe.com/privacy
- Hosting and Infrastructure: Cloud hosting providers for secure data storage and application delivery
- Analytics Services: Usage analytics to understand feature adoption and improve user experience (e.g., Google Analytics, Vercel Analytics)
- Email Communications: Email service providers for transactional emails, account notifications, and optional marketing (with consent)
- Customer Support: Support ticket and chat systems for responding to your inquiries
Important: We do not use third-party financial aggregation services (like Plaid or MX). All financial data is manually entered by you and is not shared with banks or financial institutions.
3. How We Use Your Information
3.1 Primary Purposes
- Financial Dashboard: Display your real-time financial overview, account balances, and key metrics
- Cash Flow Forecasting: Calculate and project your future account balances from 3 months to 10+ years based on your recurring transactions
- Net Worth Tracking: Monitor your assets, liabilities, investments, and overall net worth over time
- Budget & Spending Analysis: Track expenses, categorize spending, and compare against your budgets
- Multi-Account Management: Manage unlimited bank accounts, track transfers, and monitor portfolio performance
- Account Management: Create, maintain, and secure your account
- Customer Support: Respond to inquiries and provide technical assistance
3.2 Secondary Purposes
- Service Improvement: Analyze usage patterns to enhance our platform
- Security: Detect and prevent fraud, unauthorized access, and security threats
- Legal Compliance: Meet regulatory requirements and legal obligations
- Business Operations: Internal analytics, quality assurance, and business intelligence
3.3 Marketing Communications (With Consent)
We may send you promotional materials about our services only with your explicit consent. You can withdraw consent at any time by unsubscribing or contacting us.
4. Legal Basis for Processing
4.1 Consent
For most processing activities, we rely on your informed consent, which you provide when creating an account and using our services.
4.2 Contractual Necessity
Processing necessary to perform our contract with you and provide the tools you've requested, including: financial dashboard, cash flow forecasting, net worth tracking, budget and spending analysis, and multi-account management.
4.3 Legal Obligations
Processing required to comply with Canadian federal and provincial laws, including:
- Consumer protection laws
- Court orders or government requests
- Privacy and data protection regulations
- Business record-keeping requirements
4.4 Legitimate Interests
Processing for security, fraud prevention, and service improvement, balanced against your privacy rights.
5. Sharing Your Information
5.1 We Do Not Sell Personal Information
We do not sell, rent, or trade your personal or financial information to third parties for marketing purposes.
5.2 Authorized Sharing
We may share your information in the following limited circumstances:
Service Providers
- Cloud hosting and data storage providers
- Payment processing services (for subscription billing only)
- Security and fraud prevention services
- Customer support platforms
- Analytics and performance monitoring tools
Legal Requirements
- Court orders, subpoenas, or government requests
- Law enforcement investigations
- Regulatory compliance when required by law
- Protection of legal rights and safety
Business Transactions
In the event of a merger, acquisition, or sale of assets, your information may be transferred with appropriate privacy protections.
5.3 Third-Party Service Provider Agreements
All service providers are bound by contractual obligations to protect your information and use it only for authorized purposes.
6. Data Security
6.1 Security Measures
- Encryption: 256-bit SSL/TLS encryption for data in transit
- Data Storage: AES-256 encryption for data at rest
- Access Controls: Multi-factor authentication and role-based access
- Network Security: Firewalls, intrusion detection, and monitoring
- Regular Audits: Security assessments and penetration testing
- Employee Training: Regular privacy and security training
6.2 Industry-Standard Security
We use industry-standard security practices to protect your data, including encryption, access controls, and regular security audits.
6.3 Data Breach Response
In the unlikely event of a data breach, we will:
- Contain the breach immediately
- Assess the scope and impact
- Notify affected users within 72 hours
- Report to the Privacy Commissioner of Canada as required
- Provide assistance and monitoring services as appropriate
7. Data Retention
7.1 How Long We Keep Your Data
We retain your personal information only as long as necessary to provide you with our Services. Here's how long we keep different types of data:
- Active Account Data: Retained while your account is active and you're using our Services
- After Account Cancellation: Your account and financial data are deleted within 30 days after you cancel your subscription or close your account
- Subscription/Billing Records: Invoices and payment records for your subscription fees are retained for 6 years to comply with Canadian business tax requirements (GST/HST). This does NOT include your financial tracking data (account balances, transactions, budgets, etc.)
- Support Communications: Customer support emails and tickets retained for 2 years for quality assurance
- Usage Analytics: Anonymized usage statistics retained for 1 year, then deleted or further anonymized
7.2 Your Right to Delete Your Data
You can delete your account and data at any time through your account settings or by contacting us at legal@sonnetmoney.com. We will process deletion requests within 30 days.
Exceptions: We may retain data longer only if:
- Required by law (court orders, regulatory investigations)
- Necessary to resolve disputes or enforce our Terms of Service
- Needed for fraud prevention (suspected fraudulent accounts)
When we delete your data, we use secure deletion methods to ensure it cannot be recovered.
7.3 What Happens to Your Data
Important: We do not keep your financial tracking data (account balances, transactions, budgets, net worth information) for tax or regulatory purposes. You are responsible for maintaining your own financial records. We are a software tool, not a bank, accountant, or financial institution.
8. Your Privacy Rights
8.1 Access Rights
You have the right to request access to your personal information, including:
- What information we have about you
- How we use your information
- Who we share it with
- How long we keep it
8.2 Correction Rights
You can request correction of inaccurate or incomplete personal information.
8.3 Withdrawal of Consent
You can withdraw consent for processing that relies on consent, though this may limit service functionality.
8.4 Account Closure
You can request account closure and deletion of your information, subject to legal retention requirements.
8.5 Complaint Rights
You have the right to file a complaint with:
- The Privacy Commissioner of Canada
- Your provincial privacy commissioner
- Our company's privacy officer
8.6 Exercising Your Rights
To exercise these rights, contact us using the information in Section 13. We will respond within 30 days and may require identity verification.
8.7 Quebec Residents' Additional Rights
If you are a Quebec resident, you have additional rights under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), including:
- Right to data portability (receive your information in a structured, commonly used format)
- Right to de-indexing (removal from search engines in certain circumstances)
- Enhanced consent requirements for sensitive information
- Right to automated decision-making transparency
For Quebec-specific privacy inquiries, contact our Privacy Officer at legal@sonnetmoney.com.
9. Children's Privacy
9.1 Age Restrictions
Our service is not intended for children under 18. We do not knowingly collect personal information from minors.
9.2 Parental Rights
If we become aware that we have collected information from a child under 18, we will delete it immediately. Parents may contact us to review, delete, or stop further collection of their child's information.
10. International Data Transfers
10.1 Data Location
Your personal information is primarily stored and processed in Canada. Some service providers may process data in other countries with adequate privacy protections.
10.2 Cross-Border Safeguards
When data is transferred internationally, we ensure:
- Adequate level of protection in the destination country
- Contractual safeguards with service providers
- Compliance with PIPEDA cross-border requirements
11. California and U.S. Consumer Privacy Rights
11.1 Understanding CCPA
While Sonnet Money is a Canadian company, we respect the privacy rights of California residents and other U.S. users under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and similar state laws.
11.2 California Residents' Rights
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of personal information collected, used, disclosed, or sold in the past 12 months
- Right to Delete: Request deletion of personal information we have collected from you (subject to legal exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (Note: We do not sell personal information)
- Right to Limit Use: Limit use and disclosure of sensitive personal information
- Right to Non-Discrimination: Exercise privacy rights without discriminatory treatment
11.3 "Do Not Sell My Personal Information"
We do not sell your personal information to third parties. We do not share your information with third parties for their own marketing purposes. All third-party sharing is limited to service providers necessary to operate Sonnet Money (hosting, payment processing, analytics).
11.4 California "Shine the Light" Law
Under California Civil Code Section 1798.83, California residents have the right to request information regarding disclosure of personal information to third parties for direct marketing purposes. Since we do not disclose personal information for such purposes, this right does not apply.
11.5 Sensitive Personal Information
Your financial data (account balances, transactions, net worth information, assets, liabilities, budgets, and spending patterns) may be considered "sensitive personal information" under California law. We use this information solely to:
- Provide the tools you requested (financial dashboard, cash flow forecasting, net worth tracking, budget and spending analysis, multi-account management)
- Perform our contract with you
- Ensure security and integrity of our Service
- Comply with legal obligations
We do not use or disclose sensitive personal information for purposes other than those permitted by CPRA.
11.6 Exercising California Rights
To exercise these rights, contact us at:
- Email: legal@sonnetmoney.com
- Subject Line: "California Privacy Rights Request"
- Include: Your name, email address, and specific request
We will verify your identity and respond within 45 days (extendable by 45 days if needed). You may designate an authorized agent to make requests on your behalf.
11.7 Other U.S. State Privacy Laws
We extend similar privacy rights to residents of other U.S. states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, etc.). Contact us using the information in Section 12 to exercise your rights.
12. Contact Information
12.1 Privacy Officer
For privacy-related inquiries, concerns, or requests to exercise your rights, contact:
Sonnet Money Corp.
Privacy Officer
Email: legal@sonnetmoney.com
Website: www.sonnetmoney.com/contact
12.2 Privacy Complaint Process
If you believe we have violated your privacy rights, you may file a complaint with:
- Our Privacy Officer: legal@sonnetmoney.com
- Office of the Privacy Commissioner of Canada: www.priv.gc.ca | 1-800-282-1376
- Provincial Privacy Commissioner: For Quebec residents - www.cai.gouv.qc.ca
We will investigate all complaints and respond within 30 days.
12.3 General Support
For non-privacy related support inquiries, visit our Help Center or email support@sonnetmoney.com.
13. Changes to This Policy
13.1 Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated through:
- Email notification to registered users
- Prominent notice on our website
- In-app notifications
13.2 Continued Use
Your continued use of our service after policy changes constitutes acceptance, unless the changes require explicit consent under applicable law.
Legal Disclaimer
This Privacy Policy is designed to comply with Canadian privacy laws as of the effective date. Privacy laws may change, and you should consult with legal counsel for specific privacy questions or concerns.