Privacy Policy
Effective Date: March 25, 2026 · Last Updated: April 15, 2026
Steadyhand Bookkeeping ("we", "us", "our") is committed to protecting the privacy and confidentiality of our clients' personal and financial information. This policy explains how we collect, use, protect, and disclose your information in compliance with Alberta's Personal Information Protection Act (PIPA).
Privacy Officer: Jory Moisan-Poitras, Owner, is the designated individual responsible for Steadyhand Bookkeeping's compliance with PIPA.
1. Information We Collect
Personal Information
- Full name and contact information (address, phone number, email)
- Social Insurance Number (SIN) — only when required for payroll or tax filings, and only with your express written consent
- Date of birth (if required for specific filings)
Business Information
- Business name, business number (BN), and GST/HST registration number
- Banking and financial account information (account numbers, transaction records, statements)
- Accounts payable and receivable records
- Payroll information (employee names, addresses, contact information, SINs, pay rates, deductions)
- Receipts, invoices, and supporting financial documents
- Vehicle logbooks and mileage records
2. Why We Collect This Information
We collect personal and financial information solely for the purpose of:
- Performing the bookkeeping services outlined in your engagement letter
- Preparing and filing GST/HST returns with the Canada Revenue Agency (CRA)
- Processing payroll and issuing T4/T4A slips
- Generating financial reports (profit & loss, balance sheet, etc.)
- Communicating with you about your account and services
We will not collect more information than is reasonably necessary to perform these services.
3. Consent
We rely on the following forms of consent to collect, use, and disclose your information:
- Implied consent: By signing the engagement letter and providing your business records to us, you provide implied consent for the collection, use, and disclosure of your business and personal information as reasonably necessary to perform the bookkeeping services described in the engagement letter.
- Express consent: For highly sensitive information — including Social Insurance Numbers (SINs) and direct banking access credentials — we will obtain your separate, express written consent before collection. Express consent will also be obtained for any use or disclosure of your information beyond the purposes stated in this policy.
Withdrawal of Consent
You may withdraw your consent at any time by providing written notice to us via email or mail. Please be aware that:
- Withdrawal may limit or end our ability to provide some or all services
- Withdrawal is not retroactive and does not affect the lawfulness of processing conducted prior to withdrawal
- We may still be required to retain certain records under CRA requirements, even after consent is withdrawn
- We will process your withdrawal request within 30 days
4. How We Protect Your Information
We implement the following safeguards to protect your data:
- Encrypted cloud storage — All financial records are stored in cloud-based platforms (e.g., QuickBooks Online) that use industry-standard encryption
- Two-factor authentication (2FA) — Enabled on all accounts that access client data
- Strong passwords — Unique, complex passwords managed through a password manager
- Access control — Only authorized personnel have access to your information
- Secure communication — Sensitive documents are shared via encrypted channels, not unencrypted email attachments
- Physical security — Any physical documents are stored securely and shredded when no longer needed
- Software updates — All systems are kept up to date with the latest security patches
5. Cross-Border Data Transfers
Your personal and financial information is processed through third-party cloud-based platforms. Our current service providers include:
- Intuit Inc. (QuickBooks Online) — accounting data storage and processing. US-based.
- Google LLC (Gmail, Google Workspace, Google Drive) — business email and client document exchange. US-based.
- Cloudflare Inc. — website hosting and email routing for steadyhandbookkeeping.ca. US-based.
- Wave Financial Inc. (Wave Accounting) — invoicing for Steadyhand's own billing. Canadian-based; may use US cloud infrastructure.
- Dext Prepare (when in use) — receipt capture and categorization. UK/international-based.
As a result, your information may be stored, processed, or accessible on servers located outside of Canada, primarily in the United States. While stored outside Canada, your information may be subject to the laws of that jurisdiction, including laws that may permit government authorities to access data (such as the U.S. CLOUD Act or Patriot Act).
The privacy protections available under Alberta's PIPA may not apply in those jurisdictions. However, we require all third-party service providers to maintain appropriate security safeguards for your information.
An up-to-date list of current third-party service providers that may process your data is available on this page or upon request.
6. Who We Share Your Information With
We do not sell, trade, or rent your personal information to anyone.
We will only share your information with:
- Canada Revenue Agency (CRA) — As required for tax filings, GST/HST remittances, payroll reporting, or in response to a lawful request
- Your designated accountant or CPA — When you authorize us to share year-end files or financial records for tax preparation
- Third parties you authorize — Only with your written consent (e.g., lenders requesting financial statements)
- Software providers — Your data is processed through platforms like QuickBooks Online, which have their own privacy policies and security measures (see Section 5 — Cross-Border Data Transfers)
We will not share your SIN, banking information, or financial records with any party except as described in this policy or as required by law.
7. Employee Information
If we provide payroll processing services, we will collect and process personal information about your employees on your behalf, including names, addresses, SINs, pay rates, and deduction details.
In this capacity:
- We act as a service provider processing your employees' personal information on your behalf. You, as the employer, remain the custodian of that information under PIPA.
- You are responsible for notifying your employees that their personal information will be processed by Steadyhand Bookkeeping as a third-party service provider, in accordance with PIPA Sections 14–18.
- We will use employee information strictly for the payroll processing purposes specified by you and will not use it for any other purpose.
- All security safeguards described in this policy apply equally to employee information.
- Employee information is subject to the same retention and destruction policies as client information.
8. How Long We Retain Your Information
- Active clients — We retain your financial records for the duration of our engagement
- After termination — We retain records for a minimum of 7 years from the end of the tax year to which they relate, or from the end of the engagement, whichever is later, in compliance with record-keeping requirements under the Income Tax Act and Excise Tax Act
- After the retention period — Records are securely destroyed (digital files permanently deleted from all systems including backups, physical documents shredded). Cloud-based backups (e.g., QuickBooks Online) are removed by deactivating client access and purging data per the provider's deletion process. Local backups, if any, are overwritten or securely erased.
- SINs and sensitive identifiers — Retained within filed records (e.g., T4s) for the required retention period, but removed from standalone working documents once the specific filing purpose is complete
- Non-tax records (general correspondence, notes, communications) — Retained for a reasonable period after use (minimum 1 year as a best practice), then securely destroyed
You may request deletion of your information at any time, subject to our legal obligation to retain records under CRA requirements.
9. Your Rights Under PIPA
As our client, you have the right to:
- Access your personal information held by us
- Request corrections to any inaccurate information
- Withdraw your consent for us to collect, use, or disclose your information (see Section 3 for details)
- File a complaint with the Office of the Information and Privacy Commissioner of Alberta (OIPC) if you believe your privacy rights have been violated
Access and Correction Requests
We will respond to access and correction requests within 45 days, as required by PIPA. If we require additional time (up to 30 additional days), we will notify you with reasons. There is no fee for standard access requests. We may refuse access in limited circumstances as permitted by PIPA (e.g., where disclosure would reveal another individual's personal information).
Filing a Complaint
If you are not satisfied with our response to a privacy concern, you may contact:
Office of the Information and Privacy Commissioner of Alberta (OIPC)
Phone: 780-422-6860
Toll-free: 1-888-878-4044
Website: www.oipc.ab.ca
10. Breach Notification
In the event of a privacy breach involving your personal information:
- We will assess the breach immediately to determine the scope, nature, and whether it creates a real risk of significant harm (RROSH) to any individual, considering the sensitivity of the information involved and the probability that it will be misused
- We will notify you without unreasonable delay after confirming a breach, including:
  - A description of what happened
  - What information was involved
  - What steps we are taking to contain the breach and reduce the risk of harm
  - What you can do to protect yourself
  - Our contact information for follow-up questions
- If the breach creates a real risk of significant harm, we will also notify:
  - The Office of the Information and Privacy Commissioner of Alberta (OIPC), as required by PIPA Section 34.1
  - Any other parties as required by law
- We will document all breaches (whether or not they meet the RROSH threshold) and our response, and take steps to prevent recurrence. Breach records are maintained for a minimum of 2 years.
11. Website Visitors & Prospective Clients
If you visit our website (steadyhandbookkeeping.ca) or contact us via phone or email without becoming a client, we may collect limited information such as your name, email address, and the content of your inquiry.
- This information is used solely to respond to your inquiry and is not shared with any third party
- If you do not become a client, your inquiry information will be deleted within 12 months
- Our website is hosted on Cloudflare Pages. Cloudflare may collect basic analytics data (page views, country of origin). We do not use cookies, tracking pixels, or third-party analytics tools beyond what the hosting platform provides.
12. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be communicated to active clients via email and will take effect on the date specified. The updated policy will be made available on our website.
13. Contact Us
If you have any questions about this privacy policy or how we handle your information, please contact:
Steadyhand Bookkeeping
Jory Moisan-Poitras, Owner & Privacy Officer
Red Deer, Alberta
This privacy policy is designed to comply with Alberta's Personal Information Protection Act (PIPA). It is not legal advice. For legal guidance, consult a qualified privacy professional.