Privacy Policy

Last updated: 2026-06-17

This Privacy Policy describes how En6ia Invoicing collects, uses, shares, retains, and protects personal information. It is written to comply with Quebec's Act respecting the protection of personal information in the private sector (Law 25) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Information we collect

Account information: your name, email address, password (stored hashed via Supabase Auth), business legal name, address, GST and QST registration numbers, and brand customization. Customer data you upload: client and sub-customer records, invoices, quotations, expenses, receipts, time entries, project information, and any documents you attach. Financial data: bank routing details if you enter them in invoice templates, Stripe customer identifiers if you connect Stripe, and payment activity recorded against invoices. Usage data: pages visited, features used, error logs, IP address, browser type, and timestamps. This is collected automatically when you use the service. AI processing data: when you use AI-assisted features such as the receipt scanner, the binary content of the file you upload (which may contain receipt printed text, vendor and merchant details, and a portion of your payment card if printed on the receipt) is transmitted to the AI provider you have configured (or the En6ia-managed pool provider if you have opted in).

2. How we use your information

To provide and improve the service, including authenticating you, rendering your invoices, processing your AI requests, sending notifications, and reconciling payments. To communicate with you about your account, including transactional emails (invoice send confirmations, dunning reminders, password resets), service announcements, and security alerts. To comply with legal obligations, including Quebec record-keeping rules, Canadian anti-spam (CASL) compliance for transactional email, and tax-audit requests. To monitor and improve security, including detecting and preventing fraud, abuse, and unauthorized access. We do NOT use your data to train AI models. Pooled-mode AI providers we route requests through have contractually agreed not to train on our customer data; BYOK customers contract directly with their chosen provider.

3. Sharing and subprocessors

We share personal information with subprocessors to operate the service: Supabase (database and authentication, US/Canada), Vercel (hosting and edge functions, US), Resend (transactional email, US), Stripe (payment processing, US/Canada, only if you enable it), Cloudflare (DNS, US), Sentry (error monitoring, US), and the AI providers you select for AI-assisted features. We do not sell or rent your personal information to advertisers, data brokers, or third parties.

View the complete subprocessor list with jurisdictions, retention, and PIA links

4. Data retention

Account data is retained for the duration of your subscription. After cancellation, you have 30 days to export your data via the data-export endpoints. After 30 days, account data may be deleted, except where retention is required by law. Financial records, including invoices, expenses, payments, and any related correspondence, are retained for 6 years per Quebec record-keeping rules. AI usage events are retained for 6 years and 11 months for Revenu Québec tax-audit substantiation and then automatically purged by our nightly retention cron. Revoked AI provider API keys are kept in encrypted-but-revoked state for a 30-day grace period (so revocation can be undone if mistaken), then zero-overwritten with an audit trail recorded. Activity logs (who did what, when) are retained as long as the related business records. Backups are retained for 30 days on a rolling basis.

5. Your rights (Loi 25 art. 27 + 28.1, PIPEDA)

Under Quebec Loi 25 article 27 you have the right to: access the personal information we hold about you; correct it if it is inaccurate, incomplete, or ambiguous; receive a copy in a structured, commonly used format. Under Loi 25 article 28.1 you may withdraw consent to a specific processing activity, including AI processing, at any time, and request erasure of your personal information. To exercise any of these rights, contact our Privacy Officer (section 11 below). We respond within the 30-day window required by Loi 25. We may need to verify your identity before fulfilling a request. Some information cannot be deleted on request where retention is required by law (for example, financial records required by Quebec record-keeping rules).

6. Cookies and similar technologies

We use first-party cookies strictly necessary to operate the service: a session cookie to keep you signed in, a locale cookie to remember your language preference, and a CSRF cookie to protect form submissions. We do not use third-party advertising cookies or cross-site tracking. We do not have a 'Do Not Track' setting but we do not engage in any cross-site tracking that the setting would affect.

7. Security

We protect your data in transit with TLS 1.3 and at rest with AES-256 encryption at the Supabase and Vercel layers. AI provider API keys you store with us are individually encrypted with AES-256-GCM using a master secret held in Vercel environment variables, never written to logs. Receipts and other uploaded files are stored in private Supabase Storage buckets gated by row-level-security policies. We log every plaintext-key access event to an immutable activity log for audit. We employ defence-in-depth security including SSRF protection for tenant-supplied URLs, rate limiting on sensitive routes, magic-byte verification on file uploads, and constant-time comparison on shared secrets. No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and the appropriate regulators within the time required by Loi 25 and PIPEDA.

8. International transfers

Some of our subprocessors are located in the United States (notably Supabase, Vercel, Resend, Stripe, the AI providers, Sentry, Cloudflare). When we transfer your personal information outside Quebec, we ensure adequate protection by signing data processing agreements that include the Standard Contractual Clauses required by Canadian privacy law. The complete list of subprocessors, the country each operates from, and the protection measures applied is at en6ia.com/legal/subprocessors.

9. Operator access to your data

En6ia operator staff may enter "tenant view" mode (read-only) for support or incident response. When this happens: every page they view is recorded in your activity feed in real-time; the reason for entering tenant view is shown alongside each session; sessions are time-bound to 60 minutes; each operator may run a maximum of 3 sessions per hour; the operator cannot modify your data during tenant view — only read it; mutations the operator performs while in tenant view route to their own account, not yours. You can review every operator session that ever touched your data at /portal/audit/operator-access in your portal. To request a complete audit log export, email privacy@en6ia.com.

10. Children's privacy

En6ia Invoicing is a business-to-business service intended for users 18 years or older. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact our Privacy Officer and we will take steps to delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes, including changes to the categories of personal information collected, the purposes for processing, or the subprocessor list, will be announced at least 30 days in advance via email to your account email and via a notice in the application. The most recent version is always posted at en6ia.com/legal/privacy.

12. Privacy Officer (Loi 25 art. 8.2)

Iulian Enescu serves as En6ia's Privacy Officer, responsible for the protection of personal information. To exercise any right granted by Loi 25 or PIPEDA, report a concern, or request information about our practices, contact iulian.enescu@icloud.com. We respond to access and erasure requests within the 30-day window required by Law 25.