Privacy Policy

Effective April 18, 2026

SteepedBooks is operated by Sirrius Office Inc. (“we,” “us,” or “our”), based in the Greater Toronto Area, Canada. This Privacy Policy explains how we collect, use, and protect your information when you use the SteepedBooks application and website.

Information We Collect

Account information

When you create an account, we collect your email address and password. Passwords are hashed and never stored in plain text. We use this information to create and manage your SteepedBooks account through Supabase Auth.

Google Drive data

During onboarding, you connect your Google Drive using the drive.file scope. This allows us to create and manage files only within the SteepedBooks folder in your Drive. We cannot access any other files in your Google account. Your receipts, bank statements, invoices, and year-end packages are stored in your own Google Drive.

Operational data

We store operational data in Supabase Postgres, including transaction metadata, categorization rules, invoice records, HST calculations, and AI-learned patterns. This data is used to operate the service. Google Drive is the source of truth for your files; Supabase is an operational cache.

Uploaded documents

When you upload receipts, bank statements, or other financial documents, we process them to extract transaction data using AI. The extracted data is stored in your Supabase record and synced to your Google Drive. Original documents are stored in your Google Drive.

Phone number

If you use SMS receipt capture, we collect your phone number during onboarding to identify you when you text receipt photos to our Twilio number.

Payment information

If you subscribe to the Pro plan, your payment is processed by Stripe. We do not store your credit card number. We receive only a customer ID and subscription status from Stripe.

Usage data

We collect usage analytics through PostHog, including page views, feature usage, and performance metrics. This data helps us improve the service.

How We Use Your Information

  • To provide and maintain the SteepedBooks service
  • To process your uploaded documents (receipts, bank statements) and extract transaction data using AI
  • To categorize transactions and calculate HST/GST/PST
  • To generate and send invoices on your behalf
  • To process subscription payments
  • To send you email reminders (HST deadlines, weekly digests, onboarding sequences)
  • To communicate with you about your account, service updates, and support requests
  • To improve and develop new features
  • To generate anonymised, aggregate insights and benchmarks for the benefit of all users (see the Anonymised and Aggregate Data section below)

Anonymised and Aggregate Data

We may create anonymised, aggregate datasets from usage patterns across our user base. This data is stripped of all personally identifiable information and cannot be linked back to any individual user, business, or transaction.

We use this anonymised data to:

  • Provide benchmarking features (e.g., comparing your expense ratios to anonymised industry averages)
  • Produce aggregate trend reports and business insights shared in our newsletter
  • Improve AI categorisation accuracy across the platform
  • Understand seasonal patterns and regional economic trends to better serve Canadian small businesses

We never sell individual user data. Anonymised aggregate insights may be shared publicly (e.g., in blog posts or reports) but will never contain information that could identify you or your business.

Data Storage and Residency

Your files live in YOUR Google Drive.

Receipts, bank statements, invoices, and year-end packages are stored in a SteepedBooks folder within your own Google Drive. If you cancel your account, these files remain in your Drive. They are yours, always.

Application hosting: Our application is hosted on DigitalOcean App Platform in the Toronto, Canada region.

Database: Operational data is stored in Supabase Postgres. Supabase’s default region may process data in the United States. We disclose this because transparency matters, even though bookkeeping data is not considered protected health information (PHI) under Canadian law.

Internal file storage: Internal files (not customer data) are stored on DigitalOcean Spaces in the Toronto region.

PIPEDA permits cross-border data transfers with disclosure. This section serves as that disclosure.

Third-Party Services

We use the following third-party services to operate SteepedBooks:

  • Supabase: Database and authentication. Stores operational data including transaction metadata, categorization rules, and account information. Subject to Supabase’s Privacy Policy.
  • Google (Drive API): For storing your bookkeeping files in your own Google Drive. We use the drive.file scope, which limits our access to files we create. Subject to Google’s Privacy Policy.
  • Anthropic (Claude AI): For processing uploaded receipts, bank statements, and payroll registers. Document content is sent to Anthropic’s API for extraction and is not retained by Anthropic beyond the API request. Subject to Anthropic’s Privacy Policy.
  • Stripe: For processing subscription payments and invoice payments from your clients via Stripe Connect. We do not store your payment card details. Subject to Stripe’s Privacy Policy.
  • Twilio: For SMS/MMS receipt capture. Your phone number and receipt images are processed through Twilio. Subject to Twilio’s Privacy Policy.
  • Resend: For sending transactional emails (invoices, reminders, onboarding sequences). Subject to Resend’s Privacy Policy.

Data Security

We use industry-standard security measures to protect your data. All communication between your browser and our servers is encrypted using TLS 1.3. Supabase provides row-level security (RLS) to ensure each customer’s data is isolated at the database level. We never store bank credentials because our architecture does not require bank API connections.

Account Deletion

You can request account deletion at any time. When you delete your account:

  • All operational data in Supabase (transaction metadata, categorization rules, account settings) will be permanently deleted within 30 days.
  • Your Google Drive files (receipts, statements, invoices, year-end packages) remain in your Drive. They are yours.
  • Your Stripe subscription will be cancelled.
  • Your SMS phone number will be unregistered from our system.

Your Rights

Under PIPEDA, you have the right to:

  • Access your data: Your files are already in your Google Drive. You can request a copy of your operational data at any time.
  • Correct your data: You can update your account information and business profile at any time through the application.
  • Delete your account: You can request full account deletion. Operational data is purged within 30 days.
  • Revoke Google Drive access: You can revoke SteepedBooks’ access to your Google Drive at any time through your Google account settings.
  • Withdraw consent: You can opt out of non-essential communications at any time through the Reminders settings in the application.

PIPEDA Compliance

SteepedBooks is operated by Sirrius Office Inc., a Canadian corporation. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. We maintain procedures for responding to privacy breaches in accordance with PIPEDA requirements, including mandatory breach notification to affected individuals and the Office of the Privacy Commissioner of Canada when warranted.

Children’s Privacy

SteepedBooks is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or by posting a notice in the application. Your continued use of SteepedBooks after changes are posted constitutes your acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: [email protected]

Company: Sirrius Office Inc.
Greater Toronto Area, Ontario, Canada