Privacy Policy

Last Updated: February 10, 2026

1. Introduction

MyCPACRM ("we", "us", "our") is a client relationship management platform designed for accounting and tax filing firms across the United States and Canada. We are committed to protecting the personal information entrusted to us by our users and their clients in accordance with the privacy laws of both jurisdictions.

Canadian users are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including Alberta's PIPA, BC's PIPA, and Quebec's Law 25). US users are protected under the California Consumer Privacy Act (CCPA / CPRA), the Virginia Consumer Data Protection Act (VCDPA) and similar state laws, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for financial institutions, and IRS Publication 4557 (Safeguarding Taxpayer Data).

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights regarding your data — applying these protections regardless of which side of the border you operate from.

2. Accountability

MyCPACRM is accountable for all personal information under its control. Our designated Privacy Officer can be reached at:

Privacy Officer

Email: privacy@mycpacrm.com

Each accounting firm using MyCPACRM is a separate data controller for its own client data. MyCPACRM acts as a data processor on behalf of these firms.

3. Purposes of Collection

We collect and use personal information only for the following identified purposes:

Data Category | Purpose | Legal Basis
Name, address, email, phone | Client identification, communication, and service delivery | Consent + contractual necessity
Social Security Number (SSN) — US | Required for filing personal tax returns (Form 1040) with the IRS | Legal obligation (Internal Revenue Code)
Employer Identification Number (EIN) — US | Required for filing corporate (1120, 1120-S), partnership (1065), payroll, and information returns with the IRS | Legal obligation (Internal Revenue Code)
Social Insurance Number (SIN) — Canada | Required for filing personal tax returns (T1) with CRA | Legal obligation (Income Tax Act)
Business Number (BN) — Canada | Required for filing corporate (T2), GST/HST, payroll returns with CRA | Legal obligation (Income Tax Act, Excise Tax Act)
Tax filing details (income, deductions, dates) | Preparation and filing of tax returns and compliance tracking | Consent + contractual necessity
Documents (W-2, 1099, T-slips, receipts, IRS / CRA correspondence) | Supporting documentation for tax filings and audit readiness (IRS or CRA) | Legal obligation (record-keeping requirements)
User account information (staff login, email) | Authentication, access control, and audit logging | Contractual necessity
Activity logs and session data | Security monitoring, audit trail, and accountability under PIPEDA, GLBA Safeguards Rule, and IRS Publication 4557 | Legitimate interest (security)

We do not use personal information for purposes other than those identified above without obtaining further consent.

4. Consent

We obtain meaningful consent before or at the time of collecting personal information. Consent is recorded in the system with a full audit trail, including date, method, and type.

  • Express consent is obtained for sensitive information such as SSN, SIN, EIN, BN, and financial data
  • Implied consent may apply when a client engages the accounting firm for tax preparation services
  • Clients may withdraw consent at any time by contacting their accounting firm or through the client portal. Withdrawal does not affect the legality of processing performed before withdrawal.
  • Note: Certain data must be retained regardless of consent withdrawal to comply with IRS record-keeping requirements (typically 3 years general, 6 years for substantial understatement, 7 years for bad debt / worthless securities) and CRA record-keeping requirements (6 years from the end of the tax year)

5. Limiting Collection

We collect only the personal information that is necessary for the purposes identified in Section 3. We do not collect information indiscriminately. SSN, EIN, SIN, and BN are collected solely because they are required by law for tax filing — with the Internal Revenue Service (IRS) for US clients and the Canada Revenue Agency (CRA) for Canadian clients.

6. Limiting Use, Disclosure, and Retention

Use and Disclosure

Personal information is used only for the purposes for which it was collected. We do not sell, rent, or trade personal information. Information may be disclosed only:

  • To the Internal Revenue Service (US) or Canada Revenue Agency (Canada) as required for tax filing
  • To state tax agencies (US) or provincial tax authorities (Canada, e.g. Revenu Québec) as required for jurisdictional filings
  • To the client's accounting firm staff who need it to provide services
  • When required by law, regulation, court order, or subpoena
  • With the individual's explicit consent

Retention

Personal information is retained only as long as necessary to fulfill the purposes for which it was collected, subject to legal requirements:

Data Type | Retention Period | Reason
Tax filings and supporting documents | 7 years after the tax year | Covers CRA's 6-year requirement (Canada) and IRS's typical 3–7 year window (US — varies with substantial understatement, NOL carryforwards, or worthless-securities claims); 7 years provides a safety buffer for both
Client profile data | Duration of client relationship + 7 years | IRS / CRA record-keeping plus potential reassessment
Consent records | 7 years after last interaction | Proof of consent for PIPEDA, CCPA / CPRA, and GLBA compliance
Activity and audit logs | 3 years | Security monitoring and compliance auditing (incl. IRS Pub 4557)
Inactive client data | Archived after 2 years of inactivity | Data minimization while respecting IRS / CRA retention

After the retention period expires, personal information is securely deleted or anonymized.

7. Accuracy

We take reasonable steps to ensure that personal information is accurate, complete, and up-to-date:

  • Clients can view and update their information through the client portal
  • Accounting firm staff can correct client records at any time
  • Clients are encouraged to notify their accountant of any changes to their personal information

8. Safeguards

We protect personal information with security safeguards appropriate to the sensitivity of the data:

  • Encryption at rest: SIN, Business Numbers, and other sensitive identifiers are encrypted using industry-standard encryption before storage
  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Access control: Role-based access with per-user custom permissions
  • Authentication: Strong password policy (12+ characters, complexity requirements), optional two-factor authentication (OTP), HttpOnly secure session cookies
  • Account protection: Automatic account lockout after failed login attempts, rate limiting on authentication endpoints
  • Audit logging: All access to sensitive data is logged, including who accessed what and when
  • Data isolation: Each accounting firm's data is strictly separated and protected
  • File validation: Uploaded documents are validated for type and content integrity
  • Admin verification: Administrative actions (password changes, user management) require re-authentication

9. Openness

This Privacy Policy is readily available on our website, login pages, client portal, and consent forms. We will notify users of any material changes to this policy.

10. Individual Access

Individuals have the right to:

  • Access all personal information we hold about them. Requests can be made through the client portal or by contacting the accounting firm. Administrators can generate a complete data export in JSON format.
  • Correct any inaccurate or incomplete personal information
  • Request deletion of personal information, subject to legal retention requirements (IRS minimum 3 years and up to 7; CRA minimum 6 years for tax records)
  • Withdraw consent at any time, with the understanding that this may affect the firm's ability to provide services

Access requests will be responded to within 30 days, as required by PIPEDA. CCPA / CPRA verifiable consumer requests for California residents will be responded to within 45 days (extendable by an additional 45 days when reasonably necessary, with notice).

10b. US-Specific Privacy Rights

In addition to the access, correction, deletion, and consent-withdrawal rights described in Section 10, US users have the following rights under applicable state law:

  • Right to Know (CCPA / CPRA, VCDPA, similar state laws): What categories and specific pieces of personal information we have collected, the sources, the business purposes, and any third parties with whom it has been shared.
  • Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. There is therefore no "Do Not Sell or Share My Personal Information" link on this site, but you may submit a written confirmation request to privacy@mycpacrm.com.
  • Right to Limit Use of Sensitive Personal Information (CPRA): Sensitive identifiers (SSN, EIN, financial account numbers) are used only for the strictly necessary tax-filing purposes described in Section 3.
  • Right to Non-Discrimination: We will not deny services, charge different prices, or provide a different level of service because you exercised a privacy right.
  • Authorized Agent: California residents may designate an authorized agent to make a request on their behalf. We will require written authorization and proof of identity.

Under the GLBA Safeguards Rule, MyCPACRM maintains administrative, technical, and physical safeguards designed to ensure the security and confidentiality of customer information, protect against anticipated threats, and protect against unauthorized access.

11. Challenging Compliance

Individuals may challenge our compliance with this Privacy Policy by contacting our Privacy Officer:

Privacy Inquiries and Complaints

Email: privacy@mycpacrm.com

We will investigate all complaints and respond within 30 days.

If you are not satisfied with our response, you have the right to escalate to your jurisdiction's regulator:

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to users through the application and updated on this page. The "Last Updated" date at the top of this policy indicates when the most recent revision was made.

Contact Us

If you have any questions about this Privacy Policy:

Mailing Address (Privacy Officer):

Gagan Kambo
MyCPACRM Privacy Officer
8-17 Worthington Ave
Brampton, ON L7A 2Y7
Canada