Privacy and Security

Fiscal Flow Privacy Policy

This policy explains what data we collect, how we use it, and how your rights are protected under PIPEDA and applicable Canadian privacy law.

Last updated: February 27, 2026
Operated by ITSMyFix, Canada

The short version
Your bank credentials never touch our servers. Financial data is used in-session in the app, and you can revoke access and request deletion at any time.

1. Who We Are

Fiscal Flow ("we", "us", "our") is a Canadian personal finance application operated by ITSMyFix (muhammad@itsmyfix.com). This policy explains what data we collect, how we use it, and your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy law.

2. What We Collect

Data | Source | Purpose
Apple ID (user identifier) | Sign in with Apple | Authentication, session management
First name, last name | Sign in with Apple (first login only) | Personalisation (Settings display)
Email address | Sign in with Apple (optional) | Account recovery
Bank account names and balances | Plaid API | Dashboard, budgeting features
Transaction history (90 days) | Plaid API | Spending analysis, AI insights
Budget categories | Derived from transactions | Budget tracking

We do not collect:

  • Bank login credentials (handled entirely by Plaid)
  • Social Insurance Number or government ID
  • Payment card numbers
  • Location data
  • Device identifiers beyond what Apple provides

3. How We Use Your Data

  • Provide the service - display your accounts, transactions, and budget in the app
  • AI features - Apple Intelligence (on-device only, never leaves your iPhone) analyses your transactions to generate insights and anomaly alerts
  • Service improvement - aggregate, anonymised usage patterns only (no personal data)

We do not sell your data. We do not share your data with advertisers.

4. How Your Data Is Protected

  • Bank credentials are never seen or stored by Fiscal Flow - Plaid handles bank authentication directly
  • Financial data fetched from Plaid is used in-session only and is not persisted to device storage or any remote database
  • Your Apple ID session token is stored in the iOS Keychain - AES-256 encrypted and hardware-protected by the iPhone Secure Enclave
  • All data in transit is encrypted with TLS 1.2 or higher
  • Plaid access tokens are stored in AWS Secrets Manager with AES-256 encryption

5. Data Retention

Data | Retention Period
Apple ID session (Keychain) | Until you sign out or uninstall the app
Bank account and transaction data | Session only - cleared on sign out or app close
Plaid access tokens (server) | Until you disconnect your bank or request deletion
Inactive accounts | Tokens revoked after 12 months of inactivity
Server access logs | 90 days, then automatically deleted

6. Your Rights (PIPEDA)

As a Canadian resident, you have the right to:

  • Access - request a copy of any personal data we hold about you
  • Correction - request correction of inaccurate data
  • Deletion - request deletion of all your data (see Section 7)
  • Withdraw consent - at any time, for any reason
  • Complain - to the Office of the Privacy Commissioner of Canada if you believe we violated PIPEDA: www.priv.gc.ca

To exercise these rights, contact privacy@itsmyfix.com. Response time: within 30 days.

7. Data Deletion

In the app (instant, no support ticket needed)
Settings > Disconnect Bank - permanently revokes Plaid access and deletes your token from our server.

Settings > Sign Out - clears all session data and personal info from your device.

To request deletion by email, send "Data Deletion Request" to privacy@itsmyfix.com. We will delete all server-side tokens and confirm within 30 days.

8. Third-Party Services

Plaid Technologies Inc. - We use Plaid to connect to your bank. Plaid is PIPEDA-compliant and SOC 2 Type II certified. Plaid's Privacy Policy: plaid.com/legal/privacy-policy. You can manage or revoke Plaid access at my.plaid.com.

Apple (Sign in with Apple) - Apple's Privacy Policy: apple.com/legal/privacy.

Amazon Web Services - Our server infrastructure runs on AWS in Canada/US-East. AWS is SOC 2 Type II and ISO 27001 certified. AWS Privacy: aws.amazon.com/privacy.

9. Children's Privacy

Fiscal Flow is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided personal data, contact privacy@itsmyfix.com and we will delete it immediately.

10. Changes to This Policy

We will notify you of material changes via an in-app notice at least 30 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the app after the effective date constitutes acceptance of the updated policy.

11. Contact

Privacy Officer: Muhammad Hassan

Email: privacy@itsmyfix.com

General: muhammad@itsmyfix.com

Support: support@itsmyfix.com

Mailing: ITSMyFix, Canada