1. Who We Are
Fiscal Flow ("we", "us", "our") is a Canadian personal finance application operated by ITSMyFix (muhammad@itsmyfix.com). This policy explains what data we collect, how we use it, and your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy law.
2. What We Collect
| Data | Source | Purpose |
|---|---|---|
| Apple ID (user identifier) | Sign in with Apple | Authentication, session management |
| First name, last name | Sign in with Apple (first login only) | Personalisation (Settings display) |
| Email address | Sign in with Apple (optional) | Account recovery |
| Bank account names and balances | Plaid API | Dashboard, budgeting features |
| Transaction history (90 days) | Plaid API | Spending analysis, AI insights |
| Budget categories | Derived from transactions | Budget tracking |

We do not collect:
- Bank login credentials (handled entirely by Plaid)
- Social Insurance Number or government ID
- Payment card numbers
- Location data
- Device identifiers beyond what Apple provides
3. How We Use Your Data
- Provide the service - display your accounts, transactions, and budget in the app
- AI features - Apple Intelligence (on-device only, never leaves your iPhone) analyses your transactions to generate insights and anomaly alerts
- Service improvement - aggregate, anonymised usage patterns only (no personal data)

We do not sell your data. We do not share your data with advertisers.
4. How Your Data Is Protected
- Bank credentials are never seen or stored by Fiscal Flow - Plaid handles bank authentication directly
- Financial data fetched from Plaid is used in-session only and is not persisted to device storage or any remote database
- Your Apple ID session token is stored in the iOS Keychain - AES-256 encrypted and hardware-protected by the iPhone Secure Enclave
- All data in transit is encrypted with TLS 1.2 or higher
- Plaid access tokens are stored in AWS Secrets Manager with AES-256 encryption
5. Data Retention
| Data | Retention Period |
|---|---|
| Apple ID session (Keychain) | Until you sign out or uninstall the app |
| Bank account and transaction data | Session only - cleared on sign out or app close |
| Plaid access tokens (server) | Until you disconnect your bank or request deletion |
| Inactive accounts | Tokens revoked after 12 months of inactivity |
| Server access logs | 90 days, then automatically deleted |
6. Your Rights (PIPEDA)
As a Canadian resident, you have the right to:
- Access - request a copy of any personal data we hold about you
- Correction - request correction of inaccurate data
- Deletion - request deletion of all your data (see Section 7)
- Withdraw consent - at any time, for any reason
- Complain - to the Office of the Privacy Commissioner of Canada if you believe we violated PIPEDA: www.priv.gc.ca

To exercise these rights, contact privacy@itsmyfix.com. Response time: within 30 days.
7. Data Deletion
Settings > Disconnect Bank - permanently revokes Plaid access and deletes your token from our server.
Settings > Sign Out - clears all session data and personal info from your device.
To request deletion by email, send "Data Deletion Request" to privacy@itsmyfix.com. We will delete all server-side tokens and confirm within 30 days.
8. Third-Party Services
Plaid Technologies Inc. - We use Plaid to connect to your bank. Plaid is PIPEDA-compliant and SOC 2 Type II certified. Plaid's Privacy Policy: plaid.com/legal/privacy-policy. You can manage or revoke Plaid access at my.plaid.com.
Apple (Sign in with Apple) - Apple's Privacy Policy: apple.com/legal/privacy.
Amazon Web Services - Our server infrastructure runs on AWS in Canada/US-East. AWS is SOC 2 Type II and ISO 27001 certified. AWS Privacy: aws.amazon.com/privacy.
9. Children's Privacy
Fiscal Flow is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided personal data, contact privacy@itsmyfix.com and we will delete it immediately.
10. Changes to This Policy
We will notify you of material changes via an in-app notice at least 30 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the app after the effective date constitutes acceptance of the updated policy.
11. Contact
Privacy Officer: Muhammad Hassan
Email: privacy@itsmyfix.com
General: muhammad@itsmyfix.com
Support: support@itsmyfix.com
Mailing: ITSMyFix, Canada