Privacy Policy

Effective Date: May 31, 2026
Last Updated: May 31, 2026, added AFO data retention rows
Governing Legislation: PIPEDA (Canada)

YBAWS! Inc. is committed to protecting the privacy of the personal information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information in compliance with the Personal Information Protection and Electronic Documents Act ("PIPEDA"), S.C. 2000, c. 5, and all 10 PIPEDA Fair Information Principles.

Overview and Scope

YBAWS! Inc. ("YBAWS!", "we", "us", or "our") is a technology company incorporated under the laws of Ontario, Canada. We operate an integrated platform serving Canadian CPA firms and their clients, comprising a document collection portal, an SBL financing facilitation tool, a digital estate vault, and a professional network layer.

This Privacy Policy applies to all personal information collected, used, or disclosed by YBAWS! in connection with the operation of our platform at ybaws.ca and any related subdomains or applications. It applies to all users, including CPA firm administrators, individual team members, and end clients who access the platform at the invitation of their CPA firm.

This Policy does not apply to the Still Here wellness application, which is governed by a separate privacy policy. Still Here wellness data, if integrated with the estate vault, is handled under the terms disclosed at the point of that integration.

By using our platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use our services.

PIPEDA Fair Information Principles

The following ten sections correspond directly to the ten Fair Information Principles set out in Schedule 1 of PIPEDA. This structure ensures full transparency about our data practices and your rights under Canadian privacy law.

Principle 1: Accountability

YBAWS! Inc. is responsible for personal information under its control and has designated a Privacy Officer accountable for the organization's compliance with PIPEDA.

Privacy Officer Contact:
Email: privacy@ybaws.ca
Mailing Address: YBAWS! Inc., Privacy Officer, Toronto, Ontario, Canada

The Privacy Officer is responsible for:

  • Overseeing compliance with this Privacy Policy and PIPEDA;
  • Ensuring that sub-processors and third-party service providers who handle personal information on our behalf provide comparable levels of protection;
  • Receiving and responding to privacy complaints and access requests from individuals;
  • Training YBAWS! staff on privacy obligations; and
  • Conducting periodic reviews of privacy practices to ensure continued compliance.

Where personal information is transferred to third parties for processing, YBAWS! uses contractual means to ensure comparable protection is maintained. A list of key sub-processors is provided in the "Data Sharing" section below.

Principle 2: Identifying Purposes

YBAWS! identifies the purposes for which personal information is collected at or before the time of collection. We collect personal information for the following purposes:

  • Account creation and management: To register and maintain your YBAWS! account, verify your identity, manage your subscription, and communicate with you about your account.
  • Service delivery: To provide the document collection, SBL financing facilitation, estate vault, and professional network features of the platform.
  • Billing and payment processing: To process subscription payments, generate invoices, and manage billing inquiries.
  • Customer support: To respond to your support requests, investigate complaints, and improve the Service.
  • Security and fraud prevention: To monitor for unauthorized access, detect and prevent fraud, and maintain the integrity and security of the platform.
  • Legal and regulatory compliance: To comply with applicable laws, professional regulatory requirements, and court orders, and to enforce our Terms of Service.
  • Service improvement and model training: To analyze and assimilate platform data — including individual-level data, but excluding zero-knowledge vault contents — to operate, train, and continuously improve the platform, its models, and its services.
  • Communications: To send service-related notices, security alerts, and, with your consent, product updates and announcements.

We do not collect personal information indiscriminately. Each category of information we collect is necessary for at least one of the purposes listed above.

Principle 3: Consent

YBAWS! obtains meaningful consent for the collection, use, and disclosure of personal information, taking into account the sensitivity of the information involved.

Express Consent

We obtain express (opt-in) consent for:

  • The collection of sensitive financial or personal information uploaded to the document collection portal or estate vault;
  • The sharing of your contact information with professionals through the professional network feature;
  • Sending you marketing or promotional communications; and
  • Any new purpose that arises after the time of original collection that is not described in this Policy.

Implied Consent

We rely on implied consent, derived from the context of the transaction, for:

  • Processing account registration data to create and manage your account;
  • Processing billing information to fulfill your subscription; and
  • Sending transactional emails directly necessary to deliver the Service (e.g., document request notifications, vault release alerts, security notifications).

Withdrawing Consent

You may withdraw consent at any time, subject to legal and contractual restrictions. To withdraw consent for non-essential data processing, or to opt out of marketing communications, please contact our Privacy Officer at privacy@ybaws.ca or update your communication preferences in your account settings. Note that withdrawing consent for essential data processing may mean we can no longer provide the Service to you.

Principle 4: Limiting Collection

YBAWS! limits the collection of personal information to that which is necessary for the identified purposes. We collect information by fair and lawful means.

We do not collect personal information from publicly available sources without consent. We do not purchase or obtain personal information from data brokers. We do not collect more information than is reasonably necessary for the delivery and improvement of the Service.

A detailed breakdown of the specific categories of information we collect is provided in the "Types of Data We Collect" section below.

Principle 5: Limiting Use, Disclosure, and Retention

Personal information is used or disclosed only for the purposes for which it was collected, except where required by law or with your additional consent.

Use Limitations

We will not use your personal information for purposes other than those described in this Policy. Specifically:

  • We will not sell, rent, or trade personal information to third parties for their own commercial purposes.
  • We use platform data, including individual-level data (other than zero-knowledge vault contents), to operate, train, and improve the platform and its models, as described under Principle 2. This use is internal to the delivery and improvement of the Service; we do not sell identifiable client data to third parties.
  • We will not use vault contents for any purpose; we architecturally cannot access them.

Disclosure

We may disclose personal information only in the following circumstances:

  • To sub-processors and service providers who assist us in delivering the Service, under binding data processing agreements (see "Data Sharing" section);
  • To comply with a legal obligation, court order, or regulatory requirement;
  • To protect the security, safety, or rights of YBAWS!, our users, or third parties in cases of actual or suspected fraud, unauthorized access, or other illegal activity;
  • In connection with a merger, acquisition, or sale of all or substantially all of YBAWS!'s assets, provided that the acquiring party agrees to be bound by terms at least as protective as this Privacy Policy; or
  • With your express consent for any other purpose.

Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. A detailed retention schedule is provided in the "Retention Schedule" section below.

Principle 6: Accuracy

YBAWS! takes reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.

Account holders are responsible for keeping their account information accurate and current. You may update your account information at any time through the account settings page. If you believe that any personal information we hold about you is inaccurate or incomplete, you may submit a correction request to our Privacy Officer at privacy@ybaws.ca. We will respond to correction requests within 30 days.

We do not use personal information for decision-making purposes that would require a higher standard of accuracy without first confirming the accuracy of the information with the individual.

Principle 7: Safeguards

YBAWS! protects personal information with security safeguards appropriate to the sensitivity of the information. Our security measures include:

Technical Safeguards

  • Encryption in Transit: All data transmitted to and from the platform is encrypted using TLS 1.2 or higher. Connections using insecure protocols are refused.
  • Encryption at Rest: All data stored on YBAWS! servers is encrypted at rest using AES-256 encryption.
  • Zero-Knowledge Vault Encryption: Estate vault contents are encrypted client-side using end-to-end encryption before transmission to our servers. YBAWS! has no ability to decrypt vault contents.
  • Shamir's Secret Sharing: Vault release keys may be distributed among designated authorized contacts using Shamir's Secret Sharing cryptography, ensuring that no single party holds a complete key.
  • Blockchain Audit Trails: Critical vault events (creation, access attempts, release triggers) are logged to an immutable audit trail on the Polygon blockchain, providing a tamper-proof record of vault activity.
  • Multi-Factor Authentication (MFA): MFA is available and strongly recommended for all accounts. Firm administrators may enforce MFA requirements for all sub-accounts within their firm.
  • Access Controls: Access to personal information within our systems is restricted on a need-to-know basis. Employees with access to personal data are subject to confidentiality obligations.

Organizational Safeguards

  • Privacy and security training for all staff with access to personal data;
  • Regular security assessments and vulnerability scanning of our infrastructure;
  • A documented data breach response plan as described in the "Data Breach Notification" section below; and
  • Contractual security requirements imposed on all sub-processors.

No security measure is perfect. In the event of a data breach, we will respond as described in the "Data Breach Notification" section of this Policy.

Principle 8: Openness

YBAWS! makes information about its privacy policies and practices readily available to individuals through this Privacy Policy, which is publicly accessible on our website at ybaws.ca/privacy.

We are transparent about:

  • The name and contact information of our Privacy Officer;
  • The types of personal information we hold;
  • The purposes for which we use personal information;
  • The third parties to whom we disclose personal information; and
  • How individuals can access and correct their information.

Any individual may request a copy of this Policy or information about our privacy practices by contacting our Privacy Officer at privacy@ybaws.ca.

Principle 9: Individual Access

Upon written request, YBAWS! will inform individuals of the existence, use, and disclosure of their personal information and will give the individual access to that information, subject to applicable legal exceptions.

Your Rights

You have the right to:

  • Access: Request confirmation of whether we hold personal information about you, and receive a copy of that information in a readable format.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations (see "Retention Schedule") and the technical limitations of the zero-knowledge vault (which we cannot decrypt or delete on your behalf; deletion of vault contents requires your encryption credentials).
  • Portability: Request a machine-readable copy of the personal information we hold about you. This right applies to your personal information; it does not extend to YBAWS! Inc.'s proprietary work product or working materials (see our Terms of Service).
  • Withdrawal of Consent: Withdraw consent for non-essential data processing as described under Principle 3.

How to Make a Request

Access, correction, and deletion requests may be submitted to our Privacy Officer at privacy@ybaws.ca. We will acknowledge your request within 5 business days and respond substantively within 30 days of receiving a complete request. In exceptional circumstances, we may extend this period by up to an additional 30 days with written notice and explanation.

We may require sufficient identification to verify your identity before processing an access or correction request, to protect the security of your information.

We may refuse access in limited circumstances permitted by PIPEDA, such as where granting access would disclose personal information about a third party or where a legal privilege applies. We will provide written reasons for any refusal.

Principle 10: Challenging Compliance

You have the right to challenge YBAWS!'s compliance with PIPEDA and this Privacy Policy. If you have a concern about how we have handled your personal information, we encourage you to contact our Privacy Officer first so that we have an opportunity to address your concern directly.

Step 1: Contact our Privacy Officer:
Submit your complaint in writing to privacy@ybaws.ca. Please describe the nature of your concern in sufficient detail. We will acknowledge your complaint within 5 business days and respond substantively within 30 days.

Step 2: Escalate to the Office of the Privacy Commissioner:
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada ("OPC"):

  • Website: www.priv.gc.ca
  • Toll-free: 1-800-282-1376
  • Mailing Address: 30 Victoria Street, Gatineau, Quebec, K1A 1H3

We will cooperate fully with any investigation by the OPC and will take steps to remedy any compliance deficiencies identified.

Types of Data We Collect

YBAWS! collects the following categories of personal and operational information:

Account Data

Collected at registration and updated over time: name, professional email address, job title, CPA firm name, province of practice, billing address, payment method metadata (token provided by Stripe; we do not store card numbers), and account preferences.

Financial Documents

Documents uploaded through the document collection portal, including but not limited to: tax returns, financial statements, payroll records, corporate filings, and supporting schedules. These are encrypted at rest and accessible only to the CPA firm and the client who uploaded them. The CPA firm is the data controller for this information.

SBL and Alternative Financing Application Data

Business information and financial data submitted in connection with financing applications, including business registration details, revenue figures, credit profile indicators, intended use of financing, and supporting documentation. This includes data collected through the Alternative Funding Options (AFO) intake questionnaire (the “universal core” answers) and any documents uploaded in support of an AFO application.

Vault Contents

Documents, credentials, directives, and other information stored in the digital estate vault. Vault contents are zero-knowledge encrypted; YBAWS! cannot read, access, or disclose vault contents under any circumstances. We store only the encrypted ciphertext and the metadata necessary to manage vault access (e.g., vault name, creation date, and authorized contact designations, but not the contents).

Still Here Wellness Data (If Integrated)

If you have chosen to integrate the Still Here wellness application with your YBAWS! estate vault, certain wellness check-in data may be referenced to trigger vault release conditions. This data is governed by the Still Here Privacy Policy and is kept separate from YBAWS! platform data. YBAWS! receives only a binary trigger signal, not the underlying wellness data itself.

Audit Logs and Technical Data

IP addresses, device type, browser type, access timestamps, and action logs generated during use of the platform, collected automatically for security monitoring and audit purposes. Critical vault events are also recorded to the Polygon blockchain audit trail as described under Principle 7.

Communications Data

Records of communications between you and YBAWS! customer support, including email threads and any attachments you send us.

Data Sharing and Sub-Processors

YBAWS! engages the following sub-processors to assist in delivering the Service. Each sub-processor processes personal information under a written agreement that requires them to maintain privacy and security standards consistent with PIPEDA.

Sub-Processor | Purpose | Data Location
Stripe, Inc. | Payment processing, invoicing, subscription management | United States (Stripe processes payment data globally under its own compliance certifications, including PCI-DSS)
Resend | Transactional email delivery (notifications, alerts, receipts) | United States (email addresses and message content only; data is not retained beyond delivery)
Supabase, Inc. | Database and backend infrastructure (PostgreSQL, authentication, storage) | Canada, Toronto region. All YBAWS! data is configured to the Supabase Canada (ca-central-1) region.

We do not share personal information with any other third parties except as required by law or with your express consent. We do not use advertising networks, social media trackers, or third-party analytics services on our platform.

Cross-Border Transfers

YBAWS! is committed to ensuring that your personal information does not leave Canada except in limited and necessary circumstances.

Database and application data (account data, financial documents, audit logs, vault ciphertext) is stored exclusively on Supabase infrastructure in the Toronto, Ontario, Canada region. YBAWS! does not configure cross-region replication to servers outside Canada.

Payment data is processed by Stripe. When you submit payment information, that data is transmitted to Stripe's servers, which may be located outside Canada. Stripe is certified under PCI-DSS Level 1 and complies with applicable data protection laws. YBAWS! does not store payment card numbers on its servers.

Email delivery via Resend involves the transmission of your email address and message content to Resend's servers for delivery. Resend does not retain message content after delivery.

Where personal information is transferred outside Canada, YBAWS! ensures that appropriate safeguards are in place, either through contractual protections or the sub-processor's own certification under recognized data protection frameworks.

Cookie Policy

YBAWS! uses a minimal and privacy-preserving approach to cookies.

What We Use

  • Session cookies: Strictly necessary cookies used to maintain your authenticated session while you are logged in to the platform. These expire when you close your browser or log out.
  • CSRF tokens: Security tokens used to prevent cross-site request forgery attacks.

What We Do Not Use

  • Persistent tracking cookies;
  • Third-party advertising or retargeting cookies;
  • Analytics cookies (we do not use Google Analytics or similar services);
  • Social media tracking pixels; or
  • Fingerprinting or other cross-site tracking technologies.

Because we only use strictly necessary session cookies, we do not present a cookie consent banner. No consent is required for these cookies under applicable law as they are essential to the secure operation of the Service. You may disable cookies in your browser settings, but doing so will prevent you from logging in to the platform.

Children's Privacy

The YBAWS! platform is intended exclusively for use by professionals and their business clients. The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from minors.

If you believe that we have inadvertently collected personal information from a person under 18, please contact our Privacy Officer immediately at privacy@ybaws.ca and we will take prompt steps to delete such information.

Data Breach Notification

YBAWS! has implemented a documented data breach response plan. In the event of a breach of security safeguards that creates a real risk of significant harm to individuals, YBAWS! will comply with its notification obligations under PIPEDA, including the Breach of Security Safeguards Regulations, SOR/2018-64.

Our Notification Commitments

  • Notification to affected users: We will notify affected users as soon as feasible after determining that a breach has occurred and creates a real risk of significant harm. We commit to notifying affected users within 72 hours of confirming the breach, except where earlier notification is legally required.
  • Notification to the OPC: Where a breach affects 100 or more individuals, or where the breach involves particularly sensitive information regardless of the number of individuals affected, we will notify the Office of the Privacy Commissioner of Canada within 72 hours of confirming the breach.
  • Record-keeping: We maintain records of all breaches of security safeguards, regardless of whether they meet the reporting threshold, as required by the Regulations.

Notification to affected users will include, at minimum: a description of the circumstances of the breach; the date or estimated date of the breach; a description of the personal information that was the subject of the breach; the steps YBAWS! has taken or will take to reduce the risk of harm; the steps we recommend affected individuals take to protect themselves; and contact information for the Privacy Officer.

Retention Schedule

YBAWS! retains personal information only as long as necessary to fulfill the purposes for which it was collected or as required by law. The following schedule describes our standard retention periods:

Data Category | Retention Period | Basis
Account data | Duration of active subscription + 90 days after cancellation | Service delivery; cancellation grace period
Financial documents | 7 years from the date of the relevant tax year | Income Tax Act (Canada), CRA retention requirement
Vault contents | Until deleted by the user or triggered release occurs | User-controlled; YBAWS! cannot access or delete independently
Billing records | 7 years from transaction date | Income Tax Act (Canada); accounting record requirements
Security and audit logs | 2 years from creation | Security monitoring; fraud investigation
Blockchain audit trail | Permanent (immutable by design) | Polygon blockchain, cannot be altered or deleted; contains only event hashes, not personal content
Financing application data (submitted) | 7 years from submission date | CRA record-keeping requirements for financing records; applicable to SBL and Alternative Funding Options (AFO) applications where a deal was submitted
AFO intake data (not submitted) | 90 days from gate acceptance date | Applicants who accepted the Alternative Funding Options marketing gate but did not complete a submission within 90 days have their intake questionnaire answers and uploaded documents automatically cleared. The gate acceptance record (confirming consent to our Terms) is retained separately.
Support communications | 3 years from resolution | Dispute resolution; service quality

Upon expiry of the applicable retention period, personal information is securely deleted or anonymized. Where anonymization is not technically feasible, information is destroyed in a manner that renders recovery impossible.

Contact and Complaints

For all privacy-related inquiries, access requests, correction requests, or complaints, please contact our Privacy Officer:

YBAWS! Inc., Privacy Officer

Mail: YBAWS! Inc., Attn: Privacy Officer, Toronto, Ontario, Canada
Response: Within 30 days of receiving a complete written request

Office of the Privacy Commissioner of Canada

If you are not satisfied with our response to your privacy concern, you have the right to file a complaint directly with the Office of the Privacy Commissioner of Canada:

  • Website: www.priv.gc.ca
  • Toll-free telephone: 1-800-282-1376
  • TTY: 1-613-947-1736
  • Mail: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec, K1A 1H3

This Privacy Policy was last updated on May 31, 2026 (AFO data retention schedule added). YBAWS! Inc. is incorporated under the laws of Ontario, Canada. This Policy is designed to meet the requirements of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) and the Breach of Security Safeguards Regulations, SOR/2018-64. For information about the applicable terms of service, please see our Terms of Service.