We know you are trusting us with some of your most personal and private information. Here's how we collect, protect, and use your data.
Personally Identifiable Information
When you sign up for a SimpleTax account, we'll ask for your email address. Your email address is the only personally identifiable information that we can access without your password. All other information you provide is encrypted.
Your Email Address
Your email address will never be sold and will only be used to inform you of product updates and future versions. We will never send you third-party marketing emails. We comply with CASL and give you the option to unsubscribe. We hate spam too.
Data Ownership & Encryption
Your data is yours. We will never, ever, sell it.
Your tax data is encrypted on our servers using your password as the key. You are the only person who can access your account; we can't decrypt your data without your password. If you lose your password, we are not able to reset or recover it for you.
Your password is salted with a 9 byte salt and hashed with MD5 before being sent over HTTPS to our server. This hash is never stored in a cache or on disk. We take this hash and salt it again with an 8 byte salt and hash it using PBKDF2 with SHA1 for 60,000 iterations. The resulting signature is what we store in our database.
Your tax data is sent over HTTPS to our server where it is encrypted using AES in CTR mode. The IV is a 128 bit number generated with a cryptographically secure random number generator. We also store an HMAC of the data which is packed along with it. The cryptographic key is derived from the second to last hash pulled from the PBKDF2 algorithm used to hash the password. This ensures that the key cannot be derived from anything stored in our database. The key must be transmitted from the client and a full hash run each time the data is encrypted or decrypted.
You can delete your account, and all your data, at any time.
SSL/TLS and HSTS
The connection between you and our servers uses high-grade encryption. We use HTTPS across all our services with an Extended Validation (EV) certificate from DigiCert. We have an A+ rating from SSL Labs. We also use HSTS to ensure your browser only uses HTTPS. We are on the HSTS preloaded lists for both Chrome and Firefox.
We use Canadian datacentres and your data resides only in Canada. Our hosting partners share our high standards for security and privacy.
Disclosure of Information
We comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). If required by law, we may disclose your information, in its encrypted form, to law enforcement officials. We are unable to disclose your decrypted information.
Credit Card Data
If you choose to pay, your payment will be processed by Stripe or PayPal (depending on the payment method you selected). We are PCI DSS compliant and we do not store any credit card data on our servers.
Diagnostic and Usage Data
We collect diagnostic and usage data to improve SimpleTax and ensure everything is working properly. For example, if an error is detected, we may capture details about your browser to help us fix the problem. This data is for internal use only and will never contain sensitive information.
Questions or Concerns
Should you have any questions or concerns, or would simply like to better understand the way we do things at SimpleTax, please don't hesitate to contact us.