Privacy Policy

Yany Consultation CPA ("we", "us", "our") operates the Otama platform. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Service, in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Québec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), and other applicable Canadian privacy legislation.

Account information: Name, email address, firm name, province, and billing details provided during registration.

Client data you provide: Personal information about your clients (names, SINs, financial records, tax documents) that you upload or enter into the Service. This data is yours — we process it on your behalf as a data processor.

Usage data: Log files, IP addresses, browser type, pages visited, and feature interactions for security monitoring and product improvement.

Communications: Emails or support messages you send us.

• Providing, maintaining, and improving the Service
• Processing transactions and sending billing-related communications
• Sending product updates, security alerts, and support messages
• Detecting and preventing fraud, abuse, and security incidents
• Complying with legal obligations
• Training and improving AI features (only using anonymized, aggregated data — never individual client files)

We do not sell your personal information or your clients' information to third parties.

Tax intake forms may collect Social Insurance Numbers and other sensitive financial information. This data is encrypted at rest using AES-256 encryption. SINs are never stored in plain text and are never used for purposes other than those authorized by you and your client. Access is restricted to authenticated firm staff.

Otama uses AI to classify documents, assess client readiness, and draft communications. Document content sent to AI models is processed solely to provide the requested feature. We do not retain AI input/output for model training without explicit consent. We use OpenAI APIs; their data processing practices are governed by their API data usage policy, which includes a zero data-retention option for API calls.

We share personal information only in the following circumstances:

• Service providers: Supabase (database and authentication, servers in Canada/US), Resend (transactional email), Stripe (payment processing), OpenAI (AI features). Each is bound by data processing agreements.
• Legal requirements: When required by law, court order, or governmental authority.
• Business transfers: In connection with a merger or acquisition, with appropriate confidentiality protections.

We do not disclose client data to third parties except as instructed by you or required by law.

We retain account data for the duration of your subscription plus 90 days following termination (to allow data export). Client data is retained as long as the client record exists and is not deleted by you. You may request deletion of your data at any time by contacting us. Some data may be retained longer where required by law or legitimate business purposes (e.g., billing records for 7 years).

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for sensitive fields, role-based access control, and audit logging. We undergo regular security reviews. No method of electronic transmission or storage is 100% secure; we cannot guarantee absolute security.

Under PIPEDA and Québec Law 25, you have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Withdraw consent to certain uses (subject to legal and contractual obligations)
• Request deletion of your personal information
• Receive your data in a portable, structured format
• Lodge a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec

To exercise any of these rights, contact us at privacy@otama.ca. We will respond within 30 days.

We use essential session cookies required for authentication. We do not use advertising cookies or third-party tracking pixels. Analytics, if any, are privacy-friendly and aggregated.

Some of our service providers (Supabase, OpenAI, Resend, Stripe) may process data outside Canada, including in the United States. Where data is transferred internationally, we ensure adequate protections are in place through data processing agreements and, where applicable, standard contractual clauses.

The Service is not directed at individuals under 18. We do not knowingly collect personal information from children.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days in advance. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

For privacy inquiries, contact our Privacy Officer at privacy@otama.ca or by mail at Yany Consultation CPA, Québec, Canada.