Privacy Policy

Our Privacy Officer is responsible for overseeing compliance with this Privacy Policy and applicable privacy legislation, including PIPEDA, Alberta PIPA, and Quebec Law 25. You can contact our Privacy Officer with any questions, concerns, or requests related to your personal information.

The Service is intended for users 18 years or older. Users under 18 may only participate as part of a household account added by a parent or guardian. Minors cannot link bank accounts or provide financial information. Parents/guardians must provide express consent when adding minors.

The Service is primarily available to residents of Canada and is subject to applicable provincial and federal privacy laws. US residents may also use the Service, subject to applicable US privacy laws.

We collect information necessary to provide the Service. The purposes for each category are identified at or before the time of collection. We will not use your information for purposes beyond those identified without obtaining your consent.

We obtain your consent before collecting, using, or disclosing your personal information. The type of consent depends on the sensitivity of the information:

We use your information to:

• Provide, operate, and maintain the Service
• Authenticate your identity via AWS Cognito and Google OAuth
• Process payments and subscriptions via Stripe
• Aggregate and display financial data from linked bank accounts via Plaid
• Respond to support requests
• Analyze usage patterns to improve and personalize the Service
• Send transactional emails (account confirmations, billing receipts)
• Send optional marketing communications via Resend (express opt-in only)

We will not use your personal information for new purposes beyond those listed above without first obtaining your consent.

We share information with trusted third-party service providers (processors) to operate the Service. ModuFi acts as the data controller — these providers process your data only on our behalf and under our instructions.

We may also disclose your personal information if required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of ModuFi, our users, or the public.

We retain personal information only as long as necessary for the purposes for which it was collected:

When you delete your account, all associated personal and financial data is permanently removed from our database, including linked accounts, transactions, and encrypted Plaid tokens. Your authentication credentials are also deleted from AWS Cognito.

You may request deletion of your personal information at any time by contacting privacy@modufi.ca. We will respond to deletion requests within 30 days.

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the financial data we handle:

• All data is encrypted in transit using TLS/SSL
• Plaid access tokens are encrypted at rest using AES-256-GCM encryption
• Passwords are managed by AWS Cognito with industry-standard hashing — we never store or have access to your password
• Database access is restricted and secured within AWS infrastructure
• Authentication supports multi-factor authentication (MFA) via AWS Cognito
• Payment card data is handled exclusively by Stripe and never touches our servers

We strive to keep your personal information accurate, complete, and up-to-date. While no system is completely secure, we take reasonable measures to protect your data against unauthorized access, disclosure, alteration, or destruction.

We use cookies and similar technologies on the Service. These fall into the following categories:

You can manage or disable analytics and marketing cookies through your browser settings. You may also opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on. Opting out of non-essential cookies does not affect the core functionality of the Service.

Users under 18 may only access the Service via a household account controlled by a parent or guardian. When a parent or guardian adds a minor to their household account, they provide express consent on the minor's behalf.

Minors cannot link bank accounts, provide financial information, or make payments. Parents and guardians may review, request correction of, request deletion of, and prevent further collection of their minor's personal information at any time by contacting privacy@modufi.ca.

In the event of a breach of security safeguards involving your personal information that poses a real risk of significant harm, we will:

• Notify affected individuals as soon as feasible, describing the nature of the breach, the information involved, and steps we are taking
• Report the breach to the Office of the Privacy Commissioner of Canada (OPC)
• Report the breach to the Office of the Information and Privacy Commissioner of Alberta (OIPC) where applicable
• Notify the Commission d'accès à l'information du Québec (CAI) where Quebec residents are affected
• Maintain records of all breaches for a minimum of 24 months, regardless of whether they meet the notification threshold

Under PIPEDA and Alberta PIPA, Canadian users have the right to:

• Access their personal information held by ModuFi
• Request correction of inaccurate or incomplete information
• Withdraw consent for the collection, use, or disclosure of their information
• Request deletion of their account and personal information

We will respond to access and correction requests within 30 days.

To exercise any of your rights, contact our Privacy Officer at privacy@modufi.ca.

If you are a resident of the United States, you may have additional privacy rights depending on your state of residence.

Residents of other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Texas, and Oregon) may have similar rights to access, delete, and correct their personal information, as well as the right to opt out of targeted advertising. To exercise any of these rights, contact us at privacy@modufi.ca. We will respond to verifiable consumer requests within 45 days.

We comply with Canada's Anti-Spam Legislation (CASL) for all commercial electronic messages.

• Marketing emails are only sent with your express opt-in consent
• Every marketing email includes a clear and functional unsubscribe mechanism
• Unsubscribe requests are processed within 10 business days
• Unsubscribe links remain functional for at least 60 days after the message is sent
• All emails identify ModuFi Inc. as the sender and include our mailing address
• We maintain records of consent for commercial messages

Transactional emails (account confirmations, security alerts, billing receipts) are not commercial messages under CASL and do not require separate consent.

If you believe your personal information has been handled in a manner that does not comply with this Privacy Policy or applicable privacy legislation, you may:

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent version. For material changes that affect how we handle your personal information, we will notify you via email or through a prominent notice in the Service at least 30 days before the changes take effect.