1. Introduction
1001394704 Ontario Inc., operating under the trade name ClarionOps ("ClarionOps", "we", "us", or "our"), is committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what rights you have in relation to it.
This policy applies to all information collected through the ClarionOps web application, APIs, public-facing marketing pages, and any related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to the data practices described in this Privacy Policy.
If you do not agree with this policy, please discontinue use of the Service immediately. For questions, contact us at support@clarionops.com.
2. Who We Are
The data controller responsible for your personal information is:
Legal Name: 1001394704 Ontario Inc.
Operating Name: ClarionOps
Incorporation: Ontario, Canada
Registered Office: 8 Gershwin Crt, Whitby, Ontario, Canada
Contact Email: support@clarionops.com
For EU/EEA users, ClarionOps acts as the data controller within the meaning of the General Data Protection Regulation (GDPR). No formal Data Protection Officer (DPO) has been appointed at this time; all data protection inquiries should be directed to the contact email above.
3. Information We Collect
3.1 Account & Identity Data
When you create an account, we collect your full name, email address, and a securely hashed password. Authentication is managed by AWS Cognito; ClarionOps never stores plaintext passwords. We also collect account preferences and settings you configure within the Service.
3.2 Business & Tenant Data
When you create or join a Tenant (organisational account), we collect your company or organisation name, industry designation, and the roles and permissions assigned to users within that Tenant. ClarionOps is a multi-tenant platform; data for each Tenant is strictly isolated from all others.
3.3 Financial Document Data (Core Service Data)
This is the primary data the Service processes on your behalf. It includes:
- Uploaded PDF files (receipts, invoices, bills, vendor credits)
- AI-extracted structured data: vendor name, invoice or document number, transaction date, due date, line item descriptions, quantities, unit prices, subtotals, tax amounts, total amounts, currency codes, and payment methods
- Document type classifications (Bill, Immediate Expense, Vendor Credit, Other)
- Review and approval status workflow data (Pending, Needs Review, Reviewed, Approved, Rejected, Auto-Approved, Error)
- Project associations and annotations added by your team
This data is treated as confidential business information. It is used solely to deliver the Service and is never used for advertising, sold, or disclosed to third parties except as described in this policy.
3.4 QuickBooks Integration Data
If you choose to connect your QuickBooks Online account, we collect and store OAuth 2.0 access tokens and refresh tokens issued by Intuit, your QuickBooks company (realm) ID, and reference data retrieved from QuickBooks to enable document mapping: vendor names and IDs, chart-of-accounts names and IDs, and customer names and IDs. We also store metadata about bills, purchases, and vendor credits successfully pushed to QuickBooks at your direction. This data is covered in detail in Section 7.
3.5 Usage & Analytics Data
On public-facing pages only (the marketing site, sign-in, sign-up, about, privacy policy, and EULA pages), we use Google Analytics 4 (Measurement ID: G-69DMXK89CS) to collect aggregated analytics data, including page views, session duration, approximate geographic location (city/country level), browser type, operating system, referral source, and device category.
Google Analytics is NOT active within the authenticated ClarionOps application dashboard. No analytics data is collected about your in-app document processing activities, your financial documents, or your QuickBooks data.
3.6 Technical & Device Data
AWS infrastructure may log IP addresses as part of standard security and access logging. We may also collect browser type, operating system, and device identifiers for security and troubleshooting purposes.
3.7 Communications Data
If you contact us via email or a support channel, we retain the content of your communications and our responses in order to handle your inquiry and improve support quality.
4. How We Collect Information
We collect information in three ways:
- Directly from you — when you create an account, upload documents, fill in forms, configure settings, or contact our support team.
- Automatically from your device — through Google Analytics cookies on public pages, and through AWS infrastructure access logs.
- From third-party authorisations — when you connect your QuickBooks Online account via OAuth 2.0, we receive data from Intuit's API as described in Section 7.
5. Legal Basis for Processing (GDPR)
For users in the EU, EEA, or United Kingdom, the GDPR requires that we identify a lawful basis for each processing activity. Our bases are:
| Purpose of Processing | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and authentication | Performance of contract — Art. 6(1)(b) |
| Delivering document processing and extraction features | Performance of contract — Art. 6(1)(b) |
| QuickBooks synchronisation (when you connect QB) | Performance of contract / your explicit authorisation — Art. 6(1)(b) |
| Service security, abuse prevention, and troubleshooting | Legitimate interests — Art. 6(1)(f) |
| Public-page analytics (Google Analytics) | Consent — Art. 6(1)(a); withdrawable at any time |
| Billing and subscription management | Performance of contract — Art. 6(1)(b) |
| Legal compliance, tax, audit, and fraud prevention | Legal obligation — Art. 6(1)(c) |
| Service communications (billing notices, security alerts) | Legitimate interests / legal obligation — Art. 6(1)(c) and (f) |
Where we rely on consent (e.g., public-page analytics), you may withdraw consent at any time by adjusting your browser cookie settings or using the Google Analytics opt-out browser add-on. Withdrawal of consent does not affect the lawfulness of prior processing.
6. How We Use Your Information
We use the information we collect to:
- Provide, operate, and continuously improve the ClarionOps Service
- Process and extract structured data from uploaded financial documents using AWS Textract (OCR) and Amazon Bedrock (Claude AI model by Anthropic, hosted by AWS)
- Generate and refine QuickBooks account-mapping suggestions using AI, when the QuickBooks integration is enabled
- Synchronise approved expense documents into your QuickBooks Online company at your direction, via the Intuit API
- Authenticate and authorise users securely via AWS Cognito
- Store your files securely in AWS S3 and structured data in MongoDB
- Analyse aggregate, anonymised usage on public-facing pages via Google Analytics
- Respond to your support requests and inquiries
- Detect, investigate, and prevent fraudulent or abusive activity
- Comply with legal obligations including tax, audit, and regulatory requirements
- Send you service-critical communications such as billing confirmations, payment failures, and security alerts (we do not send unsolicited marketing without your explicit opt-in)
7. QuickBooks Data — Dedicated Disclosure
This section is specifically required by the Intuit Developer Program and governs how ClarionOps accesses and uses data from your QuickBooks Online account.
ClarionOps connects to Intuit QuickBooks Online on your explicit authorisationvia the OAuth 2.0 protocol. You choose when to connect, and you may disconnect at any time.
Data accessed from QuickBooks Online
- Vendor list (names and QuickBooks IDs) — for mapping extracted vendor names
- Chart of accounts (names, IDs, account types) — for mapping expense line items to the correct GL accounts
- Customer list (names and IDs) — for associating documents with projects/customers
- OAuth 2.0 access tokens and refresh tokens issued by Intuit
- Your QuickBooks Online company (realm) ID
- Confirmation metadata for Bills, Purchases, and Vendor Credits created on your behalf
Purpose of access
QuickBooks data is accessed solely to: (a) retrieve vendor, account, and customer reference data to power AI-assisted document mapping; and (b) push your approved expense documents into QuickBooks as Bills, Purchases, or Vendor Credits, as directed by you.
Restrictions on QuickBooks data use
- QuickBooks data is never sold to any third party.
- QuickBooks data is never used for advertising or marketing purposes.
- QuickBooks data is never used to train AI models beyond the immediate, session-level mapping task for your specific documents.
- QuickBooks data is never shared with any party other than AWS (infrastructure processor) and Intuit (as the OAuth provider).
- QuickBooks reference data (vendor/account/customer lists) is used only within your Tenant — it is never visible to or shared with any other ClarionOps customer.
Token security
OAuth access tokens and refresh tokens are encrypted at rest using AES-256 and encrypted in transit using TLS 1.2 or higher. ClarionOps never stores your Intuit username or password.
Revoking access
You may disconnect ClarionOps from your QuickBooks account at any time from the Settings > Integrations page within ClarionOps, or directly from your Intuit account at accounts.intuit.com. Upon disconnection, all stored OAuth tokens are immediately invalidated and deleted. No further QuickBooks data will be accessed.
8. Third-Party Service Providers
We share data with the following third-party service providers ("data processors") solely to the extent necessary to deliver the Service. All processors are bound by data processing agreements and are prohibited from using your data for any purpose other than providing services to ClarionOps.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Hosting and compute (Lambda), user authentication (Cognito), file storage (S3), document OCR (Textract), AI inference (Bedrock / Claude by Anthropic) | United States |
| MongoDB, Inc. | Primary cloud database for all structured application and document data (MongoDB Atlas) | United States |
| Google LLC | Public-page analytics only (Google Analytics 4); not active in the authenticated app | United States |
| Intuit Inc. | QuickBooks Online OAuth 2.0 authorisation and API access (only when you connect QB) | United States |
We do not sell, rent, or trade your personal information to or with any third party for their own purposes.
We may disclose personal information if required to do so by law, court order, or lawful request by a government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of ClarionOps, our users, or the public. We will notify affected users of such requests to the extent permitted by law.
9. Data Retention
- Active accounts: Your data is retained for as long as your account remains active and for a reasonable period thereafter to allow you to reactivate.
- After account deletion: All personal data, uploaded documents, extracted financial data, and QuickBooks tokens are permanently and irreversibly deleted within 30 days of account closure. Encrypted backup media containing your data is overwritten within the same 30-day window.
- Suspended accounts (non-payment): Data is retained for 30 days following suspension. If the subscription is not reinstated within that period, data is deleted.
- Legal holds: Certain data may be retained beyond the above periods where required by applicable law (e.g., for tax, financial regulation, fraud investigation, or legal proceedings). Such data is maintained with restricted access and used solely for compliance purposes, then deleted when the legal obligation expires.
10. International Data Transfers
ClarionOps is headquartered in Ontario, Canada and the Service is hosted on AWS infrastructure primarily located in the United States. If you are located in the EU, EEA, United Kingdom, or elsewhere, your personal data will be transferred to and processed in the United States and potentially other countries.
We ensure appropriate safeguards are in place for all international transfers:
- EU/EEA/UK: Transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Chapter V, incorporated in our agreements with AWS. You may request a copy of the relevant safeguards by contacting support@clarionops.com.
- Canada (PIPEDA): As a Canadian entity subject to PIPEDA, transfers to US-based processors are governed by contractual protections that meet the standards of PIPEDA Schedule 1 (the Canadian Standards Association's Model Code for the Protection of Personal Information).
11. Data Security
We implement industry-standard technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction:
- All data in transit is encrypted via TLS 1.2 or higher
- Files stored in AWS S3 are encrypted at rest using AES-256 server-side encryption
- Database records in MongoDB Atlas are encrypted at rest
- User authentication is managed by AWS Cognito; ClarionOps never stores plaintext passwords or Intuit credentials
- OAuth tokens (for QuickBooks) are encrypted at rest and in transit and are scoped to the minimum permissions necessary
- Multi-tenant data isolation: strict logical separation ensures no tenant can access another tenant's data at any layer of the system
- Access to production systems is restricted to authorised personnel on a need-to-know basis
Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately at support@clarionops.com.
In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware (as required by GDPR Art. 33/34), and promptly under PIPEDA breach-of-security-safeguards reporting obligations.
12. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our public-facing pages. No advertising cookies or third-party tracking pixels are used anywhere on the Service.
| Cookie Type | Purpose | Pages | How to Opt Out |
|---|---|---|---|
| Session / authentication cookies | Maintain your authenticated session within the app | Authenticated app only | Cannot be disabled without logging out (strictly necessary) |
| Google Analytics (_ga, _gid, _ga_*) | Aggregate, anonymised page-view analytics to understand how visitors use our public pages | Public pages only (not in authenticated app) | Browser cookie settings, or install the Google Analytics opt-out add-on |
ClarionOps does not use advertising cookies, retargeting pixels, social media tracking, or sell your browsing behaviour to any third party.
13. Your Privacy Rights
13.1 GDPR — EU/EEA/UK Users
Under the General Data Protection Regulation, you have the right to:
- Access — obtain a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations
- Restriction — request that we limit how we use your data while a dispute is resolved
- Portability — receive your data in a structured, machine-readable format and transfer it to another controller
- Objection — object to processing based on legitimate interests
- Withdraw consent — for analytics cookies, at any time without affecting prior lawful processing
- Lodge a complaint — with your national data protection authority (e.g., the ICO in the UK at ico.org.uk)
13.2 CCPA — California Residents
Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to:
- Know what categories of personal information we collect, use, disclose, and retain
- Delete your personal information, subject to certain exceptions
- Opt out of the sale or sharing of personal information — ClarionOps does NOT sell or share personal information within the meaning of the CCPA
- Correct inaccurate personal information
- Non-discrimination — we will not discriminate against you for exercising any CCPA right
To submit a verifiable consumer request, email support@clarionops.com with the subject line "CCPA Privacy Request".
13.3 PIPEDA — Canadian Users
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
- Access the personal information ClarionOps holds about you
- Request correction of any inaccurate information
- Withdraw consent for non-essential processing (subject to legal or contractual restrictions)
- File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca
How to Exercise Your Rights
Email support@clarionops.com with the subject line "Privacy Rights Request". Please include your name, email address, and a description of the right you wish to exercise. We will respond within 30 days. Where required by law, we will verify your identity before processing the request.
14. Children's Privacy
The ClarionOps Service is a business-to-business platform intended exclusively for use by individuals who are 18 years of age or older. We do not knowingly collect personal information from children under 18 (or the applicable age of majority in your jurisdiction).
If we become aware that we have inadvertently collected personal information from a minor, we will take immediate steps to delete such information. If you believe a minor has provided us with personal information, please contact us at support@clarionops.com.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this page
- For material changes (changes that significantly affect your rights or how we use your data), we will provide at least 30 days' advance notice via email to the address on your account and/or a prominent in-app notification
- Your continued use of the Service after the effective date constitutes acceptance of the revised policy
- If you do not accept the revised policy, you may delete your account before the effective date
We encourage you to review this page periodically to stay informed about how we protect your information.
16. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Legal Name: 1001394704 Ontario Inc.
Operating Name: ClarionOps
Registered Office: 8 Gershwin Crt, Whitby, Ontario, Canada
Email: support@clarionops.com
We are committed to working with you to resolve any privacy concerns. If you are not satisfied with our response, you have the right to escalate to the relevant supervisory authority in your jurisdiction (see Section 13).