Legal

Privacy Policy

Last updated · May 20, 2026Draft — pending counsel review

The short version

Norrith is a personal finance app for Canada. We need certain information — your email, the bank connections you choose to link, your transaction history once linked — to make the product work. Everything we collect is described below. We do not sell your data. We do not share it with advertisers. We store it encrypted in Canadian infrastructure. You can leave any time with a full export of everything we have.

We collect: your email, account data from linked institutions, app usage data, device metadata for security.
We do not collect: banking passwords (Plaid Canada handles authentication; we never see them).
We never sell or rent your data.
You can delete your data — including a 30-day recovery window before permanent erasure.

What this policy covers

This Privacy Policy applies to information collected through the Norrith iOS application, this website (norrith.com), and any communications you have with us. By using Norrith you confirm you have read and understood this policy.

Who controls your data

Norrith Technologies Inc. (referred to as "Norrith", "we", or "us") is the data controller for personal information processed through the app and website. Norrith is incorporated in Ontario, Canada, with its principal place of business in Toronto.

Our designated Privacy Officer can be reached at privacy@norrith.com.

Information we collect

From you directly. Email address (when you join the waitlist, create an account, or contact support); your name if you provide it; subscription preferences; any feedback you send.

From your bank, with your consent, via Plaid Canada. Account names, balances, transactions, merchant names, dates, amounts, account type (chequing, credit, RRSP, TFSA, brokerage, etc.), and institution metadata. Plaid handles authentication — your banking password is sent only to Plaid and your bank, and is never visible to Norrith.

From your device. Operating system version, device model, app version, IP address (used for security and abuse detection), crash and performance diagnostics. We do not access your contacts, photos, location, or calendar.

Inferred or derived. Spending categories assigned by our machine-learning classifier; budget calculations and goal progress; anomaly detection signals (e.g., a subscription price increase). This data is generated on your device or on our servers from the transaction data above.

Web analytics. When you visit norrith.com, Vercel Analytics records anonymous, aggregated page views and performance metrics. No cookies are set; no individual visitor is identified.

How we use your information

We use your information only for the following purposes:

Provide the service. Show you your accounts, categorize transactions, calculate budgets, surface insights.
Maintain security. Detect fraud, abuse, and unauthorized access attempts.
Customer support. Respond to your questions and resolve issues.
Improve the product. Aggregate, de-identified analysis of feature usage. No individual user is identified in this work.
Communicate with you. Service notices, security alerts, product updates you opted into.
Comply with law. Respond to lawful requests from regulators or courts.

We do not use your data for advertising, profiling for marketing purposes outside Norrith, or training third-party AI models.

How long we keep it

Active accounts. Your data is retained for as long as you have an active Norrith account.

Deletion request. When you delete your account from inside the app, Norrith enters a 30-day soft delete window. During this window your account is recoverable. After 30 days, all personal data is permanently erased from production systems within 7 days.

Backups. Encrypted backups are retained for up to 90 days for disaster recovery. Personal data in backups is purged on the next backup rotation following permanent deletion.

Operational logs and aggregated analytics may be retained longer in de-identified form.

Your rights

Under PIPEDA (Personal Information Protection and Electronic Documents Act) and Quebec's Law 25, you have the right to:

Access the personal information we hold about you.
Correct information that is inaccurate or out of date.
Withdraw consent for processing — revoke a bank connection or delete your account at any time from inside the app.
Receive a copy of your data in a portable, machine-readable format (CSV and JSON exports are available directly from the app, on every tier, including Free).
Delete your account and have your personal data erased (subject to the 30-day soft delete window above).
Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Quebec residents, the Commission d'accès à l'information du Québec.

To exercise any of these rights, email privacy@norrith.com. We respond within 30 days.

How we protect your data

Our full security overview is published at norrith.com/security. The highlights:

Encryption in transit. TLS enforced via App Transport Security with no exceptions. Certificate pinning by SPKI-SHA256 (leaf + issuer) defeats hostile networks running TLS-intercepting proxies.
On-device encryption. AES-GCM-256 over the SwiftData store; master key in iOS Keychain with .userPresence access control. iOS File Protection set to complete — the store is inaccessible while your device is locked.
iCloud sync is disabled. Your data does not leave the device except via authenticated API calls to our backend.
Authentication. Sign in with Apple, Google, or email + password. Two-factor authentication (TOTP) available for every account. Face ID / Touch ID at the app door with biometrics-only policy, idle auto-lock, and a 5-attempt lockout.
Read-only bank access. Plaid Canada handles authentication directly with your bank — your password never reaches Norrith. Access tokens never leave the server. Webhook signatures verified by ES256 JWT.
Database-layer isolation. Postgres Row-Level Security enforces auth.uid() = owner on every owner-scoped table. The database itself refuses to return another user's row.
Audit log. Every security event (MFA enroll/unenroll, password/email/credential change, deletion scheduling) is written to your account_events log — viewable in Settings → Security inside the app.
Rate limits. Data export 5/day, account deletion 5/day, bank-link 20/hour, login attempts throttled.
PII redaction in logs. Emails masked, amounts and tokens never logged.
Apple App Attest device attestation (Phase 1 shipped).
No custom cryptography. Only Apple frameworks (CryptoKit, LocalAuthentication, Security framework).
SOC 2 Type II. Not yet attested. We will not claim it on the site until it is.
Breach notification. If a breach materially impacts your data, we will notify you and the Privacy Commissioner of Canada within 72 hours of discovery, as required by PIPEDA.

International users

Norrith is currently available in Canada. If you access the service from outside Canada, you understand that your personal information will be transferred to and processed in Canada, and that Canadian authorities may, under valid legal process, request access to it.

We are not currently offering Norrith to residents of the European Union or the United Kingdom. When we expand to the United States, this policy will be updated to address state-level privacy laws (CCPA, etc.) and we will re-confirm consent before processing US users' data.

Children's privacy

Norrith is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced through the app and via email to registered users at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent change.

Contact us

Privacy questions, requests to exercise your rights, or complaints:

Norrith Technologies Inc.
Privacy Officer
Toronto, Ontario, Canada
privacy@norrith.com