Privacy Policy
Last updated: May 9, 2026
Version 1.2
NorivenLegal ✓
1. Introduction
The Glutax mobile application is published and operated by Noriven. Noriven acts as the data controller for your personal information. Glutax is an innovative mobile application designed to simplify and automate Canadian tax deductions for the purchase of gluten-free foods for people with celiac disease. Glutax is only available in Canada. This privacy policy explains how Noriven collects, uses, centralizes and protects your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25.
For any questions regarding this policy, you can contact us at: contact@glutax.ca
This policy may be modified. In case of minor changes, we will inform you by email 7 days before it takes effect. In case of major changes affecting the use of your data or your rights, we will inform you 30 days in advance and your explicit consent will be required during your next use of the application.
2. Personal Information Collected
2.1 Identification information
• First and last name: To personalize your experience and generate your tax reports
• Email address: To create your account, essential communications and technical support
• Canadian province: To ensure compliance with CRA tax deductions applicable in your region
• Postal address: Stored locally on your device only, used for professional generation of your PDF reports
• User profile: Account creation date and status of your consents (e.g., acceptance of marketing communications)
2.2 Financial data
• Grocery receipt images: Stored only on your device, not transmitted to our servers
• Gluten-free food data: Product names, prices, quantities, purchase dates and categories are managed locally on your device
• Custom categories: Created and stored locally on your device
• Annual tax credit amount: Only the total credit amount per tax year is collected and stored on our servers for statistical purposes
• Generated tax reports: PDF reports stored on our servers and your device with UUID reference numbers for authentication
2.3 Technical data
• Account information and transactions: History of subscription-related events (purchases, renewals, cancellations via Apple), connection method (email/password or Sign In with Apple)
• Error logs: Technical information in case of malfunction, including your user identifier, stored on our servers
• Language preferences: Your device language (French or English) to customize the interface
3. Collection and Use Purposes
3.1 Primary purposes
• Tax deduction automation: Processing your receipts via artificial intelligence (Mistral AI) to extract receipt data and enhance user experience by avoiding manual food entry. Images transit securely through our servers to Mistral AI anonymously, without being stored on our servers.
• Tax report generation: Creation of annual reports summarizing your annual deductions with references to source receipts
• User experience improvement: Local memorization on your device of your product-to-category assignments to accelerate future processing. Useful for recurring purchases of the same item.
• Usage statistics: Analysis of annual tax credit amounts to improve the application.
3.2 Secondary purposes
• Technical support: Resolution of technical problems and application improvement
• Essential communications: Subscription end notifications, annual report generation reminders, and important privacy policy updates
• Marketing communications and centralized management (with your explicit consent): Your contact information (first name, last name, email, language, registration date and subscription status) is centrally managed by our parent company, Noriven. With your consent, Noriven may send you information about new Glutax features. If you specifically consent, Noriven may also inform you about its future projects and applications. You can withdraw your consent at any time via application settings or the unsubscribe link in our emails.
• Legal protection: Retention of generated tax reports (identified by UUID) to verify document authenticity in case of claims or litigation, even after your account deletion
4. Artificial Intelligence Processing
4.1 Anonymous receipt analysis
Your receipt images are transmitted completely anonymously to Mistral AI via our secure backend server for data extraction (food names, quantities, prices, dates). Mistral AI performs OCR and data reconstruction. This process:
• Never associates your identity with analyzed receipts
• Uses API keys protected in our backend infrastructure
• Images are retained by Mistral AI for 30 days in accordance with their security and abuse prevention policy, then permanently deleted
• Mistral AI cannot use your images to train its artificial intelligence models
• Receipt images remain stored only on your device and are never kept on our servers
4.2 Validation system
You retain full control to modify, correct or reject information extracted by artificial intelligence. In case of insufficient AI confidence (less than 50%), you are invited to manually enter information to enhance your experience while keeping the original receipt image as proof on your device.
5. Data Storage and Location
5.1 Storage infrastructure
• Noriven databases (Main servers): Hosted on a private virtual server (VPS) provided by Servarica, located in Montreal, Quebec, Canada. Your user profile data (first name, last name, email, language, marketing consent, transaction/subscription history) is centralized and secured by Noriven to facilitate account management. Glutax-specific application data (generated PDF reports, tax credit amounts, province) is also stored there, segregated by project.
• Local storage on your device: Receipt images, expense data, custom categories, generated PDF reports and tax credit amounts.
• iCloud synchronization (optional): If you enable iCloud synchronization in the application settings, your expenses, categories, tax credit amounts, generated reports and PDF receipt images will also be stored on Apple servers in the United States.
5.2 Cross-border transfer
IMPORTANT NOTICE: Your personal information is stored on a private virtual server (VPS) provided by Servarica, located in Montreal, Quebec, Canada. Storage within Canada ensures the protection of your data in accordance with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25. Certain third-party providers may process data on our behalf where necessary for the operation of the service, audience measurement, communications, or support (see section 6.2 for the detailed list of providers).
If you enable iCloud synchronization, your data will also be transferred to Apple servers located in the United States, in accordance with Apple's privacy policy.
5.3 Retention period
• Account data (first name, last name, email, province): Retained until voluntary deletion of your account
• Annual tax credit amounts: Retained until voluntary deletion of your account
• Generated PDF reports: Retained indefinitely on our servers, even after your account deletion, for legal protection and authenticity verification purposes
• Receipt images: Retained locally on your device until individual deletion of associated expense
• Food and category data: Retained locally on your device until manual deletion
• Error logs: Retained on our servers only until processing and resolution of the error
• Data transmitted to Mistral AI: Retained by Mistral AI for 30 days in accordance with their abuse prevention policy, then permanently deleted
6. Sharing and Disclosure
6.1 No commercial sharing
We do not sell, rent, or share your personal information for commercial purposes with third parties.
6.2 Essential service providers
We share certain of your data only with the following essential service providers:
• Servarica (VPS hosting — Montreal, Canada): Storage of your account data, PDF reports and annual tax credit amounts on our private server located in Canada
• Apple (payments): Processing of subscriptions via Apple In-App Purchase. Apple receives only the transaction information necessary for payment processing
• Mistral AI (receipt OCR processing): Anonymous analysis of your receipts for data extraction. See section 4 for complete details on this processing
• RevenueCat (subscription management): Receives only your de-identified user identifier and Apple transaction identifiers. Data is stored on AWS servers in the United States. RevenueCat also acts as a technical intermediary to securely transmit conversion events to our advertising partners.
• Meta Platforms (Facebook): We measure the effectiveness of our advertising campaigns in a strictly de-identified manner. Through RevenueCat, Meta receives purchase events (conversions) without any personally identifiable information. No name, email, or Apple advertising identifier (IDFA) is shared, making it impossible for Meta to personally identify you from this data.
6.3 Legal disclosures
We may disclose your personal information only in the following circumstances:
• With your explicit consent
• To government authorities in case of legally binding request (e.g., court order, CRA request). We will endeavor to inform the affected user within a reasonable time before disclosing their information, unless we are legally prohibited from doing so or in exceptional circumstances (imminent danger, serious fraud, etc.)
• To protect our legal rights in case of litigation, claim or necessity to defend our legitimate interests
7. Data Security
7.1 Technical measures
• Encryption in transit: HTTPS/TLS for all data transmissions between your device and our servers
• Secure authentication:
  • Email authentication with verification code
  • Sign In with Apple
  • Biometric authentication (Face ID/Touch ID) managed locally by iOS for subsequent connections, with secure token validation with our backend
• Secure JWT tokens: For all communications with our API
• Rate limiting: Maximum 10 receipt scans per day to prevent system abuse
• Regular backups: Secure database backups to prevent data loss
7.2 Organizational measures
• Restricted access: Only the lead developer has access to systems containing your personal data
• Continuous monitoring: Monitoring of access and suspicious activities on our servers
• Security updates: Regular application of security patches for all our systems
7.3 Data breach notification
In accordance with Quebec's Law 25 and PIPEDA, in the event of a data security breach likely to cause real and serious harm, we commit to:
• Inform you by email within 72 hours of discovering the breach
• Provide you with a description of the nature of the breach, affected data, and measures taken to remedy it
• Provide contact information to obtain more information or ask questions
• Report the breach to competent authorities (Privacy Commissioner of Canada and Commission d'accès à l'information du Québec) if required by law
8. Your Rights and Controls
8.1 Access and rectification rights
You can:
• View all your personal data directly in the application
• Modify your profile information (first name, last name, province) in settings
• Correct data extracted from receipts before validation
• Delete individual expenses and associated receipts
8.2 Right to portability
• Complete export: Generation of PDF reports containing all your tax data
• Structured format: Reports organized by year with references to source receipts
• Authorized sharing: You can share your reports with accountants, tax advisors, or CRA
8.3 Right to erasure
You can completely delete your account directly in the application settings. This action immediately and permanently deletes your Glutax-specific data as well as your centralized Noriven profile (first name, last name, email, account creation date, consents and subscription history), unless you are actively enrolled in another Noriven service.
Important: Generated PDF reports are retained on our servers even after your account deletion, in accordance with section 5.3, for legal protection and authenticity verification purposes. All other data is immediately deleted.
8.4 Right to withdraw consent
You can withdraw your consent for:
• Push notifications: Deactivatable in application settings
• Marketing communications: Unsubscribe link in each email or modification in application settings
8.5 Right to object
You can object to certain processing of your personal data, including:
• Use of your annual tax credit amounts for statistical purposes
• Non-essential communications
To exercise this right, contact us at contact@glutax.ca or modify your preferences in application settings.
8.6 Right to file a complaint
If you believe that your personal information protection rights have not been respected, you have the right to file a complaint with the competent authorities:
• In Quebec: Commission d'accès à l'information du Québec
Website: www.cai.gouv.qc.ca
Phone: 1-888-528-7741
• In Canada: Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
You can also contact us directly at contact@glutax.ca for any concerns regarding your personal data.
9. Measurement and Operating Technologies
Unlike intrusive advertising tools, Glutax limits the use of third-party technologies to the strict minimum and ensures they are not used to personally profile you.
Website audience measurement:
• Umami: Our public website (glutax.ca) uses Umami, a privacy-friendly audience measurement tool. This tool allows us to understand website usage and improve our content, without using tracking cookies and without collecting personally identifiable information. Umami is hosted on our own VPS infrastructure (Servarica, Montreal, Canada) and is only loaded on our public production domain. Collected data includes pages viewed, visit duration, and general technical information (browser, device, country of origin).
Advertising measurement technologies:
• Meta Platforms (Facebook SDK): We use the Facebook SDK in a restricted manner solely to evaluate the success of our marketing campaigns, relying on Apple's secure SKAdNetwork framework. This tool only processes de-identified technical identifiers (such as an app installation identifier). No personal tracking identifier (IDFA) is collected and your browsing habits are not tracked. Since we do not collect any data for targeting or personal profiling purposes, Apple's tracking permission request (App Tracking Transparency) is not required.
Essential technologies:
The application uses technologies necessary for its proper functioning and your security:
• Session tokens (JWT): To maintain your connection securely between your device and our servers.
• Local storage: Usage preferences, food data, categories and receipts stored locally on your device via standard iOS technologies.
• IP address limiting: To prevent abuse, we monitor the number of API requests per IP address (maximum 10 receipt scans per day).
10. Subscription and Payment Management
10.1 Subscription services
Subscriptions are managed by the following services:
• Apple In-App Purchase: Payment processing for monthly subscriptions ($3.99 before taxes) and annual subscriptions ($29.99 before taxes with 1 free month). Apple manages all your payment information, to which Glutax has no access.
• RevenueCat: Third-party subscription management service that receives only your anonymous Glutax user identifier and Apple transaction identifiers, without any personal information (name, email, address). Data is stored on AWS servers located in the United States in accordance with RevenueCat's privacy policy (https://www.revenuecat.com/privacy/).
10.2 Managing your subscription
To manage your subscription, cancel it or request a refund, refer to Apple's policies available in your device settings (Settings > [Your name] > Subscriptions) or visit https://support.apple.com/
10.3 Access after expiration
Without an active subscription, you will no longer have access to the application's features. However, your data remains stored and is not automatically deleted. You can access it again by renewing your subscription.
11. Minor Users
Glutax is exclusively intended for users aged 18 and over. We do not knowingly collect personal information from individuals under 18 years of age.
If you are aware that a minor has provided personal information, contact us immediately at contact@glutax.ca. If we discover that a minor has created an account, we will immediately delete all their personal data.
12. Breach Notifications
In the event of a data security breach likely to cause real and serious harm to your personal information, we commit to:
• Notify you by email within 72 hours of discovering the breach, in accordance with PIPEDA and Quebec's Law 25 requirements
• Inform you of the nature of the breach, categories of affected data, measures taken to remedy it, and contact information for obtaining more information
• Report the incident to competent authorities (Privacy Commissioner of Canada and Commission d'accès à l'information du Québec) according to required legal deadlines
13. Modifications to this Policy
We may modify this privacy policy to reflect changes in our practices or legal requirements.
Minor changes (corrections, clarifications, non-substantive additions):
• Email notification 7 days before taking effect
• Your continued use of the application constitutes your acceptance of the modifications
• You retain the right to delete your account if you refuse the modifications
Major changes (new data uses, new third-party sharing, modifications to your rights):
• Email notification 30 days before taking effect
• Your explicit consent will be required during your next use of the application
• If you refuse the modifications, you will have the option to export your data and delete your account
All modification notifications will be sent to you by email, as these are essential communications from which you cannot unsubscribe.
The most recent version of this policy is always available in the application and bears the date of its last update.
14. Contact and Complaints
14.1 Contact us
For any questions regarding this privacy policy or the use of your personal data:
Email: contact@glutax.ca
14.2 Supervisory authorities
If you are not satisfied with our response to your concerns regarding personal information protection, you may file a complaint with the competent authorities. Complete contact information for these authorities is available in section 8.6 of this policy.
For Quebec residents:
Commission d'accès à l'information du Québec (CAI)
Website: www.cai.gouv.qc.ca
Phone: 1-888-528-7741
For other Canadian residents:
Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
14.3 Applicable law
This privacy policy is governed by the laws of Quebec and Canada. Any dispute arising from this policy or the use of the application will be resolved before the competent courts of the province of Quebec, to the extent permitted by applicable law.
14.4 Business transfer
In the event of a merger, acquisition, asset sale or bankruptcy, your personal data could be transferred to a third party. In this case:
• We will inform you by email at least 30 days before the transfer
• The third party must respect this privacy policy or obtain your consent for a new policy
• You will have the option to delete your account before the transfer