Privacy Policy

Introduction

Kayra Labs ("we," "us," or "our") operates the Cadig mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our App.

Cadig is designed for Canadian solo contractors, trades, and small businesses to generate CRA-compliant invoices and estimates. We are committed to protecting your privacy and complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable Canadian privacy laws.

Information We Collect

1. Account Information

When you create an account, we collect:

• Email address (required for authentication)
• Password (encrypted and never stored in plain text)
• Display name (optional)
• Profile picture (optional)

2. Business Information

To generate compliant invoices, you provide:

• Business name (required)
• Legal name (optional)
• CRA Business Number (optional)
• Business phone number (optional)
• Business address (street address, city, province, postal code)
• Business logo (optional)
• Default invoice terms (in English and/or French)
• Brand accent color (for invoice customization)

3. Client Information

When you add clients to your directory, you may store:

• Client names
• Email addresses
• Phone numbers
• Business addresses (including province)
• Notes about clients

Note: You control what client information you enter. We recommend only storing information necessary for invoicing purposes.

4. Product and Service Information

When you create items in your service library:

• Item/service names and descriptions
• Pricing information
• Service type categories (product, service, labor, consulting, digital, other)
• Unit types (hour, day, each, etc.)
• Tax treatment preferences

5. Invoice and Estimate Data

When you create invoices or estimates:

• Invoice/estimate numbers (automatically generated)
• Issue dates and due dates
• Line item descriptions, quantities, and prices
• Tax calculations (GST/HST/PST/QST based on client province)
• Invoice language preference (English or French)
• Custom terms and notes
• Payment status

6. Usage Information

We collect limited usage data to enforce quota limits:

• Monthly invoice count (for free tier users: 3 invoices per month)
• Subscription status (free or pro)

7. Payment Information

For Pro subscriptions, payment processing is handled by:

• Apple App Store (for iOS users)
• Google Play Store (for Android users)
• RevenueCat (subscription management service)

We do not directly collect or store your payment card details. Payment information is processed by Apple, Google, and RevenueCat according to their respective privacy policies.

8. Device and Technical Information

The App stores data locally on your device for offline functionality:

• Cached copies of your invoices, clients, and items
• App preferences (language, onboarding status)
• Authentication tokens
• Pending changes waiting to sync

How We Use Your Information

We use your information solely to provide and improve the Cadig service:

Primary Uses

1. Account Management: Creating and maintaining your account, authenticating you
2. Invoice Generation: Creating CRA-compliant invoices and estimates with accurate tax calculations
3. PDF Export: Generating printable/shareable invoice PDFs with your branding
4. Client Management: Organizing your client directory
5. Offline Functionality: Allowing you to work without an internet connection
6. Subscription Management: Managing free and pro tier features and usage limits

Secondary Uses

1. Customer Support: Responding to your inquiries and troubleshooting issues
2. Service Improvement: Understanding how features are used to improve the App
3. Legal Compliance: Meeting CRA requirements for invoice formatting and tax calculations

What We DON'T Do

• We do NOT sell your personal information to third parties
• We do NOT use your information for advertising or marketing purposes
• We do NOT share your client data with anyone
• We do NOT analyze your invoice content for purposes other than providing the service

Data Security

We take the security of your information seriously:

Technical Measures

• Encryption in Transit: All data transmitted between your device and our servers uses HTTPS/TLS 1.2+ encryption
• Encryption at Rest: Your data is stored in encrypted databases managed by Supabase (Canada region: ca-central-1)
• Password Security: Passwords are hashed using industry-standard bcrypt algorithms and never stored in plain text
• Access Controls: Row-Level Security (RLS) policies ensure you can only access your own data
• Private Storage: All uploaded files (logos, PDFs) are stored in private buckets with signed URLs that expire after 7 days

Organizational Measures

• Access to production systems is restricted to authorized personnel only
• We regularly review and update our security practices
• We use a multi-tenant architecture with strict data isolation

Device Security

Your device stores cached data in local storage. We recommend:

• Enabling device encryption (iOS and Android provide this by default)
• Using a strong device passcode or biometric authentication
• Keeping your device operating system updated

Third-Party Services

We use the following trusted third-party services:

1. Supabase (Backend Infrastructure)

• Purpose: Database, authentication, file storage
• Data Stored: All account, business, client, invoice data
• Location: Canada (ca-central-1 region)
• Privacy Policy: https://supabase.com/privacy

2. RevenueCat (Subscription Management)

• Purpose: Managing in-app purchases and subscriptions
• Data Shared: User ID, subscription status, purchase transactions
• Privacy Policy: https://www.revenuecat.com/privacy

3. Apple App Store / Google Play Store

• Purpose: Payment processing for Pro subscriptions
• Data Shared: Purchase transactions (handled directly by Apple/Google)
• Privacy Policies:
  • Apple: https://www.apple.com/legal/privacy/
  • Google: https://policies.google.com/privacy

4. Expo (App Framework)

• Purpose: Mobile app development framework and build services
• Data Shared: No user data processed; used only for app development
• Privacy Policy: https://expo.dev/privacy

Your Rights Under PIPEDA

As a Canadian user, you have the following rights:

1. Right to Access

You can access all your personal information directly within the App:

• View and edit your profile in Settings → Edit Profile
• View and edit business information in Settings → Business Information
• View all clients, items, and invoices in their respective sections

2. Right to Correction

You can update or correct your information at any time:

• Edit your profile, business details, clients, and items through the App
• Contact us if you need assistance correcting information

3. Right to Deletion

You can delete your account at any time:

• Go to Settings → Delete Account
• This action is irreversible and will permanently delete:

• Your account and profile
• All business information
• All clients, items, invoices, and estimates
• All uploaded files (logos, PDFs)
• All local cached data

4. Right to Withdraw Consent

You can stop using the App at any time. Simply:

• Delete your account (see above), or
• Uninstall the App from your device

5. Right to Complain

If you believe we have not complied with privacy laws, you can:

• Contact us at: support@cadig.app
• File a complaint with the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/

Data Retention

Active Data

While your account is active, we retain:

• Account and business information: Indefinitely, until you delete your account
• Clients, items, invoices: Indefinitely, until you delete your account
• Archived clients and items: Retained but hidden from view; can be unarchived
• Uploaded files (logos, PDFs): Indefinitely, until you delete your account

CRA Note: The Canada Revenue Agency recommends keeping business records (including invoices) for at least 6 years. Cadig stores your data indefinitely to support this requirement, but you can delete your account at any time.

Temporary Data

• Authentication tokens: 1 hour (automatically refreshed)
• Cached data on device: Up to 24 hours (or until manually cleared)
• Offline pending changes: Until synced to the server
• Signed file URLs: 7 days

After Account Deletion

When you delete your account:

• All personal data is permanently deleted within 30 days
• We do not retain backups of deleted accounts
• This action cannot be undone

International Data Transfers

Your data is stored exclusively in Canada (Supabase ca-central-1 region). We do not transfer your data outside of Canada, except:

• RevenueCat (a U.S.-based service) receives your user ID and subscription status for payment processing
• Apple/Google process payments according to their global infrastructure

These transfers are necessary to provide the subscription service and comply with app store requirements.

Children's Privacy

Cadig is intended for business use by adults. We do not knowingly collect information from individuals under the age of 18. If you believe a minor has created an account, please contact us immediately at support@cadig.app.

Offline Functionality and Data Sync

Cadig is designed to work offline:

How Offline Mode Works

1. Local Storage: When offline, the App stores your changes on your device
2. Automatic Sync: When you reconnect to the internet, changes are automatically uploaded to our servers
3. Conflict Resolution: If conflicts occur (rare), the most recent change is kept

What You Can Do Offline

• View all previously loaded clients, items, and invoices
• Create and edit draft invoices
• Add new clients and items
• Mark invoices as sent (a temporary number is assigned; the real number is assigned when you sync)

What Requires Internet

• Initial login and signup
• PDF export and sharing
• Downloading data from other devices
• Subscription purchases

Data Security Offline

• Offline data is stored in your device's local storage
• We recommend enabling device encryption and using a strong passcode
• If your device is lost or stolen, your data may be accessible unless device encryption is enabled

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:

1. We will update the "Last Updated" date at the top of this policy
2. For significant changes, we will notify you via:
   • An in-app notification, or
   • An email to your registered email address
3. Continued use of the App after changes indicates your acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

For privacy-related inquiries, please include:

• Your registered email address
• A description of your inquiry or request
• Any relevant details to help us respond

We will respond to privacy requests within 30 days, as required by PIPEDA.

Consent

By creating an account and using Cadig, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

You can withdraw your consent at any time by:

1. Deleting your account (Settings → Delete Account), or
2. Uninstalling the App from your device