← Home

Security and Privacy

How your broker data and personal information is handled, stored, and protected.

Uploaded files are never stored

When you upload a broker export (IBKR Flex Query XML or Questrade Activity XLSX), the file is held in memory for the duration of the calculation and then discarded. It is not written to disk, not saved to a database, and not retained after your report is generated.

This is not a promise we could later break quietly: the calculation engine does not have a storage pathway for uploaded files. There is nowhere for them to go.

Calculation results are stored in your account

After a calculation completes, the output - your capital gains summary, disposition table, warnings, and report files - is saved to your account so you can download it again later. Your 25 most recent calculations are retained. You can delete any individual calculation from your history page, or delete your account entirely from your profile page, which removes all stored results.

Calculation data is stored in Supabase with row-level security policies enforced at the database layer. No calculation record is readable by any user other than the account that created it, even in the event of an application-layer bug.

Encryption in transit and at rest

All connections to ActiveACB are served over HTTPS with TLS 1.2 or higher. There are no unencrypted HTTP endpoints. Data stored in Supabase is encrypted at rest using AES-256. Your session tokens are short-lived JWTs issued and verified by Supabase Auth.

No third-party analytics or advertising

ActiveACB does not load Google Analytics, Meta Pixel, or any advertising or behavioural tracking scripts. The only third-party JavaScript loaded on the application is the Supabase client library, used for authentication and data access. There are no data brokers, retargeting pixels, or session recording tools.

Payments are processed by Stripe. When you subscribe, your payment details go directly to Stripe. They never pass through our servers.

Account and data deletion

You can delete your account at any time from your profile page. Deletion removes your email address from our authentication provider and permanently deletes all stored calculations and report files. There is no retention period after deletion: the removal is immediate and irreversible.

You can also delete individual calculations from your history without closing your account. Each calculation has a Delete button on its detail page that prompts for confirmation before removing the record.

PIPEDA compliance

ActiveACB operates under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. The principles that govern how we collect, use, and protect personal information are:

Incident response

In the event of a data breach or security incident affecting personal information, we will notify affected users by email within 72 hours of becoming aware of the incident, consistent with PIPEDA breach of security safeguards regulations. The notification will describe what data was affected, what we have done to contain the incident, and what steps you can take.

Contact

For security concerns, vulnerability reports, or privacy-related requests, contact [email protected]. We will respond within two business days.