Privacy Policy

Last updated: May 26, 2026

Stamped, Comptable Professionnel Agréé Inc. ("Stamped", "we", "our") operates from Québec, Canada. We comply with Québec's Act to modernize legislative provisions as regards the protection of personal information (commonly referred to as "Law 25" or "Loi 25"), the Act respecting the protection of personal information in the private sector (CQLR c. P-39.1), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the General Data Protection Regulation (GDPR) where it applies.

Data Controller and Privacy Officer

Stamped, Comptable Professionnel Agréé Inc.
Privacy contact: engineering@stamped.ai
Pursuant to Law 25 and section 3.1 of the Act respecting the protection of personal information in the private sector, the person exercising the highest authority at Stamped is responsible for the protection of personal information and may delegate this function in writing. To reach the responsible person or their delegate, email engineering@stamped.ai.

Personal Information We Collect

Account and identity information

  • Email address, name, signature name, username, phone number
  • Job title, professional permit number, biography
  • Authentication data: hashed password (never stored in clear text), encrypted OAuth tokens, magic-link digests
  • Session metadata: IP address, user agent, sign-in timestamps
  • Preferences: time zone, locale, notification settings

Customer-uploaded service data

Stamped is a back-office platform for accounting firms and CPAs. Our customers (the firms) upload information about their own clients and engagements: tax and accounting documents, bank statements, financial statements, correspondence, and other data required to deliver the engagement. With respect to that data, Stamped acts as a processor on behalf of the firm, which remains the controller.

Cookies and usage data

We use cookies that are strictly necessary for the service to function (authentication, security) and, subject to your consent where applicable, analytics cookies. You may configure your browser to refuse non-essential cookies.

Purposes and Legal Bases

We process personal information for the following purposes:

  • Performance of contract – providing, operating, and maintaining the Stamped service; managing user accounts and subscriptions;
  • Legal obligations – meeting accounting, tax, and regulatory requirements applicable in Québec and Canada;
  • Legitimate interests – security, fraud prevention, service improvement, logging and audit;
  • Consent – non-essential analytics, marketing communications, and any other purpose for which we explicitly ask for your agreement.

Hosting Location and Transfers Outside Québec

Stamped's application data and primary database are hosted in Canada on Google Cloud Platform, in the Montréal region (northamerica-northeast1). Backups and the read replica are kept in the same region.

In accordance with section 17 of the Act respecting the protection of personal information in the private sector, we conduct a Privacy Impact Assessment before transferring personal information outside Québec. Some of our sub-processors process information outside Québec or Canada (see the list below). In those cases, we ensure by contract that the information receives equivalent protection.

Sub-processors and Third-Party Service Providers

We rely on the following sub-processors to provide the service. This list may be updated; material changes will be communicated on this page.

Infrastructure and operations

  • Google Cloud Platform (Google LLC) – application hosting, database, and backup storage. Location: Canada (Montréal).
  • Cloudflare, Inc. – content delivery, web application firewall (WAF), and DNS. Location: United States and global network.
  • Amazon Web Services (S3) (Amazon.com, Inc.) – storage of files uploaded via ActiveStorage. Location: United States or Canada depending on bucket configuration.

Accounting and financial integrations (customer-enabled)

  • Intuit QuickBooks – accounting integration. Location: United States.
  • Xero – accounting integration. Location: New Zealand / global.
  • Plaid Inc. – bank-data aggregation. Location: United States / Canada.
  • TaxPrep / Wolters Kluwer – tax preparation. Location: Canada.

Documents and messaging

  • Microsoft Graph (Microsoft Corporation) – SharePoint / OneDrive integration when enabled by the customer. Location: depends on the customer's Microsoft tenant.
  • Mailgun (Sinch) – inbound email handling via ActionMailbox. Location: United States or European Union depending on configuration.
  • Outbound SMTP provider – transactional email delivery.

Monitoring, security, and user experience

  • Sentry (Functional Software, Inc.) – application error monitoring. Location: United States.
  • Google reCAPTCHA (Google LLC) – bot and fraud protection. Location: United States.

Payments

  • Stripe, Inc. – payment processing. Stamped does not store full payment card data. Location: United States / Canada.

Artificial intelligence features

Some Stamped features rely on third-party generative AI models to assist users in carrying out their engagements. We do not allow third-party providers to train their models on our customers' data. Our contracts with these providers include zero data retention, or retention strictly limited to security and abuse-prevention purposes.

Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or for the period required by law (including the record-keeping obligations of the Chartered Professional Accountants Act and the Income Tax Act). Account information is deleted or anonymized within 30 days of account termination or a verified deletion request, subject to any longer retention periods imposed by law. Security and audit logs may be retained for up to 12 months.

Your Rights

Under Law 25, PIPEDA, and, where applicable, the GDPR, you have the following rights:

  • Right of access – confirm whether we hold personal information about you and obtain a copy;
  • Right to rectification – have inaccurate, incomplete, or ambiguous information corrected;
  • Right to portability – receive the computerized personal information you provided to us in a structured, commonly used technological format (in force since September 22, 2024 under Law 25);
  • Right to de-indexation and to cease dissemination – require that we stop disseminating information or de-index a hyperlink to it, under the conditions set by law;
  • Right to withdraw consent at any time, without affecting the lawfulness of processing carried out previously;
  • Right to be informed of automated decisions that produce legal effects on you or significantly affect you, and to submit observations to a person who can review the decision;
  • Right to file a complaint with Québec's Commission d'accès à l'information (cai.gouv.qc.ca) or the Office of the Privacy Commissioner of Canada.

Exercising your rights

To exercise any of these rights, email engineering@stamped.ai. We will handle your request free of charge and respond within 30 days, in accordance with section 32 of the Act respecting the protection of personal information in the private sector. We may ask you to confirm your identity before acting on the request.

Automated Decision-Making

Stamped does not currently use any process based exclusively on automated processing that produces legal effects on users. If this changes, we will inform you and provide you with the opportunity to submit observations to a Stamped employee able to review the decision.

Confidentiality Incidents

In accordance with section 3.5 of the Act respecting the protection of personal information in the private sector, in the event of a confidentiality incident presenting a risk of serious injury, we will promptly notify Québec's Commission d'accès à l'information and the affected persons, and maintain a register of incidents that we will make available to the Commission on request.

Security

For details of the technical and organizational measures we implement, see our Security Statement.

Cookies and "Do Not Track"

Our site uses essential cookies and, subject to your consent, analytics cookies. We do not currently respond to browser "Do Not Track" signals, but you can manage your preferences through the consent banner or your browser settings.

Changes

We may update this policy to reflect changes to our practices or to legal requirements. Where the changes are material, we will post a notice on this page and, where appropriate, notify you by email.

Contact

For any questions about this policy or the processing of your personal information, email us at engineering@stamped.ai.