Legal

Privacy Policy

Effective June 30, 2026

Pratica ("we", "us", "our") provides a software-as-a-service platform for accounting firms. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over your information. It applies to the Pratica web application at pratica.ca and any related services (collectively, the "Service").

Pratica is operated from British Columbia, Canada. We handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including Québec's Act respecting the protection of personal information in the private sector (Law 25). If you use the Service, you agree to this Privacy Policy.

1. Our role: who controls your data

Pratica handles two broad categories of personal information, and our role differs for each:

  • Account and usage information — information about you as a user of the Service (your name, login email, usage logs). For this information, Pratica acts as the party that decides why and how it is processed (a "controller" / the organization "responsible" for it under Law 25).
  • Customer Data — the data your firm puts into Pratica, including personal information about your firm's clients and team members. For Customer Data, your firm is the controller and Pratica acts as a service provider / processor that handles it only on your firm's documented instructions and to provide the Service. Your firm is responsible for having a lawful basis (such as consent) to put that information into Pratica, for giving its own clients any required privacy notice, and for the accuracy of that data.

If you are a client of a firm that uses Pratica and you want to access, correct, or delete information that firm holds about you, please contact the firm directly — it controls that information. We will assist the firm as its processor.

2. Information we collect

2.1 Information you provide

  • Account information — your name, email address, password (hashed), and profile preferences when you sign up.
  • Workspace data (Customer Data) — the data you and your firm enter into Pratica, including client (organization) records, contacts, work items, time entries, prospects, SOPs, and other operational information.
  • Billing information — if you become a paying customer, billing details are processed by our payment processor; we do not store full payment card numbers on our servers.
  • Communications — when you contact us by email or through the contact form, we receive the contents of your message and your contact details.

2.2 Information collected automatically

  • Usage data — pages visited, features used, timestamps, and approximate location (derived from IP address) for security and product improvement.
  • Device data — browser type, operating system, and device identifiers.
  • Analytics — we use Umami, a privacy-focused, cookieless analytics service, to measure aggregate, non-identifying site usage (such as page paths and referrers). It does not set advertising cookies and does not build cross-site or cross-device profiles of you.
  • Cookies — we use strictly-necessary cookies for authentication and session management only. We do not use advertising cookies.

2.3 Information from third-party services

If you choose to connect a third-party service (such as Google or Slack), we receive information from that service as described in Section 5 below.

3. How we use your information

  • To provide, operate, and maintain the Service.
  • To authenticate you and protect your account.
  • To improve the Service — diagnose technical issues, prevent fraud, and develop new features, using aggregated or de-identified data where feasible.
  • To respond to your support requests and communicate with you about the Service.
  • To send transactional emails (e.g. email verification, password reset, invoices).
  • To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, and we do not "trade" it for other consideration. We do not use your workspace data or any data we receive from Google APIs to train machine-learning or generative-AI models.

4. Artificial-intelligence features

Some features of the Service use artificial intelligence (for example, suggested to-dos, reconciliation assistance, and insights). When you use such a feature, the relevant Customer Data needed for that feature is sent to our AI sub-processors — Anthropic and OpenAI — which process it through their APIs solely to return a result to you.

  • These providers do not use data submitted through their APIs to train their models.
  • We do not use your Customer Data to train our own or any third party's models.
  • AI output is generated automatically and may be inaccurate or incomplete; it is decision-support that you and your firm review, not professional advice or an automated decision (see Section 10).

5. Google user data and Limited Use disclosure

Pratica offers optional integrations with Google services (Gmail, Google Calendar, Google Drive) so that your firm can bring client communications, scheduling, and documents alongside its work. You may connect or disconnect these integrations at any time from your account settings.

5.1 Scopes we request

When you connect your Google account to Pratica, we request these OAuth scopes:

  • https://www.googleapis.com/auth/userinfo.email — to identify which Google account is connected and display your email in the connection UI.
  • https://www.googleapis.com/auth/gmail.modify — to read your Gmail messages and metadata so that we can show client emails alongside the relevant work, and to modify labels (mark as read, archive). This scope does not permit permanent deletion of messages, and Pratica never permanently deletes messages from your Gmail account.
  • https://www.googleapis.com/auth/gmail.send — to send emails on your behalf from the Pratica interface (for example, replying to a client thread inside the app) and to create drafts you can review before sending.
  • https://www.googleapis.com/auth/calendar.events.readonly — to read your Google Calendar events so we can display them alongside your work in the Pratica calendar. We do not create, modify, or delete your calendar events.
  • https://www.googleapis.com/auth/drive.file — per-file access limited to folders and files that Pratica itself creates (for example, a client work folder). This scope does not give Pratica access to the rest of your Google Drive.

5.2 What we store from Google

  • OAuth tokens — refresh and short-lived access tokens, stored encrypted at rest, used to authenticate API calls on your behalf.
  • Email metadata and message content — we cache message identifiers, thread identifiers, sender / recipient addresses, subjects, snippets, timestamps, and the bodies of messages required to display them in the Pratica interface. Cached content is scoped to your workspace and accessible only to authorized members of that workspace.
  • Your email address — the address of the connected Google account, for display purposes.

5.3 Limited Use of Google user data

Pratica's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide or improve user-facing features that are prominent in the Pratica interface.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless (i) we have your affirmative consent for specific messages; (ii) doing so is necessary for security purposes such as investigating abuse; (iii) doing so is necessary to comply with applicable law; or (iv) the data has been aggregated and is used for internal operations.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine-learning models.

5.4 Revoking access and deletion on disconnect

You can disconnect Pratica's Google integration at any time from within Pratica (Settings → Integrations) or directly at myaccount.google.com/permissions. When you disconnect, we revoke and delete the associated OAuth tokens and promptly delete the cached Gmail content synced from your mailbox from our active systems; residual copies are purged from encrypted backups within 90 days, except where a copy must be retained for a legal reason described in Section 8.

6. How we share information — sub-processors

We share information only as described below. We do not sell your personal information.

  • Within your workspace — data you enter is visible to other authorized members of your firm's workspace, subject to the permission settings configured by your workspace administrators.
  • Legal obligations — we may disclose information if required by law, valid legal process, or to protect rights, property, or safety.
  • Business transfers — if Pratica is involved in a merger, acquisition, or asset sale, your information may be transferred, with notice and consistent with this Policy.

We use the following categories of vetted sub-processors to operate the Service. They are contractually required to protect your data and to use it only to provide services to us. This list is current as of the Effective Date; for the latest version, email privacy@pratica.ca.

  • Hosting & compute — Fly.io (United States).
  • Database — Neon (United States).
  • File storage — Cloudflare R2.
  • Transactional email — Resend.
  • Artificial intelligence — Anthropic and OpenAI (United States).
  • Product analytics — Umami.
  • Payments — our payment processor (for paid plans).
  • Integrations you connect — Google (Gmail, Calendar, Drive) and Slack, used only when you choose to connect them.

7. International data transfers

Pratica is operated from Canada, and some of our sub-processors store or process personal information in the United States and other countries. This means your personal information may be subject to the laws of those countries, including lawful access requests by their courts, law-enforcement, or national-security authorities. Before transferring personal information outside Québec, we conduct the privacy assessment required by Law 25, and where required we put appropriate safeguards in place (such as contractual protections / standard contractual clauses) for cross-border transfers.

8. Data retention

We retain workspace data for as long as the workspace remains active. If a workspace is deleted, its data is purged from our active systems within 30 days, and from encrypted backups within 90 days. Account-level data is retained while your account is active and for a reasonable period afterwards in case you reactivate. We may retain certain information longer where required by law (for example, financial records and audit logs).

9. Security

We use industry-standard administrative, technical, and physical safeguards to protect your information, including encryption in transit (TLS 1.2+), encryption of secrets at rest, role-based access controls within each workspace, and least-privilege access for our personnel. No method of transmission or storage is completely secure; if a personal-information breach occurs that creates a real risk of significant harm, we will notify affected individuals and the applicable authorities (in Canada, the Office of the Privacy Commissioner of Canada and, for Québec residents, the Commission d'accès à l'information) as required by law.

10. Your rights and choices

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you;
  • Correct information that is inaccurate or incomplete;
  • Delete your account and associated personal data;
  • Object to or restrict certain processing;
  • Export your data in a portable format;
  • Withdraw consent you have previously given; and
  • Lodge a complaint with a privacy regulator (see below).

10.1 Québec residents (Law 25)

If you are in Québec, you also have the rights conferred by Law 25, including the right to de-indexing and to data portability, and the right to complain to the Commission d'accès à l'information du Québec. Pratica has designated a Person Responsible for the Protection of Personal Information, who can be reached at privacy@pratica.ca.

10.2 Automated decision-making

We do not make decisions that produce legal effects about you, or similarly significantly affect you, based solely on automated processing of your personal information. Features such as metrics and AI suggestions are decision-support tools that you and your firm review and act on.

To exercise any of these rights, email privacy@pratica.ca. We will respond within the period required by applicable law. In Canada, you may also contact the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).

11. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so that we can delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date at the top of this page and, where appropriate, notify you by email or through the Service. Your continued use of the Service after a change takes effect constitutes acceptance of the updated Policy.

13. Contact us

If you have questions about this Privacy Policy or how we handle your personal information, contact our Person Responsible for the Protection of Personal Information at privacy@pratica.ca.