Privacy Policy

Last updated: May 2, 2026

This Privacy Policy describes how HST Hero ("we", "us", "our") collects, uses, and protects information about you when you use HST Hero ("Service"). We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy law.

1. Information We Collect

We collect only what is necessary to provide the Service:

  • Email address — used to identify your account and for account-related communications.
  • Password — stored as a one-way bcrypt hash. We cannot recover your password.
  • Revenue entries — the amounts, dates, provinces, and optional descriptions you enter into the tracker. This data is scoped to your account.
  • Usage data — basic server logs (IP address, browser type, pages visited) retained for up to 30 days for security and debugging purposes.

We do not collect bank credentials, payment information, social insurance numbers, or any data beyond what you explicitly enter.

2. How We Use Your Information

We use your information to:

  • Provide and operate the Service
  • Authenticate you and protect your account
  • Respond to support requests
  • Detect and prevent fraud or abuse
  • Improve the Service

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Neon (neon.tech), with servers located in the United States. Data is encrypted in transit (TLS) and at rest. We apply industry-standard security practices, but no system is completely secure.

4. Data Retention

We retain your data for as long as your account is active. You may permanently delete your account and all associated data at any time from the Settings page. Deletion is immediate and irreversible.

5. Your Rights (PIPEDA)

Under Canadian privacy law, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Withdraw consent and request deletion of your data

To exercise these rights, email us at privacy@hsthero.ca or use the self-serve deletion option in Settings.

6. Cookies and Sessions

We use a single encrypted session cookie (iron-session) to keep you logged in. This cookie is strictly necessary for the Service to function. We do not use tracking cookies, advertising cookies, or third-party analytics.

7. Third-Party Services

We use the following sub-processors:

  • Vercel — hosting and edge network (United States)
  • Neon — database (United States)

Each of these providers has its own privacy policies and security practices. By using the Service, you consent to your data being processed in the United States.

8. Children

The Service is not directed at children under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date above. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

Questions or concerns about privacy? Email us at privacy@hsthero.ca.