1. Who we are
[Veltafi Inc. — registered name pending incorporation/counsel] (“Veltafi,” “we,” or “us”) is a company organized under the laws of Quebec, Canada. We provide accounts-receivable cheque-processing services to Canadian small businesses. The person responsible for personal-information protection (Privacy Officer) is reachable at dpo@veltafi.com.
2. The personal information we collect, and why
We collect only what we need to provide the service. By category:
| Category | Examples | Specific purpose |
|---|---|---|
| Identity & contact | business name, contact name, email, phone, business address | account creation, authentication, support, billing communications |
| Financial | bank name, last 4 digits of account number, full bank account number | depositing collected funds to your account; full account number is required by your bank for direct-deposit setup |
| Cheque data | payer name, amount, cheque number, date, scanned front/back images, deposit-batch records | processing the cheques you receive, reconciling them to invoices, providing audit trail |
| Authorization | signed Limited Deposit Authorization (LDA) PDF | evidencing your authorization for us to handle incoming cheques addressed to you |
| Operational | status transitions, timestamps, audit log entries | security, fraud prevention, dispute resolution, regulatory compliance |
Per Quebec Law 25 §8, we only collect personal information that is necessary for the purposes listed above. We do not engage in automated decision-making that produces legal or significant effects on you.
3. How we collect it
- From you directly, when you complete the signup form or upload an LDA.
- From the cheques you scan and submit through the operator console.
- From our payment processor (Stripe), which provides us with your email, billing address, and a Stripe customer/subscription identifier — never your full card number.
- Automatically, by our servers: IP address, user agent, and session identifiers when you sign in (used for security and audit logging only; not for advertising or third-party tracking).
4. Third parties that process your information
We share information with the following processors strictly to deliver the service. Each is bound by a written agreement and processes your data only on our instructions.
| Processor | Purpose | Jurisdiction |
|---|---|---|
| Stripe | Payment processing, subscription billing | United States, Ireland |
| Supabase | Authentication, encrypted secret storage, audit log | United States or European Union (region configured per project) |
| Airtable | Customer and cheque metadata database | United States |
| Cloudflare R2 | Encrypted storage of cheque images and LDA PDFs | Eastern North America |
| Mindee | Optical character recognition of cheque images | European Union |
| Resend | Transactional email delivery | United States |
| Vercel | Application hosting and edge delivery | United States (and global edge) |
5. Cross-border transfers (Quebec Law 25 §17 disclosure)
Some of the processors above store and process information outside of Quebec, including in the United States and the European Union. Information stored outside Quebec may be subject to the laws of those jurisdictions, including lawful access requests. Before transferring your information outside Quebec, we conduct a Privacy Impact Assessment (Évaluation des facteurs relatifs à la vie privée) to confirm an adequate level of protection, as required by Law 25.
Sensitive information — your full bank account number and the LDA PDF — is encrypted before leaving our servers. Full bank account numbers are encrypted with AES-256-GCM using a key stored separately from the data.
6. How long we keep it
- Cheque records, deposit batches, and audit log entries: retained for seven (7) years from the date of creation, to satisfy Canadian tax and bank-reconciliation record-keeping requirements.
- Cheque images: retained for the same period, then permanently deleted.
- Encrypted bank account numbers: deleted within 30 days of account closure or upon valid deletion request, whichever is sooner.
- Account email, contact info: retained until account closure; deleted within 30 days thereafter, except information we must retain by law.
- Sign-in session and access logs: retained for 90 days.
7. Your rights
Under Quebec Law 25 and PIPEDA, you have the right to:
- Access the personal information we hold about you.
- Rectify information that is inaccurate, incomplete, or out of date.
- De-index or delete information that is no longer necessary, in certain circumstances.
- Portability: receive your information in a structured, commonly used format (effective September 22, 2024 under Law 25).
- Withdraw consent at any time, subject to legal and contractual restrictions.
- Complain to the Commission d'accès à l'information du Québec (CAI) or the Office of the Privacy Commissioner of Canada (OPC).
To exercise any of these rights, email dpo@veltafi.com. We respond within 30 days.
8. How we protect your information
- Authentication via single-use email magic links (no stored passwords).
- Row-level security in our database; least-privilege access by employees.
- Full bank account numbers encrypted with AES-256-GCM. Encryption keys stored separately from ciphertext.
- All cheque images and LDAs encrypted at rest. Image access uses 15-minute signed URLs; never public.
- Every state-changing action in the operator console is recorded in an immutable audit log.
- HTTPS in transit. Strict Content Security Policy. No third-party trackers.
9. Cookies and tracking
We use only first-party session cookies necessary to keep you signed in. We do not use advertising cookies, analytics that profile you across sites, or social-media trackers. No cookie consent banner is required because we use no non-essential cookies.
10. Children
Veltafi is a business-to-business service and is not directed at children under 14. We do not knowingly collect personal information from minors.
11. Changes to this policy
If we make a material change, we will notify active customers by email and require re-acceptance at next sign-in. The version string at the top of this page is recorded in our audit log alongside each consent.
12. Contact
Privacy Officer: dpo@veltafi.com
General: privacy@veltafi.com