Privacy Impact Assessment
Conducted by Bit Mentors Inc. · Last reviewed: April 2026
Prepared in accordance with Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Project Description
ExpenseFlow is a web-based expense tracking application operated by Bit Mentors Inc. (Ottawa, Ontario) for Canadian self-employed professionals and contractors. The service allows users to upload bank statement CSV/XLSX files, auto-categorize transactions against CRA T1 General expense categories, and export CRA-compliant summaries for tax filing. Authentication is performed via magic link (passwordless email) or one-time passcode.
2. Personal Information Inventory
| Data Element | Purpose | Retention | Stored In |
|---|---|---|---|
| Email address | Account identity; sending magic links | Until account deletion | MongoDB (Canada) |
| Session token | Maintaining authenticated sessions | 30 days or until sign-out | MongoDB (Canada) |
| Transaction data (date, description, amount) | Expense categorization and reporting | Until user deletes data or account | MongoDB (Canada) |
| User settings (province, tax year, business name) | Personalizing HST calculations and exports | Until account deletion | MongoDB (Canada) |
| Anonymized transaction patterns (normalized text + category, no amounts) | Improving shared auto-categorization model | Indefinite (no PII) | MongoDB (Canada) |
| Newsletter email address | Sending tax tips and CRA updates | Until unsubscribe | Brevo (EU data centre) |
Banking credentials are never collected. Users export their own CSV/XLSX files from their bank and upload them directly. ExpenseFlow has no connection to any financial institution.
3. Information Flow Diagram
- User provides email address → magic link sent via Brevo SMTP → user clicks link → session cookie set in browser.
- User uploads bank statement CSV/XLSX → file parsed in server memory → transactions stored in MongoDB → file not retained on disk.
- On category correction → anonymized text pattern (no amount, no date, no name) written to shared learned_patterns collection.
- On export → transactions queried and formatted as CSV → delivered directly to browser; no copy stored.
- Newsletter signup → email address sent to Brevo API; not stored in MongoDB.
4. Identified Privacy Risks and Controls
4.1 Unauthorized Access to Transaction Data
Risk: A compromised or stolen session cookie could allow an attacker to view a user’s financial transactions.
Controls: Session tokens are 256-bit random values (crypto.randomBytes). Cookies are set HttpOnly, Secure, SameSite=Lax. Sessions expire after 30 days. Magic links expire after 24 hours and are single-use. Verification attempts are rate-limited (5 per 15 minutes, persisted in MongoDB across serverless instances). HTTPS is enforced via HSTS header (max-age=31536000, includeSubDomains, preload).
4.2 Exposure of Transaction Data via API
Risk: API routes could return another user’s data.
Controls: Every database query is scoped by userId derived from the authenticated session. No query accepts a userId from user-supplied input. Centralized auth middleware (middleware.ts) redirects unauthenticated requests before they reach API handlers.
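As an added illustration of the controls in 4.1 and 4.2 (example code, not ExpenseFlow's own), the flow below resolves a session from the cookie token, rejects sessions older than 30 days, and builds a MongoDB filter whose userId comes only from the session. The in-memory session Map standing in for the sessions collection, the field names and the 401 response are assumptions.

```javascript
// Added example (not ExpenseFlow's code): a request reaches a MongoDB filter
// with userId taken from the session, never from the request. The session
// store is an in-memory Map standing in for the MongoDB sessions collection;
// session shape and query field names are assumptions.

const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30-day session lifetime (4.1)
const ALLOWED_QUERY_FIELDS = ["category", "taxYear"]; // user-controllable filters only

// Constructed sample sessions keyed by the cookie's session token.
const sessions = new Map([
  ["tok-alice", { userId: "user-alice", createdAt: Date.parse("2026-04-01T00:00:00Z") }],
  ["tok-bob", { userId: "user-bob", createdAt: Date.parse("2026-01-01T00:00:00Z") }],
]);

// Resolve the session for a cookie token; null if unknown or older than 30 days.
function resolveSession(token, now) {
  const session = sessions.get(token);
  if (!session) return null;
  if (now - session.createdAt > SESSION_TTL_MS) return null;
  return session;
}

// Build the transactions filter. The userId comes only from the session; a
// userId in the request is dropped along with every field not explicitly allowed.
function buildTransactionFilter(session, requestQuery) {
  const filter = { userId: session.userId };
  for (const field of ALLOWED_QUERY_FIELDS) {
    if (requestQuery[field] !== undefined) filter[field] = requestQuery[field];
  }
  return filter;
}

// Handler-level flow: no valid session -> 401, otherwise a session-scoped filter.
function handleTransactionsRequest(cookieToken, requestQuery, now = Date.now()) {
  const session = resolveSession(cookieToken, now);
  if (!session) return { status: 401, filter: null };
  return { status: 200, filter: buildTransactionFilter(session, requestQuery) };
}
```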
4.3 Malicious File Upload
Risk: A crafted XLSX file could exploit parsing vulnerabilities.
Controls: ExcelJS 4.4+ (replacing the vulnerable SheetJS/xlsx 0.18.5) is used for XLSX parsing. File size is capped at 10 MB. Only .csv and .xlsx extensions are accepted. Files are parsed in memory and never written to disk.
4.4 Shared Pattern Learning Privacy
Risk: Shared patterns could inadvertently expose identifying information.
Controls: Only the normalized transaction description text and CRA category are written to shared patterns — no amount, date, uploadId, or userId. The normalization function strips numbers, punctuation, and short tokens before storage. Patterns with a count below 2 are excluded from the shared model to prevent single-user exposure.
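Added example (not ExpenseFlow's code) of the 4.4 normalization and count filter, run over constructed corrections. The rule that a short token is under 3 characters, and the record field names, are assumptions; the count threshold of 2 is the one the PIA states.

```javascript
// Added example (not ExpenseFlow's code): the normalization and filtering
// step of 4.4. Assumptions: a "short token" is under 3 characters; the
// minimum count for a pattern to enter the shared model is 2, as stated.

const MIN_TOKEN_LENGTH = 3;
const MIN_SHARED_COUNT = 2;

// Reduce a raw bank-statement description to letter-only tokens: digits
// (card suffixes, store numbers, reference ids) and punctuation are removed,
// and short tokens such as "e", "on", "qc" are dropped.
function normalizeDescription(description) {
  return description
    .toLowerCase()
    .replace(/\p{N}+/gu, " ")      // strip numbers
    .replace(/[^\p{L}\s]+/gu, " ") // strip punctuation and symbols
    .split(/\s+/)
    .filter((token) => token.length >= MIN_TOKEN_LENGTH)
    .join(" ");
}

// Aggregate category corrections into shared patterns. Only the normalized
// pattern and CRA category leave this function: amount, date, uploadId and
// userId are present on the input records but never copied to the output.
function buildSharedPatterns(corrections) {
  const counts = new Map();
  for (const c of corrections) {
    const pattern = normalizeDescription(c.description);
    if (pattern === "") continue; // nothing left after normalization
    const key = `${pattern}\u0000${c.category}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const shared = [];
  for (const [key, count] of counts) {
    if (count < MIN_SHARED_COUNT) continue; // single-correction patterns stay private
    const [pattern, category] = key.split("\u0000");
    shared.push({ pattern, category, count });
  }
  return shared;
}

// Constructed sample corrections (not real user data). The third one keeps a
// surname after normalization but is excluded by the count threshold.
const sampleCorrections = [
  { userId: "u1", uploadId: "up-1", date: "2026-02-03", amount: 42.17, description: "STAPLES #0423 OTTAWA ON", category: "Office expenses" },
  { userId: "u2", uploadId: "up-7", date: "2026-03-11", amount: 9.99, description: "Staples #0117 Ottawa, ON", category: "Office expenses" },
  { userId: "u1", uploadId: "up-1", date: "2026-02-05", amount: 1500, description: "E-TRANSFER 4471 J. TREMBLAY", category: "Subcontracts" },
];
```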
4.5 Data Residency
Risk: Personal information could be stored or processed outside Canada.
Controls: The MongoDB Atlas cluster is configured to a Canadian region. Application hosting on Vercel may route compute through US or European edge nodes for latency; however, persistent data at rest remains on the Canadian MongoDB cluster. Newsletter email addresses are processed by Brevo (EU). Users are informed of this in the Privacy Policy.
4.6 Data Breach Response
In the event of a breach involving personal information, Bit Mentors Inc. will notify affected individuals and, where required by PIPEDA or Quebec Law 25, the Office of the Privacy Commissioner of Canada and/or the Commission d’accès à l’information du Québec within the required timeframes (72 hours for Quebec Law 25 where there is a risk of serious harm).
5. User Rights
- Access: Users can view all their transaction data within the application.
- Correction: Users can re-categorize transactions at any time.
- Deletion: Users can delete all transaction data via Settings → Delete All Data. Full account deletion is available by emailing info@expenseflow.ca.
- Portability: Users can export all their data as a CSV at any time.
- Withdrawal of consent: Users may unsubscribe from the newsletter at any time via the unsubscribe link in any email.
6. Conclusion
Based on this assessment, ExpenseFlow collects the minimum personal information necessary to provide the service. The identified risks are mitigated by appropriate technical controls. The application is designed with privacy by default: no banking credentials are collected, no files are retained after parsing, shared learning patterns contain no personally identifiable information, and users retain full control over their data at all times.
This PIA will be reviewed annually or when significant changes to data processing are introduced.
7. Contact
Privacy Officer: Bit Mentors Inc., Ottawa, Ontario
Email: info@expenseflow.ca