Privacy Policy

Last updated: March 15, 2026

1. Introduction

Onalys ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service").

Onalys is designed to support review under the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), and applicable Canadian privacy requirements.

2. Information We Collect

2.1 Information You Provide

  • Email address (when requesting access or creating an account)
  • Name and profile information
  • Credit card metadata you choose to add (card name, issuer, reward rates, credit limit, and last four digits where needed)
  • Spending preferences and financial goals
  • Optional coaching preferences, merchant/category rules, budget goals, cooldown settings, and coach tone choices
  • Bill, subscription, receipt, tax, accounting, employee spend, vendor, or ticket-transfer details you choose to use with Onalys

2.2 Information Collected Automatically

  • Device information (device type, operating system)
  • Usage data (features used, interaction patterns)
  • Analytics data when analytics are enabled for the product or website

2.3 Information from Third Parties

  • Optional account or card data from approved providers, with your explicit consent
  • Optional bill, receipt, tax, accounting, employee spend, vendor, or ticket-transfer information you choose to provide or connect
  • Optional donation, savings, or investment partner data only if you later enable a supported partner feature

3. How We Use Your Information

  • To provide AI card routing and rewards optimization
  • To check credit usage across your cards
  • To calculate and compare rewards across card programs
  • To provide opt-in spending coaching, savings goals, budget rules, and accountability reminders you configure
  • To automate bill, subscription, saved-card, receipt, tax, accounting, and business-spend workflows you choose to use
  • To support approved AI payment execution inside your rules and permissions
  • To send you notifications about credit-usage thresholds, reward opportunities, approvals, bills, receipts, and payment records
  • To improve our Service through anonymized, aggregated analytics
  • To communicate with you about your account and updates

4. Data Security

We use security measures intended to reduce data risk, including:

  • Encryption at rest: Production systems are designed to use managed encrypted storage for sensitive records
  • Encryption in transit: Communications with hosted services use HTTPS/TLS
  • On-device processing: Where possible, sensitive context is processed locally on your device
  • Keychain storage: App authentication secrets, if used, are stored in iOS Keychain with platform protections
  • Apple payment protections: Tap-to-pay features use Apple NFC, Secure Element, and platform requirements where applicable
  • No portal credential storage: We do not design Onalys around storing bank, biller, merchant, or payroll passwords
  • No raw card numbers: We are designing Onalys so full card numbers are not stored in app storage
  • Data residency: Production data hosting and residency are reviewed as part of deployment and compliance operations

5. Data Sharing

We do not sell your personal information. We may share data with:

  • Approved service providers — only as necessary to provide the Service you request
  • Card, rewards, donation, savings, or investment partners — only where disclosed, supported, and permitted by your consent
  • Legal authorities — when required by Canadian law

We will never share your individual transaction data, spending patterns, or financial information with advertisers or data brokers.

6. Your Rights

Under PIPEDA and Quebec Law 25, you have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Delete your account and all associated data
  • Withdraw consent for data processing at any time
  • Data portability — export your data in a machine-readable format
  • Opt out of profiling and automated decision-making
  • File a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec

7. Data Retention

We retain your personal information only as long as necessary to provide the Service or meet legal, security, fraud-prevention, and audit obligations. When you delete your account, we start deletion of eligible personal data within 30 days. Some records may be retained only where required for legal, compliance, dispute, or security purposes. Anonymized, aggregated data may be retained for analytics purposes.

8. Children's Privacy

Onalys is not intended for individuals under the age of 18 (or 19 in British Columbia, New Brunswick, Newfoundland and Labrador, Nova Scotia, and the territories). We do not knowingly collect information from minors.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via email or in-app notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at:

Onalys
Email: info@onalys.com

Back to Onalys