Back to Home

Privacy Policy

Last updated: March 2026

1. Who We Are

SR&EDgpt ("we," "us," or "our") provides an AI-powered platform that helps Canadian companies prepare Scientific Research and Experimental Development (SR&ED) tax incentive claims. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our website, platform, and services (collectively, the "Service").

We are committed to protecting your privacy and complying with applicable Canadian privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

2. Information We Collect

Account Information: Name, email address, company name, job title, and province of operation when you register, contact us, or join our waitlist.

Claim Data: R&D project descriptions, employee salaries, subcontractor costs, materials consumed, and other financial and technical details you provide to prepare your SR&ED claim.

Usage Data: Browser type, operating system, IP address, device identifiers, pages visited, features used, timestamps, and interaction patterns collected automatically when you use the Service.

Payment Information: Payment details are processed by our PCI-compliant third-party payment processor (Stripe). We do not store credit card numbers, bank account details, or other sensitive payment credentials on our servers. We may retain transaction IDs and billing records for accounting purposes.

Communications: Records of your communications with us, including support requests, feedback, and correspondence sent via our contact form or email.

Waitlist Data: If you join our waitlist, we collect your email address and company name solely to notify you about product updates and launch availability. Waitlist data is not shared with third parties and will be deleted within 30 days of your request. You may unsubscribe or request deletion at any time by emailing hello@sredgpt.com.

3. Legal Basis for Processing

We process your personal information on the following legal bases:

  • Contract performance: Processing necessary to deliver the Service you have requested (claim preparation, audit support)
  • Consent: Where you have given explicit consent, such as opting in to marketing communications
  • Legitimate interest: Platform improvement, fraud prevention, and security (using anonymized or aggregated data)
  • Legal obligation: Compliance with applicable laws, regulations, or court orders

4. How We Use Your Information

We use your information to:

  • Generate your SR&ED claim documents (T661 forms, technical narratives, tax schedules, audit packages)
  • Assess eligibility for SR&ED tax credits through our AI eligibility assessment
  • Process payments and deliver your completed claim
  • Provide audit support if your claim is selected for CRA review
  • Respond to your inquiries, support requests, and feedback
  • Improve our platform, AI models, and user experience (using anonymized, aggregated data only)
  • Send transactional communications (receipts, claim delivery notifications, account updates)
  • Detect, prevent, and address fraud, security issues, and technical problems

We will never use your identifiable claim data to train our AI models. Only fully anonymized and aggregated data patterns may be used for model improvement.

5. AI-Generated Content and Data Processing

Our platform uses artificial intelligence operating within a RAG (Retrieval-Augmented Generation) and Knowledge Base architecture to generate technical narratives, eligibility assessments, and claim documentation.

  • Our AI references only verified CRA policy documents and domain-specific knowledge
  • Your project data is processed solely to generate your claim. It is not shared with other users or used for unrelated purposes
  • AI processing may involve third-party AI providers (Anthropic) whose servers are located in the United States. Only the minimum data necessary for claim generation is transmitted, and it is not retained by these providers beyond processing
  • All AI-generated content is intended as a draft for your review. You are responsible for verifying the accuracy of your claim before submission to the CRA

6. Data Security

We implement technical and organizational measures to protect your information:

  • Encryption at rest: AES-256 encryption for all stored data
  • Encryption in transit: TLS 1.2+ encryption for all data transfers
  • Data storage: All stored data (account information, documents) is hosted within Canada
  • Access controls: Role-based access controls and principle of least privilege for internal access
  • Monitoring: Security monitoring and logging

While we use commercially reasonable safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention and Deletion

You may request deletion of your claim data at any time by emailing hello@sredgpt.com or through your account dashboard. We will complete deletion within 30 days of your request. Claim data not subject to a deletion request is retained for up to 30 days following your last login, after which it is permanently deleted.

We retain the following for legitimate business purposes:

  • Account information: Retained while your account is active
  • Transaction records: Retained for up to 7 years as required by Canadian tax and accounting regulations
  • Communications: Retained for up to 2 years to address ongoing inquiries or disputes
  • Anonymized usage data: May be retained indefinitely in aggregate form for platform improvement

8. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. We may share information only in the following limited circumstances:

  • Payment processors: To process payments securely (PCI-compliant providers)
  • Cloud infrastructure providers: Providers that store and process data on our behalf, bound by strict data processing agreements
  • AI service providers: Third-party AI providers (such as Anthropic) located in the United States, used solely for claim generation. Only the minimum necessary data is transmitted, pursuant to Anthropic's Data Processing Agreement, and is not retained by these providers
  • Analytics providers: We use Google Analytics (Google LLC) to understand usage patterns. Only anonymized and aggregated usage data is shared. See Section 10 for full details.
  • Legal requirements: When required by law, regulation, court order, or governmental request
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with advance notice to affected users)
  • With your consent: When you have given explicit permission

All third-party service providers are contractually bound to protect your data and use it only for the purposes we specify.

9. Your Rights

Under PIPEDA and applicable provincial privacy laws, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your personal data. See Section 7 for our full retention and deletion policy, including how to submit a deletion request.
  • Withdraw consent: Withdraw your consent for data processing at any time, subject to legal or contractual restrictions
  • Unsubscribe: You may opt out of marketing communications at any time by emailing hello@sredgpt.com or clicking the unsubscribe link in any marketing email.
  • Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada

To exercise any of these rights, contact us at hello@sredgpt.com. We will respond to your request within 30 days.

10. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential cookies: Required for the platform to function properly (session management, security). These cannot be disabled.
  • Analytics cookies: We use Google Analytics (Google LLC, United States) to understand usage patterns and improve the Service. Google Analytics collects anonymized data including pages visited, session duration, and device type. You can opt out via the Google Analytics Opt-out Browser Add-on or by disabling analytics cookies in your browser settings. These are optional.
  • Preference cookies: Remember your settings and preferences for a better experience.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service.

11. Data Breach Notification

In the event of a data breach that poses a real risk of significant harm, we will:

  • Notify affected individuals as soon as feasible
  • Report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA
  • Take immediate steps to contain and remediate the breach
  • Maintain records of all breaches for at least two years

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will promptly delete it.

13. International Transfers

Your stored data (account information, documents, and records) is hosted within Canada. However, during claim generation, limited data may be transmitted to third-party AI service providers (such as Anthropic) whose servers are located in the United States. This data is transmitted securely via encrypted connections, used solely for processing your claim, and is not retained by these providers beyond the processing session.

We ensure that any cross-border data transfers are subject to appropriate contractual safeguards and data processing agreements that provide a level of protection consistent with PIPEDA. We also use Google Analytics, operated by Google LLC in the United States, which may process anonymized usage data outside Canada under Google's data processing terms.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on our website with a revised "Last updated" date and, where appropriate, via email notification at least 30 days before taking effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

15. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, contact us:

You may also file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.