Privacy Policy

How myCostBase collects, uses, stores, and protects your personal information.

Effective date: July 2, 2026

This Privacy Policy explains how myCostBase (“we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our website and application.

1. What we collect

Account information

When you create an account, we collect contact and login details such as your name, email address, and password hash.

Tax ledger and import data

To provide ACB tracking and reconciliation, we store data you enter or import, including:

  • tax owner profiles and account classifications;
  • securities, transactions, and adjustments;
  • import mapping and validation outcomes;
  • reconciliation inputs and report metadata.

Billing information

Billing is processed by Stripe. We store billing references such as customer ID, subscription ID, and status. We do not store card numbers or CVV.

Usage and support data

We collect operational logs, account activity metadata, and support communications to secure, operate, and troubleshoot the service.

Website analytics and cookies

Our website may collect IP address, browser/device details, page activity, and cookie-related data. See Cookies below for details.

2. How we use information

We use information you give us because you’ve consented to it by creating an account, and because it’s necessary to run the Service and meet our legal obligations. Specifically, we use collected information to:

  • provide and operate myCostBase;
  • process billing and maintain subscription records;
  • secure accounts, detect abuse, and enforce access controls;
  • provide support and troubleshoot issues;
  • improve product reliability and usability;
  • comply with legal obligations and enforce our Terms.

If we ever send marketing emails, every message includes an unsubscribe link, and opting out won’t affect service or billing communications you need as a customer.

3. Cookies

Cookies are small text files stored on your device when you visit our website. Similar technologies are used for authentication, preferences, security, and analytics. Some are session cookies that clear when you close your browser; others persist for a set period so we can recognize you on return visits.

We use three categories:

  • Strictly necessary — account authentication, session security, and basic navigation. The Service won’t work correctly without these, so they can’t be turned off through our site.
  • Analytics — used to understand site performance and improve content and product messaging (see Google Analytics). Where local law requires consent before we set these, we honor that requirement.
  • Payments and billing — if you use billing pages, Stripe may set cookies for secure checkout and fraud prevention.

Some cookies are set by the third parties we use to operate the Service (Stripe, Google Analytics) rather than by myCostBase directly — their use is governed by their own policies. See Subprocessors for the full provider list.

You can control cookies through your browser’s settings, which let you view, block, or delete cookies on a site-by-site basis. Blocking strictly necessary cookies may affect site or app functionality, including staying signed in. We do not currently respond to browser “Do Not Track” signals, as there’s no common industry standard for how sites should interpret them.

4. Third-party providers

We use service providers to operate myCostBase. Current providers are listed on our Subprocessors page.

We may also disclose data where required by law, or in connection with a merger, acquisition, financing, or asset transfer.

We do not sell personal information.

5. Data retention

We retain data only as long as needed for service delivery, legal/accounting obligations, dispute resolution, and agreement enforcement.

Typical retention windows:

  • account and organization records: while account is active;
  • billing records: retained as required for tax and accounting;
  • operational and audit logs: retained for security and support;
  • support communications: retained as needed for service quality.

When you cancel or delete your account, we delete or anonymize your tax ledger and account data within 90 days, except for billing records we’re required to keep longer for tax and accounting purposes.

6. Security

myCostBase handles sensitive tax-lot and capital gains history, so we treat security as a layered set of practical safeguards rather than relying on any single control:

  • Authentication and account access — passwords are stored as secure one-way hashes, account access is restricted to authenticated users, and sensitive account actions require authorized session context.
  • Data handling — traffic is protected with HTTPS/TLS in transit, stored data is encrypted at rest, and access controls keep customer data scoped to authorized account context. Operational logs are used for security, troubleshooting, and abuse detection.
  • Import and ledger safety — imported transaction data is validated before commit, duplicate and validation warnings reduce silent data-quality failures, and corrections are tracked through audit-oriented history in the product workflow.
  • Billing security — billing is processed by Stripe; we don’t store raw card numbers or CVV, only the billing references needed for subscription management.
  • Backups — we take regular backups of application data to reduce the risk of data loss. Backups don’t replace exporting your own records, which you can do anytime from within the Service.
  • Internal access — we limit internal access to customer data to what’s needed to operate and support the Service.
  • Responsible disclosure — if you discover a potential security vulnerability, please report it through our contact page before disclosing it publicly. We investigate reports promptly and won’t pursue legal action against good-faith researchers who report responsibly and avoid accessing other customers’ data.

If a breach affects your personal information, we’ll notify you and any relevant authorities as required by applicable law.

No system is perfectly secure. You are responsible for securing account credentials and API keys.

7. International transfers

Your data may be processed in jurisdictions outside your own depending on provider infrastructure locations.

8. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to certain processing, and to withdraw consent where applicable.

To exercise any of these rights, email us at support@mycostbase.ca or use our Contact page. We’ll respond within 30 days.

9. Children’s privacy

myCostBase is not intended for children.

10. Policy updates

We may update this Privacy Policy and post the revised version with a new effective date.

11. Contact

Questions or privacy requests: