Clerra

Privacy Policy

Last updated: June 10, 2026

This Privacy Policy explains how Common Good Labs Inc. (“Common Good Labs,” “we,” “us,” or “our”), the operator of the Clerra platform (“Clerra,” the “Service”), collects, uses, discloses, and safeguards personal information. We are committed to protecting privacy in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

1. Who this policy applies to

Clerra serves two groups of people, and our role differs for each:

  • Firm users — accounting and bookkeeping firms (each, a “Firm”) and their staff who subscribe to and use Clerra. For personal information about Firm staff, Common Good Labs acts as a controller.
  • Firm clients — the clients of those Firms, including individuals who access a Firm’s client portal. For personal information that a Firm uploads or that a Firm’s clients submit through the portal (“Customer Data”), Common Good Labs acts as a processor / service provider on behalf of the Firm, which is the controller. The Firm’s own privacy practices govern how it handles that information.

2. Information we collect

  • Account information: name, email address, firm name, role, and authentication data (passwords are stored only as salted hashes; two-factor secrets where enabled).
  • Customer Data: information Firms enter or upload about their own clients — names, contact details, business numbers, tax and compliance attributes, documents (including receipts, bills, statements and returns), notes, messages, and time records.
  • Billing information: subscription plan and status, and a billing contact. Payment card details are collected and processed directly by our payment processor (Stripe); we do not store full card numbers.
  • Usage and technical data: log data, device and browser information, IP address, and actions recorded in the audit trail (sign-ins, document access, deletions, permission and export events) for security and accountability.
  • Communications: messages exchanged between a Firm and its clients within the Service, and any correspondence you send to us for support.

3. How we use information

  • To provide, operate, secure, and improve the Service;
  • To compute filing deadlines, generate work, and deliver the features a Firm uses;
  • To authenticate users, enforce access controls, and maintain the audit trail;
  • To process subscriptions and send transactional email (e.g. invitations, document requests, notifications);
  • To provide support and respond to enquiries;
  • To comply with legal obligations and enforce our Terms of Use.

We do not sell personal information, and we do not use Customer Data to train machine-learning models. We do not use Customer Data for advertising.

4. Legal basis and consent

We collect and use personal information with consent (express or implied) or as otherwise permitted or required by law. Firms are responsible for obtaining any consents required from their own clients before entering Customer Data into the Service, and for having a lawful basis to do so.

5. Data residency — your data stays in Canada

Customer Data and Firm account data are stored in Canada, in data centres located in the AWS ca-central-1 region (Montréal, Québec), through our infrastructure provider Supabase. We have designed the Service so that your operational data remains in Canada.

Certain limited service providers listed below may process narrow categories of data (such as billing identifiers or email delivery metadata) outside Canada. Where that occurs, the information is protected by contractual and technical safeguards. If a Firm chooses to enable an optional third-party integration (for example, a Google Workspace connection), data shared with that third party will be processed according to that third party’s terms and may transit or be stored outside Canada; such integrations are off by default and require the Firm to opt in.

6. Service providers (sub-processors)

We use a small number of trusted providers to operate the Service:

  • Supabase — database, authentication, and file storage (hosted in Canada, ca-central-1).
  • Vercel — application hosting and content delivery.
  • Stripe — subscription billing and payment processing.
  • Resend — delivery of transactional email.
  • Cloudflare — bot/abuse protection on sign-in and public forms.
  • Inngest — orchestration of background jobs (such as generating a complete client-file PDF).
  • Google — only where a user signs in with Google or a Firm opts into a Google Workspace integration.

Each provider is bound to use the information only to provide services to us and to protect it appropriately.

7. Security

We apply layered safeguards including encryption in transit and at rest, row-level data isolation between Firms (and between a Firm and its clients), least-privilege access controls, short-lived signed URLs for document downloads, optional two-factor authentication, CAPTCHA on public endpoints, and an audit trail of sensitive actions. No method of transmission or storage is perfectly secure, but we work to protect personal information using commercially reasonable measures appropriate to its sensitivity.

8. Retention

Because Clerra supports regulated financial and tax workflows, records (including documents and the audit trail) are retained for a configurable minimum period — seven (7) years by default — before they become eligible for deletion, consistent with common professional record-keeping practice in Canada. Firms may archive a client at any time. We retain account and Customer Data for as long as a Firm maintains its account and as required to meet legal, tax, and accounting obligations, after which it is deleted or de-identified.

9. Your rights

Subject to applicable law, you may request access to, or correction of, your personal information, and may withdraw consent (which may limit your ability to use the Service).

  • If you are a member of a Firm, contact your Firm administrator or us.
  • If you are a client of a Firm, please direct requests about your information to that Firm, which controls it; we will assist the Firm as its service provider.

You also have the right to complain to the Office of the Privacy Commissioner of Canada or your provincial regulator.

10. Cookies and similar technologies

We use strictly necessary cookies and local storage to keep you signed in, maintain security, and remember preferences. We do not use third-party advertising or cross-site tracking cookies.

11. Children

The Service is intended for businesses and is not directed to individuals under the age of majority. We do not knowingly collect personal information from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted here with a revised “Last updated” date, and where appropriate we will notify Firm administrators.

13. Contact us

Common Good Labs Inc. is the entity responsible for personal information handled under this policy. To exercise your rights or ask a question, contact our Privacy Officer at privacy@commongoodlabs.ca.