Legal

Privacy Policy

Last updated: April 21, 2026

This policy explains what personal information we collect, how we use it, and the rights you have under Canadian privacy law. We are committed to transparent, plain-language privacy practices. Questions? Write to privacy@kerevo.com.

1. Who We Are

Kerevo is operated by Kerevo Inc., a Canadian corporation headquartered in West Vancouver, British Columbia. We are the accountable party for the personal information you provide. Our designated Privacy Officer is reachable at privacy@kerevo.com or by mail to: Privacy Officer, Kerevo Inc., West Vancouver, BC, Canada. We comply with PIPEDA (federal), PIPA (BC), MFIPPA (Ontario schools), and Quebec's Law 25.

2. Personal Information We Collect

At account creation we collect your full name, email address, password (hashed), role (parent, student, teacher, school administrator), and — for accounts used by students — age and grade level. When a parent adds a child we collect the child's first and last name, age, grade, and selected career interest. Paying accounts provide billing information (processed by Stripe; we never store card numbers). When you use the Service we automatically collect session cookies, device and browser information, IP address (truncated after 90 days), pages viewed, features used, lesson completion events, simulated financial transactions, and chat or support messages. We do not collect any data from voice assistants, cameras, microphones, or location services.

3. How We Use Personal Information

We use your information to operate the Service (account access, simulation state, portfolio data, lesson progress), to send transactional communications required to run your account (account confirmation, password reset, weekly parent summaries, billing receipts), to provide customer support, to measure and improve the Service, to prevent fraud and abuse, and — only with your opt-in consent — to send marketing communications. We do not use automated decision-making or profiling that produces legal or similarly significant effects on users. We do not sell personal information and we do not share personal information with advertising networks.

4. Legal Basis and Consent

We rely on your consent to collect and use your personal information, in accordance with PIPEDA and provincial equivalents. For users under 13 (or under 14 in Quebec) we require verified parental consent, which is obtained through the parent-managed onboarding flow and logged with timestamp, IP address, and the exact text the parent agreed to. Students aged 13–17 provide their own consent but we recommend parental involvement. You may withdraw consent at any time by contacting privacy@kerevo.com; withdrawal ends future processing but does not unwind lawful processing already completed.

5. Children Under 13 (or Under 14 in Quebec)

Children's accounts are created only by a parent or legal guardian. The parent is the primary account holder, receives all billing and account notices, and may access, export, or delete the child's data at any time. We apply additional safeguards for children: no behavioural profiling, no targeted advertising, no retention beyond what is necessary to deliver the Service and provide the parent's requested reports. For Quebec residents we apply the Law 25 threshold of age 14.

6. Sharing with Service Providers

We share personal information with a small number of vetted service providers who process data on our behalf under written contracts that require confidentiality, security safeguards, and purpose limitation: (a) Supabase (database, authentication, file storage — data hosted in Canada when possible, otherwise in the United States with appropriate contractual protections); (b) Resend (transactional and marketing email delivery — United States); (c) Finnhub (market data for paper-trading simulation — no personal information is sent); (d) Stripe (payment processing, if a paid subscription is purchased — personal information limited to billing details); (e) Vercel (web hosting and edge network). We do not share personal information with any other party except when required by Canadian law or to protect our legal rights.

7. International Data Transfers

Some service providers store data outside of Canada (primarily the United States). When personal information is transferred outside Canada we rely on contractual data-protection clauses consistent with PIPEDA transfer requirements and, where appropriate, the Canadian Standard Contractual Clauses for international transfers. By using the Service, you acknowledge that your data may be processed in the United States by our providers, subject to the safeguards described above.

8. Retention

Account and simulation data are retained while your account is active. On account deletion we delete personal information within 90 days, except for (a) billing and transaction records retained for seven years to comply with the Income Tax Act and Canadian accounting standards, (b) aggregated and de-identified analytics data, and (c) records needed to defend a legal claim. Backup copies are overwritten in the normal backup rotation within 180 days. Session logs are truncated after 90 days. School roster data is retained only for the duration of the school contract and deleted on written request from the school.

9. Your Rights Under Canadian Privacy Law

You have the right to (a) access your personal information and receive a copy, (b) correct inaccurate or incomplete information, (c) withdraw consent for marketing communications at any time, (d) request deletion subject to statutory retention periods, (e) request portability in a structured machine-readable format (CSV or JSON), (f) complain to our Privacy Officer, and (g) escalate unresolved complaints to the Office of the Privacy Commissioner of Canada (1-800-282-1376 or priv.gc.ca), the BC Office of the Information and Privacy Commissioner, the Ontario Information and Privacy Commissioner, or the Commission d'accès à l'information du Québec. Most requests are answered within 30 days at no cost. Parents and guardians may exercise these rights on behalf of minor children.

10. Security Safeguards

We protect personal information with administrative, technical, and physical safeguards. All data is transmitted over TLS 1.2 or higher. Passwords are stored using industry-standard hashing (bcrypt/Argon2 via Supabase Auth). Database access is restricted to the minimum number of authorized personnel, all of whom are under confidentiality agreement. Row-Level Security is enforced in our database so users cannot access other users' records. We run an incident response plan, conduct vulnerability testing, and maintain backups encrypted at rest. Despite these measures, no security control is perfect; if you suspect a security incident, please notify security@kerevo.com immediately.

11. Breach Notification

In the event of a personal-information breach that creates a "real risk of significant harm" within the meaning of PIPEDA, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible, typically within 30 days of confirming the breach. Notifications will describe the nature of the breach, the information affected, steps we are taking to contain it, and the steps you can take to protect yourself.

12. Cookies and Tracking

We use a small number of strictly necessary cookies to keep you logged in and to maintain session security; these cannot be disabled without breaking the Service. We use optional analytics cookies only if you accept them through our cookie banner; declining analytics does not affect your ability to use the Service. We do not use third-party advertising, behavioural retargeting, or cross-site tracking cookies. You may withdraw cookie consent at any time by clicking "Cookie settings" in the footer or by clearing your browser storage.

13. Canadian Anti-Spam Legislation (CASL)

Transactional emails (account confirmation, password reset, billing receipts, weekly parent summaries) are sent because they are required to run your account; these are not subject to CASL opt-in requirements. Marketing emails are sent only after you opt in at signup or later in settings. Every marketing email includes an unsubscribe link that takes effect within 10 business days, as required by section 11 of CASL. You may also email unsubscribe@kerevo.com to opt out.

14. Email Authentication

Our sending domain is authenticated with SPF, DKIM, and DMARC records to protect you against spoofed email purporting to come from Kerevo. If you ever receive a suspicious email claiming to be from us, please forward it to security@kerevo.com and delete it.

15. Canadian Schools — MFIPPA, PIPA, FIPPA

When a school board or independent school contracts Kerevo to serve its students, the school remains the custodian of student personal information. We act as a service provider processor under written agreement. We will assist the school with records requests, correction requests, and deletion requests, and we will make available on request a Data Processing Agreement that meets MFIPPA (Ontario), PIPA (BC), and FIPPA obligations. Student data is not used for any purpose other than delivering the Service and generating reports configured by the school or parent.

16. Updates to This Policy

We may update this Privacy Policy to reflect changes in law, service providers, or product features. Material changes will be communicated by email at least 30 days in advance and by notice on this page. The "last updated" date at the top of this page reflects the most recent revision. Prior versions are available on request.

17. Contacting Us

Privacy Officer — privacy@kerevo.com. General inquiries — hello@kerevo.com. Security issues — security@kerevo.com. Mailing address — Kerevo Inc., West Vancouver, BC, Canada. If you remain dissatisfied after contacting our Privacy Officer you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or 1-800-282-1376.