This Privacy Policy (the "Policy") describes how the Founder of Hadalos (the "Data Controller") collects, uses, retains, and protects the personal information of alpha program participants (the "Users").
This Policy is written in compliance with An Act to modernize legislative provisions as regards the protection of personal information (hereinafter "Law 25", CQLR, c. P-39.1) and the Personal Information Protection and Electronic Documents Act (hereinafter "PIPEDA", S.C. 2000, c. 5).
Pursuant to Law 25, the Data Controller assumes the function of Privacy Officer (RPRP) and is the designated contact for all requests relating to the rights of data subjects.
Hadalos applies the data minimization principle: only information strictly necessary for the operation of the application is collected. No data is collected for advertising or monetization purposes; this exclusion is structural and not merely contractual.
| Category | Data Collected | Purpose |
|---|---|---|
| Identity | First name, last name | Identification in groups and invitations |
| Contact | Email address | Authentication, notifications, invitations |
| Security | Password (Argon2id hashed) | Secure authentication |
| Session | SHA-256 hash of a session token | Authenticated session maintenance (JWT is not stored) |
| Social ID (optional) | socialId — OAuth identifier (Google / Facebook / Apple) | Third-party provider authentication (if used) |
| Financial data | Accounts, transactions, accounting entries | Core financial management service |
| Groups | Group membership, RBAC role | Access rights management |
| Feedback | Comments and reports (if submitted) | Product improvement |
extractSessionMetadata) and stored in the sessions collection for multi-device management and suspicious activity detection.
Hadalos does not collect and does not have access to the following data:
| Purpose | Legal Basis (Law 25) | Details |
|---|---|---|
| Account authentication and security | Consent / Service execution | Session management, JWT, email verification |
| Provision of accounting service | Service execution | Account management, transactions, ledger |
| Transactional communications | Service execution | Invitations, ownership transfer, password reset |
| Immutable audit log | Legitimate interest (security) | Integrity and traceability of operations |
| Product improvement | Consent | Only via voluntary feedback |
No data processing for marketing, profiling, or advertising purposes is performed in the alpha phase or in subsequent phases.
The User expressly consents to the processing of their personal information by checking the acceptance box during registration. The exact timestamp of this acceptance is recorded at the time of the click (field policyAcceptedAt), constituting electronic proof of consent. This consent is specific (defined purposes), informed (clear information provided), and freely given (no commercial pressure).
The User may withdraw their consent at any time by sending a written request to the Privacy Officer at: privacy@hadalos.com. Withdrawal of consent results in the cessation of the service and the deletion of data as described in Article 7.
The database is hosted in Canada (Azure Canada Central, Toronto). The application backend is hosted in the United States (Google Cloud Run, us-east1 region — South Carolina). This cross-border transfer is disclosed in accordance with Law 25 and PIPEDA requirements. The providers concerned are subject to contractual data protection commitments in accordance with these requirements.
| Component | Provider | Region / Location |
|---|---|---|
| Application (backend) | Google Cloud Run | us-east1 (South Carolina, USA) |
| Database | MongoDB Atlas | Azure Canada Central (Toronto) |
| Transactional emails | SMTP via NestJS | Provider to be specified per deployment config. |
| Landing page | Cloudflare Pages | Global CDN — static content only |
Hadalos uses the infrastructure providers listed above. These third parties act as technical processors and do not have access to the User's financial data. They are selected based on their compliance with security standards (ISO 27001, SOC 2) and their contractual commitment to data protection. Hadalos does not sell, rent, or share Users' personal information with third parties for commercial or advertising purposes.
Hadalos applies security-by-design principles: API responses do not reveal the existence or non-existence of an account or group to an unauthorized third party.
During the alpha phase, certain security measures intended for the production environment (penetration testing, external audit, SOC 2, continuous monitoring) are not yet in place. The User is informed of this and assumes this risk by participating in the program.
| Right | Response Time | Procedures |
|---|---|---|
| Access to data | 30 calendar days | Written request by email to the Privacy Officer |
| Rectification | 30 calendar days | Directly in the profile or by request |
| Deletion (right to erasure) | 30 calendar days | Written request for complete data deletion |
| Portability | Reasonable time | Export in structured format (CSV/JSON) |
| Objection / Withdrawal of consent | Immediate | Suspension of access and deletion |
| Notification of incidents | 72 hours (Law 25) | Email notification in case of serious incident |
To exercise one of these rights, send a written request to the Privacy Officer at privacy@hadalos.com with the subject: "Request | Privacy Rights | Hadalos". The Data Controller will acknowledge receipt within five (5) business days and provide a complete response within thirty (30) calendar days.
If you believe your rights have not been respected, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) or the Privacy Commissioner of Canada (OPC).
| Data Type | Retention Period | Justification |
|---|---|---|
| Transactions and financial data | 7 years | Tax and accounting obligation (ITA, s. 230) |
| Groups, accounts, members | 3 years after closure | General civil prescription (CCQ, art. 2925) |
| Audit logs (audit trail) | 2 years | Fraud detection and forensics |
| Aggregated session statistics | 90 days | Performance analysis — non-personal data |
| Data after account deletion | Maximum 30 days | Complete deletion guaranteed |
| Security incident register | Duration required by Law 25 | Regulatory obligation (art. 90.3) |
Upon closure of the alpha program or upon a deletion request, the User's personal data is securely erased from all systems, including active backups, within a maximum period of thirty (30) days. Security incident logs may be retained to the extent required by law, in anonymized form.
In the event of a privacy incident presenting a serious risk of harm, the Data Controller shall:
An incident register is maintained in accordance with article 90.3 of the Access Act (Law 25). It contains the description of the incident, the information affected, the causes, the corrective measures, and the persons concerned.
Hadalos does not use cookies for authentication. Access tokens (JWT) are transmitted exclusively via the HTTP Authorization: Bearer header and stored client-side only. Only the SHA-256 hash of the session token is stored in the database for multi-device management purposes.
Hadalos does not integrate any advertising network, behavioral analytics tool, or third-party tracking technology.
Hadalos is not intended for minors (under 18 years of age). The Developer does not knowingly collect personal information from minors. If a minor participates in the alpha program, their data will be deleted as soon as this situation comes to the attention of the Data Controller.
The Developer reserves the right to modify this Policy at any time. Any material change will be notified by email to Users with five (5) business days' notice. The current version is always accessible at: hadalos.com/privacy-policy.
This Policy is governed by the laws of the province of Québec and the federal laws of Canada, including:
In the event of any divergence between the French and English versions (if applicable), the French version shall prevail.
For any question, request, or complaint regarding the protection of personal information:
Competent regulatory authorities:
© 2026 Hadalos. All rights reserved.
Confidential document | Closed internal Alpha Program | Law 25 / PIPEDA