Legal

Privacy Policy

Last updated: April 29, 2026 · Effective immediately · Governed by PIPEDA

1. Who we are

BenefitsBridge Inc. ("BenefitsBridge", "we", "us", "our") operates the website at benefitsbridge.ca and the BenefitsBridge benefits audit service. We are incorporated in Canada.

Privacy questions: privacy@benefitsbridge.ca

2. What personal information we collect

We collect only what is necessary to provide the audit service:

  • Email address — voluntarily provided when you request your audit results or join our early-access list. Used to send your report and, if you opt in, year-end benefit expiry reminders.
  • Benefits booklet PDF — uploaded by you to perform the audit. This document belongs to you; it is processed solely to identify your unclaimed entitlements. We do not store it after processing.
  • Receipt images — optionally uploaded to improve audit accuracy. Processed once and not retained.
  • IP address — automatically logged for security rate-limiting (maximum 3 audit requests per IP per hour). Not linked to your email or stored beyond the current server session.
  • Province and income range — optionally provided to check provincial program eligibility. Not stored.

We do not collect payment card data (no billing is live at this time). We do not collect your insurer portal credentials. We never access your claims history.

3. How we use your information

| Data | Purpose | Legal basis (PIPEDA) |
| --- | --- | --- |
| Email | Deliver your audit report; send expiry alerts you have opted into | Express consent at point of collection |
| Benefits booklet PDF | AI-powered audit analysis only | Implied consent — you initiate the upload |
| Receipt images | Extract claimed amounts to improve gap calculation | Implied consent — you initiate the upload |
| IP address | Security rate-limiting to prevent API abuse | Legitimate interest (security) |

We do not sell, rent, or share your personal information with your insurer, your employer, or any advertiser.

4. Third-party processors and cross-border transfers

Your information is processed by the following sub-processors:

  • Anthropic, Inc. (United States) — Your benefits booklet PDF and any uploaded receipt images are sent to Anthropic's Claude API to perform the AI audit. This constitutes a cross-border transfer of personal information to the United States, which we disclose under PIPEDA s.7. Anthropic processes data under its Privacy Policy and does not use your data to train models without opt-in consent (as of this policy's effective date). The PDF is deleted from Anthropic's systems upon response and is not retained by us.
  • Resend, Inc. (United States) — If you provide your email address, it is transmitted to Resend to deliver transactional email (your audit report, expiry alerts). Resend is SOC 2 Type II certified and processes data under its Privacy Policy.
  • Amazon Web Services (Canada — ca-central-1) — Application servers and any stored account data are hosted on AWS Montreal. Data at rest does not leave Canada except for the specific processing described above.

By using BenefitsBridge, you consent to these cross-border transfers as described above.

5. Data retention

  • Benefits booklet PDFs — deleted immediately upon completion of the audit response. We do not retain a copy.
  • Receipt images — deleted immediately upon extraction of claim details. We do not retain a copy.
  • Email addresses — retained until you unsubscribe or request deletion. To unsubscribe, click the link in any email we send or write to privacy@benefitsbridge.ca.
  • IP-based rate-limit records — held in server memory only; automatically cleared on server restart or after one hour.

6. Your rights under PIPEDA

As a Canadian resident, you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate personal information.
  • Withdrawal of consent — withdraw consent to processing at any time, which may limit your ability to use the service.
  • Deletion — request deletion of your personal information. Given our short retention periods, there may be little or nothing to delete.

To exercise any of these rights, email privacy@benefitsbridge.ca. We will respond within 30 days.

If you are unsatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

7. Cookies and tracking

BenefitsBridge uses:

  • Essential session cookies — set by Next.js for standard web functionality. No consent required.
  • Google Analytics 4 (if enabled) — anonymous pageview and event tracking. Governed by Google's Privacy Policy. You can opt out at tools.google.com/dlpage/gaoptout.
  • Microsoft Clarity (if enabled) — anonymized session recording and heatmaps for UX improvement. No personally identifiable information is captured. Governed by Microsoft's Privacy Policy.

No advertising cookies or third-party tracking pixels are used.

8. Security

We use HTTPS (TLS 1.2+) for all data in transit. PDF uploads are handled in-memory and never written to disk on our servers. We conduct periodic security reviews and follow OWASP best practices. No system is perfectly secure; in the event of a breach that affects your rights, we will notify you and the OPC as required by PIPEDA.

9. Children

BenefitsBridge is intended for adults (18+) with employer health benefits. We do not knowingly collect personal information from anyone under 18. If we become aware of such collection, we will delete it immediately.

10. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated by updating the "Last updated" date above and, where possible, by emailing users who have provided their address. Continued use of the service after a material change constitutes acceptance of the updated policy.

11. Contact

BenefitsBridge Inc.
Privacy Officer: privacy@benefitsbridge.ca
Website: www.benefitsbridge.ca
