Privacy Policy

Last updated: May 1, 2026

Rooftop Wealth (“Rooftop”, “we”, “us”) operates rooftopwealth.ca — a Canadian retirement and financial planning tool. This policy explains what personal information we collect, how we use it, and what choices you have.

We are committed to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law. We collect only what we need, we don't sell your data, and we give you control over it.

What we collect

Account information

Your email address — used to create your account, send a password reset link, and (if you opted in) deliver financial articles and product updates.

Financial plan data

The numbers you enter into the calculators: ages, account balances, contribution amounts, income estimates, province, retirement goals, and similar planning inputs. This data is hypothetical — we have no connection to your bank, your CRA My Account, or any investment platform. You type it in, we store it so your plan is there next time you visit.

Marketing preference

Whether you checked the “send me updates” box at sign-up. You can unsubscribe from any email at any time.

Payment information

Handled entirely by Stripe (see below). We receive your email address and a Stripe customer reference — never your credit card number, expiry, or CVV.

We never collect:

  • Social Insurance Number (SIN)
  • Bank account numbers
  • Investment account credentials
  • CRA login information
  • Government ID

How we use your information

  • To create and maintain your account
  • To save and sync your financial plan across devices
  • To process your subscription via Stripe and manage billing
  • To send you a password reset email when requested
  • To deliver financial articles and product updates (only if you opted in)
  • To diagnose technical issues when you contact support
  • To improve the product — in aggregate, anonymised form only

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

Third-party services

Rooftop uses reputable, industry-standard cloud providers for hosting, authentication, data storage, payment processing, and transactional email. Each provider is contractually bound to handle your data securely and in compliance with applicable privacy law.

Stripe: Payment processing

Handles all subscription billing. Stripe is PCI-DSS Level 1 certified — the highest level of payment security. Rooftop never receives, transmits, or stores your card number, expiry, or CVV.

Secure cloud infrastructure

Your account, plan data, and emails are handled by established, SOC 2-compliant cloud providers. All data is encrypted in transit (TLS) and at rest. No provider has access to your financial plan data beyond what is necessary to operate the service.

Security

All data is transmitted over HTTPS (TLS encryption). Data stored in our database is encrypted at rest. Access to the database is restricted to authorised team members only, and each user's data is isolated using Row-Level Security — meaning no user can query another user's records.

No security system is 100% impenetrable. If you suspect unauthorised access to your account, change your password immediately and contact us at hello@rooftopwealth.ca.

Unlinkable plan storage

Beyond standard encryption and access controls, your saved financial plan is stored in a way that even Rooftop's own administrators cannot trace back to you. We refer to this as unlinkable storage.

Your plan data is for your eyes only. We genuinely cannot read it as you, and we cannot tell a customer-support team member “this is so-and-so's plan.” The protection is structural, not based on policy promises.

Payments & billing

All payments are processed by Stripe. When you enter your card details, you are entering them directly into Stripe's secure form — Rooftop never receives, transmits, or stores your card number, expiry date, or CVV.

We store your Stripe customer ID (a reference like cus_xxx) so we can manage your subscription and offer you a self-serve billing portal where you can update your card, change plans, or cancel.

How long we keep your data

Active accounts: Data is retained for as long as your account exists.

After account deletion: Your personal data is deleted within 30 days of your request, except where retention is required by law (e.g., billing records for tax purposes, typically 7 years).

Subscription records: Stripe retains payment history according to their own retention policy and applicable financial regulations.

Your rights under PIPEDA

As a Canadian resident you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete information.
  • Deletion: Request that we delete your account and personal data.
  • Withdraw consent: Unsubscribe from marketing emails at any time via the link in any email, or by contacting us.
  • Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe your rights have been violated.

To exercise any of these rights, email us at hello@rooftopwealth.ca with “Privacy Request” in the subject line. We will respond within 30 days.

Children's privacy

Rooftop is intended for adults. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of the page. For material changes, we will notify you by email or by displaying a notice in the app before the change takes effect. Continued use of Rooftop after a change constitutes acceptance of the updated policy.

Questions about privacy?

We're a small team and we read every email.

hello@rooftopwealth.ca