Privacy Policy
Last updated: March 4, 2026
A&B Solutions Inc. ("we", "us", "our") operates Sorto, a desktop file organization application. This Privacy Policy explains how we collect, use, and protect your information.
1. Information We Collect
Account information: When you create an account, we collect your email address, a hashed password, and optionally your display name. Authentication is handled by Supabase.
Subscription & billing data: If you subscribe to a paid plan, payment is processed by Paddle.com (our Merchant of Record). We receive your subscription status, plan type, billing period, and Paddle customer identifier — but we do not receive or store your credit card details.
Team data: If you create or join a team, we store the team name, member email addresses, roles, and invitation records.
Usage & operational data: We track usage metrics including the number of files processed per month (with timestamps) for the purpose of enforcing plan limits. We also collect operational telemetry about processing batches — file counts, processing duration, error counts, and worker counts — to maintain service reliability. This telemetry does not include any document content.
Local data: Sorto stores the following data locally on your machine: your authentication session (encrypted), a 7-day log of renamed files (including file paths) for undo purposes, application settings, and local processing statistics. No client financial data, vendor data, or document content is stored locally beyond the duration of active processing.
No profiling: Sorto does not build profiles of your clients or vendors. Every document is processed fresh with no client data retained between sessions.
2. What We Do NOT Collect
- Your files on our servers: We do not store your document files on our servers. However, to perform AI-powered renaming, document text and page images are transmitted to OpenAI's API for processing. See Section 4 for details. We do not have access to your documents beyond what is required to perform this processing.
- Client or vendor profiles: We do not build or store profiles of your clients, vendors, or their financial data.
- Payment card details: Paddle handles all payment processing. We never see your card number.
- Browsing or tracking data: We do not use analytics trackers, cookies for advertising, or third-party tracking on our website or in our application.
3. How We Use Your Information
- To provide and maintain the Sorto service
- To manage your account and subscription
- To enforce usage limits based on your plan
- To send you important service-related communications (including team invitations)
- To improve the application based on aggregate usage patterns
- Automated document classification: OpenAI's API automatically classifies your documents to extract vendor name, date, and amount. This is an automated process — no automated decisions affect your legal rights or have significant legal effects. You retain full control and may contact support@sorto.ca to request human review of any processing result.
4. Third-Party Services
Sorto uses the following third-party services:
- OpenAI: Document text and rendered page images (JPEG) are transmitted to OpenAI's API to extract filing information (vendor name, date, amount). Before transmission, we automatically redact Social Insurance Numbers, Social Security Numbers, Employer Identification Numbers, payment card numbers (including 15-digit and 16-digit formats), and IBAN codes from document text. This redaction covers common patterns but may not catch all sensitive information in your documents. When redacted patterns are detected in a document, Sorto will not send page images to OpenAI for that document — only the redacted text is used. Under OpenAI's standard API data usage policy, API inputs and outputs may be retained for up to 30 days for abuse and misuse monitoring. We have applied for Zero Data Retention (ZDR) status, which would eliminate this retention window. ZDR status: pending — this page will be updated when confirmed. OpenAI states that API data is not used to train their models by default for API customers. For details, see OpenAI's Privacy Policy and OpenAI's Enterprise Privacy page.
- Supabase: We use Supabase for authentication, database storage, and serverless functions. Data stored includes: email address, display name, subscription status, team membership, usage logs, and operational telemetry. Supabase is hosted on AWS infrastructure. See Supabase's Privacy Policy.
- Paddle: Payment processing. Paddle acts as the Merchant of Record and data controller for payment data. See Paddle's Privacy Policy.
- Resend: We use Resend to send team invitation emails. Resend receives the invitee email address, inviter name, and team name solely for the purpose of delivering the invitation. See Resend's Privacy Policy.
- GitHub: The Sorto desktop application uses GitHub to deliver software updates. When checking for updates, your app version, operating system, and architecture are transmitted to GitHub. No personal data is transmitted. See GitHub's Privacy Policy.
- Cloudflare: Our website is hosted on Cloudflare Pages. All web traffic passes through Cloudflare's network. See Cloudflare's Privacy Policy.
Data transfers: Your data is processed by third parties located in the United States (OpenAI, Supabase, GitHub) and the United Kingdom (Paddle). By using Sorto, you consent to this cross-border transfer of data. We require that our service providers maintain appropriate security measures to protect your information.
5. Data Retention
We retain different types of data for different periods:
- Account profile data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Local rename log: Automatically purged after 7 days on your device.
- Team invitations: Automatically deleted 7 days after expiry.
- Operational telemetry: Automatically deleted after 90 days.
- Usage logs: Retained while your account is active.
- Local processing statistics: Stored on your device indefinitely (you may delete these files at any time).
- Document content sent to OpenAI: Under OpenAI's standard API policy, retained for up to 30 days for abuse monitoring, then deleted. We have applied for Zero Data Retention (ZDR) status, which would eliminate this retention window. ZDR status: pending. OpenAI states that API data is not used to train their models by default for API customers.
Aggregate, anonymized usage statistics may be retained indefinitely.
6. Data Security
We use industry-standard security measures including encrypted connections (HTTPS/TLS), hashed passwords, secure authentication tokens, and row-level database access controls. Authentication sessions are encrypted on your device using your operating system's secure storage. However, no method of transmission or storage is 100% secure.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: You can view your profile data in the app. To request a complete export of all data we hold about you, contact support@sorto.ca.
- Correction: You can update your display name and email address in the app settings.
- Deletion: You can delete your account directly from your account settings page. All data will be permanently deleted immediately. You may also contact support@sorto.ca if you need assistance.
- Portability: You can export your rename history as CSV from within the app. For a complete data export, contact support@sorto.ca.
8. Automated Decision-Making
Sorto uses OpenAI's API to automatically classify and extract information from your documents. This automated processing determines the suggested filename for each document. No automated decisions affect your legal rights or have significant legal effects. You retain full control — all suggestions can be reviewed and overridden before any file is renamed. To request human review of any result, contact support@sorto.ca.
9. Children's Privacy
Sorto is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. By creating an account, you confirm that you are at least 16 years of age.
10. Privacy Officer
Privacy Officer: Founder, A&B Solutions Inc.
Contact: support@sorto.ca
12 Pinewoods Drive, Stoney Creek, Ontario, Canada, L8J 2T5
For privacy inquiries, data requests, or complaints, contact the Privacy Officer above. We are committed to resolving privacy concerns promptly.
11. Data Breach Notification
In the event of a data breach that poses a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada (priv.gc.ca) and affected individuals as required by PIPEDA. For Quebec residents, notification will also be made to the Commission d'accès à l'information (cai.gouv.qc.ca) within 72 hours, in accordance with Quebec's Law 25.
12. Complaint Rights
You have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or the Commission d'accès à l'information du Québec at cai.gouv.qc.ca if you believe your privacy rights have been violated.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the application.
14. Contact
For privacy-related questions, contact us at support@sorto.ca.