Last updated: May 2026
Terpa is a Canadian-made wellness journal designed with privacy in mind. We aim to handle your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, and other applicable Canadian privacy law. Your cannabis use information is sensitive — this page describes exactly what we collect, where it goes, and what protections apply.
To run Terpa we rely on infrastructure and service providers located in the United States. This includes our database, hosting, authentication, payment processor, and AI provider (listed in Third-Party Services below). When you use Terpa, your personal information — including journal data and any content you submit to AI features — is transferred to and processed in the United States.
Personal information held in the United States is subject to U.S. legal process and U.S. government access requests, which may differ from Canadian protections. We choose service providers that publish written security and data-handling commitments, and we use contractual safeguards where available. By using Terpa, you consent to this cross-border transfer.
What is encrypted: Your free-text journal notes are encrypted at rest using AES-256-GCM with a per-user key derived from a master secret. This means the notes column in our database is not readable without access to the master secret and your user identifier.
What is not encrypted at the field level: Other journal data (date, time, mood, strain, method, dose, cost, rating) and your profile information are stored in the database without additional encryption. They are protected by access controls and our database provider's storage-level encryption, but Terpa staff with database access could read them. We minimize this access.
If you require absolute confidentiality for a piece of information about your cannabis use, place it in the free-text notes field rather than in other fields.
As a Canadian resident, you have the right to:
Terpa uses only essential cookies required for the service to function:
We do not use advertising, analytics, or behavioural-tracking cookies.
You can delete your account at any time from the Settings page (Account → Danger Zone → Delete Account). When you confirm deletion, your account and associated personal data — including journal entries, attachments, profile, and stored AI scan data — are removed from our database. Backups may retain copies for a limited period before being overwritten by routine backup rotation.
If you have an active Stripe subscription, it will be cancelled automatically as part of account deletion. You will not be charged after the deletion timestamp.
We retain a minimal record of deleted accounts (Stripe customer reference, deletion timestamp) for tax, accounting, and fraud-prevention purposes for the period required by Canadian law.
We use the following service providers to operate Terpa. Each receives only the information needed for its function. All are based in the United States; see Cross-Border Data Transfers above.
Terpa is intended for adults 19 years of age or older in Canada. We do not knowingly collect personal information from anyone under 19. If you believe a minor has created an account, contact us at privacy@terpa.app and we will delete it.
We may update this Privacy Policy as the service evolves. Material changes will be communicated by email to your registered address and reflected in the "Last updated" date above.
For privacy inquiries, data-access requests, or to exercise your rights under PIPEDA or Law 25, contact us at privacy@terpa.app. We aim to respond within 30 days.
This Privacy Policy is governed by the laws of Canada, including PIPEDA and applicable provincial privacy legislation.
This policy reflects our current data practices to the best of our knowledge. It is being reviewed by Canadian privacy counsel; we will update it on receipt of their recommendations.