Privacy Policy

1. Introduction

TaxFly AI, Inc. ("TaxFly," "we," "us," or "our") is committed to protecting your privacy and the confidentiality of your clients' tax information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered tax preparation platform.

Given the sensitive nature of tax data, we implement enterprise-grade security measures and comply with IRS Publication 4557 (Safeguarding Taxpayer Data) and applicable data protection laws.

2. Information We Collect

2.1 Account Information

When you register for TaxFly AI, we collect:

• Name, email address, and phone number
• Company name and tax preparer license information
• Billing information (processed securely by Stripe)
• Password (encrypted and never stored in plain text)

2.2 Tax Documents and Client Data

To provide our AI extraction and processing services, we collect:

• Tax documents (W-2s, 1099s, receipts, etc.) uploaded by you or your clients
• Client information: names, Social Security Numbers, addresses, dates of birth
• Income, deduction, and financial data extracted from documents
• Tax form data and calculations
• Case notes, questions, and communications

2.3 Usage Data

We automatically collect:

• IP address, browser type, and device information
• Pages visited, features used, and time spent on the platform
• Actions taken (document uploads, exports, case status changes)
• Error logs and performance metrics

2.4 Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Essential cookies: Authentication, session management, security
• Analytics cookies: Usage patterns, feature adoption, performance monitoring
• Preference cookies: Language, theme, and display settings

We do not use advertising or third-party tracking cookies.

3. How We Use Your Information

We use collected information to:

• Provide Services: Process documents, extract tax data, generate forms
• Improve AI Models: Train and refine extraction accuracy (using de-identified data only)
• Customer Support: Respond to inquiries, troubleshoot issues, provide assistance
• Billing: Process payments, send invoices, manage subscriptions
• Security: Detect fraud, prevent abuse, protect against security threats
• Communications: Send service updates, security alerts, and feature announcements
• Compliance: Meet legal obligations, respond to lawful requests, enforce our Terms
• Analytics: Understand usage patterns, measure feature adoption, improve user experience

4. Data Sharing and Disclosure

We do not sell, rent, or trade your data. We share information only in these limited circumstances:

4.1 Service Providers

We use trusted third-party service providers who process data on our behalf:

• Cloud Infrastructure: Supabase (database), AWS (storage)
• AI Processing: OpenAI, Anthropic (document extraction)
• Payment Processing: Stripe (billing and subscriptions)
• Email Services: Resend (transactional emails, notifications)
• Analytics: PostHog (privacy-focused product analytics)

All service providers are bound by strict data protection agreements and are prohibited from using your data for any purpose other than providing services to TaxFly AI.

4.2 Legal Requirements

We may disclose information if required by law or in response to:

• Court orders, subpoenas, or other legal processes
• IRS or state tax authority requests (with proper documentation)
• Law enforcement investigations (with valid legal authority)
• Protection of our rights, property, or safety

4.3 Business Transfers

If TaxFly AI is acquired, merged, or undergoes a business restructuring, your information may be transferred to the successor entity. We will notify you of any such change.

5. Data Security

We implement enterprise-grade security measures to protect your data:

5.1 Encryption

• In Transit: TLS 1.3 encryption for all data transmission
• At Rest: AES-256 encryption for stored documents and database records
• End-to-End: Client portal links use encrypted tokens

5.2 Access Controls

• Multi-tenant architecture with strict data isolation
• Role-based access controls (RBAC)
• Two-factor authentication (2FA) available for all accounts
• Automated session timeouts and password requirements

5.3 Infrastructure Security

• Regular security audits and penetration testing
• Automated vulnerability scanning
• Intrusion detection and prevention systems
• SOC 2 Type II compliance (certification in progress)
• Annual third-party security assessments

5.4 Employee Access

TaxFly AI employees have access to client data only when necessary for support or troubleshooting. All access is logged and monitored. Employees undergo background checks and sign confidentiality agreements.

6. AI Model Training and Data Usage

To improve our AI extraction models, we may use de-identified document data. We follow these strict principles:

• No PII in Training Data: Names, SSNs, addresses, and identifiable information are removed
• Aggregation: Data is aggregated across thousands of documents to prevent re-identification
• Opt-Out Available: You can opt out of contributing anonymized data to model training
• Third-Party AI: OpenAI and Anthropic do not train on your data (per our enterprise agreements)

To opt out of contributing anonymized data to model training, contact privacy@taxfly.ai.

7. Data Retention

We retain your data according to these policies:

• Active Accounts: Data retained for as long as your account is active
• Deleted Accounts: Data deleted within 30 days, except where required by law
• Tax Documents: Retained for 7 years to comply with IRS recordkeeping requirements
• Backups: May persist in backups for up to 90 days after deletion
• Audit Logs: Security and access logs retained for 2 years

You can request deletion of your account and data at any time, subject to legal retention requirements.

8. Your Privacy Rights

Depending on your location, you may have the following rights:

8.1 GDPR Rights (EU/UK Residents)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interests

8.2 CCPA Rights (California Residents)

• Know: Request disclosure of data collection and sharing practices
• Delete: Request deletion of your personal information
• Opt-Out: Opt out of sale of personal information (we do not sell data)
• Non-Discrimination: Equal service regardless of privacy choices

8.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@taxfly.ai. We will respond within 30 days. You may also submit requests through your account settings.

9. International Data Transfers

TaxFly AI is based in the United States. If you access our Service from outside the U.S., your information will be transferred to, stored, and processed in the United States.

We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/UK to the U.S. We also comply with applicable data protection frameworks.

10. Children's Privacy

TaxFly AI is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will delete it immediately.

11. Data Breach Notification

In the event of a data breach affecting your information, we will:

• Notify affected users within 72 hours of discovery
• Report to relevant authorities as required by law
• Provide details of the breach, data affected, and remediation steps
• Offer credit monitoring or identity protection services if appropriate

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last Updated" date at the top indicates when the policy was last revised.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

• Email: privacy@taxfly.ai
• Support: support@taxfly.ai
• Address: TaxFly AI, Inc., 123 Tax Lane, Wilmington, DE 19801

Data Protection Officer: For EU/UK data protection inquiries, contact our DPO atdpo@taxfly.ai