Privacy Policy

Last updated: February 14, 2026

Taxlytic ("we," "us," or "our") provides automated tax intake software for independent tax preparers. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

We collect the following categories of personal information:

Category | Examples | Purpose
Identifiers | Name, email, phone, SSN (last 4 via chat, full via voice with consent) | Tax intake, account creation
Financial information | Income sources, deductions, W-2/1099 data | Tax preparation
Employment information | Employer name, wages, withholdings | Tax preparation
Family information | Dependents, filing status, relationships | Tax preparation
Document images | W-2 photos, 1099 scans, receipts | AI extraction
Voice call data | Call audio, transcripts, AI-generated responses | AI Receptionist service
Chat/messaging data | Intake messages, tawk.to live chat | Service operation
Usage data | Session activity, timestamps, feature usage | Analytics, improvement
Device/technical data | IP address, user agent, browser | Analytics, security
Payment data | Handled by Stripe; we store only subscription status | Billing

Information Collected Automatically

When you use our platform, we automatically collect certain technical information including analytics events, authentication session data, and rate limit counters (ephemeral). This data is used for service operation, security, and improvement.

2. How We Use Your Information and Legal Basis

Purpose | Legal Basis
Facilitating tax intake between clients and preparers | Contract performance
AI-powered data extraction from documents and chat | Contract performance
Voice call handling and transcription | Contract performance + consent
Transactional emails (invitations, notifications) | Contract performance
Analytics and service improvement | Legitimate interest
Fraud prevention and platform security | Legitimate interest + legal obligation
Marketing communications (if opted in) | Consent
Compliance with legal obligations | Legal obligation

3. AI Processing and Automated Decision-Making

Your data is NOT used to train AI models. Not by us, and not by our AI providers.

  • (a) Chat AI: A large language model processes intake conversations. No AI provider trains on your data.
  • (b) Document Extraction: AI extracts structured data from uploaded documents. No AI provider trains on your data.
  • (c) Voice Calls: Speech-to-text, text-to-speech, and AI language model providers process voice calls. No provider trains on your data.

AI outputs may contain errors, omissions, or inaccuracies. All AI-processed data must be independently verified by a qualified tax professional before use in tax return preparation.

No automated decisions with legal or significant effects are made without human review by the designated tax preparer.

4. Voice Call Processing

  • AI discloses its non-human identity at the start of every call (CA SB 1001, Maine Chatbot Act, FCC proposed rules)
  • Calls are transcribed in real-time and stored for the preparer's records
  • Voice processing uses industry-leading speech-to-text, text-to-speech, and AI providers
  • SSN and sensitive data redacted from transcripts (last 4 digits only retained in text)
  • Verbal consent obtained before collecting SSN or sensitive financial data
  • Callers may decline AI at any time and request a human callback
  • Transcript retention: 6 years per IRS record-keeping requirements
  • PSTN leg is unencrypted (industry standard, same as any human phone call)

5. How We Share Your Information (Sub-Processor List)

Category | Service | Data Access | Location | AI Training
AI Processing | Chat, extraction, voice AI | Messages, documents | US | No
Speech Processing | Speech-to-text, text-to-speech | Voice audio, AI text | US | No
Telephony | Voice calls, SMS | Call audio, phone numbers | US | No
Database & Auth | Database, authentication, storage | All user data | US | No
Hosting | Application hosting | Request metadata | US | No
Payments | Payment processing | Billing info (processor-side) | US | N/A
Analytics | Usage analytics | Events, anonymized IP | US/EU | No
Email | Transactional email | Email address, name | US | No
Rate Limiting | Security rate limiting | IP address (ephemeral) | US | No
Support | Live chat | Chat messages, email | EU | No

A detailed sub-processor list with specific provider names is available upon request. Contact privacy@taxlytic.ai.

We do not sell, rent, or share your personal information with third parties for advertising, marketing, or any purpose unrelated to providing our service.

We will update this sub-processor list when adding new providers. Material changes will be communicated via email with 30 days' notice.

6. Aggregate and Anonymized Data

We may create aggregate, de-identified, or anonymized data from personal information by removing identifiers. Anonymized data is not personal information and may be used for product improvement, industry benchmarking, and service analytics. We will not attempt to re-identify anonymized data.

7. Data Security and Compliance

Encryption

  • TLS 1.2+ in transit, AES-256 at rest, SRTP for voice media
  • Encryption keys rotated regularly

Network Security

Infrastructure protected by firewalls, DDoS protection, and rate limiting.

Access Controls

  • Row Level Security (RLS) for preparer-scoped data isolation
  • Multi-factor authentication for admin access
  • Role-based access controls; employee/contractor access limited to need-to-know basis

Data Isolation

Multi-tenant architecture with logical isolation of customer data at the database level via RLS policies.

Infrastructure Certifications

Core infrastructure providers maintain SOC 2 certification. Provider-specific certification details are available upon request.

GLBA/FTC Safeguards Rule Compliance (16 CFR Part 314)

  • Designated Qualified Individual overseeing security program
  • Written risk assessment covering all data collection channels (including AI chat, document upload, and voice)
  • Incident response plan with defined procedures and timelines
  • Service provider contractual safeguards (all sub-processors)
  • Annual security program review and update
  • Breach notification to FTC within 30 days

IRS Publication 4557 Security Six

Antivirus, firewalls, MFA, encryption, secure data wiping, regular security updates.

  • Penetration testing: Periodic vulnerability assessments and penetration testing
  • Secure data disposal: Industry-standard data wiping procedures for decommissioned storage

Security vulnerability reporting: If you discover a security vulnerability, please report it to security@taxlytic.ai. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.

8. Data Retention

Category | Retention Period | Legal Basis
Tax intake data (active account) | Duration of subscription | Contract
Tax intake data (cancelled account) | 6 years from last filing year | IRS 26 CFR 1.6107-1
Voice call transcripts | 6 years from call date | IRS record-keeping
Account credentials | Until account deletion | Contract
Payment/billing records | 7 years | Tax/accounting obligations
Analytics data | 12 months | Legitimate interest
Rate limiting data | 24 hours (ephemeral) | Security
Deleted account data | Purged within 30 days | Privacy right
Backups | Per database provider retention policy | Disaster recovery

Fraud exception: If a fraudulent return was prepared or no return was filed, data may be retained indefinitely per IRS requirements (no statute of limitations). After retention period expiration, data is securely deleted using industry-standard methods.

9. Data Breach Notification

Upon discovery of unauthorized access to personal information:

  1. Immediate containment and investigation
  2. Assessment of scope, affected data categories, and number of individuals
  3. Notification to affected users within 30 days of discovery (per FTC Safeguards Rule)
  4. Notification to FTC and applicable state attorneys general as required by law
  5. Notification to affected preparers so they can inform their clients
  6. Remediation measures and steps to prevent recurrence
  • Texas: Within 60 days per Texas Business and Commerce Code 521.053
  • California: "Expedient" per Cal. Civ. Code 1798.82

10. International Data Transfers

All personal data is processed and stored in the United States. If you access our services from outside the US, your data will be transferred to and processed in the US. By using our services, you consent to this transfer. We maintain contractual protections with all sub-processors.

We do not currently target services to EU/EEA residents. If we expand to serve international markets, we will implement appropriate transfer mechanisms (Standard Contractual Clauses or adequacy decisions).

11. IRC Section 7216 and Tax Return Information

  • Taxlytic acts as an Information Service Provider (ISP) under IRC Section 7216
  • Tax return information is processed solely to facilitate tax return preparation by the client's designated preparer (permitted use under 26 CFR 301.7216-2)
  • The contractor safe harbor (26 CFR 301.7216-2(d)(2)) applies: sub-processors handle data only as necessary to provide the service, under contractual obligations
  • No Section 7216 consent is required from clients solely to use this platform for intake collection
  • Preparers remain responsible for their own Section 7216 compliance for any use or disclosure of client data beyond return preparation
  • We do not use tax return information for marketing, advertising, or any non-service purpose

12. Government and Legal Requests

We may disclose personal information when required by law, subpoena, court order, or government investigation. We will use commercially reasonable efforts to notify affected users before disclosing their data to government authorities, unless:

  • Notification is prohibited by law or court order
  • Notification could create risk of harm to individuals
  • Notification could compromise an investigation

We will challenge overbroad or inappropriate requests where feasible. The Stored Communications Act (18 USC 2702) governs our handling of government requests for electronic communications.

13. Your Privacy Rights

All Users

  • Access personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Data portability (export in JSON format via dashboard)
  • Opt out of PostHog analytics tracking
  • Withdraw consent for AI processing
  • Object to processing based on legitimate interest

California Residents (CCPA/CPRA)

  • Right to know what personal information is collected, used, and shared
  • Right to delete personal information
  • Right to opt out of sale/sharing (we do not sell your data)
  • Right to non-discrimination for exercising rights
  • Right to limit use of sensitive personal information
  • Right to correct inaccurate personal information
  • Authorized agents may exercise rights on your behalf with written authorization

Virginia (VCDPA)

Access, correction, deletion, portability, opt-out of targeted advertising and profiling.

Colorado (CPA)

Access, correction, deletion, portability, opt-out of targeted advertising, profiling, and sale.

Connecticut (CTDPA)

Access, correction, deletion, portability, opt-out of sale, targeted advertising, and profiling.

Texas (TDPSA)

Access, correction, deletion, data portability.

How to Exercise Your Rights

Email privacy@taxlytic.ai. We will verify your identity and respond within 45 days (30 days for some state laws). If we need more time, we will notify you of the extension.

14. Cookies, Tracking, and Communications

Technology | Provider | Purpose | Type | Opt-Out
ph_* | PostHog | Analytics | Performance | posthog.opt_out_capturing() or browser settings
sb-* | Supabase | Authentication | Essential (required) | Cannot opt out
tawk.to widget | tawk.to | Live chat | Functional | Do not initiate chat

We do not use advertising cookies, retargeting pixels, or third-party tracking for advertising purposes.

Marketing communications are opt-in only. You may unsubscribe at any time via the link in any marketing email. Operational and transactional emails (intake invitations, billing receipts, security alerts) cannot be opted out of while your account is active.

15. Consent to Electronic Communications

By using our services, you consent to receive communications from us electronically (email, in-app notifications). Electronic communications satisfy any legal requirement for written notice. Per the E-SIGN Act, electronic records and signatures have the same legal effect as physical documents.

16. Children's Privacy

Taxlytic is not intended for use by individuals under 18. We do not knowingly collect personal information from children. If discovered, we will delete such information within 30 days. If you believe a minor has provided personal information, contact privacy@taxlytic.ai.

17. Changes to This Policy

Material changes: 30-day advance notice via email plus an in-app reconsent banner. Continued use after the notice period constitutes acceptance.

Non-material changes: Updated "Last updated" date at the top of this page. We encourage you to review this policy periodically. Previous versions are available upon request.

18. Contact Information

Taxlytic

Privacy requests: privacy@taxlytic.ai (response within 45 days)

General support: support@taxlytic.ai

3727 Greenbriar Dr Ste 203, Stafford, TX 77477

Governing law: State of Texas