Privacy Policy

How we collect, use, and protect your data. This page summarizes our practices; the full policy lives at /privacy-full.

Last Updated: May 20, 2026

At a Glance

AI Tax Accountant, LLC is a Florida limited liability company headquartered in Miami, Florida. We process accounting and tax documents you upload (including documents that may contain sensitive personal information such as Social Security numbers and account numbers) to produce GAAP-compliant financial statements and tax strategy reports. We do not sell your personal information, do not share it for cross-context behavioral advertising, and do not use your financial data to train AI models. Questions: privacy@aitaxaccountant.com.

Information We Collect

  • Account information (name, business email, password hash, business name, role)
  • Financial documents you upload (bank statements, credit card statements, tax returns, QuickBooks exports, P&L summaries, general ledgers, receipts) — these documents may contain sensitive personal information such as Social Security numbers, Employer Identification Numbers, and account numbers, all of which we treat as sensitive PII
  • Transaction data extracted from your uploads (dates, amounts, descriptions, categorizations)
  • Business profile (entity type, industry, officer compensation)
  • Usage data (pages visited, features used, processing job status, IP address, browser type)
  • Payment information processed by Stripe (we do not store full card numbers or CVV codes; we receive only customer ID, card brand, last four digits, expiration, billing ZIP, and subscription status)

How We Use Your Information

  • Tax processing: extract, classify, and categorize transactions from the documents you upload
  • Report generation: produce GAAP-compliant financial statements, general ledgers, and tax strategy memos
  • AI-assisted analysis using Anthropic Claude models — per Anthropic's commercial API terms, Anthropic does not use your data to train its models
  • Service improvement using aggregated, anonymized metrics only — we do not train any AI model on your data
  • Service communications (job completion, billing, security, support, policy updates)
  • Legal compliance with applicable law, court orders, and regulatory requests

Data Security

  • 256-bit TLS encryption in transit and AES-256 encryption at rest
  • Multi-factor authentication (MFA) enforced on every customer account
  • File validation on every upload: MIME type, size limit (20 MB), ClamAV malware scan
  • Role-based access controls + JWT authentication on all API requests
  • Audit logs of administrative access to customer data
  • Hosted on SOC 2 Type II compliant infrastructure (Supabase + Render); AI Tax Accountant, LLC is not independently SOC 2 certified

Your Rights

  • Access: download a copy of your data from Account Settings → Export
  • Correction: update your profile and business information at any time
  • Deletion: request deletion of your account and data from Account Settings → Delete Account or email privacy@aitaxaccountant.com
  • Portability: export financial reports in PDF, Excel, CSV, and IIF formats
  • California residents (CCPA/CPRA): right to know, right to delete, right to correct, right to opt out of sale (we do not sell), right to limit use of sensitive personal information, right to non-discrimination
  • EEA / UK / Switzerland residents (GDPR): all of the above plus right to restrict processing, right to object, right to data portability, right to withdraw consent, right to lodge a complaint with your supervisory authority

Data Retention

We retain personal information only as long as necessary to provide the Service or comply with legal obligations:

  • Active subscribers: data retained for the duration of the subscription plus a 90-day grace period to export anything you want to keep
  • Cancelled subscribers: customer data deleted from primary systems within 90 days after the grace period ends, unless a legal hold applies
  • Encrypted backups: purged within 30 days after primary deletion
  • Billing records and signed agreements: retained for 7 years to satisfy U.S. tax and record-keeping requirements
  • Aggregated, anonymized analytics: may be retained indefinitely

Sub-Processors and Third-Party Services

To operate the Service we rely on the following sub-processors, each bound by a written data-protection agreement:

  • Supabase, Inc. — database, authentication, object storage (SOC 2 Type II)
  • Render Services, Inc. — application and API hosting (SOC 2 Type II)
  • Stripe, Inc. — payment processing and subscription billing (PCI-DSS Level 1, SOC 1/SOC 2)
  • Anthropic, PBC — AI models (Claude) for transaction classification and report drafting (SOC 2 Type II; does not train on customer API data)
  • Microsoft Azure (Cognitive Services / Document Intelligence) — OCR for scanned PDFs (SOC 1, SOC 2, SOC 3, ISO 27001/27018, HIPAA BAA available)
  • Resend, Inc. — transactional email delivery (SOC 2 Type II)
  • Telegram Messenger Inc. — internal operational alerts only; receives only opaque job IDs and status codes, never customer PII

All sub-processors are contractually bound to protect your data and to use it only for the limited purpose for which we engage them. We do not sell, rent, trade, or barter your personal information.

Cookies & Tracking

We use a small number of cookies and similar technologies, scoped to operate the Service:

  • First-party authentication cookies (required to keep you signed in)
  • First-party preference cookies (remember non-sensitive UI preferences)
  • Google Analytics 4 on our marketing site for aggregate analytics — IP anonymization enabled, no Google Signals, no ad personalization, no cross-device tracking
  • Lovable first-party analytics (/~flock.js) on our customer portal — first-party only, no third-party cookies, no cross-site tracking, no customer data passed
  • We do not use third-party advertising cookies, retargeting pixels, or session-replay tools

You can control or block cookies through your browser settings. We respect Global Privacy Control (GPC) signals.

Children's Privacy

The Service is intended for business use by adults 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact privacy@aitaxaccountant.com and we will delete it.

International Data Transfers

The Service is operated from the United States, and all customer data is stored in U.S.-based data centers (Supabase US region; Render U.S. regions). If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on appropriate safeguards (including Standard Contractual Clauses) put in place by our sub-processors to legitimize these transfers.

Changes to This Policy

We may update this Policy from time to time. For material changes (a new category of personal information, a new sub-processor that materially handles customer data, or a change in processing purpose), we will notify you by email and provide at least 30 days' advance notice before the change takes effect.

Questions About Your Privacy?

Contact us for any privacy-related inquiry. We respond to verifiable requests within 30 business days.

Email: privacy@aitaxaccountant.com (Subject: Privacy Inquiry)

AI Tax Accountant, LLC — a Florida limited liability company, Miami, Florida