Privacy Policy
Quick summary
- We collect what you upload (tax returns, client info, chat) plus minimal account / log data.
- We never sell your data and we don't use your client data to train AI models.
- Storage is encrypted on Cloudflare (US data centers).
- Data is processed by Anthropic (Claude) for AI analysis under their enterprise terms.
- Default retention: 1 year (3 years on Enterprise tier). Audit logs: 7 years.
1. Who we are
AI-TaxPlan is operated by I-Taxplan, a Florida-based tax-resolution firm (renato@i-taxplan.com). For questions about this policy, contact us at the address at the bottom.
2. Information we collect
| Category | Examples | Source |
|---|---|---|
| Account info | Name, email, password hash, CPA license #, PTIN, phone, firm details, logo | You provide |
| OAuth identity | Google / Apple sub, email, name (if you sign in via OAuth) | Identity provider |
| Client / case content | Client names, contact, filing status, tax-year cases, notes, uploaded PDFs (1040, schedules, W-2, 1099, K-1, etc.), chat messages, agent outputs, citations, feedback | You upload / generate |
| Usage & telemetry | Login time, IP, user-agent, audit log of actions you take, AI token usage, errors | Automatic |
| Billing | Plan, payment status (handled by Stripe; we do not store full card details) | Stripe |
3. How we use it
- To provide the Service: agent analysis, chat, PDF reports, knowledge-base lookups.
- To enforce subscription quotas and bill correctly.
- To detect abuse and protect the Service.
- To improve the Service via aggregate, de-identified usage statistics. We do not use your client content to train AI models.
- To send transactional email (invites, password resets, completion notices).
4. Sub-processors
- Cloudflare — hosting, storage (D1, R2, KV, Vectorize), DNS, CDN. US data centers (ENAM region).
- Anthropic — Claude API for AI analysis. Calls are made under Anthropic's API Terms; according to those terms, prompts and outputs sent via the API are not used to train Anthropic models.
- Resend — transactional email delivery.
- Stripe — payment processing (when activated).
- Google / Apple — OAuth identity verification (only if you choose those sign-in options).
5. Multi-tenant isolation
Each subscriber firm is a separate tenant. Database queries are scoped by firm_id; storage paths are scoped by firm_id; one firm cannot see another firm's data. Firm administrators can grant additional seats within their firm.
6. Data retention
- Active client and case data: retained while you are a paying subscriber.
- After cancellation: 30-day grace period for export, then archive for the retention window of your most recent plan (Solo / Firm: 1 year; Enterprise: 3 years), then permanent deletion.
- Audit logs: 7 years (for legal protection / professional records).
- You may request earlier deletion of specific cases or your account at any time. Some data may be retained as required by law or for billing records.
7. Security
- HTTPS enforced everywhere.
- Storage encrypted at rest by Cloudflare.
- Passwords hashed with PBKDF2 (200,000 iterations).
- Optional TOTP-based 2FA on every account.
- Comprehensive audit log of administrative actions, document access, and AI runs.
- Rate limits on chat and analysis endpoints to prevent abuse.
8. Your rights
If you are based in California, the EU, the UK, or other jurisdictions with privacy laws, you may have rights to access, correct, export, or delete your personal data. Contact us at renato@i-taxplan.com and we will respond within 30 days. Note: rights belonging to your end-clients (the people whose returns you upload) should generally be exercised through you, since you are their service provider; we offer technical support to help you fulfill those requests.
9. Cookies
We use a minimal set of strictly necessary cookies for authentication and session management. We do not use advertising cookies. We may use a privacy-preserving analytics service (e.g., Plausible) on the marketing landing page; details are available in our cookie banner.
10. International transfers
Data is stored and processed in the United States. If you access the Service from outside the US, you consent to that transfer.
11. Children
The Service is not directed to children under 18 and does not knowingly collect their data. Some clients you serve may have minor dependents; their data appears solely as part of your client records.
12. Changes
We will notify subscribers of material changes by email or in-app notice 30 days in advance.
13. Contact
renato@i-taxplan.com · I-Taxplan, Miami, FL