Privacy Policy

1. Information We Collect

1.1 Personal Information

• Identity Information: Name, email address, phone number, business name
• Tax Identifiers (Encrypted): Social Security Number (SSN), Employer Identification Number (EIN), IRS Identity Protection PIN (IP PIN)
• Financial Information: Bank account details, credit card information (processed by Stripe), transaction history
• Business Information: Entity type, formation documents, business address, prior tax returns
• Professional Credentials: CPA license numbers, EA PTIN, attorney bar admissions (for professionals only)

1.2 Financial Data (via Plaid)

When you connect bank accounts through Plaid, we collect:

• Bank account numbers and routing numbers
• Transaction history (dates, amounts, merchants, categories)
• Account balances
• Account holder names

1.3 Documents You Upload

• Tax returns (current and prior years)
• W-2s, 1099s, K-1s, and other tax forms
• Receipts and expense documentation
• Bank statements and credit card statements
• Business formation documents
• IRS letters and correspondence

1.4 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent, click patterns
• Device Information: IP address, browser type, operating system, device identifiers
• Cookies: Session cookies, preference cookies, analytics cookies (see Cookie Policy)
• Log Data: Access times, error logs, security events

2. How We Use Your Information

We use your information for the following purposes:

2.1 Provide Services

• Process and categorize financial transactions using AI
• Generate AI-powered tax insights and deduction suggestions
• Connect you with licensed tax professionals through our marketplace
• Enable professionals to access your data for tax preparation
• Process payments for subscriptions and professional services
• Generate financial reports (P&L, Balance Sheet, Schedule C)

2.2 AI Processing

AI Training Opt-Out: We do NOT use your personal tax data to train DynaTax AI models. We may use anonymized, aggregated data (with all personal identifiers removed) to improve AI accuracy. You can opt out by emailing privacy@dynatax.ai with "AI Opt-Out" in the subject line.

2.3 Security & Fraud Prevention

• Verify professional identities and credentials (via Veriff)
• Detect and prevent fraudulent activity
• Monitor for security threats and unauthorized access
• Maintain audit logs of sensitive data access

2.4 Legal Compliance

• Comply with IRS Publication 1075 tax data protection requirements
• Respond to lawful government requests
• Enforce our Terms of Service
• Comply with tax record retention requirements (7 years)

3. How We Share Your Information

We do not sell your personal information to third parties.

3.1 Tax Professionals You Engage

When you select a CPA, EA, or tax attorney through our marketplace, they receive access to:

• Your financial transaction data
• Uploaded tax documents and receipts
• AI-generated categorizations and insights
• Contact information

Professionals are independent contractors bound by professional confidentiality rules and their own privacy practices.

3.2 Service Providers (Subprocessors)

We share data with third-party service providers who process data on our behalf:

For complete subprocessor list and privacy policies, visit: /legal/subprocessors

3.3 Legal Requirements

We may disclose your information when required by law:

• In response to valid subpoenas, court orders, or government requests
• To comply with IRS or state tax authority requests
• To protect our rights, property, or safety
• In connection with fraud investigations

4. Data Security

4.1 Encryption

• At Rest: SSN, EIN, and IP PIN encrypted using AES-256-GCM with authentication tags
• In Transit: All data transmitted via TLS 1.3 encryption (HTTPS)
• Database: PostgreSQL with encryption enabled at database level
• Document Storage: S3 Server-Side Encryption (SSE) with AWS KMS

4.2 Access Controls

• Role-based access control (CLIENT, PRO, BOOKKEEPER, ADMIN)
• Multi-factor authentication for sensitive operations
• Organization-scoped data access (users only see their org's data)
• Audit logging of all SSN/EIN/IPPIN access

4.3 Monitoring

• 24/7 security monitoring and alerting
• Regular security audits and penetration testing
• Intrusion detection systems
• Failed login attempt tracking

5. Data Retention

We retain your data as follows:

• Tax Returns & Documents: 7 years after filing (IRS statute of limitations requirement)
• Bank Transactions: 7 years (GLBA + tax support requirement)
• SSN/EIN/IPPIN: 7 years after last tax return, then permanently deleted
• Audit Logs: Perpetual retention for security and compliance
• Account Data: 90 days after account termination, then deleted
• Professional Work Papers: 10 years (professional standards)

Automatic Deletion: Data is automatically deleted per the schedule above unless litigation hold or regulatory investigation requires extended retention.

6. Your Privacy Rights

6.1 California Residents (CCPA/CPRA Rights)

If you are a California resident, you have the right to:

• Know: Request disclosure of what personal information we collect, use, and share
• Delete: Request deletion of your personal information (subject to tax retention requirements)
• Correct: Request correction of inaccurate personal information
• Opt-Out: Opt out of "sale" or "sharing" of personal information (we don't sell data)
• Non-Discrimination: Not be discriminated against for exercising your rights

To Exercise Rights: Email privacy@dynatax.ai or call [Phone Number]
Response Time: We will respond within 45 days

6.2 All Users

• Access Your Data: Download your data from account settings
• Update Information: Correct inaccurate information in your profile
• Delete Account: Request account deletion (tax data retained 7 years per IRS)
• Opt Out of Marketing: Unsubscribe from promotional emails
• Revoke Consent: Disconnect bank accounts, disable AI processing

6.3 Data Portability

You can export your data in machine-readable format (JSON/CSV) from account settings. This includes:

• Transaction history
• Uploaded documents (PDF/images)
• AI-generated categorizations
• Financial reports

7. Children's Privacy

DynaTax is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected information from a child under 18, we will delete it immediately.

8. International Data Transfers

DynaTax is based in the United States. If you access our services from outside the U.S., your information will be transferred to, stored, and processed in the United States. By using DynaTax, you consent to this transfer.

European Union Users: We rely on Standard Contractual Clauses (SCCs) for EU data transfers.

9. Cookies & Tracking

We use cookies and similar technologies for:

• Essential Cookies: Session management, authentication (cannot be disabled)
• Analytics Cookies: Usage statistics, performance monitoring (can opt out)
• Preference Cookies: Save your settings and preferences

For details, see our Cookie Policy.

10. Data Breach Notification

In the event of a data breach affecting your personal information, we will:

• Notify you within 30 days of discovery
• Describe what information was compromised
• Explain steps we're taking to remediate
• Provide recommended actions (credit monitoring, password changes)
• Offer complimentary credit monitoring services if SSN compromised

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via:

• Email notification 30 days before effective date
• Prominent notice on website
• Updated "Last Modified" date at top of policy

Continued use after changes indicates acceptance of modified policy.

12. Contact Us

For privacy questions, data requests, or to exercise your rights: