Privacy Policy

Last Updated: May 25, 2026 (v3.3)

1. Introduction

TaxScout.AI Inc. (“TaxScout.AI,” “we,” “us,” or “our”) is an AI-powered tax preparation platform designed for Certified Public Accountant (CPA) firms and their clients. This Privacy Policy describes how we collect, use, store, disclose, and protect personal information and tax return information when you use our services, including our website at www.taxscout.ai, our web-based platform, mobile applications, client portal, APIs, and any related services (collectively, the “Services”).

This Privacy Policy applies to all users of our Services, including CPA firm administrators, tax professionals (“Practitioners”), and taxpayer clients (“Clients” or “Taxpayers”) who interact with our platform through their CPA firm’s use of TaxScout.AI.

IMPORTANT: TaxScout.AI is a technology platform and service provider only. We are NOT a CPA firm, tax return preparer, enrolled agent, or tax advisor. We do not prepare, sign, or file tax returns. All tax preparation services and professional advice are provided solely by the CPA firm that has engaged you as a client.

TaxScout.AI processes sensitive tax return information subject to Internal Revenue Code (IRC) Section 7216 and Section 6713. We are committed to full compliance with all applicable federal, state, and international data protection laws.

2. Definitions

        “Tax Return Information” means any information furnished to or obtained by a tax return preparer in connection with the preparation of a tax return, as defined under IRC §7216 and Treasury Regulation §301.7216-1(b)(3).

        “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual.

        “Practitioner / CPA Firm” means a CPA, Enrolled Agent, tax preparer, or other authorized professional who uses TaxScout.AI to prepare or assist in preparing tax returns. The CPA Firm is the data controller for Client data.

        “Client / Taxpayer” means an individual or entity whose tax return information is processed through the TaxScout.AI platform via their CPA firm.

        “AI Processing” means the use of artificial intelligence, machine learning, natural language processing, and automated data extraction technologies to process, analyze, and organize tax-related documents and data. All AI outputs are preliminary drafts subject to mandatory human review.

        “Customer” means the CPA firm or accounting practice that has entered into a subscription agreement with TaxScout.AI.

        “AI Output” means any data extraction, form population, preparation note, anomaly flag, or other result generated by TaxScout.AI’s automated systems. AI Outputs may contain errors and require professional verification.

3. Information We Collect

3.1 Information Provided Directly by CPA Firms (Customers)

        Firm registration information (firm name, EIN, PTIN, address, phone, email)

        Practitioner account information (name, professional credentials, email, role)

        Billing and payment information (processed via third-party payment processors)

        Firm preferences, workflow configurations, and integration settings

        Engagement letter templates and client intake configurations

3.2 Tax Return Information (Processed on Behalf of CPA Firms)

When CPA firms use our Services to prepare tax returns for their Clients, the following categories of tax return information may be processed through our AI systems:

        Taxpayer identification information (names, Social Security Numbers, EINs, ITINs)

        Financial information (income, wages, dividends, capital gains, deductions, credits)

        Source documents (W-2s, 1099s, K-1s, receipts, bank statements, brokerage statements)

        Tax organizer responses and preparation notes

        Prior year tax return data for comparison and carry-forward purposes

        Multi-state filing information

3.3 Information Collected Through the Client Portal

When Clients access the TaxScout.AI Client Portal at the invitation of their CPA firm:

        Email address provided for portal access

        Documents uploaded by the Client for tax preparation

        Messages and communications with the CPA firm through the portal

        Electronic signatures on engagement letters and consent forms

        Portal activity (login times, document upload timestamps)

        Mobile phone number (if provided for SMS notifications; see Section 4.4)

Clients access the portal only after agreeing to our Terms of Service and Privacy Policy via the portal login page. The CPA firm is responsible for ensuring appropriate client engagement agreements are in place.

3.4 Automatically Collected Information

        Device information (browser type, operating system, device identifiers)

        Log data (IP address, access times, pages viewed, referring URLs)

        Usage analytics (features used, session duration, interaction patterns) — collected via PostHog analytics (see Section 11)

        Cookies and similar tracking technologies (see Section 11)

3.5 WISP Assessment Data

When users complete the TaxScout.AI WISP (Written Information Security Plan) assessment wizard, we collect the following categories of information:

        Contact information (email address, name, firm name) provided during email capture

        Firm security posture information (44 self-reported assessment questions covering: firm basics, security team, data inventory, hardware inventory, current security measures, employee policies, data retention practices, incident readiness, and state compliance)

        Calculated security score and gap analysis derived from assessment responses

        Generated WISP documents and certificates (for subscribers only)

        E-signature records for WISP signing and employee acknowledgements (for subscribers only)

WISP assessment data does not include taxpayer PII (Social Security Numbers, tax return data, or financial information). The assessment collects information about the firm’s IT security practices and infrastructure only. All WISP assessment data is stored in encrypted databases within the United States.

3.6 Google Account and Gmail Data

If a Practitioner connects a Gmail or Google Workspace account to TaxScout.AI through Google OAuth, we may access and process Google user data authorized by that Practitioner, including:

        Google account profile information, such as name and email address, through the openid, email, and profile scopes

        Gmail message metadata, such as sender, recipients, subject, dates, thread IDs, message IDs, and headers needed to display and organize email threads

        Gmail message content and attachments for emails displayed, searched, classified, or processed inside the TaxScout.AI dashboard

        Outgoing email content sent by the Practitioner through TaxScout.AI using the connected Gmail account

        OAuth access tokens and refresh tokens required to maintain the Gmail connection

TaxScout.AI currently requests only the Gmail permissions necessary to provide the connected email experience: gmail.readonly to display and process Gmail messages inside TaxScout.AI, and gmail.send to send emails from the connected Gmail account at the Practitioner’s direction. TaxScout.AI does not request gmail.modify and does not modify, delete, label, archive, or mark Gmail messages as read or unread in the user’s Gmail account.

4. How We Use Information

4.1 Tax Return Preparation Services (Primary Purpose)

We use tax return information solely to provide our AI-powered tax preparation Services to CPA firms, including:

        Automated extraction and classification of data from uploaded tax documents

        AI-driven data entry into tax return forms and schedules

        Generating reviewer-ready tax return drafts with AI preparation notes

        Flagging anomalies, discrepancies, and potential issues for human review

        Providing year-over-year comparisons and variance analysis

        Supporting multi-state and complex return processing

All AI-generated outputs are preliminary drafts. The CPA firm’s Practitioner is solely responsible for reviewing, verifying, and approving all outputs before filing any tax return.

4.2 Service Improvement and Operations

        Maintaining and improving the accuracy of our AI models and algorithms using only de-identified, aggregated data

        Ensuring platform reliability, security, and performance

        Providing customer support and technical assistance

        Generating aggregated, de-identified analytics on platform usage

4.3 Legal and Compliance

        Complying with applicable laws, regulations, and legal processes

        Enforcing our Terms of Service and other agreements

        Protecting against fraud, unauthorized access, and security threats

4.4 SMS/Text Message Communications

If you opt in to receive text message notifications from TaxScout.AI or your CPA firm through the TaxScout.AI platform, you consent to receive transactional SMS/text messages at the mobile phone number you provide. These messages may include:

        Tax return status updates (e.g., return ready for review, return filed)

        Document requests and missing information alerts

        Payment reminders and invoice notifications

        Engagement letter and e-signature requests

        Appointment and deadline reminders

Message frequency varies based on your tax return activity and CPA firm communications. Message and data rates may apply. You may opt out of SMS communications at any time by replying STOP to any message. Reply HELP for assistance. Opting out of SMS does not affect your ability to use the Services or receive email communications. Carrier delivery is not guaranteed. SMS is not available in all areas.

Your mobile phone number is collected solely for the purpose of delivering these transactional messages and is not shared with third parties for marketing purposes, sold, or used for any purpose other than delivering the notifications described above. Phone numbers are retained only as long as you maintain an active account or until you opt out. For more information about how we handle your data, see Section 8 (Data Security) and Section 9 (Data Retention).

4.5 WISP Assessment and Compliance Services

We use WISP assessment data (described in Section 3.5) for the following purposes:

        Calculating a security score and identifying gaps in the firm’s security posture based on a rule-based scoring engine

        Generating a customized WISP document using AI (for subscribers only), tailored to the firm’s specific security measures and state compliance requirements

        Sending assessment results via email to the email address provided during the assessment

        Managing WISP document e-signatures, employee acknowledgements, and certificate generation for subscribers

        Sending annual WISP review reminders and PTIN renewal-related notifications

        Generating de-identified, aggregated statistics on security posture trends across tax professionals (no individual firm identifiable)

WISP assessment data is not used to train AI models. AI generation of WISP documents (for subscribers) uses the assessment responses as input context only and does not retain or learn from individual firm data.

4.6 Use of Google and Gmail Data

TaxScout.AI uses Google user data only to provide user-facing connected email features that are visible in the TaxScout.AI dashboard, including:

        Connecting and authenticating a Practitioner’s Gmail or Google Workspace account

        Displaying Gmail inboxes, email threads, messages, and attachments inside TaxScout.AI

        Searching, organizing, and classifying emails for tax workflow purposes

        Extracting tax-related attachments from emails and routing them into the CPA firm’s document workflow

        Sending emails or replies from the connected Gmail account when initiated by an authorized Practitioner

        Maintaining synchronization, audit logs, abuse prevention, security monitoring, and service reliability

TaxScout.AI does not use Google user data for advertising, retargeting, credit decisions, unrelated marketing, or sale to third parties. TaxScout.AI does not use Google user data to train, fine-tune, or improve generalized AI or machine learning models.

5. AI Data Processing, Accuracy, and Privacy by Design

TaxScout.AI is built with privacy at its core. Our AI systems are designed to protect taxpayer privacy throughout the document processing lifecycle.

5.1 Data Minimization and Security Controls

NOTICE: TaxScout.AI employs data minimization practices to protect sensitive information. Sensitive identifiers (such as Social Security Numbers) are stored in the database as last-4 digits only — full values are not persisted in application storage. Tax documents may be transmitted to third-party AI providers in their original form for extraction purposes via encrypted API channels. The following security controls protect this data:

        All data is transmitted over TLS 1.2+ encrypted connections

        All AI processing occurs within the United States

        AI model providers are contractually prohibited from retaining, storing, or using any data for model training

        Data Processing Agreements (DPAs) with strict use limitations govern all third-party AI processing

        Access to processing systems is restricted to minimum necessary personnel

5.2 No Training on Client Data

CRITICAL COMMITMENT: TaxScout.AI does not use any individual taxpayer’s tax return information to train, fine-tune, or improve our general-purpose AI models. Your clients’ data is never used as training data for machine learning models that serve other customers. Any model improvement uses only de-identified, aggregated data that cannot be traced back to any individual taxpayer.

5.3 AI Output Accuracy Disclaimer

AI SERVICES & ACCURACY NOTICE: The Services utilize artificial intelligence and machine learning technologies (“AI Features”) to extract data from documents and generate preliminary tax return drafts, preparation notes, and suggestions. You acknowledge and agree that:

        AI Features may produce inaccurate, incomplete, or erroneous results (“AI Errors”), including but not limited to incorrect data extraction, misclassification of income or deductions, mathematical errors, and incorrect form selection

        AI-generated outputs are PRELIMINARY DRAFTS ONLY and are not final tax returns

        All AI outputs require mandatory review, verification, and approval by a qualified tax professional (CPA, EA, or licensed preparer) before any reliance or filing

        TaxScout.AI disclaims all liability for errors in tax returns, penalties, interest, or other consequences resulting from unverified AI output

        The CPA firm and its Practitioners bear sole professional responsibility for the accuracy and completeness of all filed tax returns

Safe Harbor: TaxScout.AI employs commercially reasonable efforts to maximize AI accuracy, including multi-layer validation, confidence scoring, and automated anomaly detection. However, AI technology is inherently probabilistic and no AI system can guarantee 100% accuracy. TaxScout.AI’s liability is limited to ensuring commercially reasonable accuracy in its AI processing systems.

5.4 AI Processing Architecture

Our AI systems use a structured processing pipeline — documents are classified, segmented, and then processed by AI extraction models that output structured data validated against defined schemas. This approach provides auditability and traceability. Confidence scores are assigned to extracted data, and low-confidence results are automatically flagged for human review. Edge cases and ambiguous tax scenarios are escalated for Practitioner review.

5.5 Human-in-the-Loop Requirement

TaxScout.AI’s AI generates drafts and preparation notes, but all final review, judgment, and filing decisions must be made by qualified tax professionals. AI outputs are always subject to Practitioner review before any return is finalized or filed. No tax return is automatically filed without explicit human approval.

5.6 Third-Party AI Providers

TaxScout.AI utilizes third-party AI model providers for document OCR, data extraction, and natural language processing. The following safeguards are in place:

        All third-party AI providers are bound by Data Processing Agreements (DPAs) or terms of service with strict use limitations

        Third-party AI providers are contractually prohibited from using any data for model training or improvement

        All processing occurs within the United States

        TaxScout.AI employs data minimization in storage (last-4 digits of sensitive identifiers). Tax documents may be transmitted to AI providers in their original form for extraction purposes via encrypted API channels

        AI providers are contractually prohibited from retaining Customer data beyond the processing request

6. IRC Section 7216 Compliance

TaxScout.AI recognizes the critical importance of IRC §7216, which imposes criminal penalties on tax return preparers who knowingly or recklessly make unauthorized disclosures or uses of tax return information.

6.1 TaxScout.AI Is NOT a Tax Return Preparer

TAXSCOUT.AI IS NOT A REGISTERED TAX RETURN PREPARER, CPA FIRM, ENROLLED AGENT, OR TAX ADVISOR. TaxScout.AI provides software tools and AI-assisted technology services only. We do not prepare, review, sign, or file tax returns. We do not provide tax advice, legal advice, or accounting advice. The CPA firm that engages you as a client is your tax return preparer and bears all professional responsibilities associated with that role.

6.2 Our Role Under §7216

TaxScout.AI operates as an auxiliary service provider and technology platform that assists CPA firms (tax return preparers) in the preparation of tax returns. Under Treasury Regulation §301.7216-1(b)(2)(iii), our services qualify as auxiliary services provided in connection with tax return preparation.

6.3 Permissible Use Without Separate Taxpayer Consent

Under Treasury Regulation §301.7216-2(d), disclosures to processors and auxiliary service providers for the purpose of tax return preparation generally do not require separate taxpayer consent, provided the information is used solely for return preparation purposes. TaxScout.AI’s processing of tax return information falls within this permissible use.

TaxScout.AI provides CPA firms with the following tools to ensure comprehensive compliance:

        A Technology Platform Acknowledgment clause is included in the engagement letter template provided to CPA firms for use with their clients

        The Client Portal login requires agreement to TaxScout.AI’s Terms of Service and Privacy Policy before any data can be submitted

        CPA firms are encouraged to obtain express §7216 consent from their clients where required under their specific circumstances, consistent with Revenue Procedure 2013-14

6.4 Data Use Restrictions

TaxScout.AI strictly adheres to the following §7216 restrictions:

        We do not use tax return information for any purpose other than assisting in tax return preparation

        We do not sell, rent, or lease taxpayer data to any third party

        We do not use tax return information for marketing or solicitation of non-tax services

        We do not disclose tax return information to any unauthorized third party

        We do not share taxpayer data with advertising networks, data brokers, or analytics platforms

        We do not use taxpayer data to train general-purpose AI models

        We maintain audit trails of security-sensitive data access and processing activities

7. Data Sharing and Third-Party Disclosures

7.1 Categories of Recipients

We may share information with the following categories of recipients, solely as necessary to provide our Services:

        CPA Firm Personnel: Tax return information is accessible only to authorized Practitioners within the subscribing CPA firm.

        Cloud Infrastructure and Hosting Providers: We use Amazon Web Services (AWS) for file storage, Supabase for database and authentication, and Vercel for application hosting. All providers process data under Data Processing Agreements (DPAs).

        AI Model Providers: Data is transmitted to third-party AI models (including Google Gemini, Anthropic Claude, and OpenAI) for document processing under strict DPA protections. See Section 5.6 for details on safeguards.

        Background Job Processing: Inngest is used for asynchronous workflow orchestration (document processing, notifications) under DPA protections.

        Payment Processors: Billing information is processed by PCI-compliant payment processors (Stripe). We do not store credit card numbers.

        E-Signature Providers: Engagement letters and consent forms are processed through secure e-signature platforms (Documenso) with full audit trails.

        Email Delivery: Transactional emails (OTP codes, notifications, invitations) are sent via Resend.

        Security and Performance: Cloudflare provides CDN, DDoS protection, and bot mitigation. Sentry provides error monitoring. These services process access metadata and error traces.

        Product Analytics: PostHog collects anonymized usage analytics to improve the platform (see Section 11).

        Professional Advisors: Our legal counsel, auditors, and compliance consultants, bound by confidentiality obligations.

7.2 We Do NOT Share Information With

        Advertising networks or ad technology companies

        Data brokers or information resellers

        Social media platforms

        Any entity for purposes unrelated to tax return preparation

        Any public or general-purpose AI chatbot (ChatGPT, Gemini, etc.) in their consumer-facing forms

7.3 Google API Services User Data and Limited Use

TaxScout.AI’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not sell, rent, or transfer Google user data to advertising platforms, data brokers, information resellers, or social media platforms. We do not use Google user data for serving ads, retargeting, personalized advertising, or determining creditworthiness.

We transfer Google user data only as necessary to provide or improve the user-facing connected email features described in this Privacy Policy, to maintain security, to comply with applicable law, or with the user’s explicit consent. For example, Gmail attachments that a Practitioner routes into the tax document workflow may be processed by our secure infrastructure and approved service providers solely for tax document extraction, classification, storage, and workflow automation.

Human access to Google user data is restricted to authorized personnel and only when necessary to provide support requested by the Customer, investigate security or abuse issues, comply with law, or maintain the Services.

7.4 Legal Disclosures

We may disclose information when required by law, regulation, subpoena, court order, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7.5 Subpoena and Legal Hold Procedure

Upon receipt of a valid legal process requiring disclosure of Customer data, TaxScout.AI will: (a) promptly notify Customer unless legally prohibited from doing so; (b) limit disclosure to the minimum information required by the legal process; and (c) cooperate with Customer’s efforts to obtain a protective order or other appropriate remedy.

8. Data Security

8.1 Infrastructure Security

        All data is hosted on Amazon Web Services (AWS) and Supabase within the United States

        All data is encrypted in transit using TLS 1.2+

        All data is encrypted at rest using AES-256 server-side encryption

        Role-based access controls (RBAC) with row-level security ensure least-privilege access and multi-tenant isolation

        Multi-factor authentication (MFA) available for all administrative and practitioner access

        Automated vulnerability scanning via CI/CD pipeline (Snyk, OWASP ZAP, dependency audits)

TaxScout.AI’s infrastructure is designed to meet the security requirements outlined in IRS Publication 4557 (Safeguarding Taxpayer Data).

8.2 Application Security

        Secure development lifecycle (SDLC) practices with automated linting, security scanning, and CI/CD pipelines

        DDoS mitigation and bot protection via Cloudflare

        Audit logging of security-sensitive data access events, including document downloads, exports, and PII operations

        HSTS enforcement with preload for all client-facing interfaces

        CSRF protection for all state-changing API endpoints

8.3 Organizational Security

        Background checks for all employees with production access

        Mandatory security awareness training

        Confidentiality and non-disclosure agreements

        Business continuity and disaster recovery plans

Incident Response Plan: TaxScout.AI maintains a formal Incident Response Plan, reviewed and updated annually, which governs our response to security incidents. The plan includes defined roles and responsibilities, escalation procedures, containment protocols, forensic investigation processes, and communication requirements.

8.4 Cyber Liability Insurance

TaxScout.AI maintains cyber liability insurance coverage to protect against data security incidents. This coverage provides financial protection for incident response costs, notification expenses, and potential liability arising from data breaches.

8.5 GLBA Compliance

Tax return preparers may be considered “financial institutions” under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314). As a technology service provider to CPA firms, TaxScout.AI maintains an information security program designed to comply with the Safeguards Rule, including administrative, technical, and physical safeguards to protect customer financial information. Our security measures described in this Section 8 are designed to meet or exceed the requirements of the FTC Safeguards Rule.

9. Data Retention and Deletion

9.1 Retention Periods

        Tax Return Information: Retained for the duration of the CPA firm’s active subscription plus a maximum of seven (7) years, consistent with IRS record-keeping requirements, unless a shorter period is requested.

        Engagement Letters & Signatures: Retained for seven (7) years with full audit trail (signer identity, IP address, timestamp, device information).

        Account Information: Retained for the duration of the account plus three (3) years after termination.

        Usage and Log Data: Retained for up to two (2) years.

        Billing Records: Retained for seven (7) years for tax and audit compliance.

        WISP Assessment Data: Assessment responses and security scores are retained for the duration of the account. For free (non-subscriber) assessments, data is retained for three (3) years from the date of the assessment or until deletion is requested. Generated WISP documents and certificates are retained for the duration of the subscription plus seven (7) years. WISP version history is retained alongside the current document.

9.2 Deletion and Data Portability

Upon account termination or written request by the CPA firm:

        All tax return information will be securely deleted or returned within sixty (60) days

        Deletion uses industry-standard secure erasure methods, including cryptographic erasure (crypto-shredding) where applicable, ensuring that encrypted data becomes permanently unrecoverable upon key destruction

        CPA firms may request data export in standard formats prior to termination

        Written confirmation of data deletion provided upon request

        Backup copies purged within ninety (90) days of deletion request

9.3 Google Account Disconnection, Revocation, and Deletion

Practitioners may disconnect a Gmail or Google Workspace account from TaxScout.AI at any time through the TaxScout.AI dashboard. When an account is disconnected, TaxScout.AI deletes the stored OAuth tokens for that account and stops accessing new Gmail data.

Users may also revoke TaxScout.AI’s access through their Google Account permissions page at https://myaccount.google.com/permissions.

Upon written request by the CPA firm, TaxScout.AI will delete cached Gmail message data and related metadata, subject to legal, tax, security, backup, and contractual retention requirements described in this Privacy Policy. Tax documents or attachments imported from Gmail into a client tax workflow become Tax Return Information and are retained or deleted according to the Tax Return Information retention rules in Section 9.1.

10. CPA Firm Responsibilities

As the data controller for their Clients’ tax return information, the CPA firm agrees to:

        Execute an appropriate engagement letter with each Client before uploading their data to TaxScout.AI, including a Technology Platform Acknowledgment

        Obtain any additional §7216 consents required under the CPA firm’s specific circumstances

        Review and verify all AI-generated outputs before filing any tax return

        Maintain appropriate professional liability (E&O) insurance

        Comply with all applicable professional standards (AICPA, state boards)

        Notify TaxScout.AI promptly of any suspected data breach or unauthorized access

        Ensure that only authorized personnel within the firm access Client data

        Maintain the confidentiality of all account credentials and access tokens

        Implement reasonable security practices within the CPA firm’s own systems and networks

The CPA firm shall indemnify, defend, and hold harmless TaxScout.AI from and against any claims, losses, damages, liabilities, and expenses (including reasonable attorneys’ fees) arising from or related to: (a) the CPA firm’s unauthorized or unlawful processing of Personal Data; (b) any claim by a data subject or regulatory authority resulting from the CPA firm’s failure to obtain required consents or authorizations; or (c) the CPA firm’s failure to review and verify AI-generated outputs before filing.

11. Cookies and Tracking Technologies

        Essential Cookies: Required for platform functionality, authentication, session management, security (CSRF tokens), and Cloudflare verification. Cannot be disabled.

        Analytics (PostHog): We use PostHog for pseudonymized usage analytics, including session recordings and feature usage tracking. PostHog data is used solely to improve the platform and is not shared with third parties for advertising. Analytics data does not include tax return information or Client PII.

        Preference Cookies: Store user preferences (theme, layout). Can be disabled.

We do NOT use advertising cookies, tracking pixels, or third-party cookies for behavioral advertising.

12. Your Rights and Choices

12.1 Rights for All Users

        Access: Request a copy of personal data we hold about you

        Correction: Request correction of inaccurate or incomplete data

        Deletion: Request deletion, subject to legal retention requirements

        Data Portability: Request data in a structured, machine-readable format

        Opt-out: Opt out of non-essential communications

        SMS Opt-out: Reply STOP to any text message to immediately stop receiving SMS notifications. You may also contact us at [email protected] to opt out.

        Google Account Revocation: Disconnect a connected Gmail or Google Workspace account from TaxScout.AI and/or revoke TaxScout.AI’s access through your Google Account permissions page.

12.2 CPA Firm Rights (Data Controllers)

        Direct TaxScout.AI to delete all Client data upon request

        Receive data processing records and audit reports

        Approve or reject sub-processor changes

        Terminate data processing at any time with data return or deletion

12.3 California Residents (CCPA/CPRA)

        Right to know what personal information is collected and used

        Right to delete personal information

        Right to opt out of sale/sharing (Note: TaxScout.AI does not sell personal information)

        Right to non-discrimination

        Right to correct inaccurate personal information

12.4 State Privacy Rights

Residents of states with comprehensive privacy laws — including Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states that have enacted consumer privacy legislation — have rights similar to those described in Section 12.3, which may include:

        Right to access, correct, and delete personal data

        Right to data portability

        Right to opt out of targeted advertising (Note: TaxScout.AI does not engage in targeted advertising)

        Right to opt out of sale of personal data (Note: TaxScout.AI does not sell personal data)

        Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects

        Right to appeal a denial of a privacy rights request

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by your state’s applicable law (typically 30–45 days). We do not discriminate against users who exercise their privacy rights.

12.5 EU/EEA Data Subjects (GDPR)

EU/EEA residents have additional rights under GDPR, including the right to lodge a complaint with a supervisory authority.

12.6 Exercising Your Rights

Contact us at [email protected]. We will respond within thirty (30) days.

13. Children’s Privacy

Our Services are designed for tax professionals and are not directed at individuals under 16. We do not knowingly collect personal information from children.

14. International Data Transfers

TaxScout.AI stores and processes data primarily within the United States. All tax return information remains on U.S.-based servers. We do not intentionally transfer SSNs or taxpayer identification numbers outside the United States. Certain infrastructure providers (such as Cloudflare) may process access metadata at global edge nodes for performance and security purposes.

15. Data Breach Notification

        Affected CPA firms notified within seventy-two (72) hours of confirming a breach, to the extent TaxScout.AI has sufficient information to provide meaningful notification

        Detailed information about breach nature and scope

        Regulatory authorities notified as required by law

        Cooperation with CPA firms in notifying affected Taxpayers

        Immediate containment, investigation, and remediation

        Post-incident report with root cause analysis

16. Sub-Processors

Sub-Processor

Purpose

Data Processed

Location

Amazon Web Services (AWS)

File storage (S3)

Documents, PDFs (encrypted at rest)

US (us-east-1)

Supabase

Database, authentication

All structured platform data

United States

Google Cloud (Gemini)

Document OCR, AI extraction

Tax document content

United States

Anthropic (Claude)

AI-assisted chat, reasoning

Contextual tax data summaries

United States

OpenAI

AI-assisted chat, reasoning

Contextual tax data summaries

United States

Vercel

Application hosting, serverless

Request and session metadata

United States

Inngest

Background job orchestration

Document and entity metadata

United States

Stripe

Payment processing

Billing information only

United States

Resend

Transactional email delivery

Email addresses, notification content

United States

Documenso

E-signatures

Engagement letters, signatures

United States

Cloudflare

Security, CDN, bot protection

Access metadata, IP addresses

Global (edge)

Sentry

Error monitoring

Error traces, request metadata

United States

PostHog

Product analytics

Anonymized usage events

United States

17. Changes to This Privacy Policy

We will notify CPA firms of material changes at least thirty (30) days in advance via email and/or platform notice. Continued use after the effective date constitutes acceptance.

18. Contact Information

TaxScout.AI Inc.

1 Broadway, Cambridge, MA 02142

Attn: Privacy Officer

Email: [email protected]

Website: www.taxscout.ai/privacy

Privacy Policy | TaxScout.ai