Last Updated: May 25, 2026 (v3.3)
1. Introduction
TaxScout.AI Inc. (“TaxScout.AI,” “we,” “us,” or “our”) is an AI-powered tax preparation platform designed for Certified Public Accountant (CPA) firms and their clients. This Privacy Policy describes how we collect, use, store, disclose, and protect personal information and tax return information when you use our services, including our website at www.taxscout.ai, our web-based platform, mobile applications, client portal, APIs, and any related services (collectively, the “Services”).
This Privacy Policy applies to all users of our Services, including CPA firm administrators, tax professionals (“Practitioners”), and taxpayer clients (“Clients” or “Taxpayers”) who interact with our platform through their CPA firm’s use of TaxScout.AI.
IMPORTANT: TaxScout.AI is a technology platform and service provider only. We are NOT a CPA firm, tax return preparer, enrolled agent, or tax advisor. We do not prepare, sign, or file tax returns. All tax preparation services and professional advice are provided solely by the CPA firm that has engaged you as a client.
TaxScout.AI processes sensitive tax return information subject to Internal Revenue Code (IRC) Section 7216 and Section 6713. We are committed to full compliance with all applicable federal, state, and international data protection laws.
2. Definitions
• “Tax Return Information” means any information furnished to or obtained by a tax return preparer in connection with the preparation of a tax return, as defined under IRC §7216 and Treasury Regulation §301.7216-1(b)(3).
• “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual.
• “Practitioner / CPA Firm” means a CPA, Enrolled Agent, tax preparer, or other authorized professional who uses TaxScout.AI to prepare or assist in preparing tax returns. The CPA Firm is the data controller for Client data.
• “Client / Taxpayer” means an individual or entity whose tax return information is processed through the TaxScout.AI platform via their CPA firm.
• “AI Processing” means the use of artificial intelligence, machine learning, natural language processing, and automated data extraction technologies to process, analyze, and organize tax-related documents and data. All AI outputs are preliminary drafts subject to mandatory human review.
• “Customer” means the CPA firm or accounting practice that has entered into a subscription agreement with TaxScout.AI.
• “AI Output” means any data extraction, form population, preparation note, anomaly flag, or other result generated by TaxScout.AI’s automated systems. AI Outputs may contain errors and require professional verification.
3. Information We Collect
3.1 Information Provided Directly by CPA Firms (Customers)
• Firm registration information (firm name, EIN, PTIN, address, phone, email)
• Practitioner account information (name, professional credentials, email, role)
• Billing and payment information (processed via third-party payment processors)
• Firm preferences, workflow configurations, and integration settings
• Engagement letter templates and client intake configurations
3.2 Tax Return Information (Processed on Behalf of CPA Firms)
When CPA firms use our Services to prepare tax returns for their Clients, the following categories of tax return information may be processed through our AI systems:
• Taxpayer identification information (names, Social Security Numbers, EINs, ITINs)
• Financial information (income, wages, dividends, capital gains, deductions, credits)
• Source documents (W-2s, 1099s, K-1s, receipts, bank statements, brokerage statements)
• Tax organizer responses and preparation notes
• Prior year tax return data for comparison and carry-forward purposes
• Multi-state filing information
3.3 Information Collected Through the Client Portal
When Clients access the TaxScout.AI Client Portal at the invitation of their CPA firm:
• Email address provided for portal access
• Documents uploaded by the Client for tax preparation
• Messages and communications with the CPA firm through the portal
• Electronic signatures on engagement letters and consent forms
• Portal activity (login times, document upload timestamps)
• Mobile phone number (if provided for SMS notifications; see Section 4.4)
Clients access the portal only after agreeing to our Terms of Service and Privacy Policy via the portal login page. The CPA firm is responsible for ensuring appropriate client engagement agreements are in place.
3.4 Automatically Collected Information
• Device information (browser type, operating system, device identifiers)
• Log data (IP address, access times, pages viewed, referring URLs)
• Usage analytics (features used, session duration, interaction patterns) — collected via PostHog analytics (see Section 11)
• Cookies and similar tracking technologies (see Section 11)
3.5 WISP Assessment Data
When users complete the TaxScout.AI WISP (Written Information Security Plan) assessment wizard, we collect the following categories of information:
• Contact information (email address, name, firm name) provided during email capture
• Firm security posture information (44 self-reported assessment questions covering: firm basics, security team, data inventory, hardware inventory, current security measures, employee policies, data retention practices, incident readiness, and state compliance)
• Calculated security score and gap analysis derived from assessment responses
• Generated WISP documents and certificates (for subscribers only)
• E-signature records for WISP signing and employee acknowledgements (for subscribers only)
WISP assessment data does not include taxpayer PII (Social Security Numbers, tax return data, or financial information). The assessment collects information about the firm’s IT security practices and infrastructure only. All WISP assessment data is stored in encrypted databases within the United States.
3.6 Google Account and Gmail Data
If a Practitioner connects a Gmail or Google Workspace account to TaxScout.AI through Google OAuth, we may access and process Google user data authorized by that Practitioner, including:
• Google account profile information, such as name and email address, through the openid, email, and profile scopes
• Gmail message metadata, such as sender, recipients, subject, dates, thread IDs, message IDs, and headers needed to display and organize email threads
• Gmail message content and attachments for emails displayed, searched, classified, or processed inside the TaxScout.AI dashboard
• Outgoing email content sent by the Practitioner through TaxScout.AI using the connected Gmail account
• OAuth access tokens and refresh tokens required to maintain the Gmail connection
TaxScout.AI currently requests only the Gmail permissions necessary to provide the connected email experience: gmail.readonly to display and process Gmail messages inside TaxScout.AI, and gmail.send to send emails from the connected Gmail account at the Practitioner’s direction. TaxScout.AI does not request gmail.modify and does not modify, delete, label, archive, or mark Gmail messages as read or unread in the user’s Gmail account.
4. How We Use Information
4.1 Tax Return Preparation Services (Primary Purpose)
We use tax return information solely to provide our AI-powered tax preparation Services to CPA firms, including:
• Automated extraction and classification of data from uploaded tax documents
• AI-driven data entry into tax return forms and schedules
• Generating reviewer-ready tax return drafts with AI preparation notes
• Flagging anomalies, discrepancies, and potential issues for human review
• Providing year-over-year comparisons and variance analysis
• Supporting multi-state and complex return processing
All AI-generated outputs are preliminary drafts. The CPA firm’s Practitioner is solely responsible for reviewing, verifying, and approving all outputs before filing any tax return.
4.2 Service Improvement and Operations
• Maintaining and improving the accuracy of our AI models and algorithms using only de-identified, aggregated data
• Ensuring platform reliability, security, and performance
• Providing customer support and technical assistance
• Generating aggregated, de-identified analytics on platform usage
4.3 Legal and Compliance
• Complying with applicable laws, regulations, and legal processes
• Enforcing our Terms of Service and other agreements
• Protecting against fraud, unauthorized access, and security threats
4.4 SMS/Text Message Communications
If you opt in to receive text message notifications from TaxScout.AI or your CPA firm through the TaxScout.AI platform, you consent to receive transactional SMS/text messages at the mobile phone number you provide. These messages may include:
• Tax return status updates (e.g., return ready for review, return filed)
• Document requests and missing information alerts
• Payment reminders and invoice notifications
• Engagement letter and e-signature requests
• Appointment and deadline reminders
Message frequency varies based on your tax return activity and CPA firm communications. Message and data rates may apply. You may opt out of SMS communications at any time by replying STOP to any message. Reply HELP for assistance. Opting out of SMS does not affect your ability to use the Services or receive email communications. Carrier delivery is not guaranteed. SMS is not available in all areas.
Your mobile phone number is collected solely for the purpose of delivering these transactional messages and is not shared with third parties for marketing purposes, sold, or used for any purpose other than delivering the notifications described above. Phone numbers are retained only as long as you maintain an active account or until you opt out. For more information about how we handle your data, see Section 8 (Data Security) and Section 9 (Data Retention).
4.5 WISP Assessment and Compliance Services
We use WISP assessment data (described in Section 3.5) for the following purposes:
• Calculating a security score and identifying gaps in the firm’s security posture based on a rule-based scoring engine
• Generating a customized WISP document using AI (for subscribers only), tailored to the firm’s specific security measures and state compliance requirements
• Sending assessment results via email to the email address provided during the assessment
• Managing WISP document e-signatures, employee acknowledgements, and certificate generation for subscribers
• Sending annual WISP review reminders and PTIN renewal-related notifications
• Generating de-identified, aggregated statistics on security posture trends across tax professionals (no individual firm identifiable)
WISP assessment data is not used to train AI models. AI generation of WISP documents (for subscribers) uses the assessment responses as input context only and does not retain or learn from individual firm data.
4.6 Use of Google and Gmail Data
TaxScout.AI uses Google user data only to provide user-facing connected email features that are visible in the TaxScout.AI dashboard, including:
• Connecting and authenticating a Practitioner’s Gmail or Google Workspace account
• Displaying Gmail inboxes, email threads, messages, and attachments inside TaxScout.AI
• Searching, organizing, and classifying emails for tax workflow purposes
• Extracting tax-related attachments from emails and routing them into the CPA firm’s document workflow
• Sending emails or replies from the connected Gmail account when initiated by an authorized Practitioner
• Maintaining synchronization, audit logs, abuse prevention, security monitoring, and service reliability
TaxScout.AI does not use Google user data for advertising, retargeting, credit decisions, unrelated marketing, or sale to third parties. TaxScout.AI does not use Google user data to train, fine-tune, or improve generalized AI or machine learning models.
5. AI Data Processing, Accuracy, and Privacy by Design
TaxScout.AI is built with privacy at its core. Our AI systems are designed to protect taxpayer privacy throughout the document processing lifecycle.
5.1 Data Minimization and Security Controls
NOTICE: TaxScout.AI employs data minimization practices to protect sensitive information. Sensitive identifiers (such as Social Security Numbers) are stored in the database as last-4 digits only — full values are not persisted in application storage. Tax documents may be transmitted to third-party AI providers in their original form for extraction purposes via encrypted API channels. The following security controls protect this data:
• All data is transmitted over TLS 1.2+ encrypted connections
• All AI processing occurs within the United States
• AI model providers are contractually prohibited from retaining, storing, or using any data for model training
• Data Processing Agreements (DPAs) with strict use limitations govern all third-party AI processing
• Access to processing systems is restricted to minimum necessary personnel
5.2 No Training on Client Data
CRITICAL COMMITMENT: TaxScout.AI does not use any individual taxpayer’s tax return information to train, fine-tune, or improve our general-purpose AI models. Your clients’ data is never used as training data for machine learning models that serve other customers. Any model improvement uses only de-identified, aggregated data that cannot be traced back to any individual taxpayer.
5.3 AI Output Accuracy Disclaimer
AI SERVICES & ACCURACY NOTICE: The Services utilize artificial intelligence and machine learning technologies (“AI Features”) to extract data from documents and generate preliminary tax return drafts, preparation notes, and suggestions. You acknowledge and agree that:
• AI Features may produce inaccurate, incomplete, or erroneous results (“AI Errors”), including but not limited to incorrect data extraction, misclassification of income or deductions, mathematical errors, and incorrect form selection
• AI-generated outputs are PRELIMINARY DRAFTS ONLY and are not final tax returns
• All AI outputs require mandatory review, verification, and approval by a qualified tax professional (CPA, EA, or licensed preparer) before any reliance or filing
• TaxScout.AI disclaims all liability for errors in tax returns, penalties, interest, or other consequences resulting from unverified AI output
• The CPA firm and its Practitioners bear sole professional responsibility for the accuracy and completeness of all filed tax returns
Safe Harbor: TaxScout.AI employs commercially reasonable efforts to maximize AI accuracy, including multi-layer validation, confidence scoring, and automated anomaly detection. However, AI technology is inherently probabilistic and no AI system can guarantee 100% accuracy. TaxScout.AI’s liability is limited to ensuring commercially reasonable accuracy in its AI processing systems.
5.4 AI Processing Architecture
Our AI systems use a structured processing pipeline — documents are classified, segmented, and then processed by AI extraction models that output structured data validated against defined schemas. This approach provides auditability and traceability. Confidence scores are assigned to extracted data, and low-confidence results are automatically flagged for human review. Edge cases and ambiguous tax scenarios are escalated for Practitioner review.
5.5 Human-in-the-Loop Requirement
TaxScout.AI’s AI generates drafts and preparation notes, but all final review, judgment, and filing decisions must be made by qualified tax professionals. AI outputs are always subject to Practitioner review before any return is finalized or filed. No tax return is automatically filed without explicit human approval.
5.6 Third-Party AI Providers
TaxScout.AI utilizes third-party AI model providers for document OCR, data extraction, and natural language processing. The following safeguards are in place:
• All third-party AI providers are bound by Data Processing Agreements (DPAs) or terms of service with strict use limitations
• Third-party AI providers are contractually prohibited from using any data for model training or improvement
• All processing occurs within the United States
• TaxScout.AI employs data minimization in storage (last-4 digits of sensitive identifiers). Tax documents may be transmitted to AI providers in their original form for extraction purposes via encrypted API channels
• AI providers are contractually prohibited from retaining Customer data beyond the processing request
6. IRC Section 7216 Compliance
TaxScout.AI recognizes the critical importance of IRC §7216, which imposes criminal penalties on tax return preparers who knowingly or recklessly make unauthorized disclosures or uses of tax return information.
6.1 TaxScout.AI Is NOT a Tax Return Preparer
TAXSCOUT.AI IS NOT A REGISTERED TAX RETURN PREPARER, CPA FIRM, ENROLLED AGENT, OR TAX ADVISOR. TaxScout.AI provides software tools and AI-assisted technology services only. We do not prepare, review, sign, or file tax returns. We do not provide tax advice, legal advice, or accounting advice. The CPA firm that engages you as a client is your tax return preparer and bears all professional responsibilities associated with that role.
6.2 Our Role Under §7216
TaxScout.AI operates as an auxiliary service provider and technology platform that assists CPA firms (tax return preparers) in the preparation of tax returns. Under Treasury Regulation §301.7216-1(b)(2)(iii), our services qualify as auxiliary services provided in connection with tax return preparation.
6.3 Permissible Use Without Separate Taxpayer Consent
Under Treasury Regulation §301.7216-2(d), disclosures to processors and auxiliary service providers for the purpose of tax return preparation generally do not require separate taxpayer consent, provided the information is used solely for return preparation purposes. TaxScout.AI’s processing of tax return information falls within this permissible use.
TaxScout.AI provides CPA firms with the following tools to ensure comprehensive compliance:
• A Technology Platform Acknowledgment clause is included in the engagement letter template provided to CPA firms for use with their clients
• The Client Portal login requires agreement to TaxScout.AI’s Terms of Service and Privacy Policy before any data can be submitted
• CPA firms are encouraged to obtain express §7216 consent from their clients where required under their specific circumstances, consistent with Revenue Procedure 2013-14
6.4 Data Use Restrictions
TaxScout.AI strictly adheres to the following §7216 restrictions:
• We do not use tax return information for any purpose other than assisting in tax return preparation
• We do not sell, rent, or lease taxpayer data to any third party
• We do not use tax return information for marketing or solicitation of non-tax services
• We do not disclose tax return information to any unauthorized third party
• We do not share taxpayer data with advertising networks, data brokers, or analytics platforms
• We do not use taxpayer data to train general-purpose AI models
• We maintain audit trails of security-sensitive data access and processing activities
7. Data Sharing and Third-Party Disclosures
7.1 Categories of Recipients
We may share information with the following categories of recipients, solely as necessary to provide our Services:
• CPA Firm Personnel: Tax return information is accessible only to authorized Practitioners within the subscribing CPA firm.
• Cloud Infrastructure and Hosting Providers: We use Amazon Web Services (AWS) for file storage, Supabase for database and authentication, and Vercel for application hosting. All providers process data under Data Processing Agreements (DPAs).
• AI Model Providers: Data is transmitted to third-party AI models (including Google Gemini, Anthropic Claude, and OpenAI) for document processing under strict DPA protections. See Section 5.6 for details on safeguards.
• Background Job Processing: Inngest is used for asynchronous workflow orchestration (document processing, notifications) under DPA protections.
• Payment Processors: Billing information is processed by PCI-compliant payment processors (Stripe). We do not store credit card numbers.
• E-Signature Providers: Engagement letters and consent forms are processed through secure e-signature platforms (Documenso) with full audit trails.
• Email Delivery: Transactional emails (OTP codes, notifications, invitations) are sent via Resend.
• Security and Performance: Cloudflare provides CDN, DDoS protection, and bot mitigation. Sentry provides error monitoring. These services process access metadata and error traces.
• Product Analytics: PostHog collects anonymized usage analytics to improve the platform (see Section 11).
• Professional Advisors: Our legal counsel, auditors, and compliance consultants, bound by confidentiality obligations.
7.2 We Do NOT Share Information With
• Advertising networks or ad technology companies
• Data brokers or information resellers
• Social media platforms
• Any entity for purposes unrelated to tax return preparation
• Any public or general-purpose AI chatbot (ChatGPT, Gemini, etc.) in their consumer-facing forms
7.3 Google API Services User Data and Limited Use
TaxScout.AI’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We do not sell, rent, or transfer Google user data to advertising platforms, data brokers, information resellers, or social media platforms. We do not use Google user data for serving ads, retargeting, personalized advertising, or determining creditworthiness.
We transfer Google user data only as necessary to provide or improve the user-facing connected email features described in this Privacy Policy, to maintain security, to comply with applicable law, or with the user’s explicit consent. For example, Gmail attachments that a Practitioner routes into the tax document workflow may be processed by our secure infrastructure and approved service providers solely for tax document extraction, classification, storage, and workflow automation.
Human access to Google user data is restricted to authorized personnel and only when necessary to provide support requested by the Customer, investigate security or abuse issues, comply with law, or maintain the Services.
7.4 Legal Disclosures
We may disclose information when required by law, regulation, subpoena, court order, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
7.5 Subpoena and Legal Hold Procedure
Upon receipt of a valid legal process requiring disclosure of Customer data, TaxScout.AI will: (a) promptly notify Customer unless legally prohibited from doing so; (b) limit disclosure to the minimum information required by the legal process; and (c) cooperate with Customer’s efforts to obtain a protective order or other appropriate remedy.
8. Data Security
8.1 Infrastructure Security
• All data is hosted on Amazon Web Services (AWS) and Supabase within the United States
• All data is encrypted in transit using TLS 1.2+
• All data is encrypted at rest using AES-256 server-side encryption
• Role-based access controls (RBAC) with row-level security ensure least-privilege access and multi-tenant isolation
• Multi-factor authentication (MFA) available for all administrative and practitioner access
• Automated vulnerability scanning via CI/CD pipeline (Snyk, OWASP ZAP, dependency audits)
TaxScout.AI’s infrastructure is designed to meet the security requirements outlined in IRS Publication 4557 (Safeguarding Taxpayer Data).
8.2 Application Security
• Secure development lifecycle (SDLC) practices with automated linting, security scanning, and CI/CD pipelines
• DDoS mitigation and bot protection via Cloudflare
• Audit logging of security-sensitive data access events, including document downloads, exports, and PII operations
• HSTS enforcement with preload for all client-facing interfaces
• CSRF protection for all state-changing API endpoints
8.3 Organizational Security
• Background checks for all employees with production access
• Mandatory security awareness training
• Confidentiality and non-disclosure agreements
• Business continuity and disaster recovery plans
Incident Response Plan: TaxScout.AI maintains a formal Incident Response Plan, reviewed and updated annually, which governs our response to security incidents. The plan includes defined roles and responsibilities, escalation procedures, containment protocols, forensic investigation processes, and communication requirements.
8.4 Cyber Liability Insurance
TaxScout.AI maintains cyber liability insurance coverage to protect against data security incidents. This coverage provides financial protection for incident response costs, notification expenses, and potential liability arising from data breaches.
8.5 GLBA Compliance
Tax return preparers may be considered “financial institutions” under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314). As a technology service provider to CPA firms, TaxScout.AI maintains an information security program designed to comply with the Safeguards Rule, including administrative, technical, and physical safeguards to protect customer financial information. Our security measures described in this Section 8 are designed to meet or exceed the requirements of the FTC Safeguards Rule.
9. Data Retention and Deletion
9.1 Retention Periods
• Tax Return Information: Retained for the duration of the CPA firm’s active subscription plus a maximum of seven (7) years, consistent with IRS record-keeping requirements, unless a shorter period is requested.
• Engagement Letters & Signatures: Retained for seven (7) years with full audit trail (signer identity, IP address, timestamp, device information).
• Account Information: Retained for the duration of the account plus three (3) years after termination.
• Usage and Log Data: Retained for up to two (2) years.
• Billing Records: Retained for seven (7) years for tax and audit compliance.
• WISP Assessment Data: Assessment responses and security scores are retained for the duration of the account. For free (non-subscriber) assessments, data is retained for three (3) years from the date of the assessment or until deletion is requested. Generated WISP documents and certificates are retained for the duration of the subscription plus seven (7) years. WISP version history is retained alongside the current document.
9.2 Deletion and Data Portability
Upon account termination or written request by the CPA firm:
• All tax return information will be securely deleted or returned within sixty (60) days
• Deletion uses industry-standard secure erasure methods, including cryptographic erasure (crypto-shredding) where applicable, ensuring that encrypted data becomes permanently unrecoverable upon key destruction
• CPA firms may request data export in standard formats prior to termination
• Written confirmation of data deletion provided upon request
• Backup copies purged within ninety (90) days of deletion request
9.3 Google Account Disconnection, Revocation, and Deletion
Practitioners may disconnect a Gmail or Google Workspace account from TaxScout.AI at any time through the TaxScout.AI dashboard. When an account is disconnected, TaxScout.AI deletes the stored OAuth tokens for that account and stops accessing new Gmail data.
Users may also revoke TaxScout.AI’s access through their Google Account permissions page at https://myaccount.google.com/permissions.
Upon written request by the CPA firm, TaxScout.AI will delete cached Gmail message data and related metadata, subject to legal, tax, security, backup, and contractual retention requirements described in this Privacy Policy. Tax documents or attachments imported from Gmail into a client tax workflow become Tax Return Information and are retained or deleted according to the Tax Return Information retention rules in Section 9.1.
10. CPA Firm Responsibilities
As the data controller for their Clients’ tax return information, the CPA firm agrees to:
• Execute an appropriate engagement letter with each Client before uploading their data to TaxScout.AI, including a Technology Platform Acknowledgment
• Obtain any additional §7216 consents required under the CPA firm’s specific circumstances
• Review and verify all AI-generated outputs before filing any tax return
• Maintain appropriate professional liability (E&O) insurance
• Comply with all applicable professional standards (AICPA, state boards)
• Notify TaxScout.AI promptly of any suspected data breach or unauthorized access
• Ensure that only authorized personnel within the firm access Client data
• Maintain the confidentiality of all account credentials and access tokens
• Implement reasonable security practices within the CPA firm’s own systems and networks
The CPA firm shall indemnify, defend, and hold harmless TaxScout.AI from and against any claims, losses, damages, liabilities, and expenses (including reasonable attorneys’ fees) arising from or related to: (a) the CPA firm’s unauthorized or unlawful processing of Personal Data; (b) any claim by a data subject or regulatory authority resulting from the CPA firm’s failure to obtain required consents or authorizations; or (c) the CPA firm’s failure to review and verify AI-generated outputs before filing.
11. Cookies and Tracking Technologies
• Essential Cookies: Required for platform functionality, authentication, session management, security (CSRF tokens), and Cloudflare verification. Cannot be disabled.
• Analytics (PostHog): We use PostHog for pseudonymized usage analytics, including session recordings and feature usage tracking. PostHog data is used solely to improve the platform and is not shared with third parties for advertising. Analytics data does not include tax return information or Client PII.
• Preference Cookies: Store user preferences (theme, layout). Can be disabled.
We do NOT use advertising cookies, tracking pixels, or third-party cookies for behavioral advertising.
12. Your Rights and Choices
12.1 Rights for All Users
• Access: Request a copy of personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion, subject to legal retention requirements
• Data Portability: Request data in a structured, machine-readable format
• Opt-out: Opt out of non-essential communications
• SMS Opt-out: Reply STOP to any text message to immediately stop receiving SMS notifications. You may also contact us at [email protected] to opt out.
• Google Account Revocation: Disconnect a connected Gmail or Google Workspace account from TaxScout.AI and/or revoke TaxScout.AI’s access through your Google Account permissions page.
12.2 CPA Firm Rights (Data Controllers)
• Direct TaxScout.AI to delete all Client data upon request
• Receive data processing records and audit reports
• Approve or reject sub-processor changes
• Terminate data processing at any time with data return or deletion
12.3 California Residents (CCPA/CPRA)
• Right to know what personal information is collected and used
• Right to delete personal information
• Right to opt out of sale/sharing (Note: TaxScout.AI does not sell personal information)
• Right to non-discrimination
• Right to correct inaccurate personal information
12.4 State Privacy Rights
Residents of states with comprehensive privacy laws — including Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states that have enacted consumer privacy legislation — have rights similar to those described in Section 12.3, which may include:
• Right to access, correct, and delete personal data
• Right to data portability
• Right to opt out of targeted advertising (Note: TaxScout.AI does not engage in targeted advertising)
• Right to opt out of sale of personal data (Note: TaxScout.AI does not sell personal data)
• Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
• Right to appeal a denial of a privacy rights request
To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by your state’s applicable law (typically 30–45 days). We do not discriminate against users who exercise their privacy rights.
12.5 EU/EEA Data Subjects (GDPR)
EU/EEA residents have additional rights under GDPR, including the right to lodge a complaint with a supervisory authority.
12.6 Exercising Your Rights
Contact us at [email protected]. We will respond within thirty (30) days.
13. Children’s Privacy
Our Services are designed for tax professionals and are not directed at individuals under 16. We do not knowingly collect personal information from children.
14. International Data Transfers
TaxScout.AI stores and processes data primarily within the United States. All tax return information remains on U.S.-based servers. We do not intentionally transfer SSNs or taxpayer identification numbers outside the United States. Certain infrastructure providers (such as Cloudflare) may process access metadata at global edge nodes for performance and security purposes.
15. Data Breach Notification
• Affected CPA firms notified within seventy-two (72) hours of confirming a breach, to the extent TaxScout.AI has sufficient information to provide meaningful notification
• Detailed information about breach nature and scope
• Regulatory authorities notified as required by law
• Cooperation with CPA firms in notifying affected Taxpayers
• Immediate containment, investigation, and remediation
• Post-incident report with root cause analysis
16. Sub-Processors
Sub-Processor | Purpose | Data Processed | Location |
Amazon Web Services (AWS) | File storage (S3) | Documents, PDFs (encrypted at rest) | US (us-east-1) |
Supabase | Database, authentication | All structured platform data | United States |
Google Cloud (Gemini) | Document OCR, AI extraction | Tax document content | United States |
Anthropic (Claude) | AI-assisted chat, reasoning | Contextual tax data summaries | United States |
OpenAI | AI-assisted chat, reasoning | Contextual tax data summaries | United States |
Vercel | Application hosting, serverless | Request and session metadata | United States |
Inngest | Background job orchestration | Document and entity metadata | United States |
Stripe | Payment processing | Billing information only | United States |
Resend | Transactional email delivery | Email addresses, notification content | United States |
Documenso | E-signatures | Engagement letters, signatures | United States |
Cloudflare | Security, CDN, bot protection | Access metadata, IP addresses | Global (edge) |
Sentry | Error monitoring | Error traces, request metadata | United States |
PostHog | Product analytics | Anonymized usage events | United States |
17. Changes to This Privacy Policy
We will notify CPA firms of material changes at least thirty (30) days in advance via email and/or platform notice. Continued use after the effective date constitutes acceptance.
18. Contact Information
TaxScout.AI Inc.
1 Broadway, Cambridge, MA 02142
Attn: Privacy Officer
Email: [email protected]
Website: www.taxscout.ai/privacy