Privacy & Security Policy

Last updated: February 12, 2026

1. Our Commitment

Taxably, Inc. (“Taxably,” “we,” “us”) is committed to protecting the privacy and security of our users and their clients. This policy describes how we collect, use, store, and protect information when you use the Taxably web application and Taxably Sync desktop agent (collectively, the “Service”).

2. Architecture & Data Flow

Taxably is designed with a privacy-first architecture. Understanding how data flows through our system is essential to understanding our privacy posture:

Local Processing. Taxably Sync runs as a Windows agent on your workstation. It monitors folders that your existing practice management software (TaxDome, Canopy, Google Drive) already syncs to your machine. Raw client documents — PDFs, images, scanned files — are read and processed locally on your hardware.

Redacted Metadata Only. When Taxably Sync detects a new file, it extracts text content locally and redacts personally identifiable information (PII) including Social Security numbers, bank account numbers, dates of birth, and other sensitive identifiers before sending any data to our cloud classification API. Only redacted, anonymized metadata is transmitted.

Local Write-Back. After classification, Taxably Sync moves or copies the original file to the appropriate folder on your local drive. Your practice management software then syncs the organized file back to the cloud. At no point does the raw document leave your machine through Taxably.

3. Information We Collect

Account Information. When you create an account, we collect your name, email address, firm name, and password (stored as a salted bcrypt hash). We never store passwords in plaintext.

Classification Metadata. We collect the redacted document metadata sent to our API for classification, including document type predictions, confidence scores, and anonymized text excerpts. This data is retained to improve classification accuracy.

Device Information. When you link a workstation via Taxably Sync, we collect a device identifier, operating system version, and agent version number for compatibility and support purposes.

Usage Analytics. We collect anonymized usage data including feature usage patterns, classification volumes, and error rates. We do not use third-party analytics trackers.

Audit Logs. Every classification, file action, and user review decision is logged for compliance and accountability purposes. These logs are accessible to you through the Taxably dashboard.

4. Information We Never Collect

We do not collect, transmit, or store raw client documents, tax returns, Social Security numbers, bank account numbers, or any other unredacted personally identifiable information belonging to your clients.

We do not sell, rent, or share any user data with third parties for marketing or advertising purposes. We do not display advertisements in our products.

5. Security Measures

Encryption in Transit. All communications between Taxably Sync and our cloud API are encrypted using TLS 1.3. All web traffic to taxably.ai is served over HTTPS.

Encryption at Rest. Account data, classification metadata, and audit logs stored on our servers are encrypted at rest using AES-256 encryption.

Infrastructure. Our cloud infrastructure is hosted on Amazon Web Services (AWS) in the United States, using services that maintain SOC 2, ISO 27001, and FedRAMP compliance.

Authentication. We support multi-factor authentication (TOTP-based) for all accounts. Passwords are hashed using bcrypt with unique salts. Session tokens are short-lived and rotated regularly.

Device Linking. Workstations are paired to accounts using a one-time 6-digit code with a short expiration window. No passwords are stored on the local device.

6. Data Retention & Deletion

Classification metadata and audit logs are retained for the duration of your account. When you delete your account, all associated data — including classification history, device registrations, and audit logs — is permanently deleted within 30 days.

Raw documents are never stored by Taxably and therefore are not subject to our retention policies. They remain on your local machine and within your practice management system.

7. Third-Party Services

We use the following third-party services in the operation of Taxably:

Amazon Web Services (AWS) — Cloud infrastructure, compute, storage, and content delivery.

Stripe — Payment processing. We do not store credit card numbers; all payment data is handled by Stripe in accordance with PCI DSS Level 1 compliance.

Anthropic / OpenAI — AI model providers used for document classification. Only redacted metadata is sent to these services. We maintain data processing agreements with all AI providers.

8. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us at privacy@taxably.ai. We will respond within 30 days.

You may export your classification history and audit logs from the Taxably dashboard at any time.

9. Regulatory Compliance

Taxably is designed to support compliance with IRS Publication 4557 (Safeguarding Taxpayer Data), the Gramm-Leach-Bliley Act (GLBA), and applicable state privacy regulations. Our privacy-first architecture — where raw documents never leave your machine — is specifically designed to minimize regulatory risk for tax practitioners.

Taxably, Inc. is a Delaware C-Corporation headquartered in Tucson, Arizona.

10. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email and post the updated policy on this page. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

11. Contact

For privacy questions, data requests, or security concerns, contact us at privacy@taxably.ai or write to: Taxably, Inc., Tucson, AZ 85719.