Your data, in plain English.
Effective: 2026-05-04 · Last updated: 2026-05-04
Who we are
Taxottic is a tax forecasting and deduction-tracking service operated by Techno Optics LLC, a Massachusetts limited liability company ("we", "us", "Taxottic"). Contact: contact@taxottic.com.
For data-protection inquiries (GDPR / CCPA requests, deletion, portability): privacy@taxottic.com.
What we collect, and why
We only collect what we need to forecast your taxes and run your account. We do not buy data about you.
- Account info from sign-in: email, full name, profile photo (when supplied by Google or Microsoft). Used for authentication and to greet you.
- Tax profile you enter: filing status, state, dependents, business profile fields. Used to run forecasts.
- Income and expense entries you log or import. Used to calculate your federal + state tax estimate, surface deductions, and produce reports you ask for (Schedule C export).
- Bank connection metadata if you connect a bank via Plaid: the institution name, last-four account mask, and per-transaction merchant + amount + date. We do not see your bank login. See "Bank connections" below.
- Bella conversations: messages you send to our in-app guide. Used to generate replies and improve Bella's answers.
- Operational data: timestamps, IP address (at request time, not stored long-term), browser user-agent, and usage events necessary for security, debugging, and billing.
Bank connections (Plaid)
When you connect a bank account through Plaid, your bank credentials are entered into Plaid's secure interface and never reach Taxottic servers. Plaid returns an access token and the transaction stream we display.
Plaid's privacy practices are documented at plaid.com/legal. You can disconnect a bank at any time from Banks » Disconnect; we then revoke the access token and stop syncing.
How we use your data
- To operate the service (sign-in, forecasts, exports).
- To send service emails: receipts, security alerts, quarterly-tax reminders you opted into.
- To improve the product, in aggregated and de-identified form.
- To comply with law, respond to lawful requests, and protect our rights.
We do not use your data to train any third party's general AI model. Bella's replies are generated by Anthropic on your behalf for your session and are not retained by Anthropic for training (per our Anthropic enterprise agreement).
Who else processes your data (subprocessors)
We rely on a short list of vetted vendors to operate Taxottic. See the full list with their roles and data residency at /legal/subprocessors. We update that page when we add or change a vendor.
Where your data lives
Application data is stored in the United States (Supabase, Postgres, AWS us-east-1) and served via Vercel's global edge. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Backups are encrypted and retained for 30 days.
Your rights
Wherever you live, you can ask us to:
- Access the personal data we hold about you.
- Correct data that is wrong or incomplete.
- Export your data in a portable format (CSV + JSON).
- Delete your account and all associated personal data.
- Restrict certain processing (e.g. opt out of analytics).
- Object to processing where we rely on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
California residents have additional rights under the CCPA / CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising.
EU / UK residents have rights under the GDPR / UK GDPR. The legal bases we rely on are: performance of a contract (operating the service you signed up for), legitimate interests (security, fraud prevention, product improvement), and consent (marketing emails, optional cookies).
To exercise any right, write to privacy@taxottic.com. We respond within 30 days. You can also lodge a complaint with your local data protection authority.
Retention
We retain your data while your account is active. When you delete your account, personal data is deleted within 30 days from production systems and within 90 days from encrypted backups. We may retain de-identified, aggregated data for analytics indefinitely.
Tax-related records you ask us to keep (Schedule C exports you have generated) follow IRS retention guidance: typically 7 years from the relevant tax year. You may delete them earlier from the app.
Companies and bank connections — 30-day recycle bin. When you close a company or disconnect a bank, the item is moved to a per-user recycle bin at /settings/recycle-bin. During the 30-day grace window you can restore it in one click or permanently delete it now. After 30 days, the item is hard-deleted automatically — the company (with all its income, expenses, and transactions) or the bank connection (with its accounts and historical transactions) is removed from the database. Encrypted backups age out of retention on the schedule above. We do not keep a separate “deleted customer” archive.
You can always export everything we have on you first, before deleting, at /settings/data. The download is a single JSON file including items currently in the recycle bin.
Children
Taxottic is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has signed up, write to privacy@taxottic.com and we will delete the account.
Cookies
We use a small number of cookies, all of them strictly necessary for sign-in and session continuity. We do not set advertising or cross-site tracking cookies. Details: /legal/cookies.
Security
Our security posture is summarised at /legal/security. If you believe you have found a vulnerability, please email security@taxottic.com. We respond within 2 business days.
Google API user-data policy
When you sign in with Google, we receive your name, email address, and profile picture via the OpenID Connect openid email profile scopes. Taxottic's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not share it with third parties for advertising, and do not use it for any purpose other than authenticating your Taxottic session and personalising your account.
Changes
We will tell you (in-app banner + email) when we make material changes. Routine updates are reflected by the "Last updated" date at the top of this page.