Privacy Policy

Last updated: February 2026

1. Information We Collect

We collect the following information when you use our services:

  • Wallet addresses — Solana public keys provided when connecting a Phantom wallet for crypto payments or Token Access Program membership.
  • Hashed IP addresses — Your IP address is hashed using SHA-256 with a daily rotating salt before storage. We never store plaintext IP addresses.
  • Payment history — Records of Stripe checkout sessions and crypto payment transactions, including amounts, timestamps, and tool access granted.
  • Page view analytics — Anonymous page view counts (page name and timestamp only). No personal identifiers are attached to analytics data. This tracking only occurs if you accept analytics cookies via the consent banner.

2. How We Use Your Information

  • Payment processing — To verify payments, grant tool access, and manage access tokens.
  • Anonymous analytics — To understand which tools are used most and improve the service. Analytics are fully anonymous and consent-based.
  • Fraud prevention — Rate limiting, nonce verification for wallet authentication, and hashed IP tracking to prevent abuse.

3. Data Retention

We retain data for limited periods and automatically purge it afterwards:

  • Payment records — Kept indefinitely for revenue and audit purposes.
  • Analytics data — Page views, daily unique counts, and feedback are retained for 1 year (365 days). Visitor-level analytics are pruned after 7 days.
  • Authentication logs — Login attempts and auth logs are retained for 90 days.
  • Admin logs — Visitor logs, error logs, and processing logs are capped at fixed row limits and retained for up to 90 days.
  • Short-lived data — Access tokens, payment sessions, and authentication nonces are cleaned automatically by background jobs (hourly, every 30 minutes, and every 10 minutes respectively).

Automated background jobs enforce these retention limits on a continuous schedule. After the retention period, data is permanently deleted.

4. Cookies

This site uses two types of cookies:

  • Functional cookies (required) — An httpOnly authentication cookie that stores your access token after payment. This cookie is essential for tool access and cannot be disabled. It is not accessible to JavaScript and is only sent to our server.
  • Analytics tracking (optional) — When you accept analytics via the consent banner, anonymous page view data is sent to our server. If you choose "Functional Only," no analytics data is collected. You can change your preference by clearing your browser's localStorage for this site.

5. Third-Party Sharing

We do not sell, trade, or share your personal data with third parties. The following external services are used as part of our operations:

  • Stripe — Processes card payments. Stripe handles payment card data under their own privacy policy. We do not store card numbers.
  • Solana RPC — We communicate with the Solana blockchain via RPC to verify crypto payments, check token balances, and process wallet transactions. Wallet addresses and transaction amounts are publicly visible by nature of the blockchain.
  • Anthropic Claude API — Transaction data from uploaded files may be sent to the Anthropic Claude API for AI-powered classification (Smart Labeler) and unknown bank/CSV format analysis. Only transaction descriptions and amounts are sent; no personally identifiable information is included. Anthropic's data handling is governed by their privacy policy.
  • Sentry — If configured, error reports (stack traces, request metadata) may be sent to Sentry for crash monitoring. No uploaded file content is included in error reports.

6. Data Security

  • IP addresses are hashed before storage and never stored in plaintext.
  • Access tokens are stored in httpOnly cookies, preventing JavaScript access.
  • Uploaded files are read into memory for processing. Generated output files (Excel workbooks) are written to the server's temporary directory for download and are cleaned after retrieval. We do not permanently store your bank statements or financial documents.
  • CSRF protection validates request origins on all state-changing operations.
  • Rate limiting prevents abuse of all API endpoints.

7. Your Rights

  • You can decline analytics tracking at any time via the cookie consent banner. To reset your choice, clear localStorage for this site in your browser settings.
  • Uploaded files are not permanently stored. They are processed in memory, and generated outputs are written to a temporary directory for download and then cleaned.
  • Payment and analytics data is automatically deleted after the retention periods listed above.

If you have questions about this privacy policy, please contact your tax preparer or service administrator.