Privacy Policy

IRS Notice Responder is an information and document drafting service. We help users understand IRS notices and prepare response letters. We are not a tax preparation firm, law firm, or financial advisor. Users sign and submit all responses themselves.

Information You Provide Directly

IRS notices you upload. These may include your name, address, Social Security Number or Employer Identification Number, tax year, amounts owed, and IRS reference numbers.

Information you enter on forms. Full legal name, mailing address, phone number, and any free-text explanations you provide when generating a response letter.

Account information. If you create an account, we collect your email address and a hashed password (or use a magic link, depending on the method you choose).

Payment information. Card details and billing address are collected and processed by Paddle, our payment processor. We do not directly store credit card numbers.

Support communications. When you contact us, we keep a record of that correspondence.

Information We Collect Automatically

Usage data. Pages visited, time spent on the site, features used, errors encountered.

Device and browser data. IP address, browser type, operating system, screen size, referring URL.

Cookies and similar technology. Used to keep you signed in, remember your preferences, and measure how the Service is used. See Section 8 for details.

Information We Do Not Collect

• We do not knowingly collect information from children under 18.
• We do not collect biometric data, precise geolocation, or sensitive health information.
• We do not collect information about your political opinions, religious beliefs, or other special categories of data unless you voluntarily disclose them in a response letter (which we discourage).

We use the information we collect to:

• Analyze the IRS notice you upload and generate a draft response letter
• Process your payment and manage your account or subscription
• Send you the response letter and follow-up reminders if you opt in
• Provide customer support when you contact us
• Improve the Service in aggregate, anonymized form. We do not train AI models on your data. See Section 5.
• Comply with legal obligations and protect against fraud
• Communicate with you about service updates, security issues, or changes to this policy

We do not use your information to sell you unrelated products or to target you with advertising on other websites.

We share your information only as described below. We do not sell your personal information.

Service Providers

We use third-party services to operate the Service. These providers are contractually required to protect your data and use it only to provide their services to us:

• Anthropic (anthropic.com): Processes the contents of your IRS notice to generate analysis and response letters. Anthropic does not use this data to train their models.
• Supabase (supabase.com): Hosts our database and user authentication.
• Paddle (paddle.com): Processes payments and manages subscriptions. Paddle acts as the merchant of record.
• Lovable (lovable.app): Hosts our web application.
• Cloudflare: Provides network security, content delivery, and DDoS protection.
• Resend (resend.com): Delivers transactional emails (receipts, response letters, account notifications).
• Google Analytics (google.com/analytics): Collects aggregated usage data such as which pages you visit, how long you stay, and which browser and device you use. Google may set cookies and process this data on their servers. We do not share personally identifiable information such as your name, email, or IRS notice contents with Google Analytics. Google's privacy practices are governed by Google's own privacy policy at policies.google.com/privacy.

Legal and Safety

We may disclose information when required by law (subpoena, court order, government request) or when we believe disclosure is necessary to protect rights, property, or safety. We will notify you of such requests when legally permitted to do so.

Business Transfers

If we are acquired, merged, or sell substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you of any such change before the transfer is complete.

Aggregated or De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, "10,000 users used our service in Q1 2026" contains no personal information.

We use Anthropic's Claude AI to analyze your IRS notice and generate response letters. You should know:

• The full contents of your IRS notice, including any personal information shown on it, are sent to Anthropic's API for processing.
• Anthropic has committed contractually to not use API data to train their models.
• Anthropic stores API request data for a limited period (currently up to 30 days) for abuse prevention purposes. We have no control over this retention.
• The analysis and letter drafting happens in real time. We do not retain a copy of the request to Anthropic beyond the output we receive.
• Google Analytics tracks aggregated usage patterns of our AI features (which features you use, how often) but does not see the contents of your IRS notices or response letters.

If you are uncomfortable with AI processing of your tax information, this Service is not for you. We disclose this clearly so you can make an informed choice.

We take reasonable measures to protect your information:

• All connections to our Service use HTTPS encryption (TLS 1.2 or higher).
• IRS notice uploads are stored in encrypted form (AES-256 at rest).
• Access to user data is restricted to authorized personnel on a need-to-know basis.
• Passwords are hashed using industry-standard algorithms. We never see your password in plain text.
• We monitor for security incidents and have procedures to respond to breaches.

No system is perfectly secure. While we take strong measures to protect your data, we cannot guarantee absolute security. If a data breach occurs that affects your personal information, we will notify you as required by applicable law.

We retain different categories of data for different periods:

• IRS notice files you upload: Retained for 90 days after upload to support customer service inquiries, then automatically deleted. You may request earlier deletion by contacting us.
• Generated response letters: Retained for 180 days in your account for re-download, then automatically deleted.
• Account data (email, account settings): Retained as long as your account is active. Deleted within 30 days of account closure.
• Payment records: Retained for 7 years as required by tax and accounting laws.
• Customer support communications: Retained for 3 years.
• Server logs containing IP addresses: Retained for 90 days for security purposes, then deleted or anonymized.
• Google Analytics data: Retained according to our Google Analytics settings (currently 2 months) and Google's own retention policies.

You can request deletion of your data at any time. See Section 9 for how to make such requests.

We use cookies and similar technologies for the following purposes.

Essential cookies. These are required for the Service to function. They keep you signed in, remember your session, maintain security, and process payments. You cannot disable these and continue to use the Service.

Google Analytics. We use Google Analytics to understand how visitors use our Service so we can improve it. Google Analytics uses cookies to collect information such as:

• Which pages you visit and in what order
• How long you spend on each page
• Whether you complete key actions (uploading a notice, completing a purchase)
• Your approximate geographic location (city-level, derived from IP address)
• The device, browser, and operating system you use
• The website or search query that brought you to us

We have configured Google Analytics with IP anonymization enabled, which means Google does not store your full IP address. We have not enabled Google Signals or advertising features, so Google Analytics is not used to target you with ads on other websites.

Google may still process this data in accordance with their own privacy policy at policies.google.com/privacy. Google's data is processed in the United States and other countries where Google operates.

You can opt out of Google Analytics in several ways:

• Install the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout
• Use a browser with tracking protection enabled (Brave, Firefox with strict tracking protection, Safari)
• Use a content blocker that blocks Google Analytics
• Decline analytics cookies via our cookie banner (if you live in a region where we display one)

No advertising cookies. We do not use cookies to retarget you with ads on other websites. We do not sell or share your data with advertising networks.

Browser controls. You can manage cookies through your browser settings. Disabling essential cookies will prevent the Service from working correctly. Disabling analytics cookies will not affect functionality.

Depending on where you live, you may have certain rights regarding your personal information. We honor these rights for all users where reasonably possible, regardless of jurisdiction.

Universal rights we offer

• Access: Request a copy of the personal information we have about you.
• Correction: Ask us to correct inaccurate information.
• Deletion: Ask us to delete your information. Some information may be retained as required by law (e.g., payment records for 7 years).
• Export: Request your data in a portable, machine-readable format.
• Opt out of marketing: Unsubscribe from non-essential emails at any time.

California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act including the right to know what categories of personal information we collect, the right to delete your personal information, the right to opt out of "sale" or "sharing" (we do neither), and the right not to be discriminated against for exercising these rights.

Virginia, Colorado, Connecticut, Utah, and other state residents

Residents of these states have rights similar to those described above under their respective state laws. The same request process applies.

How to exercise your rights

To exercise any of the rights described above, contact us through the support channels available on our website. We will respond within 30 days. We may need to verify your identity before processing certain requests.

The Service is not directed at children under 18. We do not knowingly collect information from anyone under 18. If you believe a minor has used the Service, contact us and we will delete their information.

We are based in the United States and our infrastructure is primarily located in the US. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data protection laws than your home country.

We do not currently market the Service to users outside the United States. If you are located in the European Union, United Kingdom, or another jurisdiction with strict data protection laws, this Service may not be appropriate for you.

We may update this Privacy Policy from time to time. When we do, we will:

• Post the updated policy on this page
• Update the "Last Updated" date at the top
• For material changes, notify you by email (if we have your email) at least 30 days before the changes take effect

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

For questions, concerns, or requests related to your privacy, contact us through the support channels available on our website.