Privacy Policy

1. Introduction

HOATax, Inc. ("we," "our," or "us") operates the website hoatax.ai and provides AI-powered tax preparation software for homeowners associations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. By using HOATax, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect the following categories of information:

3. How We Use Your Information

• Provide the service: Prepare and generate Form 1120-H and state tax returns using the data you provide.
• Process tax returns: Calculate tax liability, apply exemption tests, and populate official IRS and state tax forms.
• AI document extraction: Send uploaded documents to our AI provider to extract income, expense, and balance sheet figures.
• Improve accuracy: Analyze extraction quality in aggregate to improve our AI prompts and calculation logic. We do not use your specific documents for this purpose without your consent.
• Customer support: Respond to your inquiries, troubleshoot issues, and process guarantee claims.
• Billing and account management: Process payments, issue refunds, and manage your subscription or filing history.
• Transactional communications: Send emails related to your account, filings, and payment receipts.
• Legal compliance: Maintain records as required by applicable law and respond to lawful requests.

4. AI and Document Processing

HOATax uses artificial intelligence provided by Anthropic (Claude) to extract financial data from your uploaded documents. Here is what you should know:

• Documents are transmitted to Anthropic's API over encrypted connections solely for the purpose of extracting financial line items.
• Your documents and extracted data are not used to train AI models — by Anthropic or by HOATax — without your explicit consent.
• Anthropic processes your data under its API terms and privacy policy. See anthropic.com/privacy.
• Uploaded documents are retained in encrypted storage unless you delete them or close your account. You may delete individual documents at any time from your dashboard.
• Extracted data (income/expense line items) is stored in our database for use in your current and future filings within the same tax year.

5. Data Sharing

We do not sell your personal data. We share information only as necessary to operate the service:

• Stripe — Payment processing. See stripe.com/privacy.
• Clerk — Authentication and user identity management. See clerk.com/privacy.
• Cloudflare — Document storage (Cloudflare R2) and CDN/security (Cloudflare WAF). See cloudflare.com/privacypolicy.
• Anthropic — AI-powered document extraction via Claude API.
• Neon — PostgreSQL database hosting for tax and account data.
• Resend — Transactional email delivery.
• Vercel — Application hosting and serverless functions.

We may also disclose information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

6. Data Security

We implement multiple layers of security to protect your data:

• Encryption at rest: Uploaded documents are stored in Cloudflare R2 with server-side encryption. Database records containing sensitive fields (EINs) are additionally encrypted at the application layer.
• Encryption in transit: All data is transmitted over HTTPS/TLS. API calls to third-party services use encrypted connections.
• Signed URLs with expiration: Document access URLs are time-limited signed URLs that expire after a short window, preventing unauthorized access via shared links.
• Access controls: All API endpoints enforce authentication and row-level authorization. You can only access data belonging to your organization.
• Secure authentication: User authentication is managed by Clerk, which provides industry-standard security including MFA support and session management.

No method of electronic storage or transmission is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

7. Data Retention

• Active accounts: Account information and tax filing data are retained for as long as your account remains active.
• Financial documents and returns: Uploaded documents and generated tax returns are retained for 7 years to comply with IRS record retention guidelines applicable to tax returns.
• Account closure: If you close your account, we will delete or anonymize your personal data within 30 days, subject to any legal retention obligations (e.g., the 7-year rule for tax records).
• Payment records: Transaction records are retained as required by financial regulations and our agreements with Stripe.

8. Your Rights

You have the following rights with respect to your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements (e.g., tax records). We will inform you if a deletion request cannot be fully honored.
• Data portability: Request an export of your tax data, extracted financials, and generated returns in a machine-readable format.
• Opt-out of communications: Unsubscribe from marketing emails at any time using the unsubscribe link in any email or by contacting us. Transactional emails related to your account and filings cannot be opted out of while your account is active.

To exercise any of these rights, contact us at privacy@hoatax.ai. We will respond within 30 days.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties we share it with.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions permitted by law.
• Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@hoatax.ai with the subject line "CCPA Request."

10. Children's Privacy

HOATax is not designed for or directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you believe we may have collected information from a child under 13, please contact us at privacy@hoatax.ai.

11. Cookies

We use essential cookies for authentication (managed by Clerk) and session management. We do not use advertising cookies or third-party tracking cookies. Stripe and Clerk may set their own cookies as necessary for payment processing and authentication functionality. You can control cookie settings through your browser, but disabling essential cookies may affect your ability to sign in or use the service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — such as new data uses, new third-party sharing, or changes that reduce your rights — we will notify you via email to the address on your account at least 14 days before the change takes effect. Non-material changes (e.g., clarifications, formatting) will be posted on this page with an updated "Last updated" date. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact

For questions, requests, or concerns about this Privacy Policy or our data practices, please contact: