Privacy Policy

Last Updated: 04/20/2025

Welcome to the privacy statement of Neo.Tax. Our greatest asset is your trust in us to handle your valuable data properly. We would never compromise that trust by misusing any information you trust us with. This privacy policy will inform you as to how we look after your data and tell you about your privacy rights and how the law protects you.

Purpose of This Privacy Statement

This privacy notice explains how Neo.Tax collects, uses, and protects your personal data when you interact with our products and services. It also outlines your rights under applicable data protection laws, including the General Data Protection Regulation (GDPR).

Whether we’re acting as a data controller for our Marketing & Business Development activities, or as a data processor on behalf of our customers for tax automation services, we encourage you to read this notice to understand how and why your data is processed.

Privacy Statement Changes

We may update this Privacy statement occasionally. We will email you for changes we think are important to you. Current version of this privacy statement will always be located on our website and app.

The Data We Collect About You

Personal data, or personal information, means any information about an individual or related business from which that person can be identified or that is linked to information that identifies a specific individual. We may collect, use, store and transfer different kinds of personal data, which we have grouped together as follows:

Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth, and gender.
Contact Data includes billing address, email address, telephone, mobile numbers, and other contact information.
Financial Data includes bank account information, credit card information, and other payment instrument information.
Profile Data includes username and password, your purchases or orders, your interests, preferences, feedback, and survey responses.
Usage Data includes information about how you use our applications and services.

We also collect, use and share Aggregated Data such as statistical data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users using a specific feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
‍
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

If You Fail To Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide you with services. In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.

How We Use Your Data

We are showing our commitment to the highest standards of privacy rights by outlining below a description of all the ways we plan to use your data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. We will never disclose, share or sell your data without your consent, unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this statement.

As a Processor, we process employee/project data on behalf of our customers to: generate tax credit analyses, categorize transactions, store and delete data according to controller instructions. We do not make any independent decisions about how this data is used. Controllers provide the legal basis and respond to data subject requests.

As a Controller, we process business contact data for outreach to relevant professionals based on legitimate interest related to marketing and business development. You may object at any time to our use of your data for direct marketing (see “Your Rights” below).

Please contact us if you need more details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

To correspond with the IRS of your behalf

Types of Data
‍Business content information
Industry and line of business(es)
EIN & TIN
Signature
Business owners’ contact info

‍Lawful basis for processing including basis of legitimate interest
‍Necessary to comply with a legal obligation

To accurately categorize your business transactions real-time as they happen

Types of Data
‍Accounting workbooks
Accounting general ledger
Payroll systems
Prior years' tax returns

‍Lawful basis for processing including basis of legitimate interest
Performance of a contract with you
Necessary for our legitimate interests (to keep our records updated, and to study how customers use our products/services)

To match business transactions with their respective context (e.g., receipts, invoices, travel itineraries) to appropriately determine deductibility of expenses

Types of Data
‍Emails
Attachments
Credit card transactions
Bank transactions
Calendar events

To uncover all possible deductions for your business

Types of Data
‍Emails
Attachments
Credit card transactions
Bank transactions
Calendar events
Payroll information
Accounting workbooks

‍Lawful basis for processing including basis of legitimate interest
‍Performance of a contract with you
Necessary for our legitimate interests (to keep our records updated, and to study how our customers use our products/services)

To optimize your tax strategy in ways that no human can

Types of Data
‍Prior years' tax returns

To train our models using your inputs on categorization

Types of Data
‍Your input on item categorizations and tax strategies

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences

Types of Data
‍Technical Usage

To market our products and services to you

Types of Data
‍Name
Email addresses

‍Lawful basis for processing including basis of legitimate interest
Necessary for our legitimate interests (to provide you product and service updates)

Sharing Of Your Data

For the purposes set out in the table above, we may share your data with:

Sub-Processors with whom we are collaborating for the purposes for which we collected the data
Relevant law enforcement officials or third parties (e.g. auditors or investigators) to investigate fraud.
Relevant regulators or law enforcement officials in response to a valid request for information where we believe disclosure is in accordance with applicable law, regulation or legal process.

We require all Sub-Processors to respect the security of your personal data and to treat it in accordance with the law. All sub-processors are bound by data protection terms and undergo regular due diligence. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

List of our Sub-Processors and related purposes:

Name of Sub-processor: Google Cloud.
- Sub-contracted activities: Backend cloud infrastructure.
Name of Sub-processor: Neon.
- Sub-contracted activities: Data storage.
Name of Sub-processor: Vercel.
- Sub-contracted activities: Frontend cloud infrastructure.
Name of Sub-processor: CircleCI.
- Sub-contracted activities: Continuous integration.
Name of Sub-processor: Baseten.
- Sub-contracted activities: Backend ML infrastructure.
Name of Sub-processor: Modal.
- Sub-contracted activities: AI hosting platform.
Name of Sub-processor: OpenAI.
- Sub-contracted activities: Advanced Al models and API.
Name of Sub-processor: Merge.dev.
- Sub-contracted activities: Project management data.
Name of Sub-processor: Finch.
- Sub-contracted activities: HR/payroll data.

Where We Store Your Data

Your personal data is stored in the United States of America. For our customers in the EU and UK, we use GDPR-approved safeguards, including Standard Contractual Clauses (SCCs) and The UK’s International Data Transfer Addendum (if applicable) as we transfer your data outside the EU/UK.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. Some measures to protect data include:

SOC 2 Type 2 controls
AES-256 encryption
Role-based access controls
Incident response protocols

In addition, we limit access to your personal data to third parties or Sub-Processors who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

Data Breach Notification

We have robust procedures in place to detect, investigate, and respond to personal data breaches.

If we act as a controller and a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the appropriate supervisory authority within 72 hours and, where required, also inform you without undue delay.

If we act as a processor on behalf of a customer, we will promptly notify the controller of any data breach affecting personal data we process for them, in line with our contractual and legal obligations.

Our response includes containment, impact assessment, mitigation, and documentation of all breach-related activity in accordance with GDPR Articles 33 and 34

Data Retention

How long will we use your data: We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. In some circumstances you can ask us to delete your data: see “Your Rights” below for further information. Moreover, in some circumstances we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your Rights

As an individual, you may have the right to:

Access your personal data
Request correction or deletion
Object to or restrict processing
Withdraw consent (where applicable)
File a complaint with a data protection authority

If we process your data as a controller (e.g., for outreach), you may contact us directly to exercise your rights.

If we process your data as a processor (e.g., on behalf of a customer), we will refer your request to the controller (our customer), as required by GDPR Article 28(3)(e).

To exercise your rights, please email: privacy@neo.tax

Contact Details

If you have any questions or concerns about this privacy notice or how we handle data, please contact:

Neo.Tax Privacy Team

privacy@neo.tax

‍