Privacy Policy
Last Updated: 04/20/2025
Welcome to the privacy statement of Neo.Tax. Our greatest asset is your trust in us to handle your valuable data properly. We would never compromise that trust by misusing any information you trust us with. This privacy policy will inform you as to how we look after your data and tell you about your privacy rights and how the law protects you.
Purpose of This Privacy Statement
This privacy notice explains how Neo.Tax collects, uses, and protects your personal data when you interact with our products and services. It also outlines your rights under applicable data protection laws, including the General Data Protection Regulation (GDPR).
Whether we’re acting as a data controller for our Marketing & Business Development activities, or as a data processor on behalf of our customers for tax automation services, we encourage you to read this notice to understand how and why your data is processed.
Privacy Statement Changes
We may update this privacy statement occasionally. We will email you about changes we think are important to you. The current version of this privacy statement will always be located on our website and app.
The Data We Collect About You
Personal data, or personal information, means any information about an individual or related business from which that person can be identified or that is linked to information that identifies a specific individual. We may collect, use, store and transfer different kinds of personal data, which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth, and gender.
- Contact Data includes billing address, email address, telephone, mobile numbers, and other contact information.
- Financial Data includes bank account information, credit card information, and other payment instrument information.
- Profile Data includes username and password, your purchases or orders, your interests, preferences, feedback, and survey responses.
- Usage Data includes information about how you use our applications and services.
We also collect, use and share Aggregated Data such as statistical data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users using a specific feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
If You Fail To Provide Personal Data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide you with services. In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
How We Use Your Data
We are showing our commitment to the highest standards of privacy rights by outlining below a description of all the ways we plan to use your data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. We will never disclose, share or sell your data without your consent, unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this statement.
As a Processor, we process employee/project data on behalf of our customers to generate tax credit analyses, categorize transactions, and store and delete data according to controller instructions. We do not make any independent decisions about how this data is used. Controllers provide the legal basis and respond to data subject requests.
As a Controller, we process business contact data for outreach to relevant professionals based on legitimate interest related to marketing and business development. You may object at any time to our use of your data for direct marketing (see “Your Rights” below).
Please contact us if you need more details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose | Types of Data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To correspond with the IRS on your behalf | Business content information; Industry and line of business(es); EIN & TIN; Signature; Business owners’ contact info | Necessary to comply with a legal obligation |
| To accurately categorize your business transactions real-time as they happen | Accounting workbooks; Accounting general ledger; Payroll systems; Prior years' tax returns | Performance of a contract with you; Necessary for our legitimate interests (to keep our records updated, and to study how customers use our products/services) |
| To match business transactions with their respective context (e.g., receipts, invoices, travel itineraries) to appropriately determine deductibility of expenses | Emails; Attachments; Credit card transactions; Bank transactions; Calendar events | Performance of a contract with you; Necessary for our legitimate interests (to keep our records updated, and to study how customers use our products/services) |
| To uncover all possible deductions for your business | Emails; Attachments; Credit card transactions; Bank transactions; Calendar events; Payroll information; Accounting workbooks | Performance of a contract with you; Necessary for our legitimate interests (to keep our records updated, and to study how our customers use our products/services) |
| To optimize your tax strategy in ways that no human can | Prior years' tax returns | Performance of a contract with you; Necessary for our legitimate interests (to keep our records updated, and to study how our customers use our products/services) |
| To train our models using your inputs on categorization | Your input on item categorizations and tax strategies | Performance of a contract with you; Necessary for our legitimate interests (to keep our records updated, and to study how our customers use our products/services) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Technical Usage | Performance of a contract with you; Necessary for our legitimate interests (to keep our records updated, and to study how our customers use our products/services) |
| To market our products and services to you | Name; Email addresses | Necessary for our legitimate interests (to provide you product and service updates) |
Sharing Of Your Data
For the purposes set out in the table above, we may share your data with:
- Sub-Processors with whom we are collaborating for the purposes for which we collected the data
- Relevant law enforcement officials or third parties (e.g. auditors or investigators) to investigate fraud.
- Relevant regulators or law enforcement officials in response to a valid request for information where we believe disclosure is in accordance with applicable law, regulation or legal process.
We require all Sub-Processors to respect the security of your personal data and to treat it in accordance with the law. All sub-processors are bound by data protection terms and undergo regular due diligence. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
List of our Sub-Processors and related purposes:
- Name of Sub-processor: Google Cloud.
- Sub-contracted activities: Backend cloud infrastructure.
- Name of Sub-processor: Neon.
- Sub-contracted activities: Data storage.
- Name of Sub-processor: Vercel.
- Sub-contracted activities: Frontend cloud infrastructure.
- Name of Sub-processor: CircleCI.
- Sub-contracted activities: Continuous integration.
- Name of Sub-processor: Baseten.
- Sub-contracted activities: Backend ML infrastructure.
- Name of Sub-processor: Modal.
- Sub-contracted activities: AI hosting platform.
- Name of Sub-processor: OpenAI.
- Sub-contracted activities: Advanced AI models and API.
- Name of Sub-processor: Merge.dev.
- Sub-contracted activities: Project management data.
- Name of Sub-processor: Finch.
- Sub-contracted activities: HR/payroll data.
Where We Store Your Data
Your personal data is stored in the United States of America. For our customers in the EU and UK, we use GDPR-approved safeguards, including Standard Contractual Clauses (SCCs) and the UK’s International Data Transfer Addendum (if applicable), when we transfer your data outside the EU/UK.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. Some measures to protect data include:
- SOC 2 Type 2 controls
- AES-256 encryption
- Role-based access controls
- Incident response protocols
In addition, we limit access to your personal data to third parties or Sub-Processors who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Data Breach Notification
We have robust procedures in place to detect, investigate, and respond to personal data breaches.
If we act as a controller and a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the appropriate supervisory authority within 72 hours and, where required, also inform you without undue delay.
If we act as a processor on behalf of a customer, we will promptly notify the controller of any data breach affecting personal data we process for them, in line with our contractual and legal obligations.
Our response includes containment, impact assessment, mitigation, and documentation of all breach-related activity in accordance with GDPR Articles 33 and 34.
Data Retention
How long will we use your data: We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. In some circumstances you can ask us to delete your data: see “Your Rights” below for further information. Moreover, in some circumstances we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your Rights
As an individual, you may have the right to:
- Access your personal data
- Request correction or deletion
- Object to or restrict processing
- Withdraw consent (where applicable)
- File a complaint with a data protection authority
If we process your data as a controller (e.g., for outreach), you may contact us directly to exercise your rights.
If we process your data as a processor (e.g., on behalf of a customer), we will refer your request to the controller (our customer), as required by GDPR Article 28(3)(e).
To exercise your rights, please email: privacy@neo.tax
Contact Details
If you have any questions or concerns about this privacy notice or how we handle data, please contact:
Neo.Tax Privacy Team