Privacy Policy

Last updated: May 7, 2026

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Third-Party Sub-processors
  4. Cookies & Tracking
  5. Client Tax Data
  6. Data Security
  7. Data Retention
  8. Your Rights
  9. California Privacy Rights (CCPA)
  10. Children's Privacy
  11. Do Not Track
  12. Changes to This Policy
  13. Contact

1. Information We Collect

We collect information in three ways:

Information you provide directly:

  • Account information: name, email address, firm name, and password when you register
  • Payment information: billing address and payment method details, processed by Stripe (we do not store full card numbers)
  • Uploaded content: tax documents, client data, and other files you submit to use the Service
  • Communications: messages you send to our support team

Information collected automatically:

  • Usage data: features used, queries submitted (excluding uploaded document content), session duration, and interaction logs
  • Device and log data: IP address, browser type, operating system, referring URLs, and error logs
  • Cookies and similar technologies: see the Cookies section below

Information from third parties:

  • If you authenticate via Google or another identity provider, we receive basic profile information (name, email) from that provider

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the CPA Pilot Service
  • Process your subscription and communicate billing-related information
  • Send transactional emails (account confirmations, password resets, invoices)
  • Send product updates and feature announcements (you can unsubscribe at any time)
  • Respond to your support requests and inquiries
  • Monitor and analyze usage patterns to improve product quality and reliability
  • Detect, prevent, and address fraud, security incidents, and abuse
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use uploaded tax documents or client data for any purpose other than delivering the Service to you.

3. Third-Party Sub-processors

To provide the Service, we share data with the following categories of sub-processors, each contractually bound to appropriate data protection standards:

Sub-processorPurposeData shared
StripePayment processingName, email, billing address, payment method
Google AnalyticsWebsite analyticsAnonymized usage and device data
AI LLM providersAI output generationYour prompts and uploaded content (processed only; not used for training)
Cloud hosting providerInfrastructure & storageAll data stored on the platform

4. Cookies & Tracking

We use cookies and similar technologies for the following purposes:

  • Essential cookies: Required for the Service to function, including authentication sessions and security tokens. These cannot be disabled.
  • Preference cookies:Remember your settings, such as dark/light mode, so you don't have to reset them on each visit.
  • Analytics cookies: We use Google Analytics to understand how visitors interact with our website. Google Analytics collects anonymized data such as pages visited, time on page, and referral source. This data is aggregated and does not identify individual users. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

Most browsers allow you to control cookies through their settings. Disabling certain cookies may affect the functionality of the Service.

5. Client Tax Data

CPA Pilot is a productivity tool for tax professionals. When you upload client documents or enter client information to use the Service, that data is processed solely to generate the outputs you request. We do not use client data for any other purpose, share it with unauthorized third parties, or use it to train AI models.

Tax professionals using cloud-based tools may have their own professional obligations regarding client data confidentiality under applicable licensing rules and firm policies. CPA Pilot's role is limited to processing data on your behalf as a service provider; compliance with professional obligations specific to your practice is your responsibility.

6. Data Security

We implement industry-standard security measures to protect your information, including TLS encryption in transit and AES-256 encryption at rest. Our infrastructure follows SOC 2-aligned security practices, including access controls, audit logging, and regular security reviews. No method of transmission over the Internet is completely secure; we cannot guarantee absolute security, but we take reasonable steps to protect your data.

7. Data Retention

  • Account data is retained for the duration of your active subscription, plus 30 days after cancellation to allow for reactivation.
  • Uploaded documents and generated outputs are retained for 90 days from the date of upload, after which they are automatically deleted from our systems.
  • Billing records are retained for 7 years as required by applicable tax and accounting regulations.
  • Support communications are retained for 3 years.

You may request deletion of your account and associated data at any time by contacting [email protected]. We will process deletion requests within 30 days, subject to any legal retention obligations.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing of your data for direct marketing purposes
  • Restriction: Request that we restrict processing of your data in certain circumstances

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

  • Right to Know: Know what personal information we collect, use, disclose, and sell (we do not sell personal information)
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To submit a CCPA request, contact us at [email protected] with "California Privacy Request" in the subject line.

10. Children's Privacy

CPA Pilot is a professional platform intended for use by licensed tax professionals and adults aged 18 and over. We do not knowingly collect personal information from individuals under 18. If we learn that we have inadvertently collected information from a minor, we will delete it promptly.

11. Do Not Track

Some browsers offer a "Do Not Track" (DNT) setting that signals to websites that you do not want to be tracked. Because there is no consistent industry standard for responding to DNT signals, our website does not currently alter its behavior based on DNT signals. You can limit analytics tracking using the Google Analytics opt-out tool described in the Cookies section above.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or by posting a notice in the Service before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

Privacy questions or requests: [email protected]
CPA Pilot · Wilmington, DE

CPA Pilot Privacy Policy - Client Tax Data & Privacy Rights - CPA Pilot