CirclesTaxCirclesTax

Privacy Policy

Effective Date: February 19, 2026

This Privacy Policy explains how CirclesTax ("we", "us") collects, uses, and protects information when you use our Service. This policy is provided in accordance with Internal Revenue Code Section 7216 and applicable federal and state privacy laws.

1. Information We Collect

Account Information: Name, email address, and password (hashed with bcrypt, 12 rounds) when you create an account.

Tax Return Information: Income (W-2, 1099), deductions, credits, dependents, and all other data you enter to prepare your tax return. This includes:

  • Social Security Numbers (SSNs): Collected for you, your spouse, and your dependents as required for IRS form preparation. SSNs are encrypted at rest using AES-256-GCM encryption with a unique initialization vector per record. SSNs are never stored in plaintext.
  • Bank Account Numbers: If you provide direct deposit information, account numbers are encrypted at rest using the same AES-256-GCM encryption standard.
  • Employer Identification Numbers (EINs): Collected from W-2 and 1099 forms.

Documents: Files you upload to the document vault (W-2s, 1099s, receipts).

Usage Data: We use privacy-friendly analytics (Umami, self-hosted) to understand how the Service is used. This data is aggregated and does not include personal tax information.

2. How We Use Your Information

Under Internal Revenue Code Section 7216, we are required to obtain your consent before using your tax return information for purposes other than preparing your return. Your data is used for:

  • Preparing and generating your federal and state tax return documents
  • Performing tax calculations and generating IRS forms (Form 1040 and related schedules)
  • Providing account management features (password reset, profile updates)
  • Sending transactional emails (welcome, password reset, return status)
  • Improving the Service (aggregated, anonymized data only)

We do not use your tax return information for marketing, advertising, or any purpose other than tax preparation unless you provide separate written consent under IRC §7216.

3. Information We Do Not Share

  • We do not sell or share your personal or tax information with third parties for marketing
  • We do not use advertising trackers or third-party cookies
  • We do not share your data with any third-party analytics providers
  • We do not disclose your tax return information except as required by law (e.g., valid legal process)

4. Data Security

We employ multiple layers of security to protect your data:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
  • Encryption at Rest: Sensitive PII (SSNs, bank account numbers) is encrypted using AES-256-GCM with per-record initialization vectors
  • Password Security: Passwords are hashed using bcrypt with 12 salt rounds and are never stored in plaintext
  • Multi-Factor Authentication: TOTP-based two-factor authentication is available and recommended for all accounts
  • Access Controls: Role-based access controls limit data access to authorized users only
  • Infrastructure: Self-hosted on dedicated servers with firewall rules, not shared cloud infrastructure

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We maintain a Written Information Security Plan (WISP) as required by IRS Publication 4557.

5. Data Retention

Your tax return data is retained as long as your account is active. After account deletion:

  • Account information is deleted within 30 days
  • Tax return data (including encrypted SSNs and financial data) is permanently deleted within 30 days
  • Uploaded documents are permanently deleted within 30 days
  • Anonymized, aggregated analytics data may be retained

We recommend retaining your tax records for at least 3 years per IRS guidance (IRS Publication 17). Download your returns before requesting account deletion.

6. IRC Section 7216 Disclosure

As a provider of tax preparation software subject to IRC §7216, we are subject to strict federal rules governing the use and disclosure of tax return information. Key protections include:

  • Tax return information is used solely for tax preparation purposes unless you provide separate consent
  • Unauthorized disclosure is a federal crime punishable by up to 1 year imprisonment and/or $1,000 fine per violation
  • You may revoke any consent to use your tax data at any time by contacting [email protected]

7. Third-Party Services

We use the following services to operate CirclesTax. All services are self-hosted on our infrastructure:

  • Email: Self-hosted mail server (Mailcow) for transactional emails
  • Analytics: Self-hosted Umami (privacy-friendly, no cookies, no personal data)
  • Hosting: Self-hosted dedicated infrastructure
  • Payment: Stripe for subscription billing (Stripe processes payment data under their own privacy policy; we do not store full card numbers)

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data and account
  • Export your tax return data (PDF download)
  • Revoke consent for tax data use under IRC §7216
  • Request information about what data we hold and how it is used

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service. The effective date at the top of this policy indicates when it was last revised.

10. Contact

Questions about this policy? Email us at [email protected].