Privacy Policy

Effective Date: June 19, 2026

Overview

Paloma Tech Inc., a Delaware corporation ("Paloma," "we," "us," or "our"), provides practice management software for tax accounting firms and their clients. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have. By using our services at palomatax.com ("the Service"), you agree to the practices described in this policy.

Information We Collect

Information you provide

  • Account information: name, email address, phone number, and password when you register.
  • Client and firm information: business name, address, taxpayer identification numbers (EIN/SSN), and other details entered during onboarding or tax intake.
  • Tax documents: W-2s, 1099s, and other tax or financial documents you upload to the Service.
  • Communications: messages, notes, and questionnaire responses submitted through the platform.

Connected third-party accounts

Accounting staff may optionally connect external accounts to power specific features. We access only the data necessary to provide the features you enable, and only after you authorize the connection.

Google

  • Gmail and Calendar (read-only): We read email messages and metadata and calendar events to help accounting staff identify client-related correspondence and track deadlines. We do not send email or change calendar events.
  • Google Drive (read and write): We read Drive file metadata to surface relevant documents and, where you authorize it, create or update files to facilitate document sharing between accounting staff and clients. We do not delete Drive files without your explicit action.

Microsoft 365

  • Outlook and Calendar (read-only): We read email messages, metadata, and calendar events to help staff identify client correspondence and track deadlines.
  • OneDrive and SharePoint (read and write): Where you authorize it, we read and write files and document libraries to synchronize documents between Paloma and your organization's Microsoft tenant. SharePoint synchronization mirrors documents into storage that your organization owns and controls.

QuickBooks Online (read-only)

  • We read accounting data such as trial balances, profit-and-loss statements, and transaction details to support tax preparation. We do not modify your QuickBooks records.

Usage and technical data

  • Log data: IP address, browser type, pages visited, and timestamps.
  • Cookies and similar technologies for session management and analytics.

How We Use Your Information

  • To provide, operate, and maintain the Service.
  • To process tax intake, organize documents, and facilitate communication between accounting firms and their clients.
  • To power AI-assisted document parsing and analysis that helps accounting staff prepare tax returns more efficiently.
  • To authenticate users and protect account security, including SMS-based two-factor authentication for accounting firm staff.
  • To facilitate electronic signature of engagement letters and similar documents.
  • To send transactional notices (e.g., document upload confirmations, deadline reminders).
  • To improve and debug the Service using aggregated, de-identified platform analytics. This use applies to general usage data only — it does not apply to data obtained from connected Google, Microsoft, or QuickBooks accounts, which is governed exclusively by the limited-use commitments described below.
  • To comply with legal obligations.

We do not use your data to display advertisements, build advertising profiles, or sell your information to third parties.

Google API Services — Limited Use Disclosure

Paloma's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We access Google user data only to provide or improve the features described in this policy (tax practice management, document collection, and scheduling). We do not use Google data for any other purpose.
  • We do not transfer Google user data to third parties except as necessary to provide the Service (e.g., cloud hosting infrastructure), and only under confidentiality obligations.
  • We do not use Google user data to serve advertisements or for advertising purposes.
  • We do not allow humans to read Google user data unless: (a) we have your explicit permission; (b) it is necessary for security purposes such as investigating abuse; or (c) it is required by applicable law. For example, if you connect your Gmail account, emails surfaced through the platform are visible to your accounting firm's authorized staff as part of the service you explicitly authorized when connecting your Google account.
  • We do not use Google user data for purposes unrelated to providing the Service.

Microsoft APIs — Limited Use

When you connect a Microsoft 365 or SharePoint account, Paloma's use of data received through Microsoft Graph and related Microsoft APIs is limited to providing and improving the features you enable (client correspondence, document collection and synchronization, and scheduling). We do not use Microsoft data to serve advertisements or build advertising profiles, we do not sell it, and we transfer it to third parties only as necessary to operate the Service and under confidentiality obligations. We do not allow humans to read Microsoft user data except with your permission, for security purposes, or as required by law. SharePoint synchronization writes documents into storage controlled by your own organization's Microsoft tenant.

How We Store and Protect Your Information

  • Data is stored on industry-standard cloud infrastructure with encryption at rest and in transit (TLS 1.2+).
  • Sensitive fields such as Social Security Numbers and Employer Identification Numbers are encrypted at the application layer (AES-256-GCM) before being written to the database.
  • Access to production data is restricted to authorized personnel only, using role-based access controls.
  • Authentication tokens are hashed (SHA-256) before storage. We support two-factor authentication for accounting firm staff.
  • We are actively working toward SOC 2 Type II compliance and maintain an ongoing security program including access reviews, audit logging, and vulnerability management.
  • In the event of a security breach affecting your personal data, we will notify affected users promptly and in accordance with applicable law, including Utah's breach notification requirements.

Who We Share Your Information With

We do not sell your personal information. We share data only with:

  • Service providers (subprocessors): cloud hosting and storage, AI-assisted document processing, email and SMS delivery, electronic signature, product analytics, and error monitoring providers. We require subprocessors to handle your data under appropriate confidentiality and data-protection obligations. A current list of named subprocessors is available to customers on request.
  • Your accounting firm: If you are a client, documents and information you submit are accessible to the accounting firm that invited you.
  • Legal requirements: If required by law, subpoena, or to protect the rights, property, or safety of Paloma, our users, or the public.

Your Rights and Choices

  • Access and correction: You may access and update your account information at any time through your account settings.
  • Deletion: You may request deletion of your account and associated data by contacting us at the address below. We will comply within 30 days except where retention is required by law or legitimate business purpose.
  • Revoke connected-account access: You may disconnect any connected Google, Microsoft, or QuickBooks account at any time from your account settings. You may also revoke access directly through Google, Microsoft, or Intuit. Revoking access will disable the related features but will not affect other Service functionality.
  • Cookies: You may disable cookies in your browser, though some features of the Service may not function properly as a result.
  • Marketing communications: You may opt out of non-transactional emails by clicking "unsubscribe" in any such email.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Tax documents and related data are retained for a minimum of seven years to support tax compliance obligations, unless you request earlier deletion and no legal hold applies.

Data obtained from connected accounts (Google, Microsoft, or QuickBooks) via OAuth is retained only as long as you maintain an active connection in your account settings. Revoking access stops further collection; data previously synchronized is retained only as part of your accounting records and is subject to the same retention schedule above.

Children's Privacy

The Service is not directed at children under 13, and we do not knowingly collect personal information from children under 13.

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose for collecting it, and the categories of third parties we share it with.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (e.g., information necessary to comply with a legal obligation or complete a transaction).
  • Right to Opt Out of Sale: We do not sell your personal information. No opt-out is required, but you may contact us to confirm this at any time.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at stevie@palomatax.com. We will respond within 45 days.

Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date and, where appropriate, by email. Continued use of the Service after any change constitutes acceptance of the updated policy.

Contact Us

For questions, data requests, or privacy concerns, contact us at:

Paloma Tech Inc.

75 West Center Street

Provo, UT 84601

Email: stevie@palomatax.com

Website: palomatax.com