Privacy Policy

Paloma Tech Inc., a Delaware corporation ("Paloma," "we," "us," or "our"), provides practice management software for tax accounting firms and their clients. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have. By using our services at palomatax.com ("the Service"), you agree to the practices described in this policy.

• To provide, operate, and maintain the Service.
• To process tax intake, organize documents, and facilitate communication between accounting firms and their clients.
• To power AI-assisted document parsing and analysis that helps accounting staff prepare tax returns more efficiently.
• To authenticate users and protect account security.
• To send transactional notices (e.g., document upload confirmations, deadline reminders).
• To improve and debug the Service using aggregated, de-identified platform analytics. This use applies to general usage data only — it does not apply to Google user data, which is governed exclusively by the Google API Limited Use requirements described below.
• To comply with legal obligations.

We do not use your data to display advertisements, build advertising profiles, or sell your information to third parties.

Paloma's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We access Google user data only to provide or improve the features described in this policy (tax practice management, document collection, and scheduling). We do not use Google data for any other purpose.
• We do not transfer Google user data to third parties except as necessary to provide the Service (e.g., cloud hosting infrastructure), and only under confidentiality obligations.
• We do not use Google user data to serve advertisements or for advertising purposes.
• We do not allow humans to read Google user data unless: (a) we have your explicit permission; (b) it is necessary for security purposes such as investigating abuse; or (c) it is required by applicable law. For example, if you connect your Gmail account, emails surfaced through the platform are visible to your accounting firm's authorized staff as part of the service you explicitly authorized when connecting your Google account.
• We do not use Google user data for purposes unrelated to providing the Service.

• Data is stored on industry-standard cloud infrastructure (including Supabase and Vercel) with encryption at rest and in transit (TLS 1.2+).
• Sensitive fields such as Social Security Numbers and Employer Identification Numbers are encrypted at the application layer (AES-256-GCM) before being written to the database.
• Access to production data is restricted to authorized personnel only, using role-based access controls.
• Authentication tokens are hashed (SHA-256) before storage. We support two-factor authentication for accounting firm staff.
• We are actively working toward SOC 2 Type II compliance and maintain an ongoing security program including access reviews, audit logging, and vulnerability management.
• In the event of a security breach affecting your personal data, we will notify affected users promptly and in accordance with applicable law, including Utah's breach notification requirements.

We do not sell your personal information. We share data only with:

• Service providers (subprocessors): Cloud hosting (Vercel, Supabase), AI inference (AWS Bedrock), email delivery (Resend), and error monitoring (Sentry). Each subprocessor is bound by data processing agreements.
• Your accounting firm: If you are a client, documents and information you submit are accessible to the accounting firm that invited you.
• Legal requirements: If required by law, subpoena, or to protect the rights, property, or safety of Paloma, our users, or the public.

• Access and correction: You may access and update your account information at any time through your account settings.
• Deletion: You may request deletion of your account and associated data by contacting us at the address below. We will comply within 30 days except where retention is required by law or legitimate business purpose.
• Revoke Google access: You may disconnect your Google account at any time from your account settings or through Google's security settings. Revoking access will disable Google-powered features but will not affect other Service functionality.
• Cookies: You may disable cookies in your browser, though some features of the Service may not function properly as a result.
• Marketing communications: You may opt out of non-transactional emails by clicking "unsubscribe" in any such email.

We retain your personal information for as long as your account is active or as needed to provide the Service. Tax documents and related data are retained for a minimum of seven years to support tax compliance obligations, unless you request earlier deletion and no legal hold applies.

Google account data obtained via OAuth is retained only as long as you maintain an active Google connection in your account settings. Revoking access stops further collection; data previously synchronized is retained only as part of your accounting records and is subject to the same retention schedule above.

The Service is not directed at children under 13, and we do not knowingly collect personal information from children under 13.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose for collecting it, and the categories of third parties we share it with.
• Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (e.g., information necessary to comply with a legal obligation or complete a transaction).
• Right to Opt Out of Sale: We do not sell your personal information. No opt-out is required, but you may contact us to confirm this at any time.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at stevie@palomatax.com. We will respond within 45 days.

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date and, where appropriate, by email. Continued use of the Service after any change constitutes acceptance of the updated policy.

For questions, data requests, or privacy concerns, contact us at: