SendTax Privacy Policy (U.S.)
Effective date: March 30, 2026
Who we are
SendTax is a product of Howell & Gibbs LLC ("SendTax," "we," "us," "our").
Mailing address: 228 Park Ave S PMB 165512, New York, New York 10003-1502. Principal office for NY filings: Queens County, New York.
Scope & audience
This Policy applies to: (a) PTIN-holding tax preparers who use SendTax; and (b) U.S. tax filers (age 18+) who use SendTax to share documents with a preparer.
We operate only in the United States. We do not knowingly serve minors.
What we collect
Information you provide directly:
- Tax documents & data you or your preparer upload or connect (e.g., W-2/1099s, K-1s, receipts, IDs, messages).
- Account & contact info (name, email, phone).
- Payments handled by Stripe; SendTax does not store full card numbers. Stripe is a PCI-DSS Level 1 provider; using hosted Checkout/Elements keeps our PCI scope minimal (typically SAQ A).
Information collected automatically:
- Log & usage data: IP address, browser type, pages visited, actions taken, timestamps, and referring URLs.
- Device data: device type, operating system, and unique device identifiers.
Cookies & tracking technologies
We use cookies and similar tracking technologies to operate the service, understand how it is used, and improve it. We use:
- Essential cookies — required for authentication and session management. These cannot be disabled.
- Analytics — we use PostHog for product analytics so we understand how users move through SendTax. Autocapture and session replay are disabled; we only record explicit milestone events. No tax document content is captured.
You can instruct your browser to refuse cookies, but some parts of the service may not function properly as a result.
How we use data
- Provide the service (receive, store, transmit to the designated preparer; support; troubleshooting).
- Security & compliance (fraud, incident response, legal obligations).
- Improvement: We may create de-identified synthetic datasets and aggregate statistics to improve tax-prep features and safety inside SendTax. Where tax data is involved, we follow IRC §7216: tax return information (including statistical compilations) is tightly restricted and, absent a specific exception, requires taxpayer consent for use or disclosure beyond return preparation. We do not disclose outside the U.S. without §7216-compliant consent (and note special limits for SSNs).
No ads / no selling: We do not sell personal information and we do not use tax data for marketing.
If state privacy laws apply, most "customer financial" data is GLBA-exempt, but we still honor applicable non-GLBA rights for residual data like site analytics.
Legal bases for processing
We process your personal information only when we have a valid legal basis to do so:
- Contract performance — processing necessary to provide the service you signed up for.
- Legal obligation — processing required to comply with applicable law (e.g., IRS e-file requirements, GLBA, NY SHIELD Act).
- Legitimate interests — operating, securing, and improving SendTax, where those interests are not overridden by your rights.
- Consent — where required by law (e.g., IRC §7216 consent for certain uses of tax return information), we obtain your explicit consent before processing.
Sharing
We share data only with:
- Your preparer / firm you select.
- Vendors (U.S.-based) under contract who must protect data and (where handling tax return information) are treated as §7216 "tax return preparers," receive required notices, and are restricted to allowed auxiliary services. The current list of vendors processing customer information on our behalf is maintained at our Sub-Processor List.
- Payments via Stripe.
- Legal (regulatory, court orders, safety).
Business transfers: If SendTax is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data becomes subject to a different privacy policy.
Data location
We store and process data in the United States.
If a non-U.S. transfer is ever proposed, we will seek §7216-compliant consent first (and would not include SSNs in non-U.S. disclosures).
Retention & deletion
- Default: We retain customer information for up to 7 years after last activity on your account, consistent with AICPA professional guidance for tax-data retention and applicable tax-data retention obligations. Specific data categories may be retained for shorter or longer periods as described in our Data Retention & Deletion Policy.
- IRS e-file records: certain authorizations (e.g., Forms 8878/8879) must be retained 3 years (due date or IRS-received date, whichever is later), per IRS Publication 1345.
Security
We maintain a written information security program consistent with the FTC Safeguards Rule (risk assessment; access control; encryption or compensating controls; MFA; secure development; monitoring/logging; incident response; vendor oversight; annual reporting) and with NY SHIELD Act "reasonable safeguards".
If a notification event involves 500+ consumers, we notify the FTC within 30 days of discovery as required, and provide any required state notices (NY presently requires consumer notice, with updated timelines).
For e-file ecosystem expectations (e.g., EV TLS certificate for public-facing tax sites, weekly external ASV scans, U.S. domain registration, next-business-day incident reporting to IRS), we align with IRS Pub. 1345.
Your choices & rights
- No marketing emails by default; you can opt-in anytime, and opt-out at any time.
- You may request access, correction, or deletion of account information. Some data cannot be deleted while needed for legal obligations (e.g., 3-year retention items) or platform security.
- State privacy rights (e.g., CA/CO/CT/VA/UT etc.) generally do not apply to GLBA-covered customer financial data but can apply to non-GLBA data (site usage); we honor those rights as applicable.
To exercise any of these rights, email us at [email protected] with your request. We will respond within 30 days.
Do Not Track
Some browsers offer a "Do Not Track" (DNT) setting. We currently do not respond to DNT signals, as no uniform standard for doing so has been established. If a standard is adopted, we will update this policy accordingly.
Children
Not for individuals under 18. We do not knowingly collect children's data.
Changes
We will post updates and change the "Effective date." Material changes will be notified to account holders.
Contact
[email protected]
Howell & Gibbs LLC, 228 Park Ave S PMB 165512, New York, New York 10003-1502