California Consumer Privacy Act (CCPA/CPRA) Addendum

This CCPA/CPRA Privacy Addendum (“Addendum”) supplements the TaxWallet Privacy Policy and applies exclusively to California residents (“Consumers”) using the TaxWallet marketing website, dashboard (app.taxwallet.ai), or mobile applications.

For tax professionals and their clients, this Addendum also applies where personal information of California residents is processed through TaxWallet.

In the event of conflict between this Addendum and another TaxWallet policy, the stricter data protection standard applies.

Under the CCPA and CPRA, TaxWallet acts as a:

• Service Provider for tax professionals and organizations using our platform, and

• Data Processor under equivalent terminology in GDPR-aligned jurisdictions.

TaxWallet does NOT:

• Sell or share personal information,

• Use consumer data for cross-context behavioral advertising,

• Retain, use, or disclose personal information outside the scope of providing contracted services.

In the past 12 months, TaxWallet may have collected the following categories of personal information as defined by the CCPA/CPRA:

A. Identifiers

• Name, phone number, email, mailing address.

• Account credentials, device ID, hashed session IDs.

B. Personal Records

• Taxpayer documents (W-2s, 1099s, ID records) uploaded by you or your tax professional.

C. Protected Characteristics

• Taxpayer or dependent data required for tax return preparation.

TaxWallet does not infer protected class information.

D. Commercial Information

• Subscription details, purchase history, billing receipts.

• Encrypted credit card information (excluding CVV).

E. Internet / Device Activity

• Session tracking strictly for security, uptime, and fraud prevention.

• GA4 analytics (non-personal, anonymized).

F. Geolocation Data

• Approximate location for fraud controls, device security, and e-sign validation.

G. Audio/Visual

• Only if submitted for identity verification (selfie + ID match).

H. Sensitive Personal Information

• Taxpayer SSNs, EINs, and financial details needed to prepare a tax return.

• These are collected only under lawful tax preparation compliance.

TaxWallet does not use Sensitive Personal Information for profiling or cross-context advertising.

TaxWallet does NOT knowingly collect:

• Biometric data beyond mobile selfie verification for identity checks,

• Psychological profiles,

• Genetic or medical data (TaxWallet is not a HIPAA-regulated entity),

• Precise geolocation tracking,

• Device sensors (microphone, photos, contacts) beyond explicit user-supplied content.

We use personal information exclusively for:

• Providing tax preparation, e-file, and workflow services,

• Authenticating users, identity verification, and fraud prevention,

• Secure document storage, encrypted communication, and e-sign workflows,

• Billing and subscription management via encrypted gateways,

• Mobile app notifications and secure device identification,

• System diagnostics, uptime monitoring, and GA4 analytics.

TaxWallet does not use personal information for:

• Behavioral advertising,

• Retargeting,

• Data monetization.

TaxWallet does not sell or share personal information as defined under CCPA/CPRA.

California residents have the right to:

• Request disclosure of personal information categories collected,

• Request access to specific personal information,

• Request deletion of personal information (subject to IRS and regulatory retention laws),

• Request correction of inaccurate data,

• Opt-out of data selling or sharing (TaxWallet does not sell or share),

• Limit use of Sensitive Personal Information (already restricted by default).

To exercise rights, email support@taxwallet.ai or submit a request through the dashboard.

To protect consumer data, TaxWallet requires strict identity verification before processing CCPA/CPRA requests.

Verification methods may include:

• SMS verification,

• Email verification,

• Mobile app device binding,

• Document validation,

• Knowledge-based authentication (KBA).

Failure to verify identity will result in denial of the request.

Certain data cannot be deleted or restricted due to legal obligations, including:

• IRS and state record-keeping requirements,

• Anti-fraud, AML, and identity validation data,

• E-signature audit logs,

• Banking / refund transfer compliance logs,

• Payment history required by PCI and financial regulators.

TaxWallet will notify the consumer when a request cannot be fulfilled for statutory reasons.

TaxWallet does not discriminate against consumers for exercising CCPA/CPRA rights.

However, deleting or restricting core information may affect the ability to:

• Use TaxWallet Services,

• Access tax files,

• Receive notifications,

• Authenticate into accounts.

TaxWallet contractually prohibits subcontractors or vendors from:

• Selling personal information,

• Retaining or disclosing information outside service delivery,

• Using information for their own marketing or analytics purposes.

All subcontractors are bound by strict confidentiality and IRS Publication 4557 security standards.

TaxWallet may process Sensitive Personal Information solely to:

• Prepare, file, and store tax returns,

• Perform identity verification,

• Prevent fraud and unauthorized access,

• Meet IRS and state legal obligations.

TaxWallet does not use Sensitive Personal Information to infer consumer characteristics, profiles, or automated decision-making unrelated to tax preparation.

TaxWallet adheres to strict data minimization principles:

• We retain data only for as long as necessary to fulfill regulatory and operational requirements.

• Tax return data is retained according to IRS and state mandates.

• Billing records are retained according to PCI and financial regulations.

• Mobile app identifiers and device records may rotate for security purposes.

This Addendum applies equally to data collected via TaxWallet mobile applications, including:

• Device IDs,

• Push notification tokens,

• App session logs,

• Document uploads scanned via device camera.

No mobile advertising identifiers (IDFA/GAID) are collected or used.

All disputes arising under this Addendum are subject to the Arbitration Agreement & Class-Action Waiver included in TaxWallet’s Terms of Service.

Consumers waive all rights to class actions, representative actions, or jury trials.

TaxWallet CCPA/CPRA Privacy Office

Email: support@taxwallet.ai

We respond promptly to all verified CCPA/CPRA requests.