1. Introduction
These Mobile App Terms & Privacy Disclosures (“Mobile Terms”) apply to your use of the TaxWallet mobile applications (“App”) for iOS and Android. By installing, accessing, or using the App, you agree to these Mobile Terms in addition to the TaxWallet Terms of Service, Privacy Policy, and Data Processing Addendum.
If you do not agree, you must uninstall the App immediately.
2. App Functionality & Purpose
The App provides taxpayer and tax professional tools including:
- Secure document upload & scanning,
- Biometric login & authentication,
- Account access & messaging,
- Refund status monitoring,
- E-signature execution & approvals,
- Notifications, reminders, and alerts,
- Multi-office administrative features.
The App is an extension of the TaxWallet Platform and uses the same secure backend, authentication system, and encrypted communication channels.
3. Permissions Used by the App
The App may request access to certain device permissions. All permissions are used solely for securely delivering TaxWallet services and are never used for advertising, resale, or unrelated tracking.
1. Camera — used ONLY for capturing document photos, ID verification images, and profile photos. Images are never used for analytics or facial recognition beyond voluntary verification workflows.
2. Photos / Media / Files — used for uploading tax documents, receipts, financial forms, and identity records. The App does not scan or access files outside of the user-selected documents.
3. Microphone (Optional) — used ONLY if future voice-note or audio support features are added. Currently not required.
4. Notifications — used for security alerts, e-signature requests, refund status updates, document requests, KBA verifications, appointment reminders, and system announcements.
5. Biometric Authentication (FaceID / TouchID / Android Biometrics) — used for secure login, MFA, and identity confirmation for high-risk actions such as e-signatures, payments, and sensitive data access.
6. Device Storage — used for caching encrypted tokens, temporary files, and images pending secure upload. No unencrypted personal data is stored on the device.
7. Device Identifier (Installation ID) — automatically generated to secure sessions, prevent fraud, detect suspicious activity, and simplify support. Never used for advertising or profiling.
8. Foreground Location (When the App Is Open) — used ONLY for:
- recommending nearby tax professionals based on the user’s current location,
- showing partner or preparer office locations on the map,
- assisting users in navigating to a scheduled appointment.
9. Background Location (While App Is Not Actively In Use) — used ONLY for:
- notifying tax professionals when a client is arriving for a scheduled appointment,
- enabling location-dependent check-ins for mobile appointments,
- allowing preparers to receive arrival alerts when the feature is enabled.
Background location is processed ONLY for these limited operational purposes and never for advertising or third-party tracking.
10. No Access to Sensitive System Data
- The App does NOT access contacts, SMS messages, call logs, email contents, or background device data.
- The App does NOT collect or track precise location history outside of the appointment-related features described above.
11. Permission Revocation — Users may revoke any permission at any time via device settings. Certain features may become unavailable if required permissions are disabled.
4. Data Collected Through the App
The App collects the minimum amount of information required to function securely:
- Name, email, and phone number already stored in your TaxWallet account;
- Installation ID and device type information;
- Login activity, crash logs, and performance diagnostics;
- Documents, images, and data voluntarily uploaded by the user;
- Security metadata required for e-signature compliance (IP, timestamp, device characteristics).
The App does not collect advertising identifiers (IDFA or GAID).
The App does not collect clipboard data or background-running data.
5. No Third-Party Tracking or Advertising
The App does not use:
- Third-party ad trackers,
- Behavioral analytics tools,
- Social media tracking pixels,
- Data reselling networks.
Analytics are strictly limited to crash reporting, system diagnostics, and anonymous performance metrics required for platform stability.
6. Device ID & Authentication
Upon installation, the App generates a secure Device Installation ID. This is used to:
- Recognize your device after login,
- Secure sessions and prevent unauthorized access,
- Support fraud detection and anomaly monitoring.
The Device ID is never sold, shared, or used for advertising purposes.
7. E-Signature & Compliance Disclosures
The App supports e-signature workflows compliant with ESIGN, UETA, IRS Pub. 1345, and identity verification rules.
When signing documents, the App collects:
- Timestamp,
- IP address,
- Device information,
- Signature intent confirmation,
- KBA or biometric confirmation where applicable.
All signature-related data becomes part of a permanent audit record.
8. Security Measures
The App applies advanced mobile security measures including:
- TLS 1.2+ encrypted communication,
- Encrypted local storage for tokens,
- Biometric MFA support,
- Automatic logout after inactivity,
- Session token rotation,
- Jailbreak/root detection where applicable.
TaxWallet prohibits the use of modified or compromised devices for security-sensitive actions.
9. Data Sharing
The App does not share personal data with any third parties except:
- The connected tax professional or preparer,
- IRS/state agencies for e-file submissions,
- Banking/refund-transfer partners (when initiated by the user or tax professional),
- Authorized merchant processors that the user connects for payment purposes.
No data is shared for advertising, profiling, or resale.
10. Payment Processing Through the App
If the App is used to submit payments:
- Credit card information is encrypted before leaving the device,
- CVV is never stored, transmitted, or retained,
- TaxWallet cannot decrypt stored card data,
- Repeat charges use processor-issued tokens (“Wallet IDs”).
All financial liability for in-app payments rests solely with the user and their merchant processor, as defined in the Merchant Processing Addendum.
11. Account Deletion (App Store Requirement)
Users may request account deletion at any time by contacting support@taxwallet.ai.
Certain data cannot be deleted immediately due to IRS and regulatory retention requirements (e.g., audit logs, tax return information, e-signature records).
Upon verified deletion request:
- Login access is terminated,
- Personal profile data is removed where legally allowed,
- Retained data is archived solely for compliance purposes.
12. Children’s Privacy
The App is not intended for children under age 13.
We do not permit standalone accounts for minors.
Taxpayer dependent information is permitted only as part of a professional tax preparation workflow initiated by an adult user or preparer.
13. Prohibited Use of the App
Users may not:
- Violate any Acceptable Use Policy,
- Upload illegal, fraudulent, or harmful content,
- Attempt to reverse-engineer or bypass App security,
- Use the App on rooted or jailbroken devices,
- Misuse document scanning or identity tools,
- Attempt unauthorized access to another user’s data.
Violations may result in immediate account suspension or termination.
14. App Updates & Automatic Modifications
The App may update automatically. Continued use constitutes acceptance of updated Mobile Terms.
TaxWallet may modify or discontinue mobile features at any time without liability.
15. Contact Information
TaxWallet Mobile Compliance Office
Email: support@taxwallet.ai
We respond promptly to all App Store/Play Store compliance requests.
16. Two-Factor Authentication (TOTP) Generation & Storage
The App includes an optional feature that allows users to generate Time-Based One-Time Passwords (TOTP) for use with external services such as tax software, banking portals, CRMs, government portals, and other integrations that support RFC 6238-compliant authentication.
When a user adds a TOTP configuration (QR code or secret key), the following terms apply:
1. On-Device Storage by Default — All TOTP secret keys are stored locally on the user's device in encrypted form using platform-secure cryptography:
- iOS: Secure Enclave / Keychain encryption,
- Android: StrongBox / Keystore hardware-backed encryption.
TOTP keys are never transmitted to TaxWallet servers unless the user explicitly enables encrypted backup (see below).
2. Encrypted Backup (Optional) — Users may opt in to encrypted cloud backup so TOTP secrets can be restored when reinstalling the App or moving to a new device. When enabled:
- TOTP data is encrypted using a key derived from the user's login credentials and device factors,
- TaxWallet cannot decrypt or access user TOTP data; only the user's authenticated session can unlock it.
Backup encryption uses a zero-knowledge model: TaxWallet has no visibility into the contents of stored TOTP secrets.
3. No Sharing or Analytics — TOTP keys are not used for analytics, do not leave the user's device (unless encrypted backup is enabled), and are never shared with any third party.
4. User Responsibility — Users are solely responsible for:
- Backing up their TOTP secrets (if desired),
- Keeping their device secure,
- Maintaining access to recovery methods for external services.
TaxWallet is not responsible for loss of access to third-party accounts resulting from missing TOTP backups, device loss, or user misconfiguration.
5. No Access to Underlying Accounts — TaxWallet does not access, control, or authenticate into any service for which TOTP codes are generated. We merely provide a secure authenticator interface.
6. Security Events & Monitoring — For fraud prevention, TaxWallet may log:
- timestamps of TOTP usage events,
- device identifier,
- IP address.
These logs NEVER include TOTP secret keys or the codes generated.
7. Deleting TOTP Data — Users may remove individual TOTP entries at any time. When removed:
- all local encrypted data is destroyed,
- cloud backups (if enabled) are securely purged.
TaxWallet retains no ability to restore deleted TOTP keys.
8. Compliance & Encryption Standards — TOTP storage and backup systems comply with:
- NIST SP 800-63-3 (Authenticator Assurance Level 2),
- RFC 6238 (TOTP standard),
- IRS Publication 4557 security controls,
- FTC Safeguards Rule encryption requirements.