Mobile App Permissions Disclosure

This Mobile App Permissions Disclosure ("Disclosure") describes every device-level permission requested by the TaxWallet mobile applications on iOS and Android. This Disclosure is provided in accordance with the Apple App Store Review Guidelines, Google Play Data Safety Requirements, the Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, applicable privacy laws, and industry best practices for secure authentication and document handling.

TaxWallet adheres to a strict least-privilege policy. Each permission is used solely to provide essential functionality requested by the user, and never for advertising, analytics, cross-app tracking, data resale, or unrelated processing.

TaxWallet does **not** collect, track, sell, or share device-level identifiers, precise location data, or biometric data for advertising or profiling purposes.

The App may request access to the following device permissions. All permissions are used exclusively for delivering TaxWallet services and are not accessible by third parties except where required for secure processing.

1. Camera — used ONLY to capture tax documents, W-2s, receipts, identity documents, signatures, or enrollment profile photos. Profile photos are used solely for one-time identity verification by comparing them to the submitted ID image. TaxWallet does NOT perform facial recognition, does NOT enroll biometric templates, and does NOT use any images for analytics, training, or unrelated purposes.

2. Photos / Media / Files — used for secure upload of documents voluntarily selected by the user. The App does not browse, scan, index, or access media outside user-selected files.

3. Microphone (Optional) — used only if the user enables voice-note or audio-support features. This capability is fully optional and disabled by default.

4. Notifications — used for security alerts, e-signature requests, refund status updates, KYC verification prompts, appointment reminders, and critical account notices. Notifications are never used for marketing without explicit consent.

5. Biometric Authentication (FaceID / TouchID / Android Biometrics) — enables secure login, MFA verification, and identity confirmation for sensitive actions. Biometric templates are never stored or transmitted by TaxWallet. All biometric matching is performed by the device’s secure enclave.

6. Device Storage — used only to cache encrypted session tokens, MFA secrets, temporary image files, and regulatory-required artifacts. No unencrypted personal data is ever stored on the device.

7. App Installation Identifier (Non-Tracking) — automatically generated to support fraud monitoring, secure session continuity, and customer support. Not used for advertising, cross-site tracking, or analytics.

8. Foreground Location (While App Is Open) — used only when assisting users with:

• locating nearby tax professionals or partner offices,

• viewing location-based appointment options,

• navigating to a scheduled appointment.

9. Background Location (Optional) — used only when the user enables appointment navigation reminders or location-dependent check-ins. Background location is processed solely on the device and is not transmitted unless needed for the selected feature.

10. No Access to Sensitive System Data — TaxWallet does not access contacts, SMS messages, call logs, device identifiers outside the OS sandbox, calendars, Bluetooth data, or Wi-Fi/Bluetooth environment signals.

Each permission is required only to support a core, user-requested function such as:

• Uploading IRS forms, receipts, or supporting tax records,

• Completing identity verification (KYC/AML),

• Executing secure MFA authentication workflows,

• Navigating to tax appointments or local offices,

• Delivering legally binding electronic signatures (ESIGN/UETA).

TaxWallet does not request any permission that is not tied to a direct, user-facing workflow. All permissions are evaluated annually under GLBA and FTC Safeguards Rule requirements.

All data accessed through device permissions is processed according to the TaxWallet Privacy Policy and IRS Pub. 1345 security specifications.

• All files uploaded to the platform are encrypted in transit (TLS 1.3+) and at rest (AES-256).

• No biometric templates or raw biometric data are ever stored by TaxWallet.

• Location data, when used, is stored only long enough to complete the requested operation.

• Cached data on-device is encrypted using operating-system–level secure storage.

TaxWallet does not integrate any advertising SDKs, cross-app tracking frameworks, or analytics tools that access device permissions.

Only security-essential frameworks (e.g., camera capture, biometric authentication, encrypted storage) provided by Apple or Google are used.

TaxWallet does **not** share permission-derived data with external advertising platforms, data brokers, or social networks.

Users may revoke any previously granted permission at any time using device Settings. If a permission is disabled, the App will simply disable the associated feature without restricting access to the rest of the platform.

Examples:

• Disabling Camera prevents document capture but does not affect existing uploads.

• Disabling Biometrics defaults login to password + MFA.

• Disabling Location disables office finder features but not filing tools.

TaxWallet never overrides a user's device-level permission settings.

TaxWallet may update this Disclosure to reflect new features, regulatory obligations, or platform requirements. Users will be notified of material changes in accordance with the TaxWallet Terms of Service.

Continued use of the App following an update constitutes acceptance of the revised Disclosure.