Legal
Privacy Policy
Effective May 17, 2026
Atamatax — raison individuelle, Suisse (registration pending CHF 100k revenue threshold) ("Atamatax", "we", "us") operates the Atamatax tax-filing service at atamatax.com. This Privacy Policy describes what information we collect from you, how we use it, with whom we share it, and the controls you have over it.
What we collect
- Account information — your email address and an authentication password hash stored in Supabase Auth.
- Tax-return inputs — your US tax status (citizen or green-card holder), country of residence, filing status, and the figures you enter directly into the wizard.
- Brokerage data — when you connect a US brokerage via Plaid Inc. ("Plaid") we receive holdings, transactions, security identifiers, and account balances for the accounts you authorize. We do not receive your brokerage username or password — those go directly to Plaid.
- Payment information — when you finalise your return, Stripe processes the payment. We receive the resulting Checkout Session id and amount; we never receive your card number.
- Operational logs — Vercel records request IPs, timestamps, and user-agent strings for the routes you hit. We review these only to debug or investigate abuse.
How we use it
- Generate IRS forms (1040 + schedules, 8621, 8938, FBAR, 1116, 8833) as a draft PDF package today, and (once our integrated e-file via an authorised ERO ships, target Q3 2026) transmit them through the IRS Modernized e-File system on your behalf.
- Compute PFIC determinations, foreign-tax credit estimates, and treaty positions from your imported holdings.
- Send you transactional emails (sign-in confirmation, filing acknowledgement, refund or rejection notices) via Resend.
- Improve the product. Aggregated, de-identified usage statistics inform what we build next.
Plaid specifically
We use Plaid to retrieve brokerage holdings and transactions on your behalf. By connecting a brokerage you also agree to Plaid's End User Privacy Policy. Plaid acts as a service provider to Atamatax for the purpose of enabling brokerage data access. The Plaid access tokens we receive are encrypted at rest with AES-256-GCM and never returned to the browser.
Who we share it with
- IRS Modernized e-File & FinCEN BSA — once integrated e-file via an authorised ERO ships (target Q3 2026), the tax forms you sign and authorize us to transmit, plus the identifying data required to file them. Until then, you sign and transmit the PDF package yourself and we share nothing with the IRS or FinCEN.
- Stripe, Inc. — only the data needed to charge you (email, amount, IP address as part of fraud signals).
- Plaid Inc. — your brokerage account credentials (handled directly by Plaid, never seen by us) and metadata about which institutions you connect.
- Supabase / Vercel / Resend — sub-processors that host the database, the application servers, and transactional email. None of them sell your data; they act under their own DPAs.
- Law enforcement — only when compelled by a valid US legal process and only the minimum scope demanded.
We do not sell your personal information to advertisers, data brokers, or any third party.
Where we store it
Tax-return data, brokerage tokens (encrypted), and account credentials live in a US-hosted Supabase Postgres database. Static assets and serverless functions run on Vercel. Database backups are retained encrypted by Supabase for up to 30 days.
How long we keep it
We retain filed returns and associated brokerage snapshots for seven years after the tax year, matching the IRS standard for return reconstruction. Account credentials are kept for as long as the account is active and deleted within 90 days after you ask us to close the account.
Your rights
You can request a copy of your data, ask us to correct it, or ask us to delete it. Email support@atamatax.com from the address on file. We respond within 30 days.
Residents of the EU/EEA, the UK, and Switzerland. For these users, Atamatax acts as a data controller within the meaning of Regulation (EU) 2016/679 (the "GDPR") and the UK GDPR. Our legal basis for processing your tax-return inputs, brokerage data, and account information is the performance of the contract you enter into when you create an account and use the Service (Art. 6(1)(b) GDPR); for technical and operational logs we also rely on our legitimate interest in maintaining a secure and functional service (Art. 6(1)(f) GDPR). You have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate data rectified (Art. 16);
- request erasure of your data (Art. 17), subject to our seven-year retention obligation for filed returns and supporting workpapers;
- restrict our processing (Art. 18);
- receive your data in a portable, machine-readable form (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw any consent you previously gave (without affecting prior processing).
To exercise any of these rights, email support@atamatax.com. You also have the right to lodge a complaint with a supervisory authority — for residents of France, the CNIL (cnil.fr/en/plaintes); for other EU/EEA member states, the authority listed at edpb.europa.eu; for the UK, the ICO (ico.org.uk).
California residents. You have additional rights under the CCPA / CPRA: to know what personal information we collect and disclose, to delete personal information, to correct inaccurate personal information, and to opt out of any sale or sharing. We do not sell or share personal information for cross-context behavioural advertising.
Security
Production database access is restricted to two server-side keys. All connections to Atamatax and our sub-processors are encrypted in transit (TLS 1.2+). Plaid access tokens, social-security numbers, and other sensitive fields are encrypted at the application layer (AES-256-GCM) before they hit the database. Service-role keys never reach the browser.
No system is perfect. If we discover a security incident affecting your data we will notify you within 72 hours of confirming the incident, and we will publish a post-mortem on the same domain.
Children
Atamatax is not directed at and does not knowingly collect information from individuals under 16. If you believe a child has provided us data, email support@atamatax.com.
Changes to this policy
We will notify you by email at least 14 days before material changes take effect. The effective date at the top is updated whenever the policy changes.
Contact
Atamatax — raison individuelle, Suisse (registration pending CHF 100k revenue threshold)
Email: support@atamatax.com