Legal

Privacy Policy

Effective May 17, 2026

Atamatax LLC ("Atamatax", "we", "us") operates the Atamatax tax-filing service at atamatax.com. This Privacy Policy describes what information we collect from you, how we use it, with whom we share it, and the controls you have over it.

What we collect

  • Account information — your email address and an authentication password hash stored in Supabase Auth.
  • Tax-return inputs — your US tax status (citizen or green-card holder), country of residence, filing status, and the figures you enter directly into the wizard.
  • Brokerage data — when you connect a US brokerage via Plaid Inc. ("Plaid") we receive holdings, transactions, security identifiers, and account balances for the accounts you authorize. We do not receive your brokerage username or password — those go directly to Plaid.
  • Payment information — when you e-file, Stripe processes the payment. We receive the resulting Checkout Session id and amount; we never receive your card number.
  • Operational logs — Vercel records request IPs, timestamps, and user-agent strings for the routes you hit. We review these only to debug or investigate abuse.

How we use it

  • Generate IRS forms (1040 + schedules, 8621, 8938, FBAR, 1116, 8833) and transmit them through approved IRS Modernized e-File intermediaries on your behalf.
  • Compute PFIC determinations, foreign-tax credit estimates, and treaty positions from your imported holdings.
  • Send you transactional emails (sign-in confirmation, filing acknowledgement, refund or rejection notices) via Resend.
  • Improve the product. Aggregated, de-identified usage statistics inform what we build next.

Plaid specifically

We use Plaid to retrieve brokerage holdings and transactions on your behalf. By connecting a brokerage you also agree to Plaid's End User Privacy Policy. Plaid acts as a service provider to Atamatax for the purpose of enabling brokerage data access. The Plaid access tokens we receive are encrypted at rest with AES-256-GCM and never returned to the browser.

Who we share it with

  • IRS Modernized e-File & FinCEN BSA — the tax forms you sign and authorize us to transmit, plus the identifying data required to file them.
  • Stripe, Inc. — only the data needed to charge you (email, amount, IP address as part of fraud signals).
  • Plaid Inc. — your brokerage account credentials (handled directly by Plaid, never seen by us) and metadata about which institutions you connect.
  • Supabase / Vercel / Resend — sub-processors that host the database, the application servers, and transactional email. None of them sell your data; they act under their own DPAs.
  • Law enforcement — only when compelled by a valid US legal process and only the minimum scope demanded.

We do not sell your personal information to advertisers, data brokers, or any third party.

Where we store it

Tax-return data, brokerage tokens (encrypted), and account credentials live in a US-hosted Supabase Postgres database. Static assets and serverless functions run on Vercel. Database backups are retained encrypted by Supabase for up to 30 days.

How long we keep it

We retain filed returns and associated brokerage snapshots for seven years after the tax year, matching the IRS standard for return reconstruction. Account credentials are kept for as long as the account is active and deleted within 90 days after you ask us to close the account.

Your rights

You can request a copy of your data, ask us to correct it, or ask us to delete it. Email support@atamatax.com from the address on file. We respond within 30 days. California residents have additional rights under the CCPA; EU/UK residents under the GDPR (we are not a controller of EU resident financial data today and will update this policy when that changes).

Security

Production database access is restricted to two server-side keys. All connections to Atamatax and our sub-processors are encrypted in transit (TLS 1.2+). Plaid access tokens, social-security numbers, and other sensitive fields are encrypted at the application layer (AES-256-GCM) before they hit the database. Service-role keys never reach the browser.

No system is perfect. If we discover a security incident affecting your data we will notify you within 72 hours of confirming the incident, and we will publish a post-mortem on the same domain.

Children

Atamatax is not directed at and does not knowingly collect information from individuals under 16. If you believe a child has provided us data, email support@atamatax.com.

Changes to this policy

We will notify you by email at least 14 days before material changes take effect. The effective date at the top is updated whenever the policy changes.

Contact

Atamatax LLC
Email: support@atamatax.com