Privacy & Data Security
Effective Date: January 1, 2025 | Last Reviewed: June 2026
Your privacy is the bedrock of our CPA and Enrolled Agent practice. As federally‑authorized tax professionals, we are bound by the Gramm‑Leach‑Bliley Act (GLBA), Internal Revenue Code §7216, IRS Publication 4557, the AICPA Code of Professional Conduct, and all applicable state data protection laws. This policy explains in exhaustive detail how we collect, use, protect, share, and retain your non‑public personal information (“NPI”) when you engage our firm for tax preparation, accounting, or advisory services.
1. Information We Collect
We adhere to the data minimization principle, collecting only the personal information necessary to fulfill our engagement, comply with IRS e‑file requirements, and meet professional standards. Below is a comprehensive breakdown of the categories and specific data elements we may process.
1.1 Identity & Personal Data
- Full legal name (including former names, aliases, and maiden names if relevant for tax history)
- Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN)
- Date of birth, place of birth (city, state, country)
- Government‑issued photo identification: driver’s license, state ID, passport (used exclusively for identity verification, Form W‑7 ITIN applications, and e‑file authentication)
- Spouse and dependent information: names, SSNs/ITINs, dates of birth, relationship
- Marital status and date of marriage (if applicable for filing status)
- Mailing address, physical address, email address, telephone numbers, fax (if applicable)
- Emergency contact information (optional, only if provided voluntarily)
- Occupation, employer name, industry, and job title (as required for tax forms and Schedule C)
- Signature (electronic or physical) for engagement letters, consent forms, and e‑file authorizations
- IP address and device fingerprint when interacting with our secure portal – used solely for security and session integrity
1.2 Financial & Tax Data
- Income documents: W‑2, 1099 series (NEC, INT, DIV, B, K, MISC, etc.), 1098 series, SSA‑1099, RRB‑1099
- Schedule K‑1 (from partnerships, S‑corporations, trusts, estates)
- Brokerage and investment statements including cost basis, wash sales, and cryptocurrency transactions (wallets, exchanges, mining income)
- Bank account and routing numbers for direct deposit of refunds, direct debit for balance due, and payment processing
- Prior‑year tax returns (federal and state), IRS transcripts, and all IRS/state correspondence, including notices and audit letters
- Business financial records: profit & loss statements, balance sheets, general ledgers, trial balances, asset depreciation schedules, inventory records
- Foreign financial accounts (FBAR/FinCEN Form 114, FATCA Form 8938, Form 3520, 5471, etc.)
- Health insurance documents (Forms 1095‑A, 1095‑B, 1095‑C) when required for Premium Tax Credit or individual mandate calculations
- Real estate records: mortgage interest statements (Form 1098), property tax bills, closing statements
- Education expenses: Form 1098‑T, student loan interest statements (Form 1098‑E)
- Charitable contribution receipts, non‑cash donation records, and appraisals
- Retirement account statements (IRA, 401(k), pension distributions, Form 1099‑R)
- Health Savings Account (HSA) and Medical Savings Account (MSA) distributions
- Gambling winnings/losses, jury duty pay, alimony, and other miscellaneous income documents
1.3 Technical & Portal Data
- IP address, browser type, operating system – logged for session security and fraud prevention
- Portal login timestamps, pages viewed, actions taken within the secure client area (e.g., upload, download, message)
- Email metadata: sender, recipient, timestamp, subject line when communicating with us
- Device fingerprint (anonymized) used for anomaly detection on client portal access
- We do not use screen recording or keystroke logging technologies
1.4 Data We Do Not Collect
We do not request or knowingly process sensitive categories of data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health information beyond what is required on tax forms (and only if voluntarily supplied), or information about sex life or sexual orientation. If such data is inadvertently included in documents you provide, we will not use it for any purpose and will advise you to redact it.
1.5 Sources of Information
We collect information directly from you (via secure portal uploads, intake forms, email, phone, or in‑person meetings), from your authorized representatives (e.g., spouse, power of attorney), and from third parties with your consent (e.g., prior tax preparers, financial advisors, IRS transcripts via Form 8821). We also generate data internally, such as tax calculations, workpapers, and engagement notes.
2. How We Use Your Information
Every use of your NPI is tied directly to the professional services you have engaged. We do not use your data for secondary purposes without explicit consent. The following list details all processing activities:
- Tax Return Preparation, Review, and Filing: To accurately prepare, review, and e‑file federal and state income tax returns, extensions, amended returns, and associated schedules. This includes calculations, error checking, and compliance with IRS guidelines.
- ITIN Applications (Form W‑7): To assist with ITIN applications, including certifying identity documents for submission to the IRS, and navigating the ITIN renewal process.
- Tax Planning & Advisory: To provide projections, estimated tax calculations, and strategic tax planning based on your financial profile. This involves analyzing your current data to forecast future tax liabilities.
- IRS/State Correspondence & Audit Representation: To respond to notices, prepare audit documentation, and represent you before taxing authorities (with executed Power of Attorney forms). This includes correspondence analysis and drafting responses.
- Billing & Payment Processing: To calculate engagement fees, generate invoices, and process payments via Stripe. Full credit card numbers are never stored on our systems.
- Identity Verification & E‑File Authentication: As required by the IRS, we use your SSN/ITIN and photo ID to verify your identity before transmitting returns. This is mandatory for e‑file.
- Client Communication: To provide status updates, request missing information, schedule appointments, and deliver completed returns. We use encrypted email where possible.
- Regulatory Compliance: To comply with IRS record‑keeping rules, Anti‑Money Laundering (AML) regulations, Know Your Customer (KYC) requirements, and professional standards. This includes retaining documents for mandated periods.
- Quality Assurance & Training: Anonymized, aggregated data may be used internally for process improvement and staff training – never in a manner that identifies individual clients.
- Fraud Detection & Prevention: IP addresses and access logs are analyzed for suspicious patterns to protect your account.
Prohibition on Secondary Use: Under IRC §7216 and AICPA Ethics Rule 1.700.001, we are prohibited from using your tax return information for any purpose other than the preparation of your return without your explicit, written consent. This includes marketing other services, selling information to third parties, or sharing with affiliates.
Consent for Specific Uses: If we ever wish to use your data for a purpose not covered by this policy (e.g., a client testimonial or case study), we will obtain a separate, signed consent form compliant with IRS regulations (Form 7216 consent).
3. Information Sharing & Subprocessors
We share your NPI only with trusted service providers and only to the extent necessary. All providers are contractually bound to confidentiality and security standards at least as protective as our own. We do not sell your data.
3.1 Categories of Third‑Party Recipients
- Tax Software & E‑File Transmitters: Professional tax preparation software (SOC‑2 Type II certified) used to calculate tax, perform diagnostics, and e‑file returns.
- Cloud Storage & Backup: Encrypted, SOC‑2 compliant cloud infrastructure for secure workpaper retention.
- Payment Processor (Stripe): PCI‑DSS Level 1 certified; we never see or store complete card numbers.
- Electronic Signature Provider: For secure digital signing of engagement letters and IRS consent forms.
- Email & Communication Services: For transactional emails and secure client messaging (TLS 1.2+ enforced).
- Document Sharing & Portal: Encrypted client portal for uploads and downloads.
- Legal & Compliance: Disclosures required by court order, subpoena, or government investigation – only the specific information demanded, after notice to you if permitted.
3.2 Current Subprocessors Table
| Provider | Purpose | Data Accessed | Certification / Location |
|---|---|---|---|
| Professional Tax Software (e.g., Intuit ProConnect, Drake, UltraTax) | Tax calculation & e‑file | All tax data, SSN | SOC‑2 Type II, USA |
| Stripe, Inc. | Payment processing | Tokenized card info, amount | PCI‑DSS Level 1, USA |
| Google Workspace / Microsoft 365 | Email, calendar, secure storage | Email content, attachments | SOC‑2, USA |
| DocuSign / similar e‑signature | Electronic signatures | Name, email, IP | SOC‑2, USA |
| Encrypted Cloud Storage (e.g., Box, Dropbox Business) | Workpaper & document retention | All client documents | SOC‑2, USA |
We do not transfer personal data internationally for core tax processing. In the rare event that data must transit through a non‑US server, it remains encrypted and protected by adequate safeguards. A complete and up‑to‑date subprocessor list is available upon request.
3.3 No Sale or Sharing for Advertising
We do not sell, rent, or trade your personal information to any third party for monetary or other valuable consideration. We do not share data for cross‑context behavioral advertising.
4. Data Security Measures
Our information security program is modelled after NIST SP 800‑171, the IRS Publication 4557 “Safeguarding Taxpayer Data” guide, and the GLBA Safeguards Rule. We implement administrative, technical, and physical safeguards to protect your data.
4.1 Technical Controls
- Encryption: Data in transit is protected via TLS 1.2 or higher; data at rest is encrypted with AES‑256. Backups are also encrypted.
- Multi‑Factor Authentication (MFA): Enforced for all staff access to client systems, email, and administrative panels.
- Access Controls: Role‑based access – only team members assigned to your engagement can view your file. All access is logged and reviewed quarterly.
- Intrusion Detection & Prevention: Firewalls, anti‑malware, and anomaly detection systems monitor our network 24/7.
- Secure Portal: We provide a dedicated, encrypted client portal for all document exchanges. We strongly advise against sending sensitive documents via email.
- Vulnerability Management: Regular penetration testing and software patching.
- Endpoint Protection: All devices used for client work are encrypted and centrally managed.
- Data Loss Prevention (DLP): Tools that prevent unauthorized transfer of sensitive data outside the network.
4.2 Administrative Controls
- Annual security awareness training for all personnel, including phishing simulations.
- Background checks on employees with access to client data.
- Written Information Security Plan (WISP) reviewed and updated annually.
- Data classification policy to identify and protect sensitive data.
- Vendor risk management program with annual reviews of subprocessors.
- Incident response and business continuity planning.
4.3 Physical Controls
- Physical access to offices is restricted and monitored (badge access, CCTV).
- Paper documents received are immediately scanned into the secure portal, then cross‑shredded on‑site using DIN 66399 P‑4 shredders. No paper client files are maintained.
- Servers and network equipment are housed in SOC‑2 certified data centers with 24/7 security.
4.4 Your Role
You are responsible for maintaining the confidentiality of your portal credentials. Use a strong, unique password and enable MFA where available. Notify us immediately if you suspect unauthorized access to your account.
5. Data Retention & Destruction
5.1 Retention Periods
In accordance with IRS Revenue Procedure 97‑22, AICPA professional standards, and applicable statutes of limitation, we retain the following records:
- Tax returns and workpapers: Minimum of seven (7) years from the date of filing (or the due date, whichever is later).
- Engagement letters and consents: Seven (7) years after the termination of the client relationship.
- ITIN application records: Seven (7) years after submission.
- Financial statements and audit‑related documents: As required by professional standards (typically 7‑10 years).
- Corporate and estate tax records: May be retained longer due to complex statute limitations (e.g., 10+ years).
- General correspondence and non‑tax documents: Retained as needed for business purposes, typically not exceeding 7 years.
5.2 Destruction Process
Upon expiration of the retention period, records are securely destroyed in a manner that renders them permanently unreadable:
- Electronic records: Cryptographic erasure or overwriting per NIST SP 800‑88 guidelines.
- Physical media: Shredded using cross‑cut shredders meeting DIN 66399 security level P‑4 or higher.
- Certification of destruction is maintained where required.
Early Deletion Requests: Due to legal retention obligations, we cannot delete tax return information before the retention period expires. Non‑tax‑related data (e.g., contact details, general correspondence) can be deleted upon request, subject to our recordkeeping policies.
6. Your Rights & How to Exercise Them
Depending on your jurisdiction, you have the following rights regarding your personal data. We will honor all verifiable requests to the extent permitted by law and professional requirements.
6.1 Right to Access
You may request a copy of the personal information we hold about you. We will provide this in a commonly used electronic format within 45 days. A reasonable fee may be charged for excessive requests.
6.2 Right to Rectification
If you believe any information is inaccurate or incomplete, you have the right to have it corrected. We will update our records promptly upon verification.
6.3 Right to Deletion (Erasure)
You may request deletion of your personal data. However, we cannot delete information that is part of an active or past tax filing until the retention period expires, or that is otherwise required to be maintained by law (e.g., IRS recordkeeping, AML). For data not subject to such requirements, we will comply with deletion within 45 days.
6.4 Right to Restrict Processing
Under certain conditions, you can ask us to limit how we process your data. This may apply if you contest accuracy, the processing is unlawful, or you object to processing.
6.5 Right to Data Portability
You can request a copy of your tax data in a structured, commonly used, machine‑readable format (e.g., PDF, CSV of transaction data).
6.6 Right to Object
You can object to processing of your data for direct marketing (which we do not engage in) or in certain other circumstances.
6.7 Right to Non‑Discrimination
We will not discriminate against you for exercising any of your privacy rights. This includes denying services, charging different prices, or providing a different level of service.
6.8 Right to Opt‑Out of Sale/Sharing
We do not sell personal information, so an opt‑out mechanism is unnecessary. However, we respect all legal opt‑out preference signals where required.
6.9 How to Submit a Request
Email business@yellowbusinessservices.com or call (917) 997‑9255. We may ask for identity verification (e.g., confirm SSN last four, date of birth, or signed request) to protect your data. An authorized agent may submit a request on your behalf with written permission.
We will respond within 45 days, with a possible 45‑day extension if reasonably necessary (you will be notified).
7. Client Responsibilities
Protecting your data is a shared responsibility. As a client, you agree to:
- Provide accurate, complete, and truthful information necessary for your engagement.
- Use the secure portal for all document uploads – never email unencrypted sensitive documents.
- Maintain the confidentiality of your portal login credentials and not share them with unauthorized individuals.
- Enable multi‑factor authentication if offered by the portal.
- Promptly inform us of any changes to your contact information.
- Notify us within 24 hours if you suspect unauthorized access to your account, loss of credentials, or any data breach involving information you shared with us.
- Keep copies of all documents you submit for your own records.
- Understand that while we take extensive precautions, no method of electronic transmission or storage is 100% secure, and you accept the inherent risks.
8. GLBA & IRS §7216 Compliance
8.1 Gramm‑Leach‑Bliley Act (GLBA)
Our firm is a “financial institution” under the GLBA. We comply with both the Financial Privacy Rule (15 U.S.C. §§ 6801‑6809) and the Safeguards Rule (16 C.F.R. Part 314). This includes:
- Providing this clear, conspicuous privacy notice annually.
- Implementing a comprehensive Written Information Security Plan (WISP) that covers risk assessment, access controls, encryption, incident response, and vendor oversight.
- Designating a qualified individual (our Enrolled Agent / Privacy Officer) responsible for the information security program.
- Conducting periodic risk assessments and adjusting safeguards accordingly.
- Requiring all service providers to implement and maintain appropriate safeguards through contractual agreements.
- Ensuring proper disposal of consumer information.
8.2 Internal Revenue Code §7216
IRC §7216 and Treasury Regulations §301.7216‑1 et seq. prohibit any tax return preparer from using or disclosing a client’s tax return information for any purpose other than the preparation of the return without the client’s explicit, written consent. Our firm:
- Never uses tax return information for marketing, solicitation, or any purpose unrelated to tax preparation without a signed, time‑limited consent that explains the specific use.
- Obtains consent via IRS‑compliant forms (e.g., Form 7216) before using data for any secondary purpose.
- Trains all staff on the strict confidentiality requirements of §7216 and the associated civil and criminal penalties for violation.
- Maintains records of all §7216 consents for the required period.
8.3 IRS Publication 4557
We follow the security recommendations in IRS Publication 4557, “Safeguarding Taxpayer Data,” including employee background checks, malware protection, secure document disposal, and keeping operating systems patched.
9. AICPA Code of Professional Conduct
As a firm operating under the ethical standards of the American Institute of Certified Public Accountants (AICPA), we adhere to the Code’s confidentiality requirements, especially:
- Rule 1.700.001 – Confidential Client Information Rule: A member in public practice shall not disclose any confidential client information without the specific consent of the client.
- Rule 1.400.001 – Acts Discreditable Rule: We must not commit any act that would discredit the profession, including mishandling client data.
- Rule 1.300.001 – Due Professional Care: We must exercise due professional care in all services, which includes safeguarding client information.
- Interpretation 1.700.040: Provides guidance on safeguarding client information in an electronic environment, including encryption, access controls, and secure disposal.
- Interpretation 1.700.060: Addresses the disclosure of client information to third parties, requiring client consent unless a legal or professional obligation exists.
We treat all client information, whether oral, written, or electronic, as confidential. This obligation continues even after the client relationship ends.
9.1 Peer Review & Quality Control
We may be subject to AICPA‑sponsored peer reviews or other quality control inspections. In such cases, reviewers are bound by confidentiality agreements and will not disclose client‑specific information.
10. Breach Notification
We maintain a detailed Incident Response Plan. In the unlikely event of a security breach involving your NPI:
- We will contain the breach immediately and engage forensic experts if necessary.
- We will notify affected clients without unreasonable delay and no later than 45 calendar days from discovery, as required by most state breach notification laws.
- The notification will describe the nature of the breach, categories of information involved, steps we are taking to mitigate harm, and recommended actions for you (e.g., credit monitoring).
- We will offer complimentary credit monitoring and identity theft protection services if SSNs, financial account numbers, or driver’s license numbers were exposed.
- We will report the breach to relevant state attorneys general, federal regulators (including the FTC and IRS), and any other required entities.
- A record of the breach and our response will be maintained as required by law.
We carry cyber liability insurance to cover the costs associated with notification, credit monitoring, and legal defense.
11. Children’s Privacy & COPPA
Our services are not directed at children under the age of 13, and we do not knowingly collect personal information from children. If we become aware that we have inadvertently received data from a child under 13 without parental consent, we will delete it immediately. We comply with the Children’s Online Privacy Protection Act (COPPA) where applicable.
For dependents under 18 listed on a tax return, we collect only the information required by the IRS and treat it with the same confidentiality as all client data.
12. International Data Transfers
While our services are primarily for U.S. domestic taxpayers, we also serve U.S. citizens living abroad and certain non‑resident aliens with U.S. filing obligations.
12.1 Transfers Outside the U.S.
Core tax processing and data storage occur within the United States. If data must be transferred internationally (e.g., if you reside abroad and we correspond), it remains protected by the same encryption and contractual safeguards.
For clients in the European Economic Area (EEA), the UK, or Switzerland, we ensure adequate safeguards for such transfers, typically through Standard Contractual Clauses (SCCs) or reliance on an adequacy decision where applicable. By engaging our services, you consent to the transfer of your data to the United States for processing.
12.2 Data Subject Rights for Non‑U.S. Residents
If you are located in a jurisdiction with comprehensive data protection laws (e.g., GDPR, UK GDPR, PIPEDA), we extend the same rights described in Section 6, and you may also have the right to lodge a complaint with your local supervisory authority.
13. State‑Specific Privacy Rights
U.S. state privacy laws provide additional rights. Below is a detailed summary. All rights are subject to applicable exemptions (e.g., GLBA, IRS data).
13.1 California (CCPA/CPRA)
- Categories Collected: Identifiers, commercial information, financial data, internet activity, geolocation data, inferences.
- Business Purpose: Tax preparation, accounting, identity verification, billing.
- Rights: Know, Delete, Correct, Opt‑Out of Sale/Sharing (we do not sell/share), Limit use of Sensitive PI (SSN only used for tax purposes).
- Retention: Seven years minimum (GLBA/IRS), after which data is destroyed.
- Authorized Agent: Permitted with written permission.
- Non‑Discrimination: Guaranteed.
13.2 Virginia (VCDPA)
- Rights: Confirm processing, access, correct, delete, portability, opt‑out of targeted advertising, profiling, sale.
- We do not engage in targeted advertising or profiling. No sale of data.
- Appeal process available.
13.3 Colorado (CPA), Connecticut (CTDPA), Utah (UCPA)
Similar rights to Virginia, with minor variations. We honor all applicable rights. For details specific to your state, please contact us.
13.4 Nevada (NRS 603A)
We do not sell covered information. You may still submit a verified opt‑out request, which we will honor.
13.5 Other States
We comply with all state privacy laws in effect, including those in Oregon, Texas, Montana, Iowa, Delaware, Tennessee, Indiana, Florida, and any others as they come into force. Contact us for a jurisdiction‑specific addendum.
Do Not Track Signals: Our website does not respond to browser DNT signals because no consistent industry standard exists. You can manage cookies via browser settings.
14. Cookies & Tracking Technologies
We use minimal cookies and analytics to ensure site functionality, security, and continuous improvement.
| Cookie / Technology | Purpose | Duration | Type |
|---|---|---|---|
| PHPSESSID | Session management, CSRF token | Session | Essential |
| _ga, _ga_* (Google Analytics 4) | Anonymized site usage analytics | 2 years | Analytics |
| _clck, _clsk (Microsoft Clarity) | Anonymized user interaction recording | 1 year | Analytics |
| __stripe_mid, __stripe_sid (Stripe) | Fraud prevention for payments | 1 year / 30 min | Essential (fraud) |
You can block or delete cookies through browser settings. Note that disabling essential cookies may prevent the scheduling form and payment functions from working. We do not use tracking for advertising or profiling.
15. Data Inventory & Classification
We maintain a detailed data inventory that maps all personal data we collect, process, and store. Data is classified into three tiers:
- Confidential / Sensitive: SSN, ITIN, financial account numbers, full tax returns – highest protection, encrypted at rest and in transit, strict access control, never sent via unencrypted email.
- Internal Use Only: Workpapers, engagement notes, internal communications – protected by access controls and encryption, not shared externally.
- Public / Non‑Sensitive: Business contact information (firm phone, address) – already publicly available, minimal restrictions.
This classification drives our security controls, retention schedules, and incident response priorities. The inventory is reviewed and updated annually or upon significant change.
16. Privacy Impact Assessments (PIA)
We conduct a Privacy Impact Assessment whenever we introduce a new system, process, or third‑party service that involves the collection or processing of NPI. The PIA evaluates:
- What data is collected and why.
- How it will be used, stored, and shared.
- Potential privacy risks and mitigations.
- Compliance with GLBA, IRS, and AICPA requirements.
Our most recent PIA was completed in January 2025 and covered our online scheduling system and client portal integration. PIAs are retained and available for review by regulatory bodies upon request.
17. Business Continuity & Disaster Recovery
We maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure the availability and integrity of your data during unexpected events.
- All critical systems and client data are backed up daily with encrypted off‑site storage.
- Recovery Time Objective (RTO) for critical systems is less than 24 hours.
- Recovery Point Objective (RPO) is less than 1 hour (data loss limited to last hour of transactions).
- Alternate work locations and remote access capabilities enable continued service during office unavailability.
- The BCP/DRP is tested annually.
In the event of a disaster, your tax records remain protected and retrievable, ensuring we can meet filing deadlines and regulatory obligations.
18. Employee Confidentiality & Training
All employees and contractors sign confidentiality agreements as a condition of employment. These agreements prohibit the disclosure or misuse of client information, even after termination of employment.
18.1 Training Program
- Annual data privacy and security training covering GLBA, IRS §7216, phishing awareness, password hygiene, and incident reporting.
- Role‑specific training for staff handling sensitive data (e.g., SSNs, financial accounts).
- Quarterly security reminders and simulated phishing tests.
- Immediate reporting of any suspected privacy or security incident to the Privacy Officer.
19. Vendor & Third‑Party Risk Management
We assess all third‑party service providers before engagement and annually thereafter. The assessment covers:
- Security certifications (SOC‑2, ISO 27001, PCI‑DSS).
- Data handling practices and encryption standards.
- Incident response capabilities.
- Compliance with GLBA and applicable laws.
Contracts with subprocessors include data protection addenda, confidentiality clauses, and audit rights. We maintain a registry of all active third‑party relationships.
20. Data Subject Request Procedures
We have established a formal process to handle privacy requests efficiently:
- Receipt: Request received via email, phone, or mail. Logged with timestamp.
- Identity Verification: We may ask for proof of identity (e.g., government ID, knowledge‑based questions).
- Assessment: Determine applicability (e.g., whether data is subject to legal holds or retention obligations).
- Fulfillment: Provide access, correction, deletion, or other action within 45 days.
- Communication: Respond in writing, documenting the action taken or explaining any denial.
- Appeal: If denied, you may request an internal review, which we will complete within 45 days.
21. Record of Processing Activities (ROPA)
We maintain a Record of Processing Activities as required by certain state laws and as a best practice. The ROPA documents:
- Categories of data subjects (clients, dependents, etc.).
- Categories of personal data processed (identity, financial, technical).
- Purposes of processing (tax preparation, advisory, etc.).
- Data retention periods and deletion triggers.
- Recipients of data (subprocessors, IRS, state agencies).
- Technical and organizational security measures.
The ROPA is reviewed quarterly and updated as needed.
22. Consent Management
Where processing is based on consent (e.g., use of testimonials, marketing communications), we obtain explicit, informed consent via a clear affirmative action. You may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
For tax‑related processing, consent is not the primary legal basis; rather, it is the necessity to perform the engagement contract and compliance with legal obligations.
23. Professional Notices & Legal References
23.1 Circular 230
Any U.S. tax advice contained in this communication (including this website) is not intended or written to be used, and cannot be used, for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending any transaction or matter addressed herein.
23.2 No Legal Advice
This privacy policy does not constitute legal advice. For legal questions regarding your data protection rights, consult an attorney.
23.3 Governing Law
This policy and all privacy‑related matters are governed by the laws of the State of New York (and Mississippi, as applicable), without regard to conflict of law principles, and applicable federal laws of the United States. Any disputes shall be resolved in the courts of New York County, New York.
23.4 Key Legal References
- Gramm‑Leach‑Bliley Act (15 U.S.C. § 6801 et seq.)
- IRS Code §7216 and Treasury Regulations §301.7216‑1
- IRS Publication 4557, “Safeguarding Taxpayer Data”
- AICPA Code of Professional Conduct, Sections 1.700, 1.300, 1.400
- California Consumer Privacy Act (CCPA/CPRA), Cal. Civ. Code §1798.100 et seq.
- Virginia Consumer Data Protection Act (VCDPA), Va. Code §59.1‑575 et seq.
- Colorado Privacy Act (CPA), C.R.S. §6‑1‑1301 et seq.
- Connecticut Data Privacy Act (CTDPA), Conn. Gen. Stat. §42‑515 et seq.
- Utah Consumer Privacy Act (UCPA), Utah Code §13‑61‑101 et seq.
- NIST SP 800‑171, “Protecting Controlled Unclassified Information in Nonfederal Systems”
24. Changes to This Policy
We may update this policy periodically. The latest version will be posted here with a revised “Effective Date.” For material changes, we will provide prominent notice on our website homepage and, for active clients, a direct email notification at least 30 days before the change takes effect (where feasible). Your continued use of our services after the effective date constitutes acceptance of the updated policy. We encourage you to review this page annually.
Historical versions of this policy are available upon request.
25. Contact & Complaints
If you have questions about this policy, wish to exercise your rights, or need to report a privacy concern, contact our Privacy Officer:
Privacy Officer: Pradip Dubaria, Enrolled Agent
Email: business@yellowbusinessservices.com
Phone: (917) 997‑9255
Mailing Address: Yellow Business Services Co., 1450 Broadway, New York, NY 10018 (and 3900 Lakeland Drive, Flowood, MS 39232)
If you are dissatisfied with our response, you may file a complaint with the Federal Trade Commission (FTC), the IRS Taxpayer Advocate Service, your state Attorney General, or (for EU/UK residents) your local data protection authority.