Privacy & Data Security
Last updated: January 1, 2025
Your privacy is not just a policy; it is the cornerstone of our CPA and Enrolled Agent practice. As tax professionals, we are bound by strict ethical standards and federal laws—including the Gramm-Leach-Bliley Act (GLBA), Internal Revenue Code §7216, and IRS Publication 4557—to protect the confidentiality of your nonpublic personal information. We treat every client’s financial data with the same care and security we demand for our own.
1. Information We Collect
We collect only the information necessary to provide professional tax and accounting services. This information is gathered through our secure intake form, client portal, and direct communications.
- Identity Information: Full legal name, Social Security Number (SSN), Individual Taxpayer Identification Number (ITIN), date of birth, and government-issued photo ID numbers.
- Financial Information: W-2s, 1099s (NEC, INT, DIV, B, K), 1098s, brokerage statements, bank account numbers (for direct deposit/debit), cryptocurrency transaction records, and foreign financial account details.
- Contact Data: Email address, phone number, and physical address.
- Technical Data: IP addresses and browser type when you interact with our secure portal (strictly for fraud prevention and access logs).
We do not collect or retain any information beyond what is required to complete your tax filing or other engaged services.
2. How We Use Your Information
- To prepare and electronically file your Federal and State tax returns.
- To communicate with you regarding your tax status, missing documents, or IRS/State notices.
- To process payments for our services (via secure third-party processors like Stripe).
- To comply with legal obligations, including Anti-Money Laundering (AML) and Know Your Customer (KYC) laws, as well as IRS e-file authentication requirements.
- To maintain workpapers and records as required by professional standards and IRS regulations.
Strict Policy: We do not sell, rent, or trade your personal information to third parties for marketing purposes. Your data is used exclusively for the tax and accounting services you have engaged us to perform.
3. Information Sharing & Third Parties
We may share your information with trusted third parties solely to facilitate our services, and only to the extent required:
- Tax Software Providers: To calculate tax liability and electronically file returns with the IRS/State agencies. These providers are contractually bound to maintain confidentiality and security.
- Secure Cloud Storage: To securely store your documents (SOC‑2 compliant providers). All files are encrypted at rest and in transit.
- Payment Processors: To facilitate billing (we do not store full credit card numbers on our servers).
- Legal Requirement: If compelled by a valid court order, subpoena, or government investigation, we will disclose only the information specifically requested and will notify you unless prohibited by law.
We maintain a list of current subprocessors and will annually verify their SOC‑2 certifications or equivalent security credentials. A current list is available upon request.
4. Data Security Measures
We utilize industry-standard safeguards to protect your data, consistent with IRS Publication 4557 and NIST cybersecurity frameworks:
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES‑256). Our client portal uses bank‑grade encryption.
- Access Control: We enforce Multi-Factor Authentication (MFA) and strict role-based access controls for all staff. Only personnel directly involved in your engagement may access your file.
- Secure Portal: We strongly advise clients not to email sensitive information or documents (such as SSNs or W‑2s). We provide a secure, encrypted portal for all document uploads.
- Physical Security: Any paper documents received are scanned and uploaded to the encrypted portal, then securely shredded. We do not maintain paper client files.
Client Portal Responsibility: You are responsible for maintaining the confidentiality of your portal login credentials. Use strong, unique passwords and enable two‑factor authentication if available. Notify us immediately if you suspect unauthorized access.
5. Data Retention & Your Rights
In accordance with CPA professional standards and IRS regulations (including IRS Revenue Procedure 97‑22), we are required to retain copies of tax returns, workpapers, and supporting documentation. Generally, we retain records for seven (7) years from the date of filing. For dormant clients (no active engagement for over 7 years), records are securely destroyed in a manner that renders them permanently unreadable.
Your rights:
- You may request a copy of any information we hold about you at any time.
- You may request correction of inaccurate information.
- Given our legal obligation to retain tax records, we cannot delete information that is part of an active or past tax filing until the retention period expires. For other data (e.g., contact information), we will accommodate deletion requests promptly, provided no legal retention requirement applies.
- You may request a list of the third‑party service providers with whom we have shared your information for the purpose of delivering our services.
To exercise any of these rights, please contact our Privacy Officer at business@yellowbusinessservices.com. We will respond within 45 days as required by applicable law.
6. Client Responsibility
To help us protect your data, please:
- Never send SSNs, bank details, or tax documents via unencrypted email.
- Use the secure portal link we provide for all document uploads.
- Keep your portal credentials confidential and enable two‑factor authentication if available.
- Inform us immediately if you suspect unauthorized access to your account or any data breach.
7. GLBA & IRS Compliance
As a tax preparation firm, we comply with the Gramm-Leach-Bliley Act (GLBA) Financial Privacy Rule and Safeguards Rule. This includes:
- Annual privacy notices to clients explaining our data sharing practices.
- A comprehensive written information security plan (WISP) that outlines how we protect your nonpublic personal information.
- Designation of a responsible person to oversee data security.
- Regular risk assessments and employee training on data protection.
Under Internal Revenue Code §7216, we are prohibited from using or disclosing your tax return information for purposes other than the preparation of your tax return without your explicit, written consent. This consent is obtained via a separate form if ever needed (e.g., for client testimonials or referrals).
We do not use automated decision‑making or profiling that produces legal effects concerning you.
8. Breach Notification
In the unlikely event of a data breach involving your personal or financial information, we will notify you without unreasonable delay, in accordance with applicable state and federal laws. Our incident response plan includes:
- Immediate containment and assessment of the breach.
- Notification to affected clients within the timeframe required by law (generally 45 days or sooner).
- Description of the nature of the breach, categories of information involved, and steps we have taken to mitigate the impact.
- Recommendations for steps you can take to protect yourself, such as credit monitoring or fraud alerts.
9. Children’s Privacy & International Clients
Our services are not directed at children under the age of 13, and we do not knowingly collect information from children. If we learn that we have inadvertently received information from a child under 13, we will delete it immediately.
While our services are primarily for U.S. taxpayers, we also serve U.S. citizens residing abroad and certain non‑resident aliens. For clients in jurisdictions with data protection laws (e.g., GDPR in Europe), we honor applicable rights to access, rectification, erasure, and portability of personal data, subject to U.S. legal retention requirements. International transfers of data are protected by the same encryption and contractual safeguards described above.
10. Additional State Privacy Rights
Depending on your state of residence, you may have additional rights under laws such as the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), or Nevada Privacy Law. These may include:
- Right to know what personal information we collect, use, and disclose.
- Right to access and obtain a portable copy of your data.
- Right to request deletion (subject to legal retention requirements).
- Right to opt out of the sale or sharing of personal information for targeted advertising (we do not sell or share data for such purposes).
We do not respond to “Do Not Track” signals because no uniform standard has been adopted. However, you may exercise your privacy rights by contacting us directly.
11. Professional Notices
Circular 230 Disclosure: Any U.S. tax advice contained in this website (or any communication from our firm) is not intended or written to be used, and cannot be used, for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.
California Residents: Under the CCPA, you may have specific rights regarding your data. However, data collected for the purpose of tax preparation is largely exempt from CCPA deletion requests due to federal retention mandates (GLBA). We do not sell personal information.
GDPR: While our services are directed at U.S. taxpayers, we respect data subject rights under GDPR where applicable. Contact us for more information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The latest version will be posted on this page with a revised effective date. For material changes, we will provide prominent notice on our website or directly to active clients via email. Your continued use of our services after the effective date constitutes acceptance of the updated policy.
Privacy Questions?
If you have questions about how we handle your data, or wish to exercise your data rights, please contact our Privacy Officer at business@yellowbusinessservices.com or call (917) 997-9255.