Privacy Policy

Last updated: June 25, 2026

RAG Tax AI ("RAG Tax AI", "we", "us", or "the App") provides AI-assisted tax return review, workpaper preparation, client request workflows, tax research support, document analysis, accounting software integrations, and related CPA firm productivity tools. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what choices authorized users have.

This policy is written for firms and professionals using RAG Tax AI in connection with tax, accounting, and advisory work. The App is not intended for children, consumer social use, or unrelated personal data processing.

1. Information we collect

• Account and login information: usernames, display names, role assignments, hashed passwords, account status, spending limits, and session metadata needed to authenticate users and administer access.
• Uploaded tax and financial materials: tax returns, workpapers, organizer files, notices, trial balances, financial statements, PDFs, spreadsheets, images, and other documents users submit for review, preparation, extraction, or analysis.
• Client and workflow records: client names, entity details, tax years, return types, deadlines, tracker items, review findings, notes, firm library entries, generated drafts, and user-entered workflow data.
• Accounting software data: when authorized by a user, the App may retrieve reports and related data from connected accounting platforms such as QuickBooks Online and Xero, including profit and loss reports, balance sheets, trial balances, accounts, contacts, and other report data needed for tax workflows.
• Google account data: when authorized by a user, the App may access selected Google services such as Google Drive file metadata/content selected by the user, Gmail draft/compose functionality, and the user's Google email address, depending on the scopes granted.
• AI usage and cost data: model used, action type, token counts, estimated processing costs, timestamps, duration, and related operational metadata used for budgets, security, auditing, and service monitoring.
• Technical and security logs: IP-derived request information, browser and device metadata, server logs, rate-limit events, error logs, audit events, and security diagnostics.
• Access request data: information submitted through the "Request access" form, such as email, firm/company/person name, and estimated annual filed returns.

2. How we use information

• Authenticate users, enforce role-based access, manage administrator functions, and protect accounts.
• Analyze uploaded documents and accounting data to assist with tax return review, workpaper preparation, estimated tax workflows, notices, client deliverables, research, and related CPA firm operations.
• Generate AI-assisted summaries, review points, issue lists, workpapers, client request drafts, calculations, and other outputs requested by users.
• Connect to user-authorized third-party services such as Google Drive, Gmail, QuickBooks Online, and Xero.
• Track token usage, apply user-level spending limits, prevent excessive usage, troubleshoot errors, improve reliability, and secure the App.
• Respond to access requests, support questions, security issues, and administrative needs.

3. AI processing

RAG Tax AI uses third-party AI model providers, including Anthropic Claude, to process prompts and user-provided materials for the requested workflows. Information submitted for AI-assisted review may be sent to those providers solely to generate the requested output. Users should review all AI-generated outputs before relying on them. The App is a professional assistance tool and does not replace qualified tax judgment, CPA review, or firm quality-control procedures.

4. Google API data

If you connect a Google account, RAG Tax AI uses Google data only to provide user-facing features requested inside the App, such as selecting Drive materials for review or creating Gmail drafts. The App does not sell Google user data, does not use Google user data for advertising, and does not transfer Google user data except as necessary to provide the requested feature, comply with law, or protect the App. OAuth tokens are stored server-side and are not exposed to the browser.

5. Accounting integrations

If you connect QuickBooks Online, Xero, or another accounting platform, RAG Tax AI uses the authorized connection to retrieve accounting reports and related business data needed for tax review, workpaper preparation, reconciliation, and analysis. OAuth tokens are stored server-side. Users can revoke access from within the relevant provider account or by contacting an administrator.

6. How we share information

We do not sell personal information, client tax information, Google user data, or accounting data. We may share information only with:

• Service providers that host, secure, operate, or process the App, including AI model providers and infrastructure providers.
• Connected third-party platforms at the user's direction, such as Google, QuickBooks Online, or Xero.
• Firm administrators who manage users, budgets, access, security, and workflow operations.
• Legal or security recipients when required to comply with law, enforce terms, investigate abuse, protect users, or defend legal rights.

7. Data retention

Retention depends on the type of information and the purpose for which it is used. Account records, audit logs, cost logs, workflow records, access requests, and OAuth tokens may be retained while needed to operate the App, maintain security, support firm workflows, comply with legal obligations, or preserve business records. Uploaded files may be processed temporarily or retained when a workflow requires persistent storage. Administrators may request deletion or revocation of user accounts, OAuth tokens, or stored records, subject to legal, tax, accounting, backup, and security requirements.

8. Security

RAG Tax AI uses administrative, technical, and organizational safeguards designed to protect information, including authenticated access, role separation, HTTPS transport, server-side token handling, password hashing, budget enforcement, rate limiting, and audit logging. No system can guarantee absolute security, so users should avoid uploading unnecessary sensitive information and should promptly report suspected unauthorized access.

9. User responsibilities

Users are responsible for ensuring they have authority to upload, connect, or process client materials in the App. Users should review generated outputs, preserve required source documents, follow firm policies, comply with applicable tax and privacy laws, and avoid sharing credentials or unauthorized access.

10. Your choices

• You may disconnect Google, QuickBooks Online, Xero, or other connected services through the provider account or by contacting an administrator.
• You may request deletion or correction of account information where legally and operationally permitted.
• Administrators may disable accounts, reset passwords, change spending limits, or remove access.

11. Changes to this policy

We may update this Privacy Policy as the App evolves, including when new integrations, workflows, vendors, or security features are added. The "Last updated" date reflects the latest version.

12. Contact

For questions about this Privacy Policy, access, data deletion, or connected accounts, contact us at ramiroflores@ragtax-ia.com.