Privacy Policy
Last updated: April 2026
Notice of Privacy Practices — Financial Information
Federal law requires us to tell you how we collect, share, and protect your personal financial information. Please read this notice carefully.
What we collect: We collect personal information such as your name, address, Social Security number, income, and tax documents you provide to us in connection with tax preparation and advisory services.
What we share: We do not sell your personal financial information. We share it only as necessary to provide services to you (see Section 5 — Service Providers) or as required by law.
How we protect it: We use technical, administrative, and physical safeguards described in our Written Information Security Program (WISP) to protect your information. Staff with access to client data are required to use multi-factor authentication and are bound by confidentiality obligations.
1. Information We Collect
We collect the following categories of information:
- Identity data: Name, email address, and account credentials you provide when accessing the Portal
- Tax and financial documents: W-2s, 1099s, K-1s, bank statements, identity documents, and other files you upload
- Usage and security data: IP addresses, browser type, session timestamps, and actions taken within the Portal — collected for security audit and compliance purposes
- AI-extracted data: When you consent to automated document analysis, structured data fields (such as employer name, income figures, and tax year) may be extracted from your documents by automated means (see Section 3)
2. How We Use Your Information
We use the information we collect to:
- Provide tax preparation, advisory, and related professional services
- Communicate with you about your documents, account status, and deadlines
- Maintain immutable security audit logs as required by applicable law
- Comply with IRS record-keeping obligations (IRS Publication 552)
- Detect, investigate, and prevent security incidents and fraud
- Comply with our obligations under the Gramm-Leach-Bliley Act (GLBA) and IRS Publication 4557 (Safeguarding Taxpayer Data)
3. Automated Document Analysis (AI Processing)
With your separate consent at the time of upload, documents you upload may be processed by automated data-extraction technology powered by Google's Gemini AI service. This processing extracts structured data fields (such as payer name, amounts, and tax year) to assist our staff in reviewing your documents.
This disclosure is made pursuant to Treasury Regulation §301.7216-2. By providing consent at upload, you authorize HLin CPA to use Google's Gemini AI service to process your tax information for the purpose of document preparation assistance. You may decline this consent; document upload and review will proceed without automated extraction.
Google processes this data subject to its Data Processing Addendum. We use the Gemini API; data submitted via the API is not used to train Google's models by default. Please review Google's retention terms for the API tier in use.
4. Document Storage and Security
Documents are stored using AES-256 encryption at rest and TLS 1.2+ encryption in transit. Access is restricted by role-based controls: only authorized HLin CPA staff may access your documents. All document access is logged in a tamper-resistant audit log recording the actor, action, timestamp, and IP address.
Every uploaded file is scanned for malware before it is made available to staff. Infected files are quarantined and never retained.
Our security practices are governed by a Written Information Security Program (WISP) maintained pursuant to IRS Publication 4557 and the FTC Safeguards Rule (16 CFR Part 314).
5. Service Providers (Subprocessors)
We use the following third-party service providers to operate the Portal. Each is bound by data processing agreements and confidentiality obligations:
- Supabase, Inc. — database, authentication, and file storage (hosted on AWS us-east-1)
- Vercel, Inc. — application hosting and content delivery
- Resend, Inc. — transactional email delivery
- Cloudmersive, Inc. — virus and malware scanning of uploaded files
- Google LLC (Gemini API) — automated document data extraction (only when you provide separate consent — see Section 3)
- Upstash, Inc. — rate limiting and abuse prevention
- Cloudflare, Inc. — bot protection (CAPTCHA verification at login)
We do not sell your personal information to any of these providers or to any other party.
6. Data Retention
Tax documents and associated records are retained for seven (7) years from the date of upload, consistent with IRS Publication 552 record-keeping requirements. This retention period applies even if you request deletion of your personal information (see Section 7), as retention is required by law and falls within the exemption provided under California Civil Code §1798.105(d)(2).
After the mandatory retention period, documents are permanently and securely deleted. You will receive advance notice before permanent deletion occurs.
Security audit logs are retained for [ATTORNEY REVIEW: confirm retention period] years to satisfy applicable regulatory requirements.
7. Your Rights (California Residents — CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, and how we use and share it
- Right to Delete: You may request deletion of your personal information, subject to our legal retention obligations (see Section 6)
- Right to Correct: You may request correction of inaccurate personal information we hold about you
- Right to Opt Out: We do not sell or share your personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Information: We use sensitive information (such as Social Security numbers) only as necessary to provide tax preparation services
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights
To exercise these rights, contact us at the address in Section 11. We will respond to verifiable requests within 45 days (extendable by an additional 45 days when reasonably necessary), as required by law.
8. Security Incident Notification
In the event of a security incident involving your personal information, we will notify you in accordance with California Civil Code §1798.82 and other applicable law. Notification will be provided without unreasonable delay and, where required, within the timeframes prescribed by law.
To report a suspected security vulnerability or incident, contact security@hlincpa.com.
9. Cookies and Tracking
The Portal uses essential session cookies for authentication only. We do not use third-party tracking, advertising, or analytics cookies. No personal information is shared with advertising networks.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice within the Portal at least 30 days before the changes take effect. Continued use of the Portal after the effective date constitutes acceptance of the revised Policy.
11. Contact Us
For questions about this Privacy Policy, to exercise your rights, or to report a security concern, contact us at:
Harry C. Lin, CPA — A Professional Corporation
888 S. Brea Canyon Road, Suite 225
Diamond Bar, CA 91789
Tel: (626) 810-3403
Email: privacy@hlincpa.com
www.harrylincpa.com