California Residents: Your Privacy Rights
Under the California Consumer Privacy Act (CCPA), you have the right to know what personal data we collect, request deletion of your data, and opt-out of data sales (we don't sell your data).
To exercise your rights, email support@deductmax.com with "CCPA Request" in the subject line.
1. Introduction
deductmax.com ("Service", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our tax calculation service.
By using DeductMax, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies, please do not use the Service.
2. Information We Collect
Information You Provide Directly:
- Account Information: Email address, name (if provided), password (hashed and encrypted)
- Google OAuth Data: If you sign up using Google, we receive your email address and profile information
- Receipt Images: Photos or scans of receipts you upload (JPEG, PNG, PDF, HEIC, TIFF, WebP, GIF, BMP, AVIF formats)
- Mileage Data: CSV files from mileage tracking apps (MileIQ, Everlance, TripLog) or manual entry
- Vehicle Information: Make, model, year, license plate number, odometer readings, date placed in service
- Financial Data: Expense amounts, vendor names, transaction dates, business use percentages, tax year
- Payment Information: Payment details are processed by Stripe; we store only transaction IDs, amounts, and payment status (not full credit card numbers)
Information Collected Automatically:
- Browser Fingerprints: User agent, language, platform, screen resolution, color depth, timezone
- IP Addresses: Your IP address is logged for security and analytics
- Session Activity: Pages visited, buttons clicked, time spent on pages
- Device Information: Device type, operating system, browser type and version
- Cookies: Session cookies for authentication, analytics cookies for usage tracking
Information Generated by Our Service:
- OCR Text: Text extracted from your receipts using AI/machine learning
- AI Analysis: Categorized expense data, confidence scores, flagged items
- Tax Calculations: Deduction amounts, business use percentages, audit risk assessments
- PDF Reports: Generated reports with calculations and supporting data
3. How We Use Your Information
We use your personal information for the following purposes:
- Provide the Service: Process receipts, perform OCR, calculate tax deductions, generate reports
- Account Management: Create and manage your account, authenticate logins, send verification emails
- Payment Processing: Process payments via Stripe, track purchase history
- Customer Support: Respond to inquiries, troubleshoot technical issues, provide usage guidance
- Service Improvement: Analyze usage patterns, improve OCR accuracy, fix bugs, develop new features
- Legal Compliance: Comply with tax laws, respond to legal requests, prevent fraud
- Communications: Send transactional emails (verification codes, calculation completion, important updates)
We do NOT use your data for:
- Selling or renting personal information to third parties
- Targeted advertising based on your financial data
- Sharing your tax calculations with anyone except you
4. Third-Party Data Sharing
We share your data with the following third-party service providers to operate the Service:
| Third Party | Data Shared | Purpose |
|---|
Mistral AI
Privacy Policy | Receipt images (base64 encoded) | OCR text extraction from images and PDFs |
Anthropic (Claude AI)
Privacy Policy | OCR-extracted text | Receipt analysis and expense categorization |
AWS S3
Privacy Policy | Receipt images, PDF reports | Cloud file storage with encryption |
Stripe
Privacy Policy | Email, payment information | Payment processing and billing |
Mailgun
Privacy Policy | Email addresses | Transactional emails (verification codes, notifications) |
Google OAuth
Privacy Policy | Email, profile information | Account authentication (if you sign up with Google) |
Data Processing Locations:
- Mistral AI: Europe (France)
- Anthropic (Claude): United States
- AWS S3: US-East-1 region (United States)
- Stripe: United States
- Mailgun: United States
We do NOT sell your personal information to third parties.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers uses HTTPS/TLS encryption
- Encryption at Rest: Receipt images in AWS S3 are encrypted using server-side encryption (AES-256)
- Password Protection: Passwords are hashed using bcrypt before storage; we never store plaintext passwords
- Access Controls: Database access is restricted to authorized personnel only
- Authentication: JWT (JSON Web Tokens) with 1-hour expiration for access tokens, 30-day expiration for refresh tokens
- Presigned URLs: Receipt image URLs expire after 7 days for security
No Guarantee of Absolute Security: Despite our best efforts, no internet transmission or electronic storage is 100% secure. You use the Service at your own risk.
6. Data Retention
How Long We Keep Your Data:
- Active Session Data: Until you complete your calculation or 90 days of inactivity, whichever comes first
- Receipt Images: 7 years (IRS audit statute of limitations) or until you request deletion
- OCR Text and Calculations: 7 years or until you request deletion
- Account Data: Until you close your account, plus 30 days for backup retention
- Analytics Data: Aggregated and anonymized data may be retained indefinitely for service improvement
- Payment Records: Stripe retains payment records for 7 years to comply with tax laws; we cannot delete these
We do NOT automatically delete your data. You must request deletion if you want your data removed before the 7-year retention period.
7. Your Privacy Rights
For All Users:
- Access Your Data: Request a copy of the personal information we have about you
- Correct Inaccurate Data: Update or correct errors in your account information
- Delete Your Data: Request deletion of your personal information (see Section 9)
- Export Your Data: Download your receipts, calculations, and reports in portable formats (PDF, CSV)
- Opt-Out of Communications: Unsubscribe from non-essential emails (transactional emails cannot be disabled)
California Residents (CCPA Rights):
Under the California Consumer Privacy Act (CCPA), California residents have additional rights:
- Right to Know: Request disclosure of categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (with certain exceptions for legal compliance)
- Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
How to Exercise Your Rights:
Email support@deductmax.com with subject line "CCPA Request" or "Privacy Rights Request". We will respond within 30 days.
8. Cookies and Tracking Technologies
We use essential cookies for authentication and analytics cookies for usage tracking. You can disable non-essential cookies via browser settings.
9. How to Delete Your Data
Email support@deductmax.com with subject line "Delete My Data". We will process deletion within 30 days. Deletion is permanent and cannot be undone.
Privacy in Summary:
- ✓ We collect receipt images, mileage data, and financial information to provide our service
- ✓ Your data is shared with AI providers (Mistral, Anthropic) for OCR and analysis
- ✓ We do NOT sell your personal information
- ✓ Data is encrypted in transit (HTTPS) and at rest (S3)
- ✓ We retain data for 7 years unless you request deletion
- ✓ California residents have CCPA rights (access, deletion)
- ✓ Email support@deductmax.com to exercise your privacy rights