Privacy Policy

Deductiv (“Deductiv,” “we,” “us”) is an AI tax assistant for U.S.-based self-employed individuals, freelancers, and small business owners. We help you find deductible business expenses across your email and bank accounts, organize them for tax filing, and track 1099 income.

This policy explains what information we collect, how we use it, who we share it with, and the choices you have. By using Deductiv, you agree to this policy.

Contact: privacy@deductiv.io

2.1 Account information

When you sign up we collect your email address, name, password (stored as a bcrypt hash by Supabase Auth — we never see your plaintext password), and optional business details (business name, EIN, entity type, industry, fiscal year).

2.2 Financial data from Plaid

If you connect a bank or credit card account, we use Plaid Inc. as the data provider. Plaid securely connects to your financial institution and returns:

• Account metadata (institution name, account name, account type, last four digits of account numbers, currency)
• Transaction history (date, amount, merchant name, category, transaction description, location when available)
• Account balances

We use this data to identify deductible business expenses and 1099 income. We never see and never store your bank login credentials — those go directly from you to Plaid and never touch Deductiv’s servers. Plaid’s own privacy practices are described at plaid.com/legal.

2.3 Email data from Google (Gmail)

If you connect your Gmail account, we use the Gmail API under Google’s OAuth 2.0 framework. We request the following scopes:

• gmail.readonly — to read receipt emails for expense extraction
• gmail.send — to send 1099 requests on your behalf, only when you click “Send”
• gmail.modify — to label processed receipts so we don’t re-scan them

Google API Services User Data — Limited Use disclosure: Deductiv’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Gmail data only to provide and improve the user-facing features of Deductiv (deduction extraction, 1099 tracking).
• We do not sell Gmail data, transfer it for advertising, or use it for any purpose unrelated to the features above.
• We do not allow humans to read Gmail data, except (a) with your explicit consent, (b) for security investigations, (c) to comply with applicable law, or (d) in aggregated, anonymized form for internal operations.

2.4 Deduction records and AI inputs/outputs

We store the deduction records we extract from your email and bank data (vendor, amount, date, category, our confidence score, your edits and notes). We may send sanitized excerpts of your data (e.g., the body of a receipt email, a transaction description) to our AI sub-processor (Anthropic) to categorize the expense. We do not include your name, email address, or bank account numbers in these prompts.

2.5 1099 client data

If you use Deductiv to send 1099s, we store the names, business names, mailing addresses, EINs/SSNs, email addresses, and payment amounts of your contractors and clients. This data is used solely to generate and send 1099 forms on your behalf.

2.6 Subscription & payment data

Payments are processed by Stripe (web) and Apple In-App Purchase (mobile). We never see your full card number. We store your subscription status, plan, period end date, and Stripe customer ID. See Stripe’s privacy policy at stripe.com/privacy.

2.7 Device and usage data

We log standard server-side request data (IP address, timestamp, endpoint, user agent) for security and debugging. Error reports are sanitized to exclude personally identifying information. We do not currently use third-party analytics or advertising trackers.

• Provide the service: extract deductions from email and bank data, categorize them, prepare them for tax filing, send 1099s.
• AI categorization: send sanitized excerpts to Anthropic (Claude API) to classify expenses and answer your questions in the in-app chat.
• Account & subscription management: authenticate you, process payments, send transactional emails (receipts, security alerts).
• Security: detect fraud, abuse, and unauthorized access; maintain an audit log of privileged actions.
• Legal compliance: respond to lawful requests and comply with applicable regulations.

We do not sell your personal information. We do not use your financial data for advertising. We do not use your data to train AI models.

We share data only with the sub-processors below, each of which is contractually bound to protect it:

We may also disclose data when required by law, to enforce our terms, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you).

• In transit: all client/server communication uses TLS 1.2 or higher.
• At rest: Supabase encrypts all database storage at rest. Sensitive credentials (OAuth refresh tokens, Plaid access tokens) are additionally encrypted at the application layer with AES-256-GCM before storage.
• Access control: every database table containing user data has Postgres Row Level Security enforced, so users can only read and write their own rows.
• Authentication: Supabase Auth with bcrypt password hashing and short-lived JWTs. Multi-factor authentication is available and required before connecting a bank account.
• Mobile device storage: auth tokens are stored in the iOS Keychain or Android Keystore.
• Audit trail: every privileged action writes to an immutable audit log, retained 24 months.

No system is perfectly secure. If you discover a vulnerability, please report it to security@deductiv.io.

We keep your data for as long as your account is active. When you delete your account, we permanently delete your personal data within 30 days, except:

• Audit log entries are retained for 24 months for security and compliance.
• Payment and tax records may be retained as required by U.S. tax law (typically 7 years).
• Backups are purged on a rolling 30-day cycle after primary deletion.

You can request earlier deletion of specific records (e.g., an individual deduction) at any time from within the app.

You can, at any time:

• Access & export: download all of your data in machine-readable format from Settings.
• Correct: edit or delete any deduction, client, or profile field directly in the app.
• Delete: permanently delete your account and all associated data; processed within 30 days.
• Disconnect Plaid: revoke bank access from Settings, or from your own bank’s connected-app management page. We immediately stop pulling new data, and we delete the stored Plaid access token.
• Disconnect Google: revoke Gmail access from Settings, or at myaccount.google.com/permissions.

California residents (CCPA/CPRA): you have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise any right, email privacy@deductiv.io.

Other U.S. state rights (Virginia, Colorado, Connecticut, Utah, and others): you have similar access, deletion, and correction rights. Same contact.

Deductiv is intended for adults running their own businesses. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us information, contact us and we will delete it.

Deductiv is operated from and stores data in the United States. If you access the service from outside the U.S., you consent to the transfer and processing of your data in the U.S.

The Deductiv web app uses first-party cookies strictly necessary for authentication (your Supabase session). We do not use third-party analytics, advertising, or tracking cookies. The mobile app stores its session in the iOS Keychain or Android Keystore — no cookies.

We may update this policy as the product and applicable law evolve. The “Effective date” at the top reflects the most recent update. Material changes will be communicated via email or in-app notice before they take effect.

Questions, requests, or complaints: privacy@deductiv.io.