Template — review with counsel to match your jurisdiction
Privacy Policy
This Privacy Policy explains how AITA ("we", "us") collects, uses, and shares personal data when you use the AITA platform, websites, and related services (the "Service"). For workspace data uploaded by our business customers, we act as a processor under the DPA.
1. Data we collect
- Account data: name, business email, role, workspace membership, authentication metadata.
- Workspace content: tax documents, transaction extracts, vendor information, notes, and other data uploaded by customers.
- Usage telemetry: session timestamps, feature events, IP address, browser and device information, error logs.
- Billing data: handled by Stripe; we do not store card numbers.
- Support data: messages exchanged with our support team.
2. How we use data
- Deliver, secure, and improve the Service.
- Authenticate users and prevent abuse.
- Provide support and respond to enquiries.
- Send transactional emails (billing, security, product changes).
- Comply with legal obligations.
We do not sell personal data. We do not use customer workspace content to train third-party foundation models.
3. Legal bases (GDPR / UK GDPR)
Contract (to provide the Service to you); legitimate interests (securing and improving the Service, direct communications with existing customers); consent (optional cookies, marketing emails); legal obligation (tax, accounting, responding to lawful requests).
4. Sub-processors and sharing
We share personal data with vetted sub-processors that support the Service, listed at /trust. We may disclose data where required by law or to protect rights, property, or safety. We do not sell or rent personal data.
5. International transfers
Data may be processed in the EEA, UK, or US. Transfers outside the EEA/UK to countries without an adequacy decision rely on the EU Standard Contractual Clauses and the UK IDTA.
6. Retention
Account and workspace data are retained while your subscription is active and for up to 30 days after termination, after which they are deleted from primary stores. Backups expire within the provider's point-in-time recovery window (currently 7 days). Billing records are retained for the period required by applicable tax law.
7. Security
We apply the technical and organisational measures summarised at /trust, including encryption in transit and at rest, role-based access, MFA for administrators, and audit logging.
8. Your rights
Subject to applicable law you may request access, correction, deletion, portability, restriction, or objection to processing of your personal data. To exercise these rights, email privacy@aita.tax. If your workspace is managed by an employer or organisation, please contact them first — we act as a processor on their behalf. You also have the right to lodge a complaint with a supervisory authority.
9. Cookies
We use strictly necessary cookies for authentication and session management, and minimal analytics cookies where enabled. You can control cookies via your browser.
10. Children
The Service is not directed to individuals under 16 and we do not knowingly collect their personal data.
11. Changes
We may update this Policy from time to time. Material changes will be notified via email or in-product notice at least 30 days in advance.
12. Contact
Privacy questions and data-subject requests: privacy@aita.tax.
Last updated: 2026-07-10. See also: Terms of Service, DPA.