Privacy

Privacy notice.

Last updated 2026-04-27

This is a plain-language summary of what IRISfile does with the data you give it. The detailed policy lives below; the summary covers the 90% case for tax professionals using the product.

What we collect

  • Account data — email, name, password hash (handled by Clerk; we never see the password).
  • Filing data — payer EIN, payee TIN, payee name, address, and 1099 amounts that you upload as part of a submission.
  • Billing data — Stripe customer ID, subscription tier, and invoice history. Card numbers are held by Stripe; we receive only the last four digits and brand for display.
  • Operational logs — request timestamps, IPs, user agents, and IRS submission acknowledgements. Used for debugging and audit trails.

How we use it

  • To convert your FIRE / CSV / Excel files into IRIS XML and submit them to the IRS on your behalf.
  • To bill you for the subscription tier you chose.
  • To diagnose issues, prevent abuse, and produce an audit trail for IRS submissions.

We do not sell, rent, or share your data with marketing networks, advertising vendors, or LLM training pipelines.

How long we keep it

  • Source files (FIRE / CSV / Excel uploads): processed in-memory and not retained as raw blobs.
  • Structured records (parsed Form1099Record rows): retained for the IRS-recommended 4 years from the due date of the return, then deleted.
  • Generated IRIS XML: same 4-year retention, available for re-download and corrections.
  • Account data: kept while your account is active. Deletion on request, subject to legal hold.
  • Billing records: retained per Stripe’s policies and applicable tax law (typically 7 years).

Sharing with vendors

IRISfile is built on a small set of compliance-grade vendors: Clerk (auth), Supabase (Postgres), Stripe (billing), Vercel / Cloudflare (hosting + edge), and the IRS A2A API. Each processes data only as needed to deliver its part of the stack. See /security for the up-to-date list and posture.

Your rights

You can access, correct, or delete your data at any time by writing to privacy@irisfile.co. We respond within 30 days. California, EU, and UK residents have additional rights under CCPA / GDPR / UK GDPR; we honor those on request.

Contact

PixelCove LLC operates IRISfile. Questions: privacy@irisfile.co.

This notice is a working draft. We’ll update it as the product matures (and once a tax-aware attorney has reviewed it).