N
NoticeInbox

Privacy Policy

Last updated: June 14, 2025

1. Who We Are

NoticeInbox ("we", "us", "our") is an IRS and state tax notice deadline tracker for CPA firms. Our contact email is hello@noticeinbox.com.

This Privacy Policy explains what data we collect, how we use it, and the measures we take to protect it — including specific details about how we handle sensitive client information contained in forwarded tax notices.

2. Data We Collect

Account data

  • Name and email address of each team member.
  • Firm name and billing information (handled by Paddle).
  • Login sessions managed by Supabase Auth.

Notice and deadline data

  • Notice type (e.g., CP2000), issue date, and computed response deadline.
  • The email subject and sender of the forwarded notice, for audit purposes.
  • Confirmation status and the CPA who confirmed each deadline.

What we do NOT store

  • Raw email bodies containing PII in plain text. The body is processed in memory, PII is stripped, and the stripped text is discarded after classification.
  • Taxpayer Social Security Numbers, Employer Identification Numbers, phone numbers, dollar amounts, or street addresses.
  • PDF attachments after text extraction is complete. We do not archive the original PDFs.

3. How PII Is Handled

When a notice is forwarded to your firm inbox, we extract the text and apply an automated redaction step before any further processing:

  • Social Security Numbers (format 000-00-0000) are replaced with [SSN].
  • Employer Identification Numbers (format 00-0000000) are replaced with [EIN].
  • Dollar amounts, phone numbers, email addresses, street addresses, ZIP codes, and title-cased name patterns are similarly redacted.

Only after redaction is the text sent to Google's Gemini API for notice classification. The AI receives no taxpayer-identifying information. Redaction is applied even when classification can be done by our local rule-based catalog.

4. How We Use Data

  • To provide the Service: classify notices, compute deadlines, and display them in your dashboard.
  • To send transactional emails: deadline reminders, trial expiration notices, account confirmations.
  • To enforce billing via Paddle and manage your subscription.
  • To improve the notice classification catalog based on aggregated, non-PII patterns (notice codes and response-day counts only).

We do not sell your data, share it with advertisers, or use it for purposes beyond operating and improving the Service.

5. Data Isolation Between Firms

All tables that hold firm-specific data enforce PostgreSQL Row-Level Security (RLS). Each query is automatically scoped to your organization ID — a user in one firm is physically unable to read another firm's notices, clients, or deadlines, even through an application bug.

6. Third-Party Services

SupabasePrivacy policy

Database, authentication, and file storage. Data is stored in the US East region by default.

Google Gemini APIPrivacy policy

AI notice classification. Receives only redacted notice text — no PII. Google's data-processing terms apply.

ResendPrivacy policy

Inbound email routing (your firm inbox address) and outbound transactional email. Resend receives the raw forwarded notice; we apply PII redaction before downstream processing.

PaddlePrivacy policy

Payment processing and billing. Paddle is our Merchant of Record and collects payment and billing information under their own privacy policy.

VercelPrivacy policy

Application hosting. Vercel may collect request logs including IP addresses per their privacy policy.

7. Data Retention

  • Active subscription: notice and deadline data is retained for the life of the subscription.
  • After account termination: data is retained for 30 days, then permanently deleted, unless a longer period is required by law.
  • Raw email bodies: processed in memory and discarded; not retained at all.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. To make a request, email us at hello@noticeinbox.com. We will respond within 30 days.

Note: client taxpayer data (SSNs, EINs, etc.) is not stored by us — if you have a request relating to a specific taxpayer, that must be directed to your own firm as the data controller.

9. Cookies and Analytics

We use only functional cookies required for authentication (session tokens managed by Supabase). We do not use advertising cookies or cross-site tracking. We may use privacy-respecting analytics (e.g., aggregate page-view counts) with no personally identifiable information collected.

10. Security

We use industry-standard measures including HTTPS in transit, encryption at rest via Supabase, row-level access controls, and automated PII redaction before any third-party AI call. No system is perfectly secure; if you discover a vulnerability please disclose it responsibly to hello@noticeinbox.com.

11. Children

The Service is intended for professional use by adults. We do not knowingly collect data from anyone under 18.

12. Changes to This Policy

We may update this policy to reflect changes in our practices or the law. Material changes will be communicated by email at least 14 days before they take effect.

13. Contact

Questions or requests: hello@noticeinbox.com