Privacy Policy

Effective Date: April 11, 2026
Last Updated: April 11, 2026
Operator: StayGuard LLC d/b/a Unlevered.io

This Privacy Policy describes how StayGuard LLC d/b/a Unlevered.io ("Unlevered," "we," "us," or "our") collects, uses, stores, and shares information when advisors and their clients use the Unlevered Tax Strategy Portal (the "Platform"). It applies to both the advisor-facing portal and the client-facing portal.

We treat client tax data with the same standard of care a CPA practice would. We do not sell client data, we do not use it to train machine learning models, and we do not share it with anyone outside the parties listed in Section 5.

1. Information We Collect

1.1 Advisor account information. When an advisor creates an account, we collect: name, email address, professional credentials (e.g., CPA, EA), firm name, firm logo (if uploaded), and password (hashed by Supabase Auth). If the advisor enables MFA, we store an encrypted TOTP secret.

1.2 Client information uploaded by the advisor. Advisors enter or upload client tax information including: full name, email, phone number, filing status, income figures, deductions, business details, real estate holdings, retirement contributions, equity compensation, and other tax-relevant data. Advisors may also upload supporting documents such as W-2s, 1099s, K-1s, and prior tax returns.

1.3 Information clients provide directly. If an advisor invites a client to the client portal, the client may submit information directly via the public tax engine link or upload documents. This information goes to the advisor's firm and is treated as part of that firm's data.

1.4 Usage and audit data. We log every privileged action in the Platform: logins, document uploads, document downloads, plan generation, plan delivery, client deletion, data export, MFA enrollment, IP allowlist changes. Each entry includes the actor user ID, firm ID, action name, source IP address, user agent, and timestamp.

1.5 Billing information. Subscription and payment information is processed by Stripe. We do not store full payment card details on our own infrastructure. We store the Stripe customer ID and subscription metadata.

2. How We Use Information

We use information for the following purposes only:

  • To provide the Platform to the advisor and their clients.
  • To run the deterministic tax strategy engine on client data the advisor enters.
  • To generate the plan documents and PDFs the advisor delivers to clients.
  • To send notifications (in-portal and, in the future, email) about activity on the advisor's account.
  • To bill the advisor under the Practice Plan ($99/month + $5 per report).
  • To enforce security: detect suspicious activity, run audit logs, support investigations.
  • To respond to support requests from the advisor.

We do not use client tax data to train any machine learning model. We do not use it for advertising. We do not use it to derive aggregate insights for sale to third parties.

3. Tax AI Chat and Document Extraction

The Platform includes a Tax AI Chat feature and an optional document extraction feature that send data to a third-party AI provider (currently Anthropic). When you use these features:

  • Tax AI Chat: Your question is sent to Anthropic along with general tax research context retrieved from our public tax knowledge base. We do not include any specific client name, identifier, or PII in chat requests unless the advisor explicitly types it into the chat input.
  • Document extraction: Uploaded tax documents are sent to Anthropic for field extraction. The extracted text and field values return to the Platform and are stored against the client record. The original document is not retained by the AI provider beyond the processing window.

Anthropic has its own data processing terms. Per their commercial agreement, customer data submitted via the API is not used for model training. Advisors who do not want any client data sent to Anthropic should not use the Tax AI Chat or document extraction features.

4. How We Store and Protect Information

4.1 Hosting. The Platform runs on Netlify (application) and Supabase (database, storage, auth). Both providers maintain SOC 2 Type II compliance and operate from AWS US regions. Unlevered does not run its own server infrastructure.

4.2 Encryption at rest. All Supabase Postgres data is encrypted at rest with AES-256 managed by AWS KMS. All Supabase Storage objects (uploaded documents) are encrypted at rest with AES-256.

4.3 Encryption in transit. All connections use TLS 1.2 or higher with modern cipher suites. HSTS is enabled for the production domain.

4.4 Application-layer encryption. Particularly sensitive fields (MFA secrets, encrypted SSN columns, encrypted phone numbers, encrypted file paths) are additionally encrypted at the application layer with AES-256-GCM, the authenticated encryption mode specified in NIST SP 800-38D.

4.5 Multi-tenant isolation. Every database query enforces firm-level isolation via Row Level Security policies. Even if application code has a bug that tries to query across firms, the database refuses.

4.6 Document access. Uploaded documents are never served via public URLs. Access is granted through short-lived signed URLs (default 60 seconds) bound to the requesting user's session.

5. Who We Share Information With

We share information only with the following parties, only for the purposes listed, and only under written data processing agreements where applicable:

  • Supabase, Inc.: Database, storage, authentication. Required to operate the Platform.
  • Netlify, Inc.: Application hosting and CDN. Required to serve the Platform.
  • Stripe, Inc.: Subscription billing and payment processing. Receives advisor email, firm name, and billing details.
  • Anthropic PBC: Tax AI Chat and document extraction. Receives the specific text or document the advisor sends. Subject to the limits described in Section 3.
  • Email provider (Phase 2): Once Unlevered enables outbound email delivery, an email service provider will receive recipient email addresses and message content for the purpose of delivering plan and notification emails.

We do not sell client data. We do not share client data with advertisers, data brokers, or any party not listed above. We do not use client data to train any model.

We may disclose information if required to do so by law (subpoena, court order, valid government request) or to protect the safety, rights, or property of Unlevered, our customers, or others.

6. Data Retention and Deletion

6.1 Retention period. Active client records and audit logs are retained for seven years from the last engagement, aligned with IRS recordkeeping guidance for tax preparers. After seven years, records are eligible for automatic purge unless under legal hold.

6.2 Deletion requests. Advisors can request deletion of their own account or any client record by contacting support@unlevered.io. Upon a valid deletion request, we will delete the requested records within 30 days, log the deletion in the audit trail, and provide a deletion certificate. Some records (audit logs, billing records) may be retained longer where required by law.

6.3 Subscription termination. If an advisor cancels their subscription, their data is retained for 30 days in a wind-down period during which they can export it. After 30 days the data is moved to cold storage and is eligible for deletion under the seven-year retention rule in Section 6.1.

7. Your Rights

Depending on the jurisdiction the data subject is in, you may have the following rights under applicable law (CCPA, CPRA, GDPR, and similar):

  • The right to know what personal information we have collected about you.
  • The right to request a copy of that information in a portable format.
  • The right to request correction of inaccurate information.
  • The right to request deletion of your information.
  • The right to opt out of any sale or sharing of personal information (we do not sell or share, so this is automatic).
  • The right to non-discrimination for exercising any of the above rights.

For advisors, these rights are exercised through the Settings page or by emailing support@unlevered.io. For clients whose information is held in an advisor's portal, requests should be directed to the advisor in the first instance. The advisor controls the data; Unlevered processes it on the advisor's behalf.

8. International Users

Unlevered operates from the United States. If you access the Platform from outside the U.S., your information will be transferred to and processed in the U.S. By using the Platform you consent to this transfer. The Platform is not currently designed to comply with all GDPR requirements; if you are a data subject in the EU/EEA, please contact us before using the Platform with EU clients.

9. Children's Privacy

The Platform is not directed at children under 13 and we do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email or in-app notification at least 30 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

11. Contact

Questions about this Privacy Policy, data subject requests, or data security concerns: support@unlevered.io

StayGuard LLC d/b/a Unlevered.io