Privacy Policy

Last updated: March 27, 2026

At Toozi, your privacy isn't just a legal obligation — it's a core principle. We built this product to help you manage your business, not to harvest your data. This policy explains what we collect, why, and what we do (and don't do) with it.

What We Collect

  • Account information: name, email address, phone number, and business type provided during signup
  • Financial data: transactions, invoices, expenses, and tax estimates you create or that sync from connected accounts
  • Usage data: how you interact with Toozi (pages visited, features used, SMS messages sent to our system)
  • Device information: browser type, operating system, and IP address for security purposes
  • Payment information: billing details are processed and stored by Stripe — we never see or store your full card number

How We Use Your Data

  • To power your Toozi experience: categorizing expenses, generating invoices, calculating tax estimates, sending reminders
  • To communicate with you via SMS, email, and in-app notifications
  • To improve our product based on aggregate usage patterns (never individual data)
  • To detect and prevent fraud, abuse, or security threats
  • To comply with legal obligations (tax reporting requirements, law enforcement requests with valid legal process)

What We Don't Do

This is the important part:

  • We do NOT sell your data to anyone. Ever. Period.
  • We do NOT share your financial data with advertisers
  • We do NOT use your data to build advertising profiles
  • We do NOT sell or rent your email address or phone number
  • We do NOT allow third-party tracking or analytics companies to access your financial data

Data Security

  • All data is encrypted in transit using TLS 1.3
  • All data is encrypted at rest using AES-256 encryption
  • Authentication is powered by Supabase Auth with support for multi-factor authentication (MFA)
  • We use row-level security (RLS) in our database — your data is only accessible to you
  • Regular security audits and penetration testing
  • SOC 2 compliance in progress

Third-Party Services

We use the following third-party services to operate Toozi:

  • Supabase: database and authentication
  • Stripe: payment processing and invoice payment acceptance via Stripe Connect
  • Brevo: email and SMS delivery
  • Google Calendar: calendar integration (only when you explicitly connect it)
  • Anthropic: AI features (your data is processed but never stored by Anthropic for training)
  • Plaid: bank account connection and transaction data — governed by Plaid's Privacy Policy at plaid.com/legal
  • Twilio: SMS message delivery — your phone number and message content are transmitted through Twilio's platform
  • TaxJar: sales tax calculation and jurisdiction data
  • SignNow: electronic document signing for proposals
  • IRS MeF: your tax return data is transmitted directly to the IRS via the Modernized e-File system

Each service has its own privacy policy, and we only share the minimum data necessary for each service to function.

AI & Automated Data Processing

Toozi uses artificial intelligence powered by Anthropic Claude to process your data and provide automated features.

Data processed by AI includes:

  • Transaction descriptions and amounts
  • SMS messages you send to Toozi
  • Uploaded documents (PDFs, receipts, bank statements)
  • Conversation history with the Toozi assistant
  • Business profile information (industry, entity type, location)

How AI processing works: Your data is sent via encrypted API to Anthropic Claude for real-time processing. Anthropic processes your data solely to generate a response and does not store, retain, or use your data for model training or any other purpose.

AI is used for:

  • Automatic expense/income categorization
  • Quarterly tax estimation
  • Conversational SMS assistant
  • Document and receipt data extraction
  • Personalized business habit recommendations
  • Calendar event billing detection
  • Sales tax calculation assistance

AI inputs and outputs are stored in Toozi's database as part of your account data and are subject to the same retention, security, and deletion policies as all other account data.

You can avoid AI processing by not using the SMS assistant, auto-categorize, document import, or AI advisor features. Core manual features (invoicing, time tracking, bill management) function without AI.

Cookies & Local Storage

Toozi does not use third-party tracking cookies, advertising cookies, or behavioral analytics cookies.

We use browser local storage for essential functionality only:

  • Authentication session token (toozi-auth-token) to keep you signed in
  • Tax settings preferences for your filing configuration
  • UI state such as dismissed banners and onboarding progress
  • Cached data for application performance

All local storage is essential/functional and is used solely to operate the application. We do not use cookies or local storage for advertising, cross-site tracking, or profiling.

No cookie consent banner is required because we do not use non-essential cookies. This disclosure is provided for transparency.

SMS Communications

We offer SMS-based features through our AI assistant. By providing your phone number and consenting to SMS:

  • You may receive transactional messages (invoice confirmations, payment alerts, tax reminders)
  • You may interact with our AI assistant via text message
  • Message and data rates may apply based on your carrier
  • Reply STOP at any time to unsubscribe from all SMS communications
  • Reply HELP for assistance
  • SMS message content and your responses may be logged to provide the service and improve accuracy
  • We use Twilio to deliver SMS messages — see twilio.com/legal/privacy for their policy

No sharing of SMS opt-in data. All of the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties for their own purposes, excluding aggregators and providers of the text message services.

Bank Account Data (Plaid)

When you connect a bank account through Plaid:

  • We access read-only transaction data to help categorize your income and expenses
  • We never store your bank username or password — authentication is handled entirely by Plaid
  • We only access the accounts and date ranges you explicitly authorize
  • Bank connection tokens are encrypted and stored securely
  • You can disconnect your bank at any time from Settings → Connections
  • Plaid's data practices are governed by their Privacy Policy at plaid.com/legal
  • We do not use your bank data for any purpose other than providing the Toozi service to you

Tax Return Data & SSN Handling

When you prepare and file tax returns through Toozi:

  • Your Social Security Number (SSN) is required by the IRS for e-filing and is transmitted via encrypted connection directly to IRS systems
  • SSNs are encrypted at rest using AES-256 encryption and are never displayed in full after entry
  • Your tax return data (income, deductions, credits) is stored securely and only accessible by you
  • We transmit your return via the IRS Modernized e-File (MeF) system using a secure encrypted SOAP connection
  • We retain copies of submitted returns to provide you with filing history — you can delete these from your account at any time
  • We are registered with the IRS as an Electronic Return Originator (EFIN: 969341)
  • We do not share your tax data with any third party except the IRS and applicable state tax agencies as required for filing
  • Your tax data is never used for advertising, marketing, or sold to data brokers

Payment Processing (Stripe)

Subscription payments are processed by Stripe:

  • We never see, store, or have access to your full credit card number
  • Card data is tokenized and stored by Stripe under PCI DSS compliance
  • We store only the last 4 digits and card type for display purposes
  • Stripe Connect is used to facilitate payment acceptance for your business invoices — your customers' payment data is governed by Stripe's privacy policy
  • See stripe.com/privacy for Stripe's full privacy policy

Your Rights

You have the right to:

  • Access all data we store about you
  • Export your data at any time
  • Correct any inaccurate information
  • Delete your account and all associated data from Settings → Delete Account
  • Opt out of marketing communications

Data Retention

  • Active accounts: we retain your data as long as your account is active
  • Deleted accounts: all personal data is permanently deleted within 30 days of account deletion
  • Legal obligations: some financial records may be retained for up to 7 years as required by tax law

Children's Privacy

Toozi is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Toozi does not sell your personal information to third parties.

Toozi does not share your personal information for cross-context behavioral advertising.

As a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Request correction of inaccurate personal information
  • Obtain a copy of your personal information in a portable format
  • Not be discriminated against for exercising your privacy rights

To exercise any of these rights, contact us at hello@toozitax.app or text (844) 482-4881. We will respond to verified requests within 45 days.

Changes to This Policy

We may update this policy from time to time. We'll notify you of significant changes via email or in-app notification. Continued use of Toozi after changes constitutes acceptance.

Contact

Questions about privacy? Email us at hello@toozitax.app or text us at (844) 482-4881.