Privacy Policy & Taxpayer Data Safeguards

Effective Date: 01/01/2026

1. Purpose and Scope

This Privacy Policy describes how Sommer Bookkeeping (“we,” “us,” or “our”) collects, uses, stores, and safeguards taxpayer information through our secure tax document collection portal (the “Portal”).

We are committed to protecting Federal Tax Information (FTI) and Personally Identifiable Information (PII) in accordance with IRS Publication 4557 – Safeguarding Taxpayer Data, applicable federal and state laws, and industry best practices.

2. Information We Collect

We collect only information necessary to provide tax preparation, filing, and related professional services.

a. Taxpayer Information

Name, address, and date of birth
Social Security Number (SSN) or Taxpayer Identification Number (TIN)
Prior-year and current-year tax returns
IRS forms (e.g., W-2, 1099, K-1, 941, 940)
Payroll, income, and expense documentation
Business ownership and financial records

b. Authentication & Access Data

Usernames and encrypted credentials
Multi-factor authentication data
Login timestamps and access history
IP addresses and device metadata

3. Use of Taxpayer Data

Taxpayer data is used solely for authorized and lawful purposes, including:

Collecting and organizing tax documentation
Preparing and filing federal, state, and local tax returns
Responding to IRS or state agency inquiries
Maintaining required records under IRS regulations
Ensuring system security, integrity, and auditability

We do not use taxpayer data for marketing, advertising, or non-tax-related purposes.

4. Storage and Hosting of Taxpayer Data

All uploaded documents and associated taxpayer data are stored in a private S3 object storage bucket configured with the following safeguards:

No public access or public bucket exposure
Access restricted via authenticated application credentials
Logical separation of customer data
Audit logging and access monitoring

S3 is used strictly as a secure storage provider and does not have independent authorization to access taxpayer data.

5. Safeguards for Taxpayer Data (IRS Pub 4557)

We maintain a Written Information Security Plan (WISP) consistent with IRS Publication 4557, incorporating administrative, technical, and physical safeguards.

a. Administrative Safeguards

Designated Data Security Officer
Periodic risk assessments
Mandatory security awareness training
Written incident response and data breach procedures
Least-privilege access for employees and contractors

b. Technical Safeguards

Multi-factor authentication for system access
Role-based authorization controls
Continuous logging and monitoring
Regular patching and vulnerability remediation

c. Physical Safeguards

Secure cloud infrastructure controls
Restricted access to systems containing taxpayer data
Policies governing remote access and endpoint security

Taxpayer data may be disclosed only in the following circumstances:

To authorized tax professionals involved in your engagement
To IRS, state, or local tax authorities when legally required
To vetted service providers supporting secure operations (e.g., hosting or security services), under written confidentiality agreements
When required by law, subpoena, or court order

We do not sell or disclose taxpayer data for advertising, analytics, or profiling purposes.

7. Incident Response and Data Breach Notification

In the event of a suspected or confirmed data security incident involving taxpayer information, we will:

Immediately contain and assess the incident
Activate our IRS-aligned Incident Response Plan
Notify affected individuals as required by law
Coordinate with the IRS, state agencies, and law enforcement when applicable
Implement corrective actions to prevent recurrence

8. Data Retention and Secure Disposal

Taxpayer data is retained only as long as necessary to:

Provide professional tax services
Comply with IRS and state record retention requirements
Address audits, disputes, or legal obligations

When data is no longer required, it is securely deleted or rendered unreadable in accordance with IRS data disposal guidelines.

9. User Responsibilities

Users are responsible for:

Maintaining the confidentiality of login credentials
Using strong, unique passwords
Enabling and maintaining multi-factor authentication
Promptly reporting suspected unauthorized access

Failure to follow basic security practices may increase risk to taxpayer data.

10. Your Rights

Subject to applicable law and IRS requirements, you may request:

Access to your personal information
Correction of inaccurate data
Deletion of data where legally permissible

Requests may be limited by mandatory tax record retention laws.

11. Policy Updates

This Privacy Policy may be updated periodically to reflect changes in IRS guidance, legal requirements, or security practices. Updates will be posted within the Portal with a revised effective date.

12. Contact Information

For questions regarding this Privacy Policy or our data protection practices, contact:

Sommer Bookkeeping
Email: [info@sommerbookkeeping.com]