Privacy Policy

At White Owl, privacy is not a compliance checkbox — it is foundational to our business model. We operate a marketplace connecting clients with tax professionals, which means you trust us with some of the most sensitive information about your financial life. We take that trust seriously.

This Privacy Policy describes how White Owl AI Inc. (“White Owl”, “we”, “us”, “our”) collects, uses, discloses, and protects your personal information when you use our Platform. It applies to all Users — Clients, Tax Professionals, Enterprise Users, and visitors.

This Policy applies to all personal information collected through:

• The White Owl website (whiteowl.app and subdomains)
• The White Owl web application and mobile applications
• The Document Vault and all document storage features
• In-platform messaging, video, and communication tools
• API integrations with third-party services
• Enterprise platform instances and white-label deployments
• Any communications with our team (email, support tickets, phone)

This Policy does not apply to the practices of Tax Professionals acting as independent data controllers with respect to client data they manage in their own professional systems. Tax Professionals who handle client data are responsible for their own compliance with applicable professional confidentiality laws and data protection regulations.

3.1 Information You Provide Directly

3.2 Information We Collect Automatically

3.3 Information from Third Parties

• Credential Verification Partners: Confirmation of license status and disciplinary records from state licensing boards, IRS PTIN database, bar associations, and equivalent foreign authorities.
• Identity Verification Services: Identity verification results (pass/fail, confidence score) — not raw document scans.
• Payment Processors: Transaction confirmation, tokenized payment identifiers, fraud risk signals — we never receive or store raw card numbers.
• Social / SSO Providers: If you register via Google or LinkedIn, we receive your name, email, and profile photo per that platform's permissions.

For Users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide Platform services, including account management, Engagement facilitation, payment processing, and Document Vault operation.
• Legitimate Interests (Art. 6(1)(f)): Platform security, fraud prevention, product improvement using anonymized data, and business analytics — balanced against your privacy rights.
• Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws including tax reporting, anti-money laundering requirements, and regulatory mandates.
• Consent (Art. 6(1)(a)): Marketing communications, optional features such as jurisdiction-day tracking, and AI training using identified data (where applicable). You may withdraw consent at any time.
• Special Categories (Art. 9): We do not intentionally collect special-category data. Where tax-related data incidentally reveals health, racial, or other sensitive information, processing is based on your explicit consent and professional necessity.

6.1 Sharing Within Engagements

When you initiate an Engagement, you authorize the Tax Professional you select to access your profile information and specific Document Vault documents you designate. This sharing is necessary to deliver the services you requested and is governed by the Tax Professional's professional confidentiality obligations.

6.2 Service Providers (Sub-processors)

We share data with carefully vetted service providers who process data on our behalf under strict contractual data processing agreements, including:

• Payment processing: Stripe (payment card processing and escrow management)
• Cloud infrastructure: AWS / GCP (encrypted data storage and compute)
• Identity verification: Stripe Identity (credential and ID verification)
• E-signature: DocuSign / HelloSign (document execution)
• Communications: Transactional email, SMS notification providers
• Analytics: Privacy-respecting analytics for Platform improvement (anonymized/aggregated data only)
• Security: DDoS protection, fraud detection, penetration testing partners

All sub-processors are contractually prohibited from using your data for any purpose other than providing services to White Owl. A full list of sub-processors is available at whiteowl.app/sub-processors.

6.3 Legal Disclosure

We may disclose personal information when required by law, court order, subpoena, or regulatory demand; to enforce our Terms; to protect the safety of Users or the public; or in connection with a merger, acquisition, or asset sale (with advance notice to affected Users).

6.4 With Your Consent

We may share your data for purposes not described above with your explicit consent, which you may withdraw at any time.

Because the Document Vault contains some of the most sensitive financial and personal information our Users possess, we apply enhanced protections beyond our standard data practices:

7.1 Tax Professional Access to Documents

Tax Professionals must agree to the Tax Professional Addendum, which includes binding obligations regarding the confidentiality and professional handling of Client documents — obligations that supplement and are independent of their applicable professional conduct rules (including IRC § 7216 restrictions on tax return preparer use of return information).

8.1 What AI Features Process

Our AI Tools process data to provide matching, document classification, research, and compliance features. The data used by each feature is:

• Matching Algorithm: Profile data, engagement history, jurisdiction preferences, and anonymized outcome data — never raw Client tax documents.
• Document Classification: Document content you upload to the Vault, processed in memory to extract structure and metadata. Raw document content is not retained by the classification model beyond the processing session.
• AI Research Tools: Your research queries and the jurisdictional context you provide. Query logs are retained in anonymized form for quality improvement.
• Compliance Checker / Day Counter: Location and date data you explicitly input. This feature is entirely user-initiated and requires explicit activation.

8.2 AI Model Training

We use anonymized, aggregated, de-identified metadata — such as engagement duration, document type categories, and matching outcome signals — to improve our AI features. This data cannot be linked back to any individual User. We will never use identified personal data or named tax documents to train AI models without explicit written consent.

We implement a comprehensive security program appropriate for a platform handling sensitive financial and tax data, including:

• Encryption: AES-256 encryption at rest for the Document Vault and all sensitive data stores; TLS 1.3+ for all data in transit.
• Access Controls: Role-based access control (RBAC) for all internal systems; principle of least privilege for all Platform personnel.
• Authentication: Multi-factor authentication (MFA) required for all Tax Professionals and all internal Platform personnel; strongly recommended for all Clients.
• Monitoring: Continuous security monitoring, intrusion detection, and anomaly alerting.
• Penetration Testing: Regular third-party penetration testing and vulnerability assessments.
• Incident Response: Documented data breach response plan with regulatory notification procedures compliant with GDPR (72-hour notification), CCPA, and applicable state breach notification laws.
• Personnel: Background checks for all personnel with access to User data; mandatory privacy and security training.

You may request deletion of your personal data before the end of a retention period. Deletion requests are subject to our legal obligations to retain certain data (e.g., financial records required by tax law). We will inform you of any data we are legally required to retain when processing your deletion request.

Upon account closure, you have 90 days to export your Document Vault contents. After this window, Vault data will be deleted on a rolling basis per our retention schedule, except as required by law.

White Owl is based in the United States. When Users from the EEA, UK, Canada, Australia, UAE, and other jurisdictions use the Platform, their data is transferred to and processed in the United States, which may not provide the same level of data protection as their home jurisdiction.

For EEA and UK Users, we rely on the following transfer mechanisms:

• Standard Contractual Clauses (SCCs): We have implemented the European Commission's approved SCCs with all sub-processors receiving EEA data.
• UK International Data Transfer Agreements (IDTAs): Where required for UK personal data.
• Adequacy Decisions: Where the European Commission has recognized the destination country as providing adequate protection.

For Canadian Users, cross-border transfers are conducted in compliance with PIPEDA's accountability and safeguard principles. For Australian Users, we comply with APPs 8.1–8.2 regarding overseas disclosure.

Subject to applicable law, all Users have the following rights regarding their personal data:

To exercise any right, contact us at privacy@whiteowl.app. We will respond within 30 days (or the shorter period required by applicable law). We may need to verify your identity before processing requests. We will not discriminate against you for exercising your privacy rights.

White Owl AI Inc., 1209 Orange Street, Wilmington, DE 19801, USA, is the Data Controller for personal data of EEA and UK Users. Our EU representative (if applicable) is To be appointed.

EEA and UK Users have the right to lodge a complaint with their local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In Ireland, this is the Data Protection Commission (DPC). We encourage you to contact us first at privacy@whiteowl.app so we may resolve any concerns directly.

Automated Decision-Making: Our AI matching algorithm produces recommendations that Clients and Tax Professionals are free to accept or disregard. Matching recommendations are not binding automated decisions in the sense of GDPR Art. 22. No fully automated decision with significant legal effect is made about Users without human involvement.

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have additional rights:

• Right to Know: The categories and specific pieces of personal information we collect, use, disclose, and sell.
• Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (financial data, tax records) only to the extent necessary to provide Platform services.
• Non-Discrimination: We will not discriminate against you for exercising CCPA rights.

In the preceding 12 months, we have collected the following categories of personal information: Identifiers; Personal information under Cal. Civil Code § 1798.80; Financial information; Commercial information; Internet or electronic network activity; Professional or employment information; Inferences about preferences.

We have not sold personal information in the preceding 12 months. To submit a CCPA request, contact privacy@whiteowl.app or call 1-800-WHITEOWL. Authorized agents may submit requests on your behalf with written authorization.

For Canadian Users, White Owl complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. We collect only the personal information necessary for identified purposes, and only with consent. Canadian Users may withdraw consent, subject to legal and contractual restrictions.

Our Chief Privacy Officer is responsible for ensuring compliance with PIPEDA obligations. Canadian Users who have concerns about our privacy practices may contact the Privacy Commissioner of Canada at priv.gc.ca.

16.1 Types of Cookies We Use

16.2 Managing Cookies

You can manage cookie preferences through our Cookie Preference Center (accessible via the cookie banner or footer link). You may also configure your browser to refuse or delete cookies, though this may affect Platform functionality. For analytics opt-out, you may also use browser-level Do Not Track signals, which we honor.

The Platform is not directed to individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a minor, we will delete it promptly. If you believe a minor has provided personal information through the Platform, please contact privacy@whiteowl.app.