
Legal

Privacy Policy

Effective: April 1, 2026  ·  GatherDoc, Inc.  ·  Questions: legal@gatherdoc.io

Plain-English Summary: GatherDoc is a B2B service used by accounting firms. We collect firm account data and End Client contact metadata (names, emails, phone numbers) to power automated document follow-up sequences. We never store tax returns, SSNs, or financial data. End Client PII is automatically deleted within 7 days of collection completion. We do not sell data. Ever.

Contents

  1. Who We Are
  2. Data We Collect
  3. How We Use Data
  4. What We Do Not Store
  5. Auto-Deletion Policy
  6. Data Sharing & Disclosure
  7. Third-Party Services
  8. Messaging & Communications
  9. Security
  10. Data Retention
  11. Your Rights
  12. California Privacy Rights (CCPA)
  13. International Users & GDPR
  14. Children’s Privacy
  15. Changes to This Policy
  16. Contact Us

Section 1

Who We Are

GatherDoc, Inc. (“GatherDoc,” “we,” “us,” or “our”) operates the GatherDoc document chase automation platform for accounting professionals. This Privacy Policy explains how we collect, use, and protect information in connection with our services.

GatherDoc acts as a data processor (and a CCPA “service provider”) on behalf of accounting firms (“Firms”) with respect to End Client data. The Firm is the data controller for its clients’ personal information. GatherDoc acts as a data controller for information about Firm accounts and users.

GatherDoc also operates as an auxiliary service provider as defined under Treasury Regulation § 301.7216-1(b)(2), providing document collection communications in connection with tax return preparation. In this capacity, GatherDoc uses taxpayer contact information solely for the purpose of delivering authorized document collection reminders on behalf of the subscribing Firm, and for no other purpose.

Section 2

Data We Collect

We collect two categories of data:

Firm Account Data - Information about the accounting firm and its staff members:

Data Type | Examples | Source
Account identity | Name, email address, firm name | You, at signup
Authentication | Login credentials (managed by Clerk) | Clerk auth provider
Billing | Subscription plan, billing history (card data held by Stripe) | Stripe payment processor
Usage data | Feature usage, chase counts, session logs | Automatically collected
Support communications | Emails, help requests | You, when contacting support

End Client Data - Information about the Firm’s tax clients, imported by the Firm:

Data Type | Examples | Source
Contact information | Name, email address, phone number | Firm import / Portal sync
Return metadata | Return type (1040, 1120-S, etc.), tax year | Firm import
Collection status | Readiness score, chase count, status label | GatherDoc system
Communication log | Message timestamps, delivery status, opt-outs | GatherDoc system

Section 3

How We Use Data

We use the data we collect to:

  • Provide, operate, and maintain the GatherDoc Service
  • Send automated Chase Sequence emails and SMS messages to End Clients on the Firm’s behalf
  • Process Subscription payments via Stripe
  • Authenticate Firm users via Clerk
  • Sync client status with connected Portals (TaxDome, SmartVault) via Zapier
  • Generate chase history logs and readiness reports for Firms
  • Provide customer support and respond to inquiries
  • Detect and prevent fraud, abuse, or security incidents
  • Comply with legal obligations
  • Improve the Service using anonymized, aggregated analytics

We do not use End Client data for any purpose other than providing the Service to the Firm that imported it. We do not use End Client data for marketing, advertising, or profiling.

Section 4

What We Do Not Store

GatherDoc is a metadata and communication tool only. We have zero access to, and do not store, any of the following:
  • Social Security Numbers (SSNs) or Individual Taxpayer Identification Numbers (ITINs)
  • Employer Identification Numbers (EINs)
  • Tax return contents or tax return data of any kind
  • W-2s, 1099s, K-1s, or any tax source documents
  • Bank account numbers, credit card numbers, or financial account data
  • Financial statements, balance sheets, or income data
  • Health information or HIPAA-protected data
  • Attorney-client privileged communications

Our system design enforces these limits at the data model level - these fields do not exist in our database schema.

Section 5

Auto-Deletion Policy

PII Auto-Delete: When an End Client’s status reaches “Collection Complete,” all associated End Client PII - name, email, and phone number - is automatically and permanently deleted from GatherDoc’s systems within 7 days. This is irreversible.

After auto-deletion, the following non-PII metadata is retained for the Firm’s audit log:

  • Return type and tax year (no client name)
  • Chase count and communication timestamps
  • Collection completion date
  • Readiness score history

This auto-deletion policy is a core feature of GatherDoc designed to minimize data retention and reduce compliance risk for accounting firms. The 7-day window allows for any necessary record-keeping before permanent deletion.

Firms that require longer retention of End Client contact data must maintain that data in their own practice management systems. GatherDoc is not designed or intended to serve as a long-term client contact database.

Section 6

Data Sharing & Disclosure

We do not sell personal data. We do not sell, rent, or trade End Client data or Firm data to any third party for commercial purposes.

We share data only in the following limited circumstances:

  • Service Providers: We share data with vendors who help us operate the Service (listed in Section 7). These providers are bound by data processing agreements and may only use data to provide services to us.
  • With Your Portal: Status updates and workflow triggers are synced to your connected TaxDome or SmartVault account via Zapier, as directed by you.
  • Legal Requirements: We may disclose data if required by law, court order, or valid governmental request, or to protect the rights, property, or safety of GatherDoc, our users, or the public.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, data may be transferred as part of that transaction. We will notify affected Firms with at least 30 days’ notice.

Section 7

Third-Party Services

GatherDoc uses the following third-party services to operate. Each has its own privacy policy:

Provider | Purpose | Data Shared
Clerk | User authentication & session management | Firm user email, name, login metadata
Stripe | Payment processing | Billing contact, subscription data (no card data stored by us)
Neon | Serverless Postgres database hosting | All application data (encrypted at rest)
Zapier | Webhook automation for Portal integrations | Status updates, workflow triggers
SendGrid | Transactional email delivery | End Client email address, message content
Twilio | SMS delivery | End Client phone number, message content

Section 8

Messaging & Communications

To End Clients (on behalf of the Firm): GatherDoc sends automated email and SMS messages to End Clients solely as directed by the Firm. Every outbound SMS includes a STOP opt-out instruction. Every outbound email includes the Firm’s identity and an opt-out mechanism, as required by CAN-SPAM. Opt-out requests are processed immediately and respected in all future sequences.

To Firm Users: We send transactional emails related to your account (billing receipts, password resets, important service notices). We may also send product updates and tips. You may opt out of non-transactional emails at any time.

GatherDoc does not send marketing or promotional messages to End Clients. Chase Sequences are operational messages sent at the direction of the Firm and are limited to document collection communications.

Section 9

Security

We implement industry-standard technical and organizational security measures to protect data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption in transit (TLS 1.2+) and at rest for all stored data
  • Row-level security (RLS) in our database, scoped to individual firms
  • Multi-factor authentication (TOTP) enforced for all Firm accounts via Clerk
  • Strict API authentication with short-lived session tokens
  • Regular security reviews and dependency updates

No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security.

Breach Notification: In the event of a confirmed data breach affecting End Client personal information or Firm account data, we will notify affected Firm customers within 72 hours of our confirmation of the breach, as required under GDPR Article 33 and applicable US state breach notification laws. Notification will be sent to the primary email address on your account and will describe the nature of the breach, the data affected, and the steps we have taken or are taking to address it.

Section 10

Data Retention

We retain data for as long as necessary to provide the Service and comply with legal obligations:

  • End Client PII: Deleted within 7 days of “Collection Complete” status (see Section 5)
  • End Client metadata (non-PII): Retained for the life of the Firm’s account for audit log purposes
  • Firm account data: Retained for the life of the account plus 30 days after cancellation (note: a 30-day happiness guarantee refund window applies from initial signup - see our Terms of Service)
  • Billing records: Retained for 7 years to comply with financial record-keeping requirements
  • Support communications: Retained for 3 years

Upon account termination, all Firm data and any remaining End Client PII is deleted within 30 days. You may request an export of your chase history log before deletion.

Section 11

Your Rights

Firm Account Holders have the right to:

  • Access - Request a copy of the personal data we hold about you
  • Correction - Request correction of inaccurate data
  • Deletion - Request deletion of your account and associated data
  • Portability - Request an export of your data in a machine-readable format
  • Objection - Object to certain processing activities

To exercise these rights, contact legal@gatherdoc.io. We will respond within 30 days.

End Clients who have received messages from a GatherDoc-powered accounting firm and wish to opt out, access, or delete their data should contact the accounting firm directly, as the firm is the data controller for End Client data. GatherDoc will cooperate with Firms in responding to End Client data requests.

Section 12

California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request information about the categories and specific pieces of personal information we have collected, the sources, the purposes, and any third parties we share it with.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: GatherDoc does not sell or share personal information for cross-context behavioral advertising. This right is not applicable, but you may contact us to confirm.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email legal@gatherdoc.io with the subject “CCPA Request.” We may need to verify your identity before processing the request.

Section 13

International Users & GDPR

GatherDoc is primarily designed for accounting firms operating in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following applies:

Legal Basis for Processing: We process Firm account data based on (a) performance of our contract with you, (b) our legitimate interests in operating a secure, reliable service, and (c) your consent where required. End Client data is processed based on the Firm’s instructions as data controller.

Data Transfers: Data is stored and processed in the United States. If you are in the EEA, your data is transferred to the US under appropriate safeguards (Standard Contractual Clauses or equivalent).

GDPR Rights: EEA residents have the rights listed in Section 11 and may also lodge a complaint with their local supervisory authority.

If your firm requires a Data Processing Agreement (DPA) for GDPR compliance, contact legal@gatherdoc.io.

Section 14

Children’s Privacy

GatherDoc is a professional B2B service intended for accounting firms and their staff. It is not directed at, and we do not knowingly collect personal information from, individuals under the age of 18. If you believe we have inadvertently collected data from a minor, contact us at legal@gatherdoc.io and we will delete it promptly.

Section 15

Changes to This Policy

We may update this Privacy Policy periodically. If we make material changes - such as new categories of data collected or changes to how we use or share data - we will notify you by email at least 14 days before the changes take effect.

For minor changes, we will update the effective date at the top of this page. Your continued use of GatherDoc after the effective date constitutes acceptance of the updated Policy.

Section 16

Contact Us

For privacy questions, data requests, or to report a concern:

  • Privacy & Legal: legal@gatherdoc.io
  • Support: support@gatherdoc.io
  • Company: GatherDoc, Inc.

We aim to respond to all privacy inquiries within 5 business days and to complete data requests within 30 days.


© 2026 GatherDoc. All rights reserved.