Untax Privacy Policy

This policy applies to all information collected through the Untax app.

Information we collect

Untax accounts are created with an email address, phone number and password. Email addresses and phone numbers are only used for logging in, password resets, and subscription notifications. We don't send promotional emails or text messages. We never call you.

If you enable notifications, we must store a token to send them. We never use notifications for marketing.

Crash reports are used to identify and prevent software bugs which cause Untax's app to crash. We also measure how often features are used in order to gauge interest.

We cache information about your transactions for the sole purpose of speeding up app start times.

We didn't want to cache information about your transactions, and we attempted to build Untax so that it'd act like a "pass through", loading your transaction information directly from your bank every time you opened the app. That ideal resulted in non-negligible app start times (10+ seconds). Imagine watching a loading spinner for 10 seconds every time you tap into Untax from your home screen. Your bank may be comfortable with that, but it's not something we'd be proud of. So, with that admission and explanation out of the way, let's talk about how we keep your information secure.

Security

We use Plaid to connect your financial accounts. When you connect a financial account with Plaid, Untax never sees your financial account credentials.

If you use Venmo, you've probably used Plaid before.

We encrypt data in three ways: at-rest, at-work, and in-transit.

At-rest encryption means that all our databases are encrypted when they’re backed up or otherwise sitting idle. If someone was somehow able to get ahold of a backup of the database, it’d be useless, because they wouldn’t have the key to decrypt it.

At-work encryption means that our main database also deals with encrypted data while it’s working. We’re particularly proud of this bit, as this is not a common approach. It means that every content field in our database is encrypted with its own key, which is then encrypted with a master key. This allows us to introspect, service, and operate Untax without having programmers and administrators inadvertently exposed to private data during the course of their work. They see the metadata connecting everything, so they can resolve bugs, improve performance, and perform maintenance, but they don’t see the content of your transactions.

In-transit encryption is achieved using the industry-standard TLS protocol.

Your Untax account is secured with two-factor authentication. That’s when you combine something you know (a password) with something you have (a key, which is often your phone). This means that even if someone guesses your password, they can’t get into your account. The thief also needs to get ahold of that second factor, the key, which commonly lives on your phone, which itself is typically protected by biometric security (face scanning or fingerprints).

So that’s why Untax requires two-factor authentication for all customers. It’s a bit of a hassle to set up, and it comes with the risk that you could lose that “something you have” key. But given how important the security of your financial information is, it’s worth the hassle.

Information usage

It's simple: We do not share or sell your personal information. All information that's kept is kept for the sole purpose of making Untax useful to our customers.