Privacy Policy
Last updated: April 16, 2026
This Privacy Policy describes how WriteupOS LLC, a Delaware limited liability company (“WriteupOS,” “we,” “us,” or “our”), collects, uses, and protects your data.
What This Is
WriteupOS is transaction categorization software for tax preparers. This policy explains what data we collect, how we use it, who we share it with, and what we do to keep it safe. We wrote it in plain language because you shouldn't need a lawyer to understand a privacy policy.
A Note for Tax Preparers About Section 7216
IRS Section 7216 Considerations
WriteupOS processes your client data in two ways, and the distinction matters for Section 7216 compliance:
Rules engine categorization: No data leaves our servers. Vendor matching happens entirely within our database against your firm's rules. No third party receives any data.
AI categorization: When our rules engine cannot match a transaction, we send only the transaction description and amount to Anthropic's Claude API (e.g., "SYSCO FOODS #4521 $347.22"). We do not send client names, EINs, Social Security numbers, account numbers, or any other client identifiers in AI requests. Our Anthropic account has zero-data-retention enabled — Anthropic does not store the data and does not use it to train their models.
PDF processing: When you upload a PDF bank statement, the full file is sent to DocuClipper for transaction extraction. Unlike AI categorization where we send only descriptions and amounts, PDF processing necessarily transmits the complete statement page content, which may include the client's name, account number, and address as printed by the bank. DocuClipper is SOC 2 compliant and encrypts data in transit and at rest. Preparers should evaluate whether this third-party processing requires client consent under Section 7216 based on their specific circumstances.
WriteupOS is a third-party processor under IRC §7216 and Treasury Regulations §301.7216-3. Tax preparers using WriteupOS to process client transaction data should obtain written client consent in accordance with §7216 before disclosing tax return information to WriteupOS, unless a specific exception under Treasury Reg. §301.7216-2 applies to your use. We provide a downloadable §7216 consent template that you can customize for your practice. The determination of whether consent is required for your specific use case, and the form of that consent, is yours to make — we recommend consulting IRS guidance on §7216 or your compliance advisor.
See our Trust Center for full compliance documentation.
What Data We Collect
When you use WriteupOS, we collect and store the following:
- Firm information — your firm name and login credentials (managed by Clerk)
- Client information — client names, EINs, entity type, and industry that you enter
- Transaction data — dates, descriptions, amounts, and vendor names from CSV bank and credit card statements you upload
- PDF bank statements — when you upload a PDF statement, it is sent to our processing partner for transaction extraction. The extracted transaction data (dates, descriptions, amounts) is stored. The original PDF file is not retained by WriteupOS.
- Categorization decisions — which tax category each transaction was assigned to, whether by our rules engine, AI, or your manual review
- Vendor rules — the categorization rules your firm builds over time from corrections and confirmations
- Payment records — which clients you've paid to process, handled through Stripe
- Subscription information — if you purchase an annual subscription, we record the tier, renewal date, credit usage, and the version of the Terms of Service you accepted at checkout. Consent records are retained for at least three years after termination in accordance with applicable subscription law.
- Referral relationships — if you join WriteupOS through a referral code or refer another firm, we record the referrer and referred firm IDs, commission events, and commission balances. Referral relationships are stored at the firm level; we do not expose individual client transaction data across the referral relationship.
- Usage data — analytics events such as feature usage and session activity. These events do not contain transaction content or client financial data.
- Server logs — IP addresses, browser type, and timestamps. Retained for 90 days.
How We Use Your Data
- To categorize transactions — this is the core service. We match vendor names against your firm's rules and, when no rule exists, send transaction descriptions to the AI for categorization.
- To improve accuracy within your firm — when you confirm or override a categorization, we update your firm's vendor rules so the same vendor is categorized correctly next time, across all your clients.
- To generate reports — Profit & Loss statements, Cash Reconciliation reports, and preparer workpapers are generated from your categorized transaction data.
- To process payments — payment information is sent to Stripe to process per-client charges, credit pack purchases, and annual subscription billing.
- To administer the referral program — we use referral code associations, commission events, and firm-level payment activity to calculate and credit referral commissions, detect self-referrals, and process clawbacks on refunded payments. See Terms of Service Section 7A for full program details.
- To send email notifications — we send transactional emails for categorization completion, payment confirmation, subscription activation, renewal reminders, and firm member invitations.
- To maintain and improve the service — we use aggregated, de-identified usage patterns to understand how the product is used and where to improve it. These patterns never include identifiable client information or individual transaction details.
What We Do NOT Share
- ✓ Transaction data is never shared between firms. Firm A cannot see Firm B's data under any circumstances.
- ✓ Vendor rules are firm-specific. Your categorization rules stay within your firm.
- ✓ We do not sell your data to anyone. Period.
- ✓ We do not use your data to train AI models. Our Anthropic account has zero-data-retention enabled.
- ✓ We do not share data with advertisers or data brokers.
Third-Party Services (Sub-Processors)
WriteupOS relies on these services to operate. Each is listed with what data they receive. For a standalone PDF version, see the Sub-Processor List or visit our Trust Center.
- Supabase (Database hosting (PostgreSQL)) — All firm and transaction data, encrypted at rest
- Vercel (Application hosting) — Web traffic metadata (IP, headers). No transaction content cached.
- Clerk (Authentication) — User credentials, session data. No client transaction data.
- Stripe (Payment processing and subscription billing) — Payment method, billing details, subscription information (tier, renewal dates, billing history). No client transaction data.
- Anthropic (AI categorization (Claude API)) — Transaction descriptions only (e.g., 'SYSCO FOODS #4521 $347.22'). Zero Data Retention enabled — not stored, not used for training.
- DocuClipper (PDF bank statement OCR) — Uploaded PDF content during processing only. May include client name and account number as printed on statement.
- Resend (Transactional email) — Recipient email address, email content (notification copy). No transaction data.
- Google Analytics (Website analytics (consent-gated)) — Aggregate page views, session metadata. No PII or transaction data.
Cookies
WriteupOS uses two types of cookies:
- Essential cookies — required for authentication and remembering your cookie consent preference. These cannot be disabled as the service cannot function without them.
- Analytics cookies (Google Analytics) — only set if you click "Accept" on the cookie consent banner. If you click "Decline," no analytics cookies are set and no usage data is sent to Google.
Data Retention
- Uploaded CSV files are processed and then deleted. We do not retain the original files.
- Uploaded PDF files are sent to DocuClipper for processing and are not retained by WriteupOS after transaction extraction is complete.
- Transaction data is retained while your account is active.
- Server logs are retained for 90 days.
- Analytics events are retained for 2 years.
- You can delete any client's data at any time from Settings > Data Retention.
- If you delete your account, all associated data is permanently removed within 30 days.
- You can request a full data export at any time.
Security
- All data is encrypted in transit using HTTPS/TLS
- All data is encrypted at rest by Supabase
- Database access is protected by row-level security — each firm's data is isolated at the database level
- All API routes require authentication
- Bank account numbers are automatically stripped from transaction descriptions during CSV processing
- API rate limiting protects against abuse
- Input validation and sanitization on all user-submitted data
- Security event audit trail tracks access and changes
We do not currently hold SOC 2 certification but are planning certification as we scale. If your firm requires specific compliance documentation for vendor approval, please contact us and we will provide what we can.
Data Breach Response
In the event of a data breach affecting your firm's data, we will notify affected firms by email without unreasonable delay in accordance with applicable law (applicable state law requires notification without unreasonable delay). Our notification will include:
- The nature of the breach and how it occurred
- The types of data involved
- Steps we are taking to remediate the breach and prevent recurrence
- Guidance regarding your obligations to notify affected clients under IRS regulations or applicable state law
We will cooperate fully with any investigations related to a data breach affecting your firm's data.
Children's Privacy
WriteupOS is a professional tool designed for licensed tax preparers and accounting professionals. It is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children.
Your Rights
You can:
- Export all your data at any time
- Delete any client's data at any time
- Delete your entire account and all associated data
- Request information about what data we hold about you or your firm
- Request corrections to any inaccurate data
- Opt out of analytics cookies via the cookie consent banner
To exercise any of these rights, use the Settings > Data Retention page or contact us at the address below. We will respond to all requests within 30 days.
State-Specific Privacy Rights
Residents of California, Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws may have additional rights, including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information.
We do not sell personal information. For any state-specific privacy requests, contact support@writeupos.com and we will respond in accordance with applicable law.
California Automatic Renewal Law. California residents subscribing to an annual WriteupOS plan have the right to cancel online at any time under California's Automatic Renewal Law (Cal. Bus. & Prof. Code §17600 et seq., as amended effective July 1, 2025). You may cancel your subscription at Settings > Billing, which uses the same online medium through which you subscribed. We send an acknowledgment email after subscription activation, a pre-renewal reminder at least 15 days before each annual renewal, and 30 days' advance notice before any material change to subscription pricing. Records of subscription consent (terms version and acceptance timestamp) are retained for at least three years after termination.
Changes to This Policy
If we make material changes to this policy, we will post the updated version here with a new effective date and notify you via email at least 15 days before the changes take effect. Significant changes will also trigger an in-app notification.
Contact Us
Email: support@writeupos.com
Phone: (240) 981-9661
Address: 8401 Mayland Dr #10381, Richmond, VA 23294
WriteupOS LLC is a Delaware limited liability company.