Trust & Privacy

You’re sharing sensitive financial documents with us. We take that seriously. Here’s exactly how your data is handled — without the legal jargon.

  • Encrypted at rest: AES-256

  • Encrypted in transit: TLS / HTTPS

  • No model training: Ever

  • Delete anytime: Full removal

How your documents are stored

  • Documents you upload are stored in a private, encrypted cloud storage bucket (Amazon S3). They are never stored in our database — only metadata (filename, upload date, processing status) is stored there.

  • Your files are not accessible via a public URL. Every time you or the system needs to access a file, a time-limited private link is generated. Links expire after a short window and cannot be reused.

  • Documents are stored in your account's dedicated space and are isolated from other users' data.

What AI sees — and what it does not

  • When AI is used to process a document, it receives only the extracted text or table content from that document — not the original file. We do not send full PDFs or images to AI models.

  • AI output is validated against strict schemas before being saved. If the output is invalid, it is rejected and flagged — not silently accepted.

  • All AI-extracted data is labeled with a confidence score. Low-confidence fields are flagged for your review before appearing in any output.

  • You always have the opportunity to review, correct, or override anything AI extracted from your documents.

Encryption

  • All documents are encrypted at rest using AES-256 encryption managed by AWS.

  • All data in transit between your browser and our servers is encrypted using TLS (HTTPS). We do not accept unencrypted connections.

  • Database fields containing sensitive information are encrypted at the application layer in addition to database-level protections.

  • Secrets (API keys, database credentials) are stored in a dedicated secrets manager — never in code or environment files committed to source control.

Data deletion

  • You can delete any uploaded document at any time from the Documents page. Deletion removes the file from cloud storage — it is not simply hidden.

  • You can request full account deletion at any time from Settings. Account deletion removes your profile, all uploaded documents, all extracted data, and all generated reports.

  • We do not retain deleted documents or data for marketing or analytics purposes.

  • Deletion requests are processed promptly. You will receive confirmation when your data has been removed.

We do not train models on your data

  • Your financial documents, income data, and personal information are never used to train AI models — ours or anyone else's.

  • When we use third-party AI services to process documents, we use APIs under agreements that prohibit using submitted data for model training.

  • We do not sell, license, or share your financial data with any third party for commercial purposes.

No tax advice

  • NRI Comply is a tax readiness and organization tool — not a tax advisor, CPA, or legal service.

  • Every readiness assessment uses 'may apply' language because only your CPA or Enrolled Agent can determine what obligations exist for your specific situation.

  • Nothing displayed in NRI Comply — readiness scores, form identifications, income calculations, or filing questions — constitutes tax, legal, or financial advice.

  • We recommend you review any output with a qualified tax professional before making any filing decisions.

Security practices

  • Authentication is handled by Clerk, an industry-standard identity provider. We do not store passwords.

  • All API endpoints require a valid, time-limited authentication token. Expired or tampered tokens are rejected.

  • Each user can only access their own data. Household data is strictly isolated — no cross-account data access is possible.

  • All actions that modify data (uploads, deletions, profile changes) are recorded in an audit log with timestamps.

  • We run automated dependency scanning and apply security patches promptly.

Transparency commitments

  • We will never silently change how your data is stored, used, or shared. Material changes to data practices will be communicated clearly before they take effect.

  • We do not use your data for advertising, targeting, or marketing profiling.

  • We do not share your data with CPAs, advisors, or any third party without your explicit consent.

  • If we ever experience a data security incident affecting your data, we will notify you promptly and clearly.

A plain-English summary

Your documents are stored encrypted and private. AI sees extracted text, not your files. You can delete everything at any time. We will never use your data to train models or sell it to anyone. This tool does not give tax advice — it organizes your data so you or your CPA can make informed decisions.