Privacy Policy

We collect the following categories of information: **Account Information:** Name, email address, company name, phone number, and role when you create an account. **Payroll Data:** When you upload payroll reports (ADP, Paychex, Gusto, QuickBooks, or CSV), we process employee counts, wage data, SUI rates, and withholding amounts. We do NOT store individual employee Social Security Numbers after initial processing. **Compliance Documents:** Tax notices, assessment letters, and correspondence you upload for classification. **Usage Data:** Pages visited, features used, timestamps, IP addresses, and browser information for analytics and security. **Communication Data:** Messages sent through our contact form or support channels.

Your information is used to: - Classify and analyze tax compliance notices using our AI pipeline - Cross-reference notice claims against your payroll data - Generate protest letters and compliance recommendations - Send deadline reminders and compliance alerts - Improve our AI classification accuracy - Provide customer support - Comply with legal obligations

**PII Redaction:** Before any document is processed by our AI system (powered by Anthropic Claude), we automatically redact personally identifiable information including Social Security Numbers (SSN), Employer Identification Numbers (EIN), bank account numbers, and routing numbers. Our AI agents never see raw PII. **AI Processing:** Our 5-agent pipeline (Ingest, Classify, Validate, Deadline, Draft) processes your documents to extract structured data. AI-generated recommendations are always presented for human review — no response is ever sent to a government agency without explicit human approval. **No Training:** Your data is never used to train third-party AI models. We use Anthropic's API with data privacy protections.

**Infrastructure:** All data is stored on AWS infrastructure in the United States with VPC isolation. **Encryption:** AES-256 encryption at rest for all stored documents and data. TLS 1.3 encryption for all data in transit. **Access Control:** Row-Level Security (RLS) ensures tenant isolation at the database level. Multi-tenant architecture with strict access boundaries. **Backups:** Automated daily backups with point-in-time recovery capability.

- **Active accounts:** Data is retained for the duration of your subscription plus 90 days after cancellation. - **Uploaded documents:** Stored for 7 years to comply with IRS record-keeping requirements, unless you request earlier deletion. - **Free classification uploads:** Deleted within 24 hours of processing. - **Account deletion:** Upon request, we delete all personal data within 30 days, except where retention is required by law.

You have the right to: - **Access** your personal data and request a copy - **Correct** inaccurate or incomplete information - **Delete** your account and associated data - **Export** your data in a machine-readable format - **Restrict** processing of your data - **Object** to certain types of data processing - **Withdraw consent** at any time To exercise any of these rights, email privacy@kreto.ai or contact us through our contact page.

We use the following third-party services: - **Supabase** — Authentication and database hosting - **AWS** — Document storage and infrastructure - **Anthropic Claude** — AI document processing (with PII redacted) - **Resend** — Transactional email delivery - **Vercel** — Application hosting - **Google Document AI** — OCR and document extraction (with PII redacted) We do not sell your data to any third parties.

We use essential cookies for authentication and session management. We do not use third-party advertising trackers. Analytics are collected using privacy-respecting methods.

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice on our platform.

For privacy-related inquiries: - **Email:** privacy@kreto.ai - **Address:** Kreto Inc., Mason, Ohio 45040 - **Contact form:** kreto.ai/contact