Privacy Policy Details
1. Introduction
We are committed to protecting your privacy and complying with applicable data protection laws worldwide, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our ITIN application service ("Service"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
We collect the following categories of information:
- a. Personal Information
  - Full name
  - Date of birth
  - Mailing address
  - Email address
  - Phone number
- b. Identification Documents
  - Passport details
  - Visa or immigration information
  - Other government-issued identification documents
- c. Tax Information
  - Tax filing status
  - Income sources
  - Tax treaty eligibility
  - Supporting tax-related documentation
- d. Payment Information
  - Billing details and payment method information
  - Card payments are processed by Stripe, Inc. (our PCI-DSS Level 1 certified payment processor). Full card numbers, CVCs and expiration dates are submitted directly to Stripe and are never stored on our servers. We retain only a non-sensitive payment reference (e.g., Stripe payment intent / charge ID), the last four digits, and the card brand for receipts, refunds and fraud prevention. See Stripe's privacy notice at https://stripe.com/privacy.
- e. Application Data
  - All information submitted as part of your ITIN application
  - Communications related to your application
- f. Technical & Usage Data
  - IP address
  - Browser type
  - Device information
  - Cookies and similar tracking technologies
3. Legal Basis for Processing (EU/UK Users)
For users in the European Economic Area (EEA) and the United Kingdom, we process personal data based on the following legal grounds:
- Contractual necessity – to provide the Service
- Legal obligation – to comply with tax and regulatory requirements
- Legitimate interests – fraud prevention, service improvement
- Consent – where required (e.g., marketing communications)
4. How We Use Your Information
We use your information to:
- Prepare and submit ITIN applications to the IRS
- Communicate regarding application status and support requests
- Process payments and manage accounts
- Comply with legal, tax, and regulatory obligations
- Prevent fraud and misuse
- Improve and maintain the Service
- Send service-related notices and updates
5. Information Sharing and Disclosure
We may share your information:
- a. With the IRS
  - To process your ITIN application, as required.
- b. With Service Providers (Sub-Processors)
  - We share the minimum personal data necessary with the following named sub-processors. Each is bound by a written data-processing agreement (or equivalent contractual safeguards) requiring confidentiality, security and compliance with applicable privacy laws:
    - Stripe, Inc. (United States) — payment processing, fraud prevention, refunds and receipts. Data shared: billing name, email, country, card details submitted through Stripe's secure fields, and the amount charged. Privacy notice: https://stripe.com/privacy.
    - Amazon Web Services, Inc. (AWS) (United States; Amazon S3) — encrypted cloud hosting and long-term archival storage of application records and uploaded supporting documents (passport scans, visa documents, etc.). Privacy notice: https://aws.amazon.com/privacy/.
    - Acuity Scheduling, Inc. (a Squarespace, Inc. company, United States) — scheduling, calendar synchronization and reminders for required in-person or video certification appointments. Data shared: name, email, phone number, appointment date/time and selected location. Privacy notice: https://www.squarespace.com/privacy.
    - Zoom Video Communications, Inc. (United States) — generation and hosting of video-conference links used for remote certification appointments. Data shared: applicant name, email and meeting metadata. Privacy notice: https://explore.zoom.us/en/privacy/.
    - Microsoft Corporation (Microsoft 365 / Exchange Online, United States and EU) — transactional and support email delivery (application status, receipts, reminders, agent correspondence). Data shared: recipient email, message content. Privacy notice: https://privacy.microsoft.com/.
    - Chatling.ai (Innovatica Inc., Canada) — embedded AI chat-support widget used on our home page and admin dashboards. Data shared: only what you voluntarily type into the chat window plus basic technical metadata (page URL, browser/device info). Do not enter sensitive personal data (SSNs, passport numbers, payment details) into the chat. Privacy notice: https://chatling.ai/privacy-policy.
We do not use advertising networks, behavioral-advertising trackers, Google Analytics, Meta/Facebook pixels, or similar profiling technologies, and we do not sell or rent personal data to any third party.
We may update this list from time to time as our infrastructure evolves; material changes will be reflected on this page together with a revised “Last updated” date.
- c. Legal & Regulatory Authorities
  - When required by law or in response to lawful requests.
- d. Business Transfers
  - In the event of a merger, acquisition, or sale of assets.
- e. With Your Consent
  - Where you explicitly authorize us to do so.
6. International Data Transfers
Because the ITIN is issued by the U.S. Internal Revenue Service and several of our sub-processors (notably Stripe, AWS, Acuity Scheduling, Zoom and Microsoft 365 — see Section 5.b) are headquartered in the United States, your information will necessarily be transferred to and processed in the United States and may also be processed in other jurisdictions where our sub-processors operate.
For users in the European Economic Area (EEA), the United Kingdom and Switzerland, these transfers are made under one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, plus the UK International Data Transfer Addendum where applicable
- EU–U.S. Data Privacy Framework certification (and its UK Extension), where the receiving sub-processor is self-certified
- Other adequate safeguards recognized under the GDPR / UK GDPR
7. Data Retention
We retain personal data only for as long as necessary to:
- Provide the Service
- Meet legal, tax, and regulatory requirements
When no longer required, data is securely deleted or anonymized.
8. Your Rights
a. GDPR / UK GDPR Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion ("right to be forgotten")
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time
b. CCPA / CPRA Rights (California)
You have the right to:
- Know what personal data we collect
- Request deletion
- Opt out of the sale or sharing of personal data
We do not sell personal data.
To exercise any rights, contact us through our support channels.
9. Cookies and Tracking Technologies
We use cookies to improve functionality and user experience.
Where required by law (e.g., EU/UK), cookies are used only with your consent, except strictly necessary cookies.
You may manage cookie preferences via your browser settings.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors.
11. Security Measures
We implement appropriate technical and organizational safeguards, including:
- Encryption
- Access controls
- Secure storage practices
However, no system is 100% secure.
12. Changes to This Policy
We may update this Privacy Policy periodically. Updates will be posted on this page with a revised "Last updated" date.
13. Contact Us
For privacy-related inquiries or rights requests, please contact us through our official support channels.