Draft — not yet in effect. Not legal advice.

This draft was authored by Cryptobasis against the platform's actual data flows for attorney review. It is not the operative privacy policy of cryptoBASIS until an attorney has cleared it and the effective date below has been set. Until then, do not rely on this document for compliance decisions.

Privacy Policy

Document status: Draft v1
Drafted: June 12, 2026
Effective date: to be set on attorney clearance
Last updated: draft — see “Changes to this policy” below for revision history once active

Overview

cryptoBASIS is a software-as-a-service platform that helps individual taxpayers, small businesses, and tax professionals analyze cryptocurrency tax positions for errors and inconsistencies. To do that, we collect a narrow set of data from you and from the files you upload. This policy describes what we collect, what we do with it, who else processes it on our behalf, how long we keep it, and what control you have over it.

We've written this in plain language. Where we use legal terms, we explain them. If anything here is unclear, email us at hello@cryptobasis.ai.

1. What we collect

We collect only what we need to deliver the audit you paid for and operate the platform.

Account data.

  • Your email address (used for sign-in and transactional email).
  • An optional display name. By default, your profile auto-creates a single taxpayer entity named after your display name; you can rename it.
  • Authentication tokens and session metadata generated by our authentication provider (Supabase).

Engagement intake.

When you start an engagement, we ask you to fill out a questionnaire so the audit is run against the right facts. We collect:

  • Entity type (individual, single-member LLC, S-Corp, partnership, trust, IRA, etc.) and formation date where relevant.
  • Operating context (what the entity does, validator operations if any, prior crypto activity).
  • Tax years in scope for the engagement.
  • Prior filing history (whether and how you previously reported crypto on tax returns).
  • Wallet inventory descriptions (which exchanges, custodians, and self-custody wallets you have used — names and approximate date ranges, not credentials).
  • Audit goals (new filing, amendment, examination defense, pre-event due diligence, etc.).
  • Documentation availability (whether you have written agreements, capital contribution resolutions, prior preparer correspondence, etc.).

Uploaded files.

You upload source files for the audit. These typically include:

  • CoinTracking exports — Trade List CSVs, Tax Report XLSX files, Imports HTML.
  • Filed-return PDFs (Form 1040, Schedule D, Form 8949, Schedule K-1, Form 1120-S, Form 1065, and related schedules).
  • Supporting documents you choose to include (preparer correspondence, exchange statements, validator records, settlement notices, etc.).

Parsed data.

We parse your uploaded files into structured records to run the audit. This includes individual transaction rows, tax-report rows, and applied tax settings (cost-basis method, conversion settings, depot separation, etc.) extracted from what you uploaded.

Usage data.

Basic server logs from our hosting provider (Vercel) that record requests to the application — timestamp, path, HTTP status, IP address. We also keep an internal record of your audit-run history (when audits ran, against which methodology version, what the outcome was).

Payment metadata.

When you pay for an audit, we record the tier purchased, the amount paid, the currency, and the Stripe Customer ID, Checkout Session ID, and PaymentIntent ID returned by Stripe. We never see or store your card number, CVC, or banking credentials. Stripe handles all card data.

2. What we don't collect

Cryptocurrency credentials. cryptoBASIS does not ask for, store, or have any way to access private keys, seed phrases, recovery phrases, exchange API keys with withdrawal permission, or any other credential that controls cryptoassets. cryptoBASIS cannot move your assets. If a third party impersonating cryptoBASIS asks for any of these, do not provide them and email security@cryptobasis.ai.

Payment credentials. We do not collect or store card numbers, card expiration dates, CVCs, ACH routing/account numbers, or banking login credentials. All of that goes directly to Stripe.

Marketing or analytics tracking. As of this draft, cryptoBASIS does not run third-party marketing pixels, behavioral analytics, advertising trackers, or “session replay” tools. The only cookies we set are essential cookies for keeping you signed in. We may add privacy-respecting first-party analytics post-launch; if we do, we will update this policy and tell active customers about the change.

Browsing on other sites. We do not track what you do on other websites.

Sensitive data we don't ask for. We do not ask for government identifiers (Social Security Number, ITIN, EIN) as part of the audit pipeline. If you choose to upload a filed-return PDF that contains such identifiers, those identifiers are part of your uploaded file and are treated like the rest of the file under this policy.

3. How we use your data

To deliver the audit you paid for. We parse your uploaded files, run our detection layer (a set of deterministic checks against the data), send the indicator results and your intake context to our LLM provider (Anthropic) to synthesize findings narrative and any Position Memoranda your tier includes, persist the findings to our database, and generate a downloadable PDF deliverable for you.

To send transactional email. We send you email related to your account and engagements — sign-in links, audit-run completion notices, billing receipts, account-recovery messages, and policy updates. We do not send marketing email in v1 of the product.

To detect and prevent fraud and abuse. We monitor for fraudulent payment attempts, abuse of the audit pipeline (e.g., automated mass-submission), and security incidents.

To meet our legal and accounting obligations. We keep records of payments and tax-relevant transactions long enough to satisfy IRS and Pennsylvania recordkeeping requirements (see Retention below).

To improve the product — without training AI on your data. We may review aggregate usage patterns (e.g., which indicators fire most often across all customers, where customers drop out of the intake) to improve cryptoBASIS. We do not use your data to train AI models. Our LLM provider, Anthropic, does not train its models on data sent through its commercial API by default — this is part of Anthropic's Commercial Terms. See “Subprocessors” below.

What we will never do.

  • We will not sell your data to anyone.
  • We will not rent, license, or share your data with marketing or advertising networks.
  • We will not use your uploaded files or audit results to train AI models, ours or anyone else's.
  • We will not disclose your data to other customers.

4. Subprocessors

A “subprocessor” is a third-party service that processes your data on our behalf to help us deliver the product. We use the following subprocessors:

Subprocessor | What they do | Where data goes
Supabase | Hosts our application database, file storage, and authentication infrastructure | Account data, uploaded files, parsed data, audit-run results
Anthropic | LLM API used to synthesize audit findings narrative and Position Memoranda | Indicator results and intake context, sent at audit-run time
Stripe | Payment processing | Payment metadata; Stripe receives card data directly from you
Vercel | Web hosting and serverless function execution | All page requests, audit-pipeline computation
Resend | Transactional email delivery | Outbound email content (sign-in links, audit-completion notices, etc.)
Cloudflare | DNS and edge networking for cryptobasis.ai | DNS queries; no application data passes through Cloudflare

A few notes on the largest data exposures in that list:

Anthropic. When your audit runs, we send the indicator-detection results and your relevant engagement intake context to Anthropic's API to produce the narrative portion of your findings. Per Anthropic's Commercial Terms and Privacy Center, Anthropic does not, by default, use inputs or outputs from its commercial API to train models. Anthropic's standard retention window for commercial API data is short (currently seven days at rest after the API response). If Anthropic's policy changes materially, we will update this list and notify active customers.

Supabase. Your uploaded files and parsed data live in Supabase's storage and Postgres infrastructure. Files at rest are encrypted; access is gated by row-level security policies that scope each row to the owning user account.

Stripe. Stripe is a PCI-DSS-compliant payment processor. When you pay, Stripe collects your card details directly via their hosted Checkout page; we never see them.

5. Retention

DRAFT NOTE FOR REVIEWERS: The specific windows below are the working defaults. The 30-day deletion window and the 7-year billing-records retention can be adjusted; please confirm before this document is set live.

While your account is active. We keep the data described above for as long as your account is active and for as long as we need it to deliver the service and meet our obligations.

On account closure. If you ask us to close your account (by emailing hello@cryptobasis.ai), we delete your personal data and uploaded files from active systems within 30 days. The deletion covers your profile, your engagements' intake answers, your uploaded files, parsed transaction and tax-report data, and your generated PDF deliverables.

What we keep longer, even after account closure. Some records have to be kept for longer than 30 days regardless of account closure:

  • Billing records (Stripe IDs, amounts, dates, currency) are retained for seven (7) years to meet IRS, Pennsylvania, and general business recordkeeping requirements.
  • Audit-run records (the fact that an audit ran, when, against which methodology version, against which engagement) are retained for seven (7) years because they may be relevant if a customer later relies on a cryptoBASIS audit in correspondence with the IRS.
  • Security and abuse logs are retained for as long as needed to investigate ongoing incidents, typically not longer than two (2) years.
  • Backups of our databases may contain your data for up to thirty (30) additional days beyond active-system deletion as backup retention rotates.

Methodology version snapshots. Each audit run is locked to the methodology version active at the time it ran. When we delete your account-side data, we delete the audit-run records (the findings and indicator results specific to you), but the methodology version snapshot itself remains in our reference data. The snapshot does not contain your data; it is a version of our own rule set.

6. Your rights

These rights apply regardless of where you live; some jurisdictions (notably the EU under GDPR, California under CCPA/CPRA, and the UK under UK GDPR) grant additional or more specific rights, which we honor where they apply.

Access. You can request a copy of the personal data we hold about you. Email hello@cryptobasis.ai and we will respond within thirty (30) days.

Correction. Most account-side data is editable directly in the application. For anything you cannot edit yourself, email hello@cryptobasis.ai.

Deletion. You can request that we close your account and delete your personal data as described in “Retention” above. Email hello@cryptobasis.ai. Note that we cannot delete records we are legally required to keep, such as billing records (see Retention).

Portability. Your audit results are available to you as PDF downloads inside the application. If you want a structured export of your data beyond that, email hello@cryptobasis.ai and we will respond within thirty (30) days.

Objection / restriction. If you live in a jurisdiction that grants you the right to object to or restrict our processing of your personal data, email hello@cryptobasis.ai and we will work with you in good faith.

Right to lodge a complaint. If you are in the EU/EEA or the UK and believe we are mishandling your data, you have the right to complain to your local data protection authority. We hope you will give us a chance to address it directly first.

7. Methodology IP

The audit methodology that powers cryptoBASIS — including the indicator catalog, detection rules, severity grading framework, and Position Memorandum framework — is proprietary intellectual property owned by Brandon Patterson personally and licensed exclusively to Cryptobasis Technologies LLC under the terms of the company's operating agreement. When you purchase an audit, you receive audit results — the report, the findings, the PDF deliverable — to use, share, and reference as you see fit (including in correspondence with the IRS or your tax professional). You do not receive a license to the underlying methodology itself. This paragraph is included for completeness; it does not change anything about how we handle your data.

8. Security

We treat the data you give us as sensitive financial information and apply industry-standard protections.

In transit. All connections to cryptoBASIS use TLS (transport-layer security). Our subprocessors (Supabase, Stripe, Vercel, Anthropic, Resend, Cloudflare) all enforce TLS as well.

At rest. Your uploaded files and database records are encrypted at rest by our infrastructure providers (Supabase for application data, Vercel for serverless function state).

Access control. Database row-level security policies scope every row to the owning user account; one customer cannot read another customer's data through the application. Methodology system prompts and proprietary detection rules are server-side only and are not exposed in client code or through any API.

Authentication. v1 of cryptoBASIS uses magic-link email authentication. A password fallback exists in our schema but is not surfaced in the v1 user interface. Multi-factor authentication for customer accounts is on our roadmap for after launch.

No system is perfectly secure. If you become aware of a security issue, please email security@cryptobasis.ai. We commit to acknowledging good-faith security disclosures within seventy-two (72) hours and to not pursuing legal action against good-faith security researchers who follow responsible disclosure practices.

Breach notification. If we suffer a security incident that compromises your personal data, we will notify you in accordance with applicable law (typically without undue delay, and within seventy-two (72) hours where required by GDPR or analogous statutes).

9. Changes to this policy

We update this policy as our practices evolve. When we make a change, we update the “Last updated” date at the top. Material changes — a new subprocessor, an expanded use of your data, a change to retention windows — are emailed to active customers before they take effect.

Previous versions of this policy will be linked from a public revision history once the policy is live. While this document remains a draft, this section is a placeholder.

10. Contact

For privacy questions, data-access requests, deletion requests, or anything else covered by this policy: hello@cryptobasis.ai

For security disclosures: security@cryptobasis.ai

For all other questions: hello@cryptobasis.ai

Legal entity.
Cryptobasis Technologies LLC, a Pennsylvania single-member limited liability company.
PA Entity File Number: 0015428796.
Mailing address: 24 Rumbaugh Avenue, PMB 773, Mount Pleasant, PA 15666.

DRAFT — END OF DOCUMENT. Reviewed by attorney: pending. Approved for production: pending.