PREFILE CHECK
PRIVACY POLICY
Effective Date: February 20, 2026
Version 1.0
1. Introduction
This Privacy Policy describes how Purple Management Group, LLC, a Wyoming limited liability company doing business as "PreFile Check" ("Company," "we," "us," or "our"), collects, uses, and protects information when you use the PreFile Check web application and related services (collectively, the "Service").
PreFile Check is a software-as-a-service (SaaS) tool that uses artificial intelligence to classify bank and credit card transaction data into IRS Schedule C expense categories.
We are not a bank, financial institution, tax preparer, or professional advisory firm. The Service is an administrative organizational tool only.
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
Contact: [email protected]
2. Information We Collect
2.1 Information You Provide
Account Information
Email address (used for account creation and Magic Link authentication). We do not collect your name, physical address, phone number, Social Security Number, or date of birth.
Uploaded Financial Data
When you upload a CSV or Excel file containing bank or credit card statement data, we process the following fields from your file:
- Transaction date
- Vendor / merchant name
- Transaction description
- Transaction amount
These fields are processed in server memory to generate AI classifications. Uploaded files are not saved to disk.
Business Description
You may optionally provide a text description of your business or profession (e.g., "freelance graphic designer") to improve AI classification accuracy. This description is transmitted to our third-party AI provider along with your transaction data.
Important: Please do not include personal names, physical addresses, Social Security Numbers, or other sensitive personal information in your business description.
2.2 Information Collected Automatically
Log Data
When you use the Service, we automatically collect:
- IP address
- Login timestamps
- Download events (email address, IP address, timestamp, and the disclaimer language you agreed to at the time of download)
Cookies and Local Storage
| Name | Type | Purpose |
|---|---|---|
| auth_token | Cookie | Authentication session (JWT, secure, sameSite=strict) |
| user | Cookie | Basic user session information (secure, sameSite=strict) |
| anonymous_id | localStorage | Anonymous session identifier for pre-login usage |
| termsAccepted | localStorage | Records acceptance of Terms of Service |
The PreFileCheck web application (prefilecheck.com/app) does not use any third-party advertising or analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking services within the application.
Our blog (prefilecheck.com/blog) uses Google AdSense, a third-party advertising service provided by Google LLC. Google AdSense uses cookies to serve personalized advertisements based on your prior visits to this and other websites. These advertising cookies are only present on blog pages, not within the application. You may opt out of personalized advertising by visiting Google's Ads Settings.
2.3 Payment Information
Payments are processed by Stripe, Inc. We do not receive or store your full credit card number. Stripe shares with us only: your Stripe Customer ID, card last four digits, payment token, and transaction status. Stripe's handling of your payment information is governed by Stripe's Privacy Policy.
2.4 Information We Do Not Collect
For clarity, we do not collect:
- Your legal name or physical address
- Social Security Number or Tax ID
- Full credit or debit card numbers
- Bank account login credentials
We do not use Plaid or any bank-connection aggregator service. All file uploads are initiated by you.
3. How We Use Your Information
| Information | Purpose |
|---|---|
| Email address | Account authentication via Magic Link; service-related communications |
| Uploaded transaction data | AI-powered classification into Schedule C categories |
| Business description | Sent to AI provider to improve classification relevance |
| IP address | Security, fraud prevention, rate limiting, consent and download logging |
| Payment data (via Stripe) | Processing subscription payments and managing billing |
| Cookies / local storage | Maintaining your authenticated session |
We do not:
- Sell, rent, or trade your personal information to anyone, for any reason
- Use your data to train our own AI or machine learning models
- Use your account or uploaded transaction data for advertising or ad targeting
- Allow human reviewers to browse your uploaded transaction data, except in rare support or debugging situations that require your prior consent
4. AI Processing and Transparency
4.1 How AI Classification Works
The Service uses Google Gemini 2.5 Flash (provided by Google LLC via the Gemini API) to classify your transactions. When you submit transactions for classification, the following data is sent to the Gemini API:
- A row identifier (internal reference number, not personally identifiable)
- Transaction date, vendor/merchant name, description, and amount
- Your business description (if provided)
- System-generated tax rule references (from our internal knowledge base — these do not contain any user data)
4.2 What Is Not Sent to Google
Your email address, IP address, payment information, and account metadata are not sent to the Gemini API.
4.3 Google's Data Use Policy
Google states that data submitted through the Gemini API is not used to train or improve Google's AI models. For details, refer to Google's API Terms of Service.
4.4 Local Processing
In addition to the Gemini API, we use a locally hosted text-matching system to match transactions against our internal tax rules and merchant database. This processing happens entirely on our servers and no data is sent to any external service for this purpose.
4.5 AI Limitations
AI classifications are probabilistic and may contain errors. They are not tax advice and should be independently verified by a qualified tax professional before use in any tax filing. Please refer to our Terms of Service for complete disclaimers.
5. Third-Party Service Providers
We share data with the following third-party service providers, solely for the purposes described below:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google LLC (Gemini API) | AI transaction classification | Transaction date, vendor, description, amount, business description, internal tax rule references |
| Stripe, Inc. | Payment processing | Payment and billing information (PCI-DSS certified) |
| Google (Gmail SMTP) | Email delivery | Your email address and email content |
| Google LLC (AdSense) | Blog advertising (blog pages only) | Anonymous advertising cookies; no account or transaction data is shared |
| Hetzner Online GmbH | Server hosting | All data processed by the Service resides on Hetzner servers |
Self-hosted services (not shared with third parties): PostgreSQL (database), Redis (temporary caching), Caddy (HTTPS/reverse proxy). These run on our own server infrastructure.
We do not use any third-party analytics, error-tracking, or advertising services. We do not sell or share your information with data brokers, advertisers, or any parties not listed above.
6. Data Retention and Deletion
We retain different types of data for different periods:
| Data Type | Retention |
|---|---|
| Uploaded files (CSV/Excel) | Processed in server memory only. Never written to disk. No retention. |
| AI classification results | Returned to your browser immediately. Not cached or stored on our servers. |
| Draft / work-in-progress data | Automatically deleted when you download your report. If not downloaded, expires after 14 days (anonymous) or 30 days (logged-in). |
| Processed report files | Deleted from server immediately after download. |
| Account data | Retained while your account is active. Deleted upon account deletion request. |
| Consent and activity logs | Retained for the duration of your account plus any period required for legal claims. |
| Server logs (IP, timestamps) | Retained for a reasonable period for security and operational purposes. |
7. Data Security
We implement the following measures to protect your information:
- Encryption in transit: All data is encrypted using HTTPS (TLS).
- Access control: API endpoints are protected by JWT-based authentication with token blacklisting.
- Origin restriction: Cross-origin requests are restricted to prefilecheck.com only.
- No disk storage of financial data: Uploaded files are processed in server memory and never written to disk.
- File validation: Uploaded files are validated for type and size (maximum 5 MB).
- Secrets management: API keys and credentials are stored as server environment variables.
- Payment security: Payment processing is handled by Stripe (PCI-DSS Level 1 certified).
No system can guarantee absolute security. While we take commercially reasonable measures to protect your data, we cannot guarantee that unauthorized access, data loss, or breach will never occur. In the event of a security incident that affects your personal information, we will notify you in accordance with applicable law.
8. Your Rights and Choices
8.1 Account Deletion
You may request deletion of your account and associated data by emailing [email protected]. Upon receiving your request, we will delete:
- Your user record (email address, Stripe customer ID, account metadata)
- Any Draft data in our temporary cache
We will process deletion requests within 30 days.
Data that may be retained after account deletion:
- Consent and activity logs: We retain records of your agreement to our Terms of Service and Privacy Policy even after account deletion, as these records may be necessary to establish, exercise, or defend legal claims. Your user ID will be disassociated from these records, but the email address, IP address, and agreed text recorded at the time of consent will be preserved.
- Stripe may retain its own records of your payment transactions in accordance with Stripe's data retention policies.
- We may retain anonymized or aggregated data that cannot identify you.
8.2 Data Access
You may request a summary of the personal information we hold about you by emailing [email protected].
8.3 Uploaded File Data
Because uploaded files are processed in memory and not stored, and report files are deleted immediately after download, there is generally no uploaded financial data to delete. Draft data is automatically deleted upon report download or cache expiration.
8.4 Marketing Communications
We do not send marketing emails. All email communications are transactional (Magic Link authentication, billing-related notices).
8.5 California Residents
While PreFile Check may not currently meet the thresholds for application of the California Consumer Privacy Act (CCPA/CPRA), we are committed to transparency. California residents may contact us at [email protected] to exercise any applicable data rights, including the right to know, the right to delete, and the right to opt out of the sale of personal information. We do not sell or share (as defined by the CCPA) your personal information.
9. Children's Privacy
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at [email protected].
10. International Users and Data Location
The Service is operated from and intended for users in the United States. Our servers are located in Germany (Hetzner Online GmbH).
When you use the Service, your data may be processed in:
- Germany — server hosting
- United States — Google Gemini API, Stripe payment processing, Gmail SMTP
If you access the Service from outside the United States, please be aware that your information will be transferred to and processed in the jurisdictions listed above, which may have data protection laws different from those in your country of residence.
We do not intentionally target or market the Service to users in the European Union or United Kingdom.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective Date" and version number at the top of this policy
- Notify you by email before the changes take effect
Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acceptance of the changes. If you do not agree with any changes, you may delete your account by contacting us at [email protected].
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: [email protected]
Purple Management Group, LLC
DBA PreFile Check
This Privacy Policy was last updated on February 20, 2026.