Privacy Policy
Veritix is designed so document processing happens inside your firm's environment. This policy explains what data the product stores, what may leave your environment, and what stays local.
Last updated: April 3, 2026
Important context
Veritix does not operate a cloud document processor that receives client tax files. Document intake, matching, and filing are designed to run on your own machine or network.
1. Overview
Veritix is an on-premises tax document intake and filing system intended for use by CPA firms and tax professionals. This Privacy Policy describes what information Veritix collects, how it is used, and how it is protected.
Because Veritix is deployed on your own infrastructure, most document processing occurs entirely within your environment. This policy covers both data that stays on your system and any data that may be transmitted outside of it.
2. Information We Collect
Account Information
When a user account is created, we collect a name, email address, and a hashed password. Administrators, staff members, and clients each have their own accounts. Account creation is performed by an administrator or staff member. Users do not self-register.
Client Records
The application stores client profile information entered by your firm, including: display name, business name, contact email address, phone number, mailing address, and the last four digits of a Tax ID (SSN or EIN). Full Tax IDs are never stored.
Phone numbers stored in client records may be used to send SMS notifications if your firm has enabled SMS messaging through a supported messaging provider. See the SMS Communications section below for details.
Documents and Extracted Metadata
Documents uploaded or ingested into the system are stored on your local file system. The application extracts and stores metadata from each document, including: form type, tax year, detected payer or employer name, and confidence scores. Document file contents are not stored in the database. Only the extracted metadata and a reference to the file path are stored.
Session and Authentication Data
When a user logs in, a session record is created that includes the session ID, the user's IP address, user-agent string, and timestamps. If a user elects to trust a device, a hashed token is stored to allow that device to skip two-factor authentication for up to 14 days.
Audit Logs
Every significant action in the application is logged, including: logins, document ingestion, metadata edits, client assignments, filing actions, and settings changes. Audit logs include the acting user, a timestamp, and a description of the action. These logs are retained indefinitely.
Two-Factor Authentication Codes
When 2FA is triggered, a one-time code is generated and sent to the user's email address. This code expires after 15 minutes and is stored in hashed form. It is not retained after it is used or expires.
3. How We Use Information
Information collected by Veritix is used for the following purposes:
- Authenticating users and maintaining active sessions
- Matching ingested documents to the correct client
- Organizing and filing documents in structured client folders
- Sending 2FA codes and account setup emails via your configured SMTP server
- Notifying clients of document requests via email
- Maintaining an audit trail of all actions within the system
We do not sell, trade, or share your data with third parties for marketing or advertising purposes.
4. Data Storage and Processing Location
Veritix is designed to run on your own infrastructure. All document files, client records, and extracted metadata are stored on your machine or network. No document content is transmitted to external servers for processing.
OCR extraction and client matching run locally using open-source libraries. Veritix does not use any external AI APIs or cloud document processing services.
5. Third-Party Services
Email (SMTP)
Veritix uses an SMTP server configured by your firm to send 2FA codes, account invitation emails, and document request notifications. The SMTP provider you configure will receive email addresses and the content of these system-generated messages. We do not control your SMTP provider's privacy practices.
SMS Communications (Optional)
If your firm enables SMS notifications, Veritix may use Twilio to send text messages to client phone numbers on file. Messages may include notifications about document requests, document receipt confirmations, or other communications related to your firm's use of Veritix.
SMS is only sent to phone numbers that have been provided to your firm and entered into the system by your staff. Message frequency varies based on activity. Message and data rates may apply. Recipients can opt out at any time by replying STOP to any message. For help, reply HELP.
Twilio, as the messaging provider, will process the phone number and message content necessary to deliver each message. Twilio's privacy policy governs how they handle this data. No document content or Tax ID information is included in SMS messages.
Error Tracking (Optional)
If a Sentry DSN is configured, application errors may be reported to Sentry for debugging purposes. Sentry integration is configured with personal data transmission disabled. No user PII or document content is included in error reports.
Cloudflare Tunnel (Optional)
If your deployment uses Cloudflare Tunnel for external access, network traffic is routed through Cloudflare's infrastructure. Cloudflare's own privacy policy governs how they handle this traffic.
6. Data Security
The following security measures are built into Veritix:
- All passwords are stored using a one-way cryptographic hash. Plaintext passwords are never stored.
- Sessions use short-lived signed tokens with HTTP-only cookies for refresh. Sessions can be revoked individually or in bulk.
- Two-factor authentication is enabled by default for all accounts.
- The application enforces strict HTTP security headers including Content-Security-Policy, X-Frame-Options, and HSTS.
- File uploads are validated by content type (magic bytes), not extension alone. Path traversal attempts are blocked.
- Role-based access control limits what each user can view and modify.
7. Data Retention
Veritix retains data as long as the system is in operation and the data has not been explicitly deleted by an administrator. Specific retention periods are as follows:
- User accounts: Retained until deleted by an administrator.
- Documents: Retained until archived or permanently deleted by staff or an administrator.
- Audit logs: Retained indefinitely. Audit logs cannot be deleted from within the application interface.
- Sessions: Active sessions are retained until logout, expiry, or revocation. Expired session records may be cleaned up periodically.
- 2FA codes: Retained only until used or expired (15 minutes).
8. User Rights
Users whose data is stored in Veritix may request:
- Access to the data stored about them
- Correction of inaccurate account or profile information
- Deletion of their account and associated data
Requests should be directed to your firm's administrator, who controls the Veritix installation. Because Veritix is operated by your firm and not directly by us, your firm is the data controller for the data it stores in the system.
9. Children's Privacy
Veritix is intended solely for use by tax professionals and their business clients. It is not directed at individuals under the age of 18.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Updated versions will be posted on this page with a revised date. If you continue using Veritix after a policy update, you accept the revised terms.
11. Contact
If you have questions about this Privacy Policy or how your data is handled, please contact us at: