Curator · Legal

Privacy Policy

Effective 2026-05-03

The short version

Curator is a private register for tax documents. We collect the minimum we need to run that register for you, we store it encrypted, we do not sell it, we do not use it to train AI models, and we delete it on request. The rest of this page is the long version of those sentences.

Who is responsible

“Curator,” “we,” and “us” refer to the operator of curatorrecord.com. We are the data controller for the personal information described in this policy. You can reach us at privacy@curatorrecord.com.

This policy covers the Curator web application at curatorrecord.com, email-forwarding addresses we issue you, and our marketing pages. The Curator browser extension has its own, narrower policy at /privacy/extension; everything in this main policy still applies once an extension-uploaded document arrives in your account.

What we collect

We collect three things, and only the third is your tax documents themselves.

1. Account information. When you create a Curator account, we collect your email address, a hashed second factor (a TOTP secret bound to your authenticator app), and a record of sign-ins for security purposes. If you invite household or entity members, we record the email addresses you invited and when they accepted.

2. Usage and operational data. We log basic request metadata (IP address, user-agent, request path, timestamps, success or failure) so we can keep the Service available, debug problems, and detect abuse. These logs are retained for up to 90 days. We do not run third-party analytics, advertising trackers, or session-replay tools on the application surface.

3. Your tax documents. When you forward a document, upload one, or use the optional browser extension to send one in, we receive the PDF (or image), the filename, a SHA-256 hash of the file content (used for de-duplication), and any tax-year or account-organization choices you make in the register.

What we do not collect

  • We do not collect or store passwords for any third-party service you connect to Curator. The browser extension never sees your portal logins; the email forwarding flow does not require us to authenticate to your inbox.
  • We do not run advertising trackers, fingerprinting scripts, or cross-site cookies. The only cookies we set are the ones needed to keep you signed in.
  • We do not collect information about your activity on websites outside Curator.
  • We do not require government identifiers. We do not ask for SSN, EIN, or any other tax identifier as part of account creation; those values may appear inside documents you upload, and they stay where you put them.

How we use what we collect

  • To run the Service for you. Storing your documents, organizing them by tax year and account, generating the share links you request, and delivering forwarded email to your private register.
  • To keep the Service secure. Detecting account compromise, blocking abuse of forwarded-email endpoints, and investigating incidents.
  • To support you. Replying when you write to us about your account, an extraction error, or a deletion request.
  • To extract tax-document fields, only if you opt in. On the Pro plan, when you’ve enabled extraction, we pass the PDF through an AI pipeline to pull the figures the document contains into a structured ledger. See the AI processing section below.
  • To meet legal obligations. Where the law requires us to retain or disclose information.

We do not sell your personal information. We do not use your documents, or anything inside them, for advertising or for training AI models.

How your documents are stored

Your documents live in a private encrypted Supabase Storage bucket backed by AWS S3, with server-side encryption at rest and TLS in transit. Database records describing those documents are stored in the same Supabase project, with row-level security enforced at the database level so that no row from your register is readable by another user.

Two-factor authentication is offered on every account and strongly recommended; you can enable it from Settings whenever you choose. Internal access by Curator personnel is limited to the narrow operational access required to run the Service, is logged, and is granted on a need-to-know basis.

Sharing with third parties

We share information with three categories of recipients, and only three:

  • Subprocessors who run the Service for us. A short list of trusted vendors who host the application, store data, deliver email, and process AI extraction requests. As of the effective date above, these are: Vercel (hosting), Supabase (database, storage, authentication), Resend (email delivery and inbound processing), Cloudflare (DNS and edge networking), and, on the Pro plan with extraction enabled, the Vercel AI Gateway with Anthropic Claude under zero-data-retention terms. We update this list when it changes.
  • People you explicitly share with. When you create a share link for a tax year and send it to your accountant, the documents covered by that link become accessible to whoever holds the link until you revoke it or it expires. That’s the entire purpose of the link; we mention it here so the flow is unambiguous.
  • Legal recipients. If we are compelled by valid legal process (a subpoena, court order, or equivalent), we will disclose the narrowest set of information required, push back on overbroad requests, and where lawful, notify you so you have a chance to contest the request yourself.

AI processing (Pro plan only)

Free-plan accounts do not undergo automated reading. On the Pro plan, when you have enabled extraction, the bytes of each PDF you upload are sent to an AI provider for the sole purpose of pulling structured fields out of the document. The provider operates under zero-data-retention terms, meaning it does not log or store the request payload after the response is returned, and it is contractually prohibited from using your data to train or improve its models.

You can disable extraction at any time in your account settings. Disabling it stops new documents from being processed and does not affect documents already extracted; deleting an already-extracted document deletes both the file and the structured fields derived from it.

Retention and deletion

We keep your account information and documents for as long as your account is active. When you delete a document inside the Service, it is removed from active storage immediately and purged from backups on a rolling basis (typically within 30 days).

To delete your account entirely, write to privacy@curatorrecord.com from the email address on the account. We will delete every document, every share link, every membership row, and every database record associated with your account within 30 days, and confirm in writing when it’s done. Operational logs that contain no document content age out within 90 days regardless.

Your rights

Depending on where you live, you may have rights to access, correct, export, restrict, or delete the personal information we hold about you, and to object to certain kinds of processing. You can exercise all of these rights, including under the GDPR (for EU/UK users) and the CCPA/CPRA (for California users), by writing to privacy@curatorrecord.com.

We will respond within 30 days. We do not charge for these requests, and we do not require you to create a separate account or use any third-party tool to make them.

International transfers

Curator is operated from the United States, and our infrastructure providers may store data in data centers in the United States and elsewhere. If you use the Service from outside the United States, you understand that your information may be transferred to and processed in jurisdictions whose data-protection rules differ from yours. Where required by law, we rely on Standard Contractual Clauses or equivalent mechanisms with our subprocessors.

Children

Curator is not intended for children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has created an account, write to us and we will delete it.

Changes to this policy

If this policy materially changes, we will update the effective date above and notify account holders by email, by a banner inside the Service, or both. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact

Privacy questions, access requests, or deletion requests: privacy@curatorrecord.com.

For the Curator browser extension specifically, see /privacy/extension.