FundedTax
Start your 14-day trial

Privacy Policy

Last updated: 2026-05-31

1. Who we are

FundedTax is operated by Muhammad Hassaan Javed, an individual sole proprietor based in Pakistan, trading under the name FundedTax. Muhammad Hassaan Javed is the controller of personal data processed through the Service, except for payment data processed by the Merchant of Record under its own privacy terms. The founder is not a Certified Public Accountant or Enrolled Agent; FundedTax is informational software, not tax advice. Contact: privacy@fundedtax.com.

FundedTax currently operates as a sole proprietorship; a postal address for legal notices is available on request at the contact above.

2. Our role: controller and processor

We handle data in two distinct roles.

  • As controller for your account, authentication, billing-status, website-operation, support, and security data, and for the tax records you keep in your own FundedTax account. For this data we determine the purposes and means of processing, and the legal bases in Section 4 are ours.
  • As processor (or subprocessor)where a business or tax professional uses FundedTax to handle records on behalf of a trader client. For that data we act only on the Customer's documented instructions under our Data Processing Addendum, and the Customer is responsible for the lawful basis and the notices owed to those individuals.

3. What data we collect

  • Account data: your email address, credential material (industry-standard hashing — passwords are never stored in plaintext), tax-year preference, filing status, optional US state of residence.
  • Prop-firm payout data (you provide via CSV import): payout timestamps, profit splits, evaluation fees, reset fees, account identifiers, and related transaction lines for accounts you choose to import.
  • Expense entries: business expenses you enter (VPS, data feeds, coaching, software subscriptions, etc.) with vendor names and amounts.
  • Manually entered prior-year tax values: limited values you type in to drive the safe-harbor estimate, such as prior-year total tax, prior-year AGI threshold status, and year-to-date withholding. We do not upload, parse, or ingest your tax return; you enter these few values yourself.
  • Billing data: handled by the Merchant of Record (being finalized). The MoR handles all card data; we never see or store full card numbers. We may receive a customer ID, subscription status, and card last-4 for support.
  • Technical data: IP address, browser user agent, request timestamps, error logs. We do not intentionally include taxpayer identification numbers or tax-amount data in our application logs.

4. Why we collect it (purposes and legal bases)

The legal bases below apply to the data for which we act as controller. We use one lawful basis per purpose.

PurposeData categoriesLegal basis
Account creation + authentication (magic-link sign-in)Email, password/credential material, session metadataContract performance — GDPR Art. 6(1)(b)
Service delivery (categorization, tax calculations, dashboard)Payout records, transaction categorizations, filing status, stateContract performance — GDPR Art. 6(1)(b)
CSV import parsingUploaded payout CSV content (parsed in memory)Contract performance — GDPR Art. 6(1)(b)
Export generation (Schedule C summary worksheet PDF/CSV)Aggregated transactions + expenses for the tax yearContract performance — GDPR Art. 6(1)(b)
Security + abuse prevention (rate limiting, monitoring)IP address, user agent, request timestampsLegitimate interest — GDPR Art. 6(1)(f)
Error monitoring (Sentry)Error events + request context (PII transmission disabled)Legitimate interest — GDPR Art. 6(1)(f)
Transactional communications (sign-in links, account notices)Email addressContract performance — GDPR Art. 6(1)(b)
Product / marketing updatesEmail addressConsent — GDPR Art. 6(1)(a)
Billing-status sync from the Merchant of RecordMoR customer ID, subscription status, card last-4Contract performance — GDPR Art. 6(1)(b)
Legal compliance + recordsBilling records, retention-required recordsLegal obligation — GDPR Art. 6(1)(c)

Where we instead act as a processoron a Customer's behalf, the legal basis for that processing is determined by the Customer as controller, not by us, under our Data Processing Addendum.

5. What we do NOT collect or store

FundedTax is built with a deliberately narrow data surface. In particular:

  • Taxpayer identification numbers. FundedTax is designed not to request, and does not intentionally collect, Social Security Numbers, Individual Taxpayer Identification Numbers, EINs, or other government tax identifiers. We instruct users not to enter them, no tax-identifier field is presented in the product, and none is written to exports. If such a value is submitted inadvertently (for example inside a CSV or a free-text field), automated redaction controls at the persistence boundary replace taxpayer-identifier patterns with a redaction token, and we may delete the value.
  • Full bank account numbers — neither yours nor your prop firm's. The Schedule C summary worksheet does not include bank routing data.
  • Your filed tax return or the amounts you ultimately file. FundedTax produces records and a summary worksheet; you (or your CPA) file the actual return through a separate tool. We do not upload or parse your prior-year return — you may manually enter a few prior-year values for the safe-harbor estimate (see Section 3).
  • Trade-by-trade activity data (entries, exits, P&L per trade). FundedTax works from payout-period summaries, not trade ledgers — TradeLog or TraderSync handle trade journaling.

6. Subprocessors

We maintain a single canonical list of the subprocessors that process Customer Data on our Subprocessors page, including each provider's role, region, and privacy link (the Merchant of Record, Vercel, Neon, and Sentry). That page is the authoritative source; the Terms, this Policy, the Security page, and the Data Processing Addendum all reference it so the list cannot drift between pages.

We will notify users at least 30 days before adding or replacing a subprocessor that processes Customer Personal Data, except where urgent security, availability, or legal reasons require shorter notice.

We do not sell personal data and do not share it with advertisers. We disclose personal data only to the listed subprocessors as needed to run the Service or as required by law. We do not share your prop-firm payout data or expense entries with any tax authority, prop firm, or third party — that disclosure is your decision when you file your return. FundedTax does not access IRS records.

7. Data retention

  • Account data: for the duration of your subscription plus 90 days after cancellation for restore purposes.
  • Tax records (CSV imports, transactions, exports): up to 7 years from the end of the corresponding tax year, to let you respond to tax-authority inquiries. This horizon is for your convenience, not a retention obligation we impose; you may delete tax-year workspaces earlier from account settings.
  • Technical logs: 30 days.
  • Billing records: as required by applicable tax and accounting law (typically 7 years).

If you delete data, active records are removed from production systems within 30 days and backups expire within 90 days, except where retention is necessary for security, fraud prevention, legal claims, or a mandatory legal obligation. EEA/UK users may request earlier deletion, which we will honour unless we have an independent legal obligation to retain.

8. Security

We use HTTPS / TLS 1.2+ for all transport, encryption at rest for the database and storage, automated redaction of taxpayer-identifier patterns at the persistence boundary, rate limiting, and security monitoring. Access to customer data is restricted on a need-to-know basis. No system is perfectly secure; we cannot guarantee absolute security. See the Security page for the specific controls and our incident-response approach.

9. Your GDPR rights

If you are in the EEA, UK, or Switzerland, you have the right to:

  • Access your personal data and receive a copy
  • Correct inaccurate or incomplete data
  • Delete your data (subject to retention obligations in Section 7)
  • Restrict processing
  • Object to processing based on legitimate interests
  • Data portability (receive your data in a structured, machine-readable format)
  • Withdraw consent (where consent is the legal basis)
  • Lodge a complaint with your supervisory authority

To exercise any of these rights, email privacy@fundedtax.com. We respond within 30 days. Where we process personal data as a processor on a Customer's behalf, we will forward any rights request to the relevant Customer (the controller) and assist them in responding, rather than actioning it directly.

10. Your CCPA / California rights

We do not currently believe we meet the statutory thresholds to be a "business" under the CCPA/CPRA. Where we voluntarily provide California-style disclosures, they are provided for transparency and do not concede statutory applicability. If and when FundedTax becomes subject to the CCPA/CPRA, we will update this Policy with the required category, source, purpose, disclosure, retention, sensitive-personal-information, and sale/share disclosures.

If you are a California resident, you have the right to know what we collect, delete, correct, opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising), and non-discrimination for exercising your rights. Email privacy@fundedtax.com. We respond within 45 days.

11. International transfers

FundedTax primarily processes data in the United States (Vercel iad1 region, Neon US East). Authorized personnel operating from Pakistan may access customer data only as necessary to provide support, security, and service operations; Pakistan has no EU/UK adequacy decision, so access from Pakistan is itself a restricted transfer.

  • For transfers out of the EEA, we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914).
  • For UK transfers, we use the UK Addendum to those Clauses (or the UK International Data Transfer Agreement).
  • For Swiss transfers, we use the Clauses as adapted for Switzerland.

FundedTax serves US-based traders during early access and does not currently onboard EU, UK, or Swiss customers. Before serving customers in those regions, FundedTax will execute the applicable transfer mechanisms (the EU Standard Contractual Clauses, the UK Addendum/IDTA, and the Swiss adaptation) and complete a transfer impact assessment.

12. EU / UK representative

FundedTax does not currently target EU or UK customers. If that changes, FundedTax will appoint and name an EU representative (GDPR Art. 27) and a UK representative (UK GDPR Art. 27) before serving customers in those regions.

13. Children

The Service is intended for adults filing US tax returns. We do not knowingly collect personal information from anyone under 18. If you believe we have collected such data, contact us and we will delete it.

14. Updates to this Policy

We may update this Policy to reflect changes in our services or legal requirements. Material changes will be notified by email to your registered address and posted on this page with a revised "Last updated" date.

15. Contact

For privacy questions or to exercise your rights: privacy@fundedtax.com. See also the Terms of Service, the Subprocessors page, and the Data Processing Addendum.

Product scopeInformational software, not tax advice. Founder is not a CPA/EA. You or your CPA file the return.