HYK Tax, PLLC ("HYK Tax," "we," "us," or "our") respects your privacy and is committed to protecting the personal and financial information you share with us. This Privacy Policy explains how we collect, use, store, and safeguard your information when you engage our services or use our website.
01Scope & Acceptance
This policy applies to all individuals, businesses, and entities that engage HYK Tax for tax preparation, bookkeeping, advisory, IRS representation, or related services, as well as any visitor to hyktax.com and our client portal at portal.hyktax.com.
By engaging our services or using our website, you consent to the collection and use of information in accordance with this policy. If you do not agree with our practices, please do not provide us with personal information or use our services.
02Information We Collect
From clients during engagement
To prepare returns, maintain your books, or represent you before tax authorities, we collect information you voluntarily provide, including:
- Identification: legal name, Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN), Employer Identification Number (EIN), date of birth, government-issued ID
- Contact: mailing address, email, phone number
- Financial: W-2s, 1099s, K-1s, bank statements, brokerage records, mortgage statements, retirement contributions, prior-year tax returns
- Business: entity formation documents, payroll records, sales records, vendor invoices, expense receipts
- Other tax-related documentation you submit through our portal, email, or in person
From website visitors
When you visit our website, we automatically collect limited technical information through standard web analytics:
- IP address (anonymized after 30 days)
- Browser type, operating system, and device category
- Pages viewed, time on site, referring URL
- Form submissions you voluntarily complete (name, email, message)
03How We Use Your Information
We use the information you provide solely for the following purposes:
- Service delivery — preparing tax returns, maintaining bookkeeping records, providing tax advice, and representing you before tax authorities
- Communication — responding to your inquiries, sending engagement-related updates, and providing required tax notices
- Compliance — meeting our legal, regulatory, and professional obligations under IRS Circular 230, AICPA standards, and applicable state CPA licensing rules
- Quality & security — improving our services, detecting fraud, and protecting our systems and your data
We do not sell, rent, or trade your personal or financial information to third parties for marketing purposes. Ever.
04When We Share Information
We share your information only in the following limited circumstances, and only to the extent necessary:
- With your authorization — for example, when you direct us to provide records to your bank, attorney, or financial advisor
- With tax authorities — including the IRS, state departments of revenue, and local tax agencies, as required to file your returns or respond to inquiries
- With our subcontractors — including our offshore tax-preparation team in Surat, India, all of whom are bound by written confidentiality and data-security agreements equivalent to this policy and IRS Pub. 4557
- With our service providers — including TaxDome (client portal), Box (document storage), and our practice-management software vendors, all of whom are SOC 2 audited
- To comply with law — including subpoenas, court orders, or other valid legal process
05Storage & Retention
We retain client records as follows:
| Record type | Retention period |
|---|---|
| Filed tax returns and supporting documents | Minimum 7 years |
| Bookkeeping records and financial statements | Minimum 7 years |
| Engagement letters and signed agreements | Minimum 10 years |
| Email correspondence with clients | 3 years from last interaction |
| Website analytics data | 26 months |
After the retention period, records are securely deleted using NIST 800-88 compliant data destruction methods.
06Security Safeguards
We implement administrative, technical, and physical safeguards in accordance with IRS Publication 4557, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and SOC 2 Type II controls:
- AES-256 encryption for all data at rest; TLS 1.3 for all data in transit
- Mandatory two-factor authentication on all client portal accounts and internal systems
- Role-based access controls — staff only access client files necessary for their assigned work
- Annual third-party penetration testing and vulnerability scanning
- Documented incident response plan with 72-hour breach notification commitment
- Background checks on all U.S. and offshore staff prior to onboarding
- Secure facilities with biometric access, 24/7 monitoring, and visitor logs
For full details, see our Data Security Policy.
07Your Rights
You have the following rights regarding your information:
- Access — request a copy of the information we hold about you
- Correction — request that we correct any inaccurate or incomplete information
- Deletion — request deletion of information no longer needed for legal or contractual purposes (subject to mandatory retention requirements)
- Restriction — request that we restrict processing in certain circumstances
- Portability — request a machine-readable copy of your data for transfer to another provider
- Objection — object to certain processing activities, including direct marketing
To exercise any of these rights, contact us using the details below. We will respond within 30 days.
08Cookies & Analytics
Our website uses essential cookies for functionality (e.g., remembering your dark/light mode preference) and privacy-respecting analytics to understand how visitors use the site. We do not use advertising cookies, behavioral tracking, or third-party marketing pixels.
You can disable cookies in your browser settings. Doing so will not affect your ability to use our services as a client; it may limit some website features.
09Minors
Our services and website are not directed to individuals under 18. We do not knowingly collect personal information from minors. Parents or guardians who believe their child has provided us with personal information may contact us for prompt deletion.
Note: tax returns prepared for minor dependents (e.g., a 16-year-old's first W-2) are handled through the parent or guardian's client engagement and are subject to the same protections as all client records.
10Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this page indicates when the most recent revision was made.
Material changes will be communicated to active clients via email at least 30 days before they take effect. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
11Contact Us
If you have questions about this Privacy Policy or how we handle your information, please contact our Privacy Officer:
HYK Tax, PLLC — Privacy Officer
We respond to all privacy inquiries within 5 business days.