Privacy Policy _Last updated: October 15, 2025_

1. Overview Find My K-1s ("we", "our", or "us") helps Gmail users quickly identify Schedule K-1 documents. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have. By using the Service you agree to this policy. If you do not agree, please discontinue use and revoke Google access.

2. Information We Collect ### 2.1 Account & Identity Data - Email address and basic profile information supplied by Google during OAuth or Supabase sign-in. - Optional contact information you provide when contacting support.

2.2 Gmail Data Processed - Email metadata (subject, sender, recipient, dates, labels) for messages matching K-1 detection rules. - Attachments flagged as likely K-1 forms when you request a scan. We request read-only Gmail access and never send, delete, or modify email on your behalf.

2.3 Technical & Usage Data - Device, browser, and event logs generated when you use the Service. - Aggregated analytics such as scans started, results returned, or errors encountered. These metrics do not include message content.

3. How We Use Information We use information to: - authenticate you through Google and Supabase; - scan Gmail for likely K-1 documents and display results to you; - operate, maintain, and improve the Service, including developing new features; - monitor usage, prevent abuse, and secure the platform; - communicate with you about updates, security notices, or support requests; - comply with legal obligations and enforce our Terms of Service.

4. Legal Bases for Processing Where laws require a legal basis, we process personal data on the basis of: (a) your consent (e.g., granting Gmail access), (b) performance of a contract (providing the Service), (c) legitimate interests (improving security and reliability), and (d) compliance with legal obligations.

5. Data Retention - Gmail attachments are processed in-memory or in secure temporary storage and deleted immediately after the scan unless you explicitly export them. - OAuth tokens are stored encrypted and removed when you revoke access or after extended inactivity. - Analytics and system logs are retained for as long as necessary to operate the Service, typically no longer than 24 months.

6. Sharing & Disclosure We do not sell personal information. We may share limited data with: - **Service providers** (e.g., hosting, storage, monitoring) under confidentiality obligations; - **Professional advisors** (lawyers, accountants) under duty of confidentiality; - **Authorities** when required by law, subpoena, or court order; - **Successors** in the event of a merger, acquisition, or sale of assets, subject to this policy.

7. Google User Data & Limited Use Compliance We access Gmail data only after you grant consent through Google OAuth. We follow the Google API Services User Data Policy, including the Limited Use requirements: - Gmail data is used solely to identify Schedule K-1 attachments and present results to you during your session. - We do not transfer Google user data to third parties except to the service providers listed above as necessary to operate the Product, and they are prohibited from using it for other purposes. - We do not sell or display Google user data. Human access to Gmail content is limited to troubleshooting, security issues, or when you explicitly request support. - You can revoke our access at any time via [myaccount.google.com/permissions](https://myaccount.google.com/permissions). If you revoke access or request deletion, we remove stored tokens and delete any cached Gmail data in accordance with this policy.

8. Security We use industry-standard safeguards including encryption at rest and in transit, least-privilege access controls, auditing, and automated monitoring. No system is perfectly secure, so we encourage you to revoke access if you suspect unauthorized use.

9. Your Choices & Rights - Revoke Gmail access at [myaccount.google.com/permissions](https://myaccount.google.com/permissions). - Manage Supabase account data via in-app settings or by contacting us. - Request access, correction, or deletion of personal data by emailing diego@findmyk1s.com. We will respond in accordance with applicable law. - Opt out of non-essential communications by using unsubscribe links or emailing us.

10. International Transfers We operate from the United States and may process data there or in other countries where our providers operate. When we transfer personal data across borders we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful mechanisms.

11. Children The Service is not directed to individuals under 16 years of age, and we do not knowingly collect personal data from children. If we learn that a child has provided personal information, we will delete it.

12. Changes to this Policy We may update this Privacy Policy from time to time. We will post the revised policy with an updated "Last updated" date, and may provide additional notice for material changes. Continued use after the changes take effect constitutes acceptance.

13. Contact Questions or concerns about privacy? Email us at diego@findmyk1s.com.