GoRefer Trust Center
Privacy Policy
Updated April 2026
GoRefer, Inc. ("GoRefer", "we", "us") is committed to protecting the personal data of our customers, their clients, and all users of the platform. This policy explains what we collect, why, how we protect it, and your rights.
What Data We Collect & Why
We collect the minimum data needed to provide the service. All data processing has an identified lawful basis under GDPR Article 6. Sensitive data (PII) is encrypted at rest using AES-256 and is only used as necessary to fulfill the tax workflow service.
| Data Category | Examples | Lawful Basis | Retention Period |
|---|---|---|---|
| Account & Identity | Name, email, phone number, profile photo | Contract | Life of account + 30 days |
| Tax Professional Data | PTIN, EFIN, firm name, specializations | Contract / Legitimate Interest | Life of firm account |
| Client Personal Data | Name, email, tax year info | Contract | Per retention schedule |
| PII (sensitive) | SSN, EIN, bank account, driving license | Explicit Consent / Legal Obligation | Per retention schedule (encrypted at rest) |
| Usage & Analytics | Page views, feature usage, session duration | Legitimate Interest | 24 months rolling |
| Communications | Support emails, in-app messages | Contract / Legitimate Interest | 36 months |
| Payment Data | Last 4 digits, billing address (card details tokenised by Stripe) | Contract | 7 years (tax/legal requirement) |
How We Use Your Data
Service Delivery
Authenticating users and maintaining sessions
Processing tax referrals and commission calculations
Sending transactional emails (referral confirmations, payment notifications)
Enabling AI-powered features (Gio assistant) to assist preparers
Generating reports, exports, and audit trails for firms
Platform Operations
Diagnosing errors and performance issues (Sentry, anonymized logs)
Detecting suspicious activity and fraud patterns
Improving AI model quality (aggregated, non-identifiable data only)
Billing reconciliation and subscription management (via Stripe)
Supporting compliance obligations (IRS record-keeping, GDPR audits)
We do not sell your data
GoRefer does not sell, rent, or trade personal data to third parties for marketing purposes. Data shared with subprocessors is bound by Data Processing Agreements that restrict use to service delivery only.
Your Rights (GDPR & CCPA)
EU/EEA residents have rights under the General Data Protection Regulation (GDPR). California residents have similar rights under the CCPA. To exercise any right, contact us at privacy@gorefer.io.
| Right | What It Means |
|---|---|
| Right to Access | Request a copy of all personal data we hold about you |
| Right to Rectification | Correct inaccurate or incomplete personal data |
| Right to Erasure | Delete your personal data (subject to legal retention obligations) |
| Right to Restrict Processing | Pause processing while a dispute is resolved |
| Right to Data Portability | Export your data in a machine-readable format (JSON/CSV) |
| Right to Object | Object to processing based on legitimate interests |
| Right to Withdraw Consent | Withdraw previously given consent at any time |
Response SLA
We respond to all privacy rights requests within 30 days. For complex requests we may extend by an additional 60 days with notice. Where technically feasible, data export and deletion are handled directly in the platform.
Cookies & Tracking
Essential Cookies
Authentication session cookies (httpOnly, Secure, SameSite=Strict)
CSRF protection tokens
User preference storage (theme, language, timezone)
Load balancer affinity cookies (session stickiness)
Analytics & Preferences
Aggregated usage analytics for product improvement (no cross-site tracking)
Error tracking cookies tied to Sentry session replay (optional)
Cookie consent preferences stored as first-party cookie
No third-party advertising or tracking pixels
International Data Transfers
GoRefer is incorporated in the United States. Where we transfer personal data of EU/EEA residents outside the EEA, we rely on:
Standard Contractual Clauses
EU SCCs executed with all relevant subprocessors
Transfer impact assessments conducted where required
Adequacy Decisions
Where the European Commission has issued an adequacy finding for a destination country
UK IDTA addendum used for UK transfers
Binding Agreements
All cross-border transfers are documented in our sub-processor register
Full DPA available on request via Trust Portal