Loading account

ResidencyIQ Privacy

Privacy Policy

ResidencyIQ (residencyiq.app) helps individuals document state tax residency. This policy explains what personal information we collect, why, how long we keep it, and the rights you have over it.

Effective Date: July 8, 2026  ·  Last Updated: July 8, 2026

1. Who We Are and the Merchant of Record

ResidencyIQ is a product of Equitymind Ventures. Payments for ResidencyIQ are processed by Stripe, and Equitymind Ventures is the merchant of record on your billing statement: if you see that name on a card statement, that is us.

2. Information We Collect

We collect the following categories of personal information. We do not collect anything not listed here without updating this policy first.

2.1 Account Information

Name, email address, password (hashed, never stored in plain text), and authentication metadata, collected via Clerk. Purpose: create and secure your account, log you in, communicate with you about the Service.

2.2 Precise Geolocation Data

Check-in location data: When you affirmatively check in within the app, we collect your precise GPS coordinates, timestamp, and device-reported location accuracy.

Background location (planned mobile feature): If and when we introduce background location tracking in a mobile app, we will collect precise location at intervals you configure, only after you grant OS-level background location permission, and you will be able to disable it at any time in-app or via your device settings. We will update this policy with specifics before that feature ships to any user.

Purpose: Precise geolocation is the evidentiary core of the Service: it lets you build a timestamped, contemporaneous record of your physical presence in a given state, which is the type of evidence state tax auditors credit most heavily in residency and domicile disputes.

See Section 4 below; we treat this category as sensitive personal information and give it heightened protection beyond what the law requires for ordinary data.

2.3 Financial Transaction Data (via Plaid, Planned, Not Yet Live)

We plan to offer optional bank and card transaction linking through Plaid, Inc. in read-only mode, so that transaction geography can corroborate your residency timeline alongside check-ins and documents. This feature is not yet available. Plaid is not currently integrated into the Service, and we do not currently collect, receive, or store any bank or card transaction data. When this feature launches, we will collect merchant name, amount, date, and location metadata where your financial institution provides it, and we will not receive your online banking credentials; those will be entered directly into Plaid’s interface and never touch our servers. We will update this policy with specifics before this feature ships to any user.

2.4 Documents and Document Metadata

Uploaded or linked documents you provide as residency evidence: utility bills, leases, driver’s licenses or state ID cards, vehicle registrations, voter registration records, and similar documents. Where you link a document stored in a third-party service (e.g., Google Drive or Dropbox) rather than upload it directly, we store only a pointer to that file (the provider’s file ID) and a SHA-256 cryptographic fingerprint of its contents at the time of linking, not a copy of the document itself. The fingerprint lets us detect if the linked file is later altered, without our holding the underlying content.

2.5 Photo EXIF Metadata

If you upload photographs as evidence, we read embedded EXIF metadata, which may include the GPS coordinates where the photo was taken, the device model, and the capture timestamp. We do not require you to strip EXIF data before upload, but you may do so using your device’s built-in tools if you prefer not to share embedded location data with us; doing so may weaken the evidentiary value of the photo.

2.6 Payment Information

Handled entirely by Stripe. We receive only a payment status, subscription tier, and a truncated card descriptor (e.g., last four digits), never your full card number, CVV, or bank account credentials.

2.7 Usage and Analytics Data

Pages viewed, features used, session duration, device type, browser type, and approximate (non-precise) location derived from IP address, collected via PostHog. We do not use PostHog to collect precise geolocation.

2.8 Communications

Emails, support tickets, and other messages you send us, retained to respond to you and maintain a record of our correspondence.

3. How We Use Your Information

We use the information above only to:

  1. Provide, operate, and maintain the Service, including generating residency evidence timelines and reports;
  2. Authenticate you and secure your account;
  3. Process payments and manage subscriptions;
  4. Communicate with you about your account, changes to the Service, or support requests;
  5. Diagnose technical problems and improve product performance and usability;
  6. Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service;
  7. Detect, prevent, and investigate fraud, abuse, or security incidents.

We do not use your precise geolocation, financial data, or document content to build advertising profiles, and we do not use it for any purpose beyond delivering the residency-documentation service you signed up for.

4. Precise Geolocation as Sensitive Personal Information (CCPA/CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), precise geolocation (location accurate to within a radius of 1,850 feet or less) is legally classified as “Sensitive Personal Information.” We treat it that way for every user, not just California residents.

What this means in practice:

  • We collect precise geolocation only for the core residency-documentation purpose described in Section 2.2, never to infer characteristics about you (health, religious observance, sexual orientation, etc.), and never for cross-context behavioral advertising.
  • We do not sell or share (as “sale” and “share” are defined under CCPA/CPRA) your precise geolocation, or any other personal information, to third parties. See Section 6.
  • You have the right to limit the use of your sensitive personal information to only what is necessary to provide the Service. Because we already restrict our own use to that purpose, exercising this right will not change how the Service functions for you, but you may still submit the request for it to be logged and confirmed.

To exercise this right: Limit the Use of My Sensitive Personal Information or email privacy@residencyiq.app with the subject line “Limit Sensitive Personal Information.”

You may also disable check-in location collection at any time in your account settings; this will stop future collection but will not retroactively delete previously recorded check-ins (see Section 8 on deletion).

5. Financial Data Handling (GLBA / FTC Safeguards Framing): Planned Feature

Financial account linking via Plaid is planned but not yet live. We are not currently connected to Plaid and do not currently collect, receive, or store any bank or card transaction data. This section describes the standard we are committing to for that feature, consistent with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule because that is the framework designed for exactly this kind of data, before it launches to any user:

  • Read-only access. Once live, we will request only read-only transaction data through Plaid. We will not be able to move money, initiate transactions, or modify your accounts, and we will never ask for or store your bank login credentials.
  • Purpose limitation. Financial transaction data, once collected, will be used solely to help corroborate your residency timeline. We will not use it for credit decisions, underwriting, marketing, or any purpose unrelated to residency documentation.
  • Access controls. Financial data, once collected, will be encrypted at rest and in transit, with access restricted to the systems and personnel who need it to operate the feature.
  • Vendor accountability. Plaid is contractually and independently subject to its own regulatory obligations as a financial data aggregator; our planned integration will use Plaid’s standard secure token-exchange flow, and we will not receive or store raw banking credentials at any point.
  • Written information security program. We maintain administrative, technical, and physical safeguards designed to protect financial data against unauthorized access, consistent with the risk-based approach required by the FTC Safeguards Rule, and this program will extend to financial data once this feature is live.

Once this feature is live, you will be able to disconnect linked financial accounts at any time from your account settings, which will stop future transaction syncing.

6. We Do Not Sell or Share Your Information

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA or any other applicable law. We have not done so in the past 12 months and have no plans to.

We disclose personal information only:

  • To the service providers listed in Section 7, under contracts that restrict their use of your data to providing services to us;
  • When required by law, subpoena, court order, or other valid legal process;
  • To protect the rights, property, or safety of ResidencyIQ, our users, or the public;
  • In connection with a merger, acquisition, or sale of assets, subject to this policy’s protections continuing to apply (see Section 14);
  • With your explicit direction or consent (for example, if you choose to export and send your evidence packet to your accountant or attorney).

7. Third-Party Service Providers

We rely on the following processors to operate the Service. Each is contractually restricted to using your data solely to provide services to us, not for their own independent purposes.

ProviderFunctionData It Processes
ClerkAuthentication and account managementName, email, authentication credentials
StripePayment processing (merchant of record: Equitymind Ventures)Payment method (tokenized), billing status
RenderApplication and Postgres database hostingAll account data stored in our database
PostHogProduct analyticsUsage events, device/browser data, approximate IP-based location
Plaid (planned, not yet live)Read-only financial account linking, not yet integratedNone today. Once live: bank transaction data via secure token exchange
Google Drive / Dropbox (if linked)External document storage you controlFile ID pointer and SHA-256 fingerprint only; we do not store your document content from these providers

We do not permit any processor to use your data to train third-party AI/ML models without your separate, explicit consent.

8. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy, subject to the schedule below. “Evidence records” (check-ins, financial transaction data, documents and document pointers, EXIF metadata) are retained longer than typical account data because they need to remain available for the multi-year lookback periods states use in residency and domicile audits.

Data CategoryRetention PeriodNotes
Account information (name, email, credentials)Duration of account + 30 days after deletionRetained briefly post-deletion to prevent fraudulent account recreation
Evidence records (geolocation check-ins, financial transactions, documents/pointers, EXIF metadata)Minimum 6 years from date of creation, or duration of account if longerMatches the longest common state tax residency audit lookback window; early deletion available on request
Payment records (via Stripe)Typically 7 yearsGoverned by Stripe’s own financial recordkeeping obligations, not modifiable by us
Analytics data (PostHog)12 months, then aggregated or deletedRolling deletion of raw event data
Support communications3 years from last contact
Data after account deletionDeleted within 30 days, except evidence recordsSee early-deletion note below

Requesting early deletion of evidence records: You may request deletion of your evidence records before the 6-year retention period ends. We will honor that request, but we want you to understand the tradeoff before you make it: evidence records are the substance of what you’d present if a state ever audited your residency claim. If you delete them and are later audited for a tax year within that lookback window, you will not be able to retrieve that evidence from us. We will require you to affirmatively confirm you understand this consequence before processing an early deletion request for evidence records specifically (this confirmation step does not apply to ordinary account data).

9. Your Privacy Rights

Regardless of where you live, you may exercise the following rights by emailing privacy@residencyiq.app:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate personal information.
  • Deletion: Request deletion of your personal information, subject to the retention schedule and consequences described in Section 8.
  • Portability: Request an export of your data in a structured, commonly used, machine-readable format.
  • Limit use of sensitive personal information: See Section 4.
  • Non-discrimination: We will not deny you the Service, charge you a different price, or provide a lesser level of service because you exercised any of these rights.

We will verify your identity before fulfilling a request and will respond within 45 days, consistent with CCPA/CPRA timelines, with a possible one-time 45-day extension for complex requests, of which we will notify you.

You may also designate an authorized agent to make a request on your behalf; we may require proof of the agent’s authorization and independent verification of your identity.

10. California Privacy Rights (CCPA/CPRA)

This section supplements the rest of this policy for California residents, as required by the CCPA/CPRA.

Categories collected (past 12 months): Identifiers (name, email), sensitive personal information (precise geolocation), commercial information (subscription/payment status), internet/network activity (analytics), and documents/records you provide. Financial information via Plaid is a planned category (see Section 2.3) and is not currently collected.

Sources: Directly from you, from your linked document providers via Google Drive/Dropbox (if used), and automatically via PostHog analytics. Once our planned Plaid integration is live, your linked financial institution will become an additional source for transaction data.

Business/commercial purpose: Providing the residency-documentation Service described in Section 3.

Sale or sharing: None, as described in Section 6.

Sensitive personal information: Precise geolocation is collected and used only as described in Section 4; you may request we limit its use as described there.

Right to know, delete, correct, and data portability: See Section 9.

Right to opt out of automated decision-making technology: We do not use your personal information to make any legal or similarly significant automated decision about you without human involvement. ResidencyIQ organizes and presents evidence; it does not make residency determinations on your behalf.

Shine the Light: We do not disclose personal information to third parties for their own direct marketing purposes, so California Civil Code § 1798.83 disclosures do not apply.

To exercise any California-specific right, email privacy@residencyiq.app with “California Privacy Request” in the subject line, or use the link in Section 4 for sensitive information requests specifically.

11. Children’s Privacy

The Service is not directed to, and is not intended for use by, anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, contact us at privacy@residencyiq.app.

12. Security and Breach Notification

We maintain administrative, technical, and physical safeguards designed to protect your personal information, including encryption in transit (TLS) and at rest, access controls limiting internal access to what each system and team member needs, and regular review of our vendor security posture.

No system is perfectly secure. If we experience a security incident that compromises your personal information in a manner triggering notification obligations under applicable law, we will notify affected users without unreasonable delay and in accordance with the timelines required by applicable state and federal breach notification law, and we will describe what happened, what data was involved, and what steps we and you can take in response.

13. International Users

The Service is hosted in the United States (via Render) and is designed around U.S. state tax residency documentation. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

14. Business Transfers

If ResidencyIQ is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your personal information becomes subject to a different privacy policy, and any successor will remain bound by the commitments in this policy with respect to information collected before the transfer.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, particularly any change to how we collect or use precise geolocation, financial data, or documents, we will notify you by email and/or an in-app notice before the change takes effect, and we will update the “Last Updated” date at the top of this page. We will maintain a changelog of prior versions of this policy, available upon request to privacy@residencyiq.app.

Continued use of the Service after a change takes effect constitutes acceptance of the revised policy, except where applicable law requires your affirmative consent, in which case we will obtain it before the change applies to you.

16. Contact Us

Questions, requests, or concerns about this policy or our data practices:

Email: privacy@residencyiq.app

Mail: Equitymind Ventures, Attn: Privacy, 15642 Sand Canyon Ave. #50971, Irvine, CA 92619

Core Disclosure

This policy describes ResidencyIQ’s current data practices as of the Effective Date above. It is not legal, tax, or financial advice, and using ResidencyIQ does not guarantee any particular outcome in a state tax residency audit or dispute.