3520file LLC ("we," "us," "our") prepares IRS Form 3520 for US persons who received large foreign gifts or inheritances. Because we are a paid tax preparer, we are subject to IRS Publication 4557 (Safeguarding Taxpayer Data), the FTC Safeguards Rule under the Gramm-Leach-Bliley Act (16 CFR Part 314, updated 2023), and applicable state breach-notification laws. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have to control it. Read this alongside our Terms of Service, Cookie Policy, and Data Security page — together they form our complete privacy commitment.

1. Information We Collect

To prepare your Form 3520 we collect: (a) account data — name, email, password (hashed by Clerk, never seen by us); (b) filer data — US address, Social Security Number or ITIN, filing status; (c) transaction data — foreign-donor name and country, transaction dates, currency code, foreign-currency amounts, USD equivalents at historical exchange rate, transaction type (gift / bequest / corporate distribution), and your free-form description of each transaction; (d) cross-form signals — whether your facts also trigger FBAR or Form 8938 reporting obligations; (e) payment data — collected by Stripe; we receive the last four digits and brand of the card but never the full card number; (f) communications — the content of any email, support-ticket, or chat exchange you have with us; (g) device and usage data — IP address, browser user-agent, pages visited, and feature interactions, captured by PostHog with cookie consent.

2. Legal Basis for Processing

We rely on four legal bases: (a) Contract — we process your data to perform the Form 3520 preparation contract you entered into when you created an account and paid; (b) Legal obligation — IRS Publication 4557, the FTC Safeguards Rule, the 7-year IRC § 6501 statute of limitations on assessment for international transactions, and state breach-notification statutes require us to retain certain records and protect them in specific ways; (c) Legitimate interest — fraud detection, abuse prevention, and product improvement; (d) Consent — for non-essential cookies (analytics, error monitoring) we only set them after you accept the cookie banner.

3. How We Use Your Information

We use the data you provide solely to: (a) generate your Form 3520 PDF and supporting envelope; (b) lock the historical USD exchange rate from OpenExchangeRates and store it for the audit trail; (c) maintain your filing history for the 7-year retention period; (d) email you transactional reminders (filing deadline, USPS tracking nudge) and security notifications; (e) detect cross-form obligations (FBAR, Form 8938) and offer to refer you to fbarfile.com or a CPA; (f) respond to your support requests; (g) detect fraud and abuse; (h) comply with our legal obligations as a paid tax preparer. We do NOT use your data for advertising, profiling, model training, or any purpose unrelated to preparing your filing.

4. Information Sharing and Subprocessors

We do not sell, rent, or trade your personal information. We do not share data with the IRS — you (or our Concierge mail-kit on your behalf) print and mail the form. We share the minimum data required with these vendors: Clerk (authentication — email and Clerk user ID); Stripe (payments — name, email, card data Stripe collects directly); Resend (transactional email — name, email, email body); Railway (hosting — encrypted database and application logs); Cloudflare (DNS, CDN, DDoS — request metadata only); OpenExchangeRates (FX rates — we send a currency code and a date, never your identity); Lob.com (Concierge mail-kit only — recipient name and US mailing address printed on your envelope); PostHog (anonymous product analytics — only with cookie consent); Sentry (error monitoring — error stack and anonymized user ID, no PII). Every vendor is contractually bound to use your data solely to provide their service to us and to protect it to the same standard we do.

5. Data Security

We follow IRS Publication 4557 and the FTC Safeguards Rule. Specifically: AES-256-GCM encryption at rest; TLS 1.3 in transit; column-level encryption with separate envelope keys for SSN/ITIN values; role-based access controls with mandatory multi-factor authentication; vendor risk reviews; an annual Written Information Security Plan (WISP); a documented incident-response plan; immutable audit logging of every data access; and quarterly internal access-review attestations. Customer production data is never copied to laptops, mobile devices, or non-production environments. See our Data Security page for the customer-facing WISP summary.

6. Retention Periods

We retain different categories of data for different periods, as required by law: (a) Filing records (Form 3520 data, donor data, transaction data, encrypted SSN/ITIN, generated PDF) — 7 years from the filing date, matching the IRC § 6501 statute of limitations for international transactions plus 1 year of safety margin; (b) Account data (name, email, hashed password) — until you delete your account, then 30 days for backup retention; (c) Support communications — 2 years from the date of the message; (d) Payment metadata at Stripe — Stripe controls retention under its own policy and PCI-DSS Level 1 obligations; (e) Audit logs — same 7 years as the filing they describe; (f) Anonymized analytics — indefinite, but stripped of identifiers within 30 days of capture. After the applicable retention period, identifiable data is securely deleted; only an anonymized audit log remains.

7. Your Rights

Regardless of where you live, you have the right to: (a) access the personal data we hold about you; (b) request correction of inaccurate data; (c) request deletion of data we no longer need to retain; (d) export a copy of your filing data in machine-readable format; (e) withdraw consent for any processing based on consent (e.g. analytics cookies). For active filings we cannot delete records during the 7-year retention period required by law, but we can anonymize them upon request once the active filing is complete. Email privacy@3520file.com to exercise any of these rights — we respond within 30 days.

8. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights in addition to those above: (a) the right to know what personal information we collect, the sources, the purposes, and the categories of third parties we share it with; (b) the right to delete personal information we hold about you, subject to legal retention requirements; (c) the right to correct inaccurate personal information; (d) the right to opt out of the "sale" or "sharing" of personal information — we do NOT sell or share your personal information as those terms are defined under the CCPA; (e) the right to limit use of sensitive personal information (your SSN/ITIN qualifies) — we already limit our use of SSN/ITIN to preparing your Form 3520 only; (f) the right to non-discrimination — we will not deny service, charge a different price, or provide a lower-quality service because you exercised a CCPA right. To exercise any of these rights, email privacy@3520file.com. We will verify your identity using the email on file and respond within 45 days.

9. European, UK, and Swiss Privacy Rights (GDPR / UK GDPR / FADP)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR, UK GDPR, or Swiss FADP including: access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right not to be subject to automated decision-making. 3520file LLC is the data controller. Because we are US-domiciled and our infrastructure is US-based, we transfer your data to the United States — we rely on the Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum to provide the legal basis for this transfer. You may also lodge a complaint with your local data protection authority. Email privacy@3520file.com to exercise any of these rights or to request a copy of the Standard Contractual Clauses.

10. Financial Data Protection (GLBA)

As a paid tax preparer we are a "financial institution" under the Gramm-Leach-Bliley Act and our customers are "consumers" for GLBA purposes. We do not share Nonpublic Personal Information (NPI) — including SSN/ITIN, foreign-gift facts, or Form 3520 contents — with any third party for marketing purposes. We share NPI with our subprocessors only as strictly necessary to deliver the service you purchased, under written contracts that bind them to the same protection standards we apply. You have the right under GLBA to request an annual notice describing our information-sharing practices — this Privacy Policy IS that notice, and we will re-issue it whenever our practices materially change.

11. Cookies and Tracking Technologies

We use only the cookies described in our Cookie Policy. Essential cookies (authentication with Clerk, your cookie-consent choice) are set without consent because the site cannot function without them. Non-essential cookies (PostHog analytics, Sentry error monitoring with cookie consent only) are set only after you accept the cookie banner. We do not use advertising cookies, retargeting pixels, social-media tracking, or third-party advertising networks. You can review and change your cookie preferences anytime via the Cookie Preferences link in the footer.

12. International Data Transfers

3520file is a US-domiciled service hosted in US data centers. If you access us from outside the US, your data will be transferred to and processed in the United States. We rely on the Standard Contractual Clauses (for EEA users), the UK International Data Transfer Addendum (for UK users), and the Swiss-US data transfer mechanism (for Swiss users) to provide an adequate legal basis for these transfers. You may request a copy of the relevant transfer mechanism by emailing privacy@3520file.com.

13. Automated Decision-Making

We do not subject you to automated decision-making with legal or similarly significant effects. Our AI-assisted question flow proposes which part of Form 3520 applies (Part IV in V1) and flags possible cross-form obligations — but every recommendation is reviewable by you before signing, and you are responsible for the final filing. We do not use your data to train AI models.

14. Children's Privacy

Our services are intended for adults filing IRS forms. We do not knowingly collect personal information from anyone under 18. If a parent or guardian needs to file Form 3520 on behalf of a minor (for example, an inheritance to a child), the parent or guardian — not the child — is our customer and creates the account. If you believe we have collected personal information from someone under 18 in error, email privacy@3520file.com and we will delete it.

15. Security Incident Notification

If we discover a security incident affecting your personal data, we will notify you and the applicable regulators within the timeframes required by law — 72 hours for GDPR-covered EU residents, 30 days for most US state breach laws, and consistent with our IRS Publication 4557 obligations as a paid tax preparer. The notification will describe what happened, what data was involved, the steps we are taking, and the steps you can take to protect yourself.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes — meaning a change that expands what we collect, who we share it with, or how long we retain it — will be announced via email to active customers at least 30 days before they take effect. Non-material updates (typo fixes, clarifications) will be reflected in the "Last updated" date above without separate notice.

17. Contact

Questions, requests, or complaints about this Privacy Policy: privacy@3520file.com. For data-subject requests under CCPA, GDPR, or similar laws, the same address. Mailing address: 3520file LLC, c/o Privacy Officer, Wilmington, Delaware (full mailing address provided on request). To report a suspected security incident, email security@3520file.com instead — it routes to our incident-response team.