Privacy policy
Effective May 12, 2026 · Last reviewed May 25, 2026
We try to collect as little as possible. This page documents what we do collect, what we do with it, and how to make us stop.
Data controller
Under GDPR / AVG we have to name the entity that determines the purposes and means of processing the personal data collected through this site. That entity is Tunderman, reachable at the address and contact below. The data-controller identity is disclosed here because the regulation requires it; elsewhere on the site, AI Tax Practitioner is presented as an independent editorial publication.
- Controller: Tunderman
- Address: Bovensteweg 49, 6585 KB Mook, Netherlands
- Contact: editors@aitaxpractitioner.com
What we collect
- Analytics. Page views, referrer, country, device class, scroll depth, click paths. We run three measurement tools, configured for the strictest privacy posture each tool supports:
- Ahrefs Web Analytics — cookieless. Aggregated pageviews + referrers inside our Ahrefs dashboard alongside rank tracking. Sets no cookies.
- Google Analytics 4 — installed with Consent Mode v2 default-denied. Until you grant analytics consent, GA4 sets no _ga/_gid cookies and sends no individual session data; we receive only aggregated modeled-baseline metrics. IP addresses are anonymized; Google Signals and ad-personalization signals are disabled.
- Microsoft Clarity — heatmaps + session recordings + rage-click detection to understand where readers get stuck. Clarity sets cookies (_clck, _clsk, MUID). PII fields (email inputs, name fields) are automatically masked in recordings; we see click paths, not what you type. We are in launch-phase traffic; a cookie consent banner will gate Clarity (and post-consent GA4) once daily visitors scale past ~1,000.
/?notrack=1 on this site — the opt-out is stored in your browser's localStorage. Visit /?notrack=0 to re-enable.
- Newsletter subscribers. At launch the newsletter signup is a coming-soon mailto button — readers email editors@aitaxpractitioner.com to be added. The email address you send from is stored only for the purpose of sending newsletter editions once the newsletter ships. When form-based signup is activated, email addresses will be stored in a Supabase Postgres table (public.newsletter_subscribers) with row-level-security configured to allow insert-only access from the public site and deny all reads, updates, and deletes to anyone other than the editorial team. We do not sell, share, or rent the list. Unsubscribe is one email away.
- Tools. Inputs to interactive tools (Circular 230 checklist, §7216 consent generator, ROI calculator) run client-side and stay on your device. We do not transmit, log, or store them. This is affirmative: no practitioner workflow data, no client data you type into a tool, ever reaches our servers.
- Editorial correspondence. When you email the editorial address, whatever you send us, plus your email address so we can reply.
What we do not collect
- Third-party advertising pixels (no Meta Pixel, no LinkedIn Insight Tag, no Google Ads remarketing tags).
- Retargeting or cross-site tracking — Google Signals and ad-personalization signals are explicitly disabled on our GA4 install.
- Browser fingerprinting.
- Tool-input content (checklist responses, consent-template drafts, calculator inputs).
Legal basis (GDPR / AVG)
- Ahrefs Web Analytics: legitimate interest under Art. 6(1)(f) GDPR. Cookieless and aggregated.
- Google Analytics 4 (modeled-baseline state): legitimate interest under Art. 6(1)(f) GDPR while Consent Mode v2 is default-denied — no cookies are set and no individual session data is sent in this state. Once a consent banner ships, post-consent GA4 telemetry shifts to consent under Art. 6(1)(a).
- Microsoft Clarity: legitimate interest under Art. 6(1)(f) during launch phase, with PII masking enforced and a one-click opt-out at /?notrack=1. Banner-gated consent under Art. 6(1)(a) once daily traffic scales past ~1,000.
- Newsletter: consent under Art. 6(1)(a) GDPR via double opt-in. Withdraw at any time via the unsubscribe link or by emailing us.
- Contact / email correspondence: legitimate interest under Art. 6(1)(f) and contract performance under Art. 6(1)(b) where applicable.
Retention
- Newsletter address: until you unsubscribe.
- Email correspondence: 24 months from last reply, then deleted unless an active matter requires longer.
- Analytics aggregates: 24 months, then deleted.
Third-party processors
We use a small set of processors, all bound by data-processing agreements (or by their published standard terms where a DPA is not separately offered for the tier):
- Ahrefs Pte. Ltd. — Ahrefs Web Analytics (cookieless pageview + referrer aggregation). Singapore-based; EU SCCs in place.
- Google LLC — Google Analytics 4 (Consent Mode v2 default-denied; IP anonymized; Google Signals and ad-personalization disabled). United States; EU SCCs in place.
- Microsoft Corporation — Microsoft Clarity (heatmaps + session recordings + rage-click detection; PII masking enforced). United States; EU SCCs in place.
- Supabase — Postgres hosting for the newsletter-subscriber table. Data stored in the EU region; row-level-security as described above.
- Hetzner Online GmbH — site hosting (Germany).
- Cloudflare, Inc. — CDN and DDoS mitigation (United States, EU SCCs in place).
- Email delivery provider — for newsletter sends, once newsletter delivery ships. The provider is disclosed here when activated; before then, no delivery happens.
US readers — CCPA / CPRA and other state privacy laws
Most of our readers are US tax practitioners. If you are a California resident, you have the rights granted by the CCPA / CPRA: to know what personal information we collect about you, to delete it, to correct it, to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context advertising — there is nothing to opt out of), and to non-discrimination for exercising any of these rights.
Residents of other US states with analogous privacy statutes (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and others as enacted) have equivalent rights under their respective state laws. Send the request to editors@aitaxpractitioner.com and we respond within 30 days.
Affiliate links and disclosures
Some links to vendor products on this site are affiliate links. We disclose the relationship on the page where the link appears. Affiliate links do not change the underlying URL the user lands on; they add a tracking parameter that attributes the click to us. The affiliate relationship never affects editorial judgment — see /about/#disclosures.
Your rights (GDPR / AVG)
Under GDPR / AVG you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. Email editors@aitaxpractitioner.com with the request and we respond within 30 days. You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens.
Editorial content is not professional advice
Content on this site is reference material for US tax practitioners. It is not legal, tax, or accounting advice. Reading the site, subscribing to the newsletter, or emailing the editorial address does not establish a practitioner-client relationship, an attorney-client relationship, or any duty of professional care. Where a regulatory or technical question requires CPA, EA, or attorney judgment, we say so on the page and point you to the right place.
Changes
Material updates to this policy are dated above and announced via the verification log on the homepage.