Privacy Policy

Effective date: April 14, 2026

Last updated: April 14, 2026

1. Introduction and Scope

Tang Advisory is the trade name of Tang Enterprises LLC, a Washington limited liability company and registered CPA firm (“Tang Advisory,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit tangadvisory.com (the “Website”), inquire about our services, or engage us as a client for tax preparation, bookkeeping, SOC 2 examinations, or related professional services.

Because we are a CPA firm, we are a “financial institution” under the Gramm-Leach-Bliley Act (“GLBA”), and we maintain this notice in part to satisfy the privacy and safeguards obligations that apply to us under GLBA, the FTC Safeguards Rule (16 C.F.R. Part 314), IRS Circular 230, Internal Revenue Code Section 7216, and applicable state laws including those of Washington and Oregon.

This policy applies to both (a) visitors who browse the Website or submit inquiries through it, and (b) clients who engage us for professional services. Where a signed engagement letter or professional engagement contains terms that conflict with this policy, the engagement letter controls for that client relationship.

2. Information We Collect

Information you submit through the Website

If you use our contact form, we collect the information you choose to provide — typically your name, email address, phone number, and the contents of your message. The contact form is processed by Formspree, which delivers submissions to our firm email.

Scheduling information

When you book a consultation through our Calendly link, Calendly collects your name, email address, and any details you enter about the meeting (for example, the topic or questions you want to discuss). Calendar events are synced to our Google Workspace calendar so we can prepare for and attend the meeting.

Client information collected during a professional engagement

Once you engage us, we collect the information necessary to perform the services described in your engagement letter. The specific categories depend on the service:

  • Tax and bookkeeping clients: name, address, date of birth, Social Security number or other taxpayer identification number, filing status, dependents, wage and investment income, 1099s, K-1s, brokerage and bank statements, rental property records, business income and expense records, prior-year returns, and similar tax and financial documentation.
  • SOC 2 engagement clients: information about your system description, control environment, security policies and procedures, network and application architecture, vendor inventories, personnel lists for walk-throughs, access reviews, and evidence samples (log extracts, tickets, configurations, screenshots) that you provide in support of the examination.
  • All clients: communications with us (email, portal messages, meeting notes), signed engagement letters, invoices, and payment records.

Automatically collected information

The Website is hosted on Vercel, which records standard server and network information (such as IP addresses, request timestamps, user-agent strings, and requested URLs) for operational and security purposes. We do not currently run any analytics, advertising, or behavioral-tracking scripts on the Website, and we do not set any non-essential cookies. If we add any such tools in the future, we will update this policy and, where required, obtain consent.

Information we receive from third parties

In the course of an engagement, we may receive information about you from third parties at your direction or as required by your tax return or examination — for example, prior-year returns from your former preparer, forms issued by the IRS or a state taxing authority, or evidence provided by your cloud providers or subservice organizations during a SOC 2 engagement.

3. How We Use Information

We use personal information to:

  • Provide professional services as described in a signed engagement letter, including preparing and filing tax returns, performing bookkeeping, and performing SOC 2 Type I and Type II examinations.
  • Respond to inquiries submitted through the Website, schedule consultations, and evaluate whether an engagement is appropriate for both parties.
  • Communicate with you about your engagement, including requests for information, status updates, deliverables, and post-engagement matters such as notices from the IRS or state agencies.
  • Issue invoices and process payments through our practice management platform.
  • Comply with legal, regulatory, and professional obligations, including those of the IRS, the Washington and Oregon state boards of accountancy, the AICPA, the FTC, and applicable state laws.
  • Maintain the security and integrity of our systems, detect and prevent fraud, and keep appropriate records of our work.

We do not use client tax return information for marketing, and we do not use any personal information for automated decision-making that produces legal or similarly significant effects.

4. Legal Basis for Processing

We process personal information only where we have a lawful basis to do so. Our primary bases are:

  • Performance of a contract — where processing is necessary to deliver the services set out in your engagement letter.
  • Legal obligation — to comply with tax law, e-filing requirements, professional standards, records-retention obligations, and lawful requests from government authorities.
  • Legitimate interests — to run and secure our practice, respond to prospective clients, manage billing, and maintain reasonable business records, in a manner that does not override your interests or rights.
  • Consent — where you have given specific consent, such as an IRC Section 7216 consent to disclose tax return information or a consent to share records with a lender or other third party.

5. How We Share Information

We do not sell or rent personal information, and we do not share it for cross-context behavioral advertising. We share information only in the following limited circumstances:

Service providers we rely on to deliver our services

We use carefully selected service providers who act on our behalf and are contractually or otherwise obligated to protect your information. Each provider receives only the information reasonably necessary for its role:

  • TaxDome — SOC 2 Type II audited practice-management and client-portal platform used for secure document exchange, e-signatures, engagement letters, invoicing, and messaging.
  • Stripe — processes card and ACH payments through TaxDome. Card data is handled directly by Stripe under PCI DSS; we do not store full card numbers.
  • Drake Tax — professional tax-preparation software used to prepare and e-file federal and state returns.
  • Calendly — scheduling of consultations and client meetings.
  • Formspree — delivery of Website contact-form submissions to our firm email.
  • Vercel — hosting and content delivery for the Website.
  • Google Workspace — email (hello@tangadvisory.com), calendar, and document storage for firm communications and workpapers.

We evaluate service providers for appropriate security and privacy practices (including SOC 2 reports, where available), and we rely on written data-processing or vendor terms that restrict their use of client information to the services they provide to us.

Government authorities and legal process

We may disclose information when required by law — for example, e-filing a tax return with the IRS or a state taxing authority, responding to a valid subpoena or court order, complying with an audit or inquiry from a state board of accountancy, the IRS Office of Professional Responsibility, or the FTC, or reporting a matter we are legally obligated to report.

Disclosures with your consent or at your direction

At your written request or consent, we may share information with third parties such as lenders, attorneys, bookkeepers, financial advisors, or prospective buyers of your business. For tax return information, these disclosures are only made pursuant to a consent that satisfies IRC Section 7216 and Treasury Regulation Section 301.7216-3.

Business transfers

If the firm is sold, merged, or reorganized, client information may be transferred as part of that transaction, subject to applicable professional obligations and, where required, your consent.

6. Data Security and the FTC Safeguards Rule

We maintain a written Information Security Program (“WISP”) designed to meet the requirements of the FTC Safeguards Rule (16 C.F.R. Part 314) and applicable state laws. The program includes administrative, technical, and physical safeguards appropriate to our size, the nature of our services, and the sensitivity of the information we handle.

Our safeguards include, among others:

  • Multi-factor authentication on all firm accounts and administrative access.
  • Encryption of data in transit (TLS) and at rest on firm devices and with our service providers.
  • Role-based access controls, unique user accounts, and the principle of least privilege.
  • Endpoint protection, full-disk encryption, and automatic patching on devices used to handle client data.
  • Secure client portal for document exchange — client information is not transmitted over unencrypted email.
  • Vendor due diligence focused on service providers with strong security postures (SOC 2 Type II reports where available).
  • Periodic risk assessments, security awareness review, and updates to the WISP.
  • A documented incident response plan with breach-notification procedures designed to comply with applicable laws, including Oregon (ORS 646A.600 et seq.), Washington (RCW 19.255), the IRS’s data-theft reporting expectations for tax professionals, and any other jurisdiction in which an affected client resides.

No system can be guaranteed to be completely secure. We cannot promise that unauthorized access will never occur, but we continuously work to identify risks and reduce them.

7. IRS Section 7216 — Tax Return Information

Federal law (Internal Revenue Code Section 7216) prohibits us, as a tax return preparer, from using or disclosing your tax return information for any purpose other than preparing, assisting in preparing, or obtaining or providing services in connection with the preparation of your tax return, unless we first obtain your written consent that complies with Treasury Regulation Section 301.7216-3.

We will not disclose your tax return information to any third party — including lenders, advisors, or affiliates — without a 7216-compliant consent that you sign, or unless disclosure is specifically permitted without consent (for example, disclosure to the IRS, under a court order, or to our own professional liability insurer as allowed by the regulations).

8. Data Retention

We retain personal information only for as long as it is needed to provide our services, comply with our legal and professional obligations, resolve disputes, and enforce our agreements. Our standard minimum retention periods are:

  • Tax returns and supporting workpapers: at least 7 years after the return is filed.
  • SOC 2 examination workpapers and reports: at least 5 years after the report date, consistent with AICPA standards.
  • Bookkeeping records and general client correspondence: at least 7 years after the end of the engagement.
  • Engagement letters, invoices, and payment records: at least 7 years.
  • Website inquiries from non-clients: generally deleted within 24 months unless they lead to an engagement.

After the applicable retention period, we securely destroy or anonymize personal information. Electronic records are deleted from firm systems and, through contractual means, from service providers. Paper records, when used, are shredded.

9. Your Rights and Choices

Subject to applicable law and our professional and regulatory obligations, you may:

  • Access the personal information we hold about you and request a copy.
  • Correct inaccurate or incomplete personal information.
  • Request deletion of personal information, subject to our legal and professional retention obligations (for example, we generally cannot delete tax workpapers or SOC 2 engagement records before the end of the required retention period).
  • Request portability of information you have provided to us, where technically feasible.
  • Opt out of non-essential communications. Transactional communications about an active engagement — status updates, document requests, tax notices, and similar messages — are part of the service and cannot be suppressed without ending the engagement.

California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you additional rights: the right to know what personal information we collect and how we use and disclose it; the right to delete personal information; the right to correct inaccurate personal information; the right to limit the use and disclosure of sensitive personal information; and the right not to be discriminated against for exercising any of these rights. We do not sell or share personal information as those terms are defined by the CCPA, and we do not use or disclose sensitive personal information for purposes that would trigger the right to limit. Information we process to comply with the Internal Revenue Code, GLBA, or similar laws may be exempt from certain CCPA rights, and rights may be limited with respect to tax return information under IRC Section 7216.

How to exercise your rights

To exercise any of these rights, email us at hello@tangadvisory.com. We may need to verify your identity before acting on a request and will respond within the timeframes required by applicable law.

10. Children’s Privacy

Our services are directed to adults. The Website is not directed to children under 13, and we do not knowingly collect personal information from children under 13. In the course of preparing a family tax return, we may receive information about a client’s minor children (for example, dependent names and Social Security numbers); that information is provided by the parent or guardian client and is treated with the same confidentiality as other tax return information.

11. International Users

Tang Advisory is based in the United States and provides services to clients with U.S. tax or compliance obligations. The Website and our services are intended for users in the United States. If you access the Website from outside the United States, you do so on your own initiative and are responsible for compliance with local laws. Information you provide will be processed in the United States.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, our services, or applicable law. When we do, we will post the revised policy on this page and update the “Effective date” and “Last updated” dates above. For material changes, we will provide more prominent notice, for example through the client portal or by email to active clients where appropriate.

13. Contact Us

If you have questions about this Privacy Policy, want to exercise a privacy right, or would like a copy of our GLBA privacy notice, please contact us: