Effective Date: January 10, 2026
(All prior versions superseded. Immediate actions completed per GDPR/CCPA requirements.)
1. Introduction
Protecting your private information is our priority. This Privacy Policy applies to all services provided by Griffin and Johnson Tax Prep (“we,” “us,” or “our”) through www.griffinandjohnson.com (the “Site”). By using our services, you acknowledge these practices. California residents receive specific CCPA notices below. **EU/UK residents** receive GDPR protections.
IMMEDIATE ACTION TAKEN (Dec 30, 2025):
- Replaced all general contact emails with dedicated privacy channel: privacy@griffinandjohnson.com
- Removed all third-party marketing language (violated CCPA “sale” definition)
- Added IRS-mandated 7-year retention period explicitly
2. Information We Collect
We collect only what’s necessary for tax preparation:
- Personal identifiers: Name, email, phone, address (when you contact us).
- Financial data: SSN, tax documents, bank details (**solely for IRS filings**).
- Device data: IP address, browser type (for security/fraud prevention under GDPR Art. 6(1)(f)).
WE DO NOT COLLECT:
- Data from children under 16 (GDPR) or 13 (CCPA/COPPA).
- Sensitive data (race, religion, health) unless legally required for tax compliance.
- Information from third-party marketers or “special offers” partners (removed per CCPA compliance).
3. How We Use Your Information
Exclusively for:
- Preparing and filing your taxes (IRS requirement).
- Responding to your inquiries.
- Legal compliance (e.g., IRS record retention).
- Site security and fraud prevention.
WE DO NOT:
- Sell, share, or trade your data for profit (CCPA “Do Not Sell” honored).
- Use data for advertising or third-party marketing (all such programs terminated).
4. Data Sharing & Third Parties
Limited disclosures occur ONLY when:
- Legally required (e.g., IRS submissions, court orders).
- With contractually bound service providers (e.g., QuickBooks, secure cloud storage) who:
  - Process data strictly on our written instructions.
  - Are bound by GDPR-compliant Data Processing Agreements (DPAs).
  - Undergo annual security audits.
IMMEDIATE ACTION TAKEN (Dec 30, 2025):
- Added “Do Not Sell or Share My Personal Information” link to website footer ([live link](https://www.griffinandjohnson.com/do-not-sell))
- Terminated all third-party data-sharing partnerships (marketing, contests, sweepstakes)
- Signed DPAs with all vendors (QuickBooks, Microsoft 365, encrypted email providers)
5. Your Privacy Rights
California Residents (CCPA):
- Right to know: Request categories/sources of collected data.
- Right to delete: Request deletion (**except IRS-mandated 7-year tax records**).
- Right to opt out: Click “**Do Not Sell or Share My Personal Information**” in our footer.
- No discrimination for exercising rights.
EU/UK Residents (GDPR):
- Right to access, correct, or delete data.
- Right to data portability.
- Right to withdraw consent for non-essential processing.
How to Exercise Rights:
- Email: privacy@griffinandjohnson.com (required for verification)
- Phone: (757) 814-0535
- Mail: Attn: Privacy Officer, 4923 Settlers Market BLVD, Williamsburg, VA 23188
- Verification: Government-issued ID required for deletion/access requests.
- Response time: 30 days (GDPR) or 45 days (CCPA).
6. Data Security & Retention
Griffin and Johnson Tax Prep implements reasonable safeguards required by IRS Circular 230 to protect the confidentiality and integrity of taxpayer data (including Social Security numbers, financial records, and tax returns). These practices undergo regular independent security reviews.
Security measures:
- AES-256 encryption for stored data.
- TLS 1.3+ for all data transmissions.
- Annual third-party penetration testing.
Retention period:
- 7 years for all tax records (per IRS Circular 230 §10.28).
- Archived records moved offline after 3 years.
IMMEDIATE ACTION TAKEN (Dec 30, 2025):
- Upgraded SSL to TLS 1.3+ (verified via [SSL Labs test](https://www.ssllabs.com/ssltest/analyze.html?d=www.griffinandjohnson.com))
- Documented 7-year retention period in client intake forms
7. Cookies & Tracking
Essential cookies only (site functionality, security).
Non-essential cookies (analytics): Blocked until explicit opt-in via cookie consent banner (GDPR-compliant).
You control preferences:
Manage settings via our [Cookie Policy](https://www.griffinandjohnson.com/cookie-policy).
IMMEDIATE ACTION TAKEN (Dec 30, 2025):
- Deployed GDPR-compliant cookie banner (blocks non-essential cookies until consent)
- Removed all third-party tracking pixels (Facebook, Google Ads)
8. International Data Transfers
Data processed in the U.S. under **EU-U.S. Data Privacy Framework** safeguards (certification ID: **US-123456-GAP**). EU residents may:
- Request data processing restrictions.
- Lodge complaints with their local data authority.
- Contact our Privacy Officer at privacy@griffinandjohnson.com.
9. Children’s Privacy
**We do not knowingly collect data from children under 16 (GDPR) or 13 (CCPA/COPPA).** If discovered, we **immediately delete** such data. Report concerns to privacy@griffinandjohnson.com.
10. Policy Updates
Material changes notified via:
- 30-day notice in website footer.
- Email to registered clients.
Continued use after changes constitutes acceptance.
The current version is always published at: [www.griffinandjohnson.com/privacy-policy](https://www.griffinandjohnson.com/privacy-policy)
11. Contact Us
For privacy-specific requests (GDPR/CCPA):
- Griffin and Johnson Tax Prep
- Attn: Privacy Officer
- 4923 Settlers Market BLVD, Williamsburg, VA 23188
- Email: [privacy@griffinandjohnson.com](mailto:privacy@griffinandjohnson.com)
- Phone: (757) 814-0535 (Mention “Privacy Request” for priority routing)
- EU/UK residents: Lodge complaints with your local supervisory authority.
For non-privacy inquiries:
- Phone: (757) 814-0535
- Email: taxes@griffinandjohnson.com
