Cookie Policy

This Cookie Consent & Preference Center Policy (this "Policy") describes the categories of cookies and similar technologies that TaxMD™ ("TaxMD™," "we," "us," or "our") deploys on, or in connection with, our public websites and our authenticated software-as-a-service platform (collectively, the "Services"), the purposes for which such technologies are used, and the choices available to you through the cookie banner and the Preference Center.

This Policy applies to the use of cookies and similar technologies in connection with:

(a) visitors to TaxMD™’s public, unauthenticated web pages; and

(b) authenticated users of the TaxMD™ SaaS platform, including firm administrators, firm employees, and firm clients, to the extent they access the Services through a firm.

This Policy does not amend, supersede, or otherwise modify any firm-specific privacy notices, end-client consents, or contractual terms (including any Data Processing Addendum) that may apply to firm accounts, and such documents will govern to the extent of any inconsistency.

• "Cookies" means small text files placed on your device or browser when you visit a website or access a web-based application.
• "Similar Technologies" means pixels, tags, SDKs, local storage, and other identifiers that enable functionality or collect information like cookies.
• "Preference Center" means the interface through which you may manage your preferences for certain categories of cookies and similar technologies, subject to technical limitations and applicable law.
• "FTI" means Federal Tax Information and related IRS-regulated taxpayer data, to the extent processed in connection with the Services.
• "Public Pages" means unauthenticated marketing or informational pages (e.g., product pages, documentation, or blog content).
• "Authenticated SaaS" means the logged-in TaxMD™ application environment.

TaxMD™ uses the following categories of cookies and similar technologies. Certain cookies are strictly necessary for the operation, security, and integrity of the Services, and, as a result, are not subject to opt-out through the Preference Center.

Strictly Necessary (Essential)

Strictly necessary cookies are used to operate the Services, maintain session state, provide requested features, prevent fraud, and implement security controls.

• Authentication and session management
• Load balancing and service availability
• Security controls (e.g., bot detection, abuse prevention)
• Preference persistence (e.g., saving cookie choices)

Functional

Functional cookies are used to enable enhanced features and personalization that are not strictly necessary, such as remembering settings or improving user experience.

• Remembering language or display preferences
• Improving in-app usability features

Analytics / Performance

Analytics/performance cookies are used to understand how the Services are used, measure performance, and improve reliability and user experience. Where feasible, TaxMD™ configures analytics to minimize collection (e.g., through truncation, aggregation, and access controls).

• Measuring page/app performance and error rates
• Understanding feature usage and navigation patterns
• Supporting capacity planning and service improvement

Advertising / Marketing (Limited Use; If enabled)

If enabled, these cookies are used to measure and optimize marketing campaigns on Public Pages only. TaxMD™ does not deploy advertising/marketing cookies within the Authenticated SaaS environment.

Advertising/marketing cookies will be set only when:

(a) Accessing Public Pages;

(b) Applicable law requires opt-in consent for such cookies in the relevant jurisdiction or circumstance; and

(c) Have provided such consent through the cookie banner and/or the Preference Center.

(d) TaxMD™ does not permit advertising/marketing cookies to access, process, or infer to FTI.

Data Collected via Cookies

Depending on your settings and the context in which you use the Services, cookies and similar technologies may collect limited technical data such as:

• IP address (or truncated IP address, where configured)
• Device type and operating system
• Browser type and version
• Session identifiers and authentication-related tokens
• Preference or consent indicators (e.g., whether a category is enabled)
• Usage metadata and timestamps (e.g., page views, navigation patterns, error events)

See Section 9 for additional FTI and sensitive-data boundaries, including the technical and logical segregation of cookie technologies from tax return data and Federal Tax Information (FTI).

Third-Party Cookies

Some cookies and similar technologies may be set up by third-party service providers acting on TaxMD™’s behalf (for example, cloud hosting and security providers, analytics and monitoring services, and payment or billing processors). These providers may access cookie-related data only to provide contracted services to TaxMD™ and are contractually restricted from using such data for independent purposes.

Additional information about TaxMD™’s service provider approach is provided in Section 12.

Depending upon the cookie category and applicable jurisdiction, TaxMD™ relies on one or more of the following legal bases, to the extent permitted by applicable law:

• Consent: where required, TaxMD™ obtains your opt-in consent before placing or reading non-essential cookies (including advertising/marketing cookies).
• Legitimate Interests: for certain security and limited analytics activities on Public Pages where permitted, based on TaxMD™’s legitimate interests and implemented with appropriate safeguards and balancing of user rights.
• Contractual Necessity: to provide the Services you request in the Authenticated SaaS environment (e.g., session management, security, and feature enablement).
• Legal Obligation: Where necessary to comply with applicable law, lawful requests, and security requirements.

Industry frameworks and standards (including SOC 2-aligned controls and ISO/IEC security practices where adopted) may inform TaxMD™’s internal control environment; however, such frameworks and standards are not, in and of themselves, a legal basis for setting cookies.

Consent Controls

When you access our Public Pages, TaxMD™ will present a cookie banner and/or other consent mechanism where required by applicable law. Through the Preference Center, you may consent to, refuse, or customize categories of cookies and similar technologies.

Within the Authenticated SaaS environment, TaxMD™ uses strictly necessary cookies for operation and security. Where optional analytics or functional cookies are offered in-app, your choices will be presented through in-app settings and/or the Preference Center, as applicable and subject to technical feasibility and applicable law.

Withdrawing or Changing Preferences

You may modify your preferences at any time by opening the Preference Center (typically via a link in the website footer or within application settings). Preference changes apply prospectively and may not remove cookies already stored on your device; you may also delete cookies through your browser controls.

Browser Controls

Most browsers allow you to manage cookies through browser settings. Blocking or deleting cookies may impair functionality, including authentication, security features, and certain Service capabilities.

Cross-Device / Cross-Browser Limits

Cookie preferences and consent signals are generally device- and browser-specific. Accordingly, if you use multiple devices or browsers, you may need to set your preferences separately on each.

Consent Recording and Preference Center as System of Record

Where required by applicable law, TaxMD™ deploys non-essential cookies on Public Pages only after you provide valid consent through the cookie banner and/or the Preference Center. Consent is not bundled with acceptance of the Terms of Use or Privacy Policy and, except for strictly necessary cookies, is not a condition of accessing Public Pages.

The Preference Center is designed to function as TaxMD™’s record of cookie choices. Consent and preference decisions may be recorded using consent identifiers or equivalent technical records and associated with the applicable device and browser. Where you access the Authenticated SaaS environment, TaxMD™ may also associate a preference decision with your authenticated account to enforce your choices consistently within the platform, where technically feasible.

Preference decisions are enforced automatically across the applicable TaxMD™ website and platform environments. Consent records may be retained for a period necessary to demonstrate compliance with applicable laws, respond to regulatory inquiries, support audits, or resolve disputes, consistent with Section 6.

TaxMD™ uses both session and persistent cookies:

• Session cookies: typically expire when you close your browser or shortly thereafter.
• Persistent cookies: remain for a defined period or until you delete them.

The following are high-level, approximate retention ranges by category (which may vary by tool, configuration, and applicable law):

• Strictly necessary: session to up to 12 months (e.g., security and preference storage).
• Functional: session to up to 12 months.
• Analytics/performance: typically, 1 day to up to 24 months, configured to support trend analysis and reliability.
• Advertising/marketing (Public Pages only; if enabled): typically, 1 day to up to 13 months, where allowed and consented.

TaxMD™ maintains internal records of cookie configurations and retention settings as part of its compliance and security program.

Some browsers and extensions transmit preference signals such as "Do Not Track" (DNT) or "Global Privacy Control" (GPC).

Where required by applicable law, TaxMD™ honors GPC signals as a request to opt out of certain data uses (including "sharing" for cross-context behavioral advertising under applicable U.S. privacy laws). If GPC is detected, TaxMD™ will treat it as a preference to limit non-essential cookies on Public Pages to the extent technically feasible. Because these signals are not uniformly implemented, TaxMD™’s response may vary by browser and configuration.

DNT signals are not currently interpreted as a uniform opt-out mechanism because there is no consistently adopted industry standard; however, you may use the Preference Center to manage cookie categories.

The Services are not directed to children under 13, and TaxMD™ does not knowingly deploy non-essential cookies to profile children. If you believe that a child has provided information to TaxMD™, please contact us so that we may take appropriate steps consistent with applicable law.

TaxMD™ maintains administrative, technical, and organizational safeguards intended to segregate FTI and other taxpayer data from cookie-based tracking. Cookies are not used to collect, store, or disclose FTI.

TaxMD™ does not use cookies to create behavioral advertising profiles based on taxpayer data, and TaxMD™ does not deploy advertising/marketing cookies within the Authenticated SaaS environment.

TaxMD™ may collect limited operational telemetry (e.g., performance metrics, error logs, and feature usage) to operate, secure, and improve the Services. Telemetry is designed to avoid capturing FTI and to minimize the collection of sensitive content where feasible.

• Information collected via cookies is not used to train general-purpose AI models.
• TaxMD™ does not use FTI or taxpayer data for advertising, marketing, or cross-context profiling.
• AI-enabled features, if any, are governed by applicable contractual terms and internal controls designed to protect confidentiality and regulated data.

TaxMD™ may access or process certain operational data outside the United States in order to provide, maintain, and secure the Services, subject to applicable law and TaxMD™’s internal control environment.

Where cross-border transfer safeguards are required, TaxMD™ implements appropriate contractual and technical measures (such as contractual transfer terms and protections equivalent to standard contractual clauses where applicable), together with access controls, encryption, and audit logging.

TaxMD™ uses vetted service providers to host, secure, and operate components of the Services (e.g., content delivery, security tooling, and analytics). To maintain readability and stability, this Policy does not include a detailed vendor list; vendor inventories and relevant technical configurations are maintained as controlled internal compliance records.

This Policy supplements, and should be read together with, TaxMD™’s Privacy Policy and Terms of Use.

This Policy does not amend, supersede, or otherwise modify any firm-specific privacy notices, end-client consents, or contractual terms (including any Data Processing Addendum) that may apply to firm accounts, and such documents will govern to the extent of any inconsistency.

In the event of a conflict between this Policy and the Privacy Policy regarding the processing of personal information, the Privacy Policy will govern unless otherwise required by applicable law.

TaxMD™ may update this Policy from time to time. TaxMD™ will post any updated version with a revised effective date. Where required by applicable law, TaxMD™ will provide additional notice of material changes.

If you have questions regarding this Policy or your cookie preferences, please contact TaxMD™ at:

• Email: compliance@taxmd.com
• Website: www.taxmd.com