Privacy policy
Effective Date: June 11, 2026
Self Employment Toolkit (the "Service") is operated by Woodfire Digital, LLC ("we," "us," or "our") at selfemploymenttoolkit.com. This Privacy Policy explains how we collect, use, and protect your information when you use our Service.
1. Information we collect
When you create an account and use the Service, we collect:
- Account information: your email address, a securely hashed password, and optional security credentials (TOTP secret for MFA, registered passkey public keys).
- Optional profile information: business name, address, and a business EIN or SSN you choose to add for tax exports (the EIN/SSN is encrypted at rest).
- Usage data: mileage trips (start/end coordinates, distances, categories, dates), time entries (clock in/out times, dates, notes, optional timezone), expenses (vendor, amount, category, dates, optional receipt files in JPEG/PNG/PDF), invoices and their line items, income entries you log, recorded quarterly tax payments, and saved locations.
- Client and engagement information: names, billing addresses and emails, hourly rates, optional client EIN/SSN (encrypted at rest), optional W-9 files you upload, and purchase order or contract details for engagements.
- Optional tax inputs: monthly health, dental, and vision premiums and HSA contribution amounts you enter into the tax tools. These figures are used only to compute your tax estimate.
- Forwarded receipt content: if you opt in to email-to-expense forwarding, the email body and any attachments you send to receipts@selfemploymenttoolkit.com are received by the Service and processed to create an expense record. See section 3 for how the AI provider is involved in that processing.
- Support conversations: messages you send to our in-app support assistant or to support@selfemploymenttoolkit.com are stored so we can follow up and improve the assistant. See section 3 for how the AI provider is involved.
All of this data is stored securely in our database and is scoped to your authenticated account. No other user can access your data.
2. How we use your information
We use your information solely to:
- Provide and operate the Service (mileage tracking, time tracking, expense tracking, invoicing, income tracking, tax estimation, and reporting).
- Authenticate your identity and secure your account (including MFA and passkeys).
- Generate reports you request (timesheets, mileage summaries, Schedule C bundle, profit and loss, CSV exports).
- Send transactional emails you request or that are part of operating your account (verification, password reset, invoice delivery to your clients, payment reminders, quarterly tax reminders, support replies).
- Respond to support requests and improve the Service.
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
3. Third-party services
The Service relies on the following third-party providers:
- Hosting and security provider: We use a third-party infrastructure provider for network delivery, DDoS protection, and bot verification. It processes requests to deliver the Service and may collect limited technical data (IP addresses, request metadata) under its own privacy policy.
- Google Analytics (GA4): we use Google Analytics to understand aggregate, anonymous usage patterns such as page views and traffic sources. IP anonymization is enabled. Google Analytics does not receive your account data, trip details, or any other information you enter into the Service. You can opt out using the Google Analytics Opt-out Browser Add-on.
- Google Fonts: serves the Inter typeface. Google may collect limited technical data when fonts are loaded.
- OpenStreetMap / OSRM: provides geocoding and route distance calculations. Coordinates are sent to these services to compute driving distances, but no personally identifiable information is transmitted.
- Anthropic (AI provider for receipt parsing and support chat): two features transmit content to Anthropic's API for processing. (1) Receipt parsing: when you forward a receipt email to receipts@selfemploymenttoolkit.com or upload a receipt image, the email or image content is sent to Anthropic to extract vendor, amount, date, and category. (2) Support chat: when you message our support assistant (in-app widget or by emailing support@selfemploymenttoolkit.com), your message and the page you were on when you asked are sent to Anthropic to generate a reply. Under Anthropic's API terms, this content is not used to train their models and is retained only briefly for abuse monitoring. You can use the Service without either feature: log expenses manually and reach a human at support@selfemploymenttoolkit.com.
- Brevo (transactional email delivery): sends account verification emails, password reset emails, invoices to clients you bill, automated payment reminders, quarterly tax reminders, support replies, and other operational emails. Recipient addresses and message content pass through Brevo so the email can be delivered.
- Paddle (payment processing, applies only if you subscribe to a paid plan): when paid subscriptions are offered, Paddle will act as the merchant of record. If you subscribe, Paddle collects and processes your billing information (card details, billing address, tax information) directly under its own privacy policy. We do not store your card data. Charges will appear on your statement as "WOODFIRE" (Woodfire Digital, LLC). See our Refund Policy for refund and chargeback terms.
We do not use advertising trackers or sell your data to any third party.
4. Data sharing
We do not sell, rent, or trade your personal information to any third party. Your data is shared only with the third-party infrastructure providers listed above, strictly for operating the Service.
5. Cookies and local storage
The Service uses two categories of browser storage. Strictly necessary storage is always active. Optional storage (Google Analytics) is off by default and only activates after you click "Accept analytics" on the consent banner shown at the bottom of the page.
Strictly necessary (always on):
- httpOnly authentication cookie: required for secure session sign-in. Cannot be accessed by JavaScript. Without it the Service cannot function.
- localStorage (your device only): stores your light/dark theme preference and your cookie-consent choice (so the banner does not nag you on every visit). These values never leave your browser.
Optional (off until you accept):
- Google Analytics cookies (_ga, _gid): anonymous cookies that distinguish users and sessions for aggregate traffic analysis. These do not contain your account information and IP anonymization is enabled. They are not set until you click "Accept analytics" on the consent banner. If you decline, or if your browser sends a Do Not Track signal, Google Analytics never loads. You can change your choice at any time using the "Cookie preferences" link in the page footer, or by opting out globally via the Google Analytics Opt-out Browser Add-on.
We do not use advertising cookies, ad-personalization cookies, or cookies that track you across other websites. Google Consent Mode v2 is configured with ad_storage, ad_user_data, and ad_personalization permanently set to denied, so accepting analytics does not also grant any advertising scope.
6. Data security
We take security seriously:
- Passwords are hashed with PBKDF2 before storage (never stored in plain text).
- Sensitive identifiers (your business EIN or SSN, and any client EIN or SSN you add) are encrypted at rest with AES-256-GCM. They are decrypted only when needed to render a Schedule C report or 1099 watch entry.
- Authentication uses httpOnly cookies (not localStorage tokens) to mitigate XSS risks.
- Multi-factor authentication (TOTP) and passkeys (WebAuthn) are available and recommended. Step-up authentication is required for sensitive actions.
- All data is transmitted over HTTPS/TLS.
- Content Security Policy headers protect against script injection.
- Rate limiting protects against brute-force attacks.
7. Data retention and deletion
Your data is retained as long as your account is active. You can delete your account and all associated data directly from Settings inside the app, or contact us at support@selfemploymenttoolkit.com. We will process deletion requests promptly.
8. Children's privacy
The Service is not directed at individuals under 13 years of age. We do not knowingly collect information from children under 13. If we become aware that we have collected such information, we will delete it promptly.
9. Your rights
Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data. To exercise these rights, contact us by email at support@selfemploymenttoolkit.com or by mail at:
Woodfire Digital, LLC
PO Box 20
Lithopolis, Ohio 43136
United States
10. Changes to this policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.