What taxcode.au stores
The auth service stores account and access records needed to run OAuth, browser sessions, optional billing, entitlement checks, and MCP grant-exchange auditing.
- Stytch user subject and email when an account signs in.
- OAuth authorization request state while a connection flow is active.
- Opaque browser session records for account and consent flows.
- Entitlement and Stripe customer mapping records when billing is enabled.
- Grant-exchange audit rows with route, outcome, Stytch subject, and client id when available.
What taxcode.au does not store
- Connected Apps access tokens or refresh tokens.
- Authorization headers, cookies, or proxy authorization headers in request logs.
- Raw OAuth query strings in normal request logs.
- Raw Stripe webhook payloads after signature verification.
MCP research traffic
The MCP app serves read-only corpus tools. It logs request timing fields and per-tool timing information so performance issues can be diagnosed. Tool logs include the tool name, success or error outcome, duration, result count, cursor presence, returned bytes, and response-budget bytes.
Authorized MCP requests strip browser credentials before reaching the read-only tool service. The corpus database is separate from the auth and payment database.
Providers
taxcode.au uses Stytch for OAuth and email magic-link login. Stripe is used only when billing is enabled. Provider-hosted payment, account, and identity flows are subject to the provider's own privacy and security terms.
Contact
For privacy questions, contact hello@taxcode.au.