# Privacy

> Privacy notes for taxcode.au account, billing, audit, and MCP research
> traffic.

taxcode.au provides research access to a read-only Australian tax-law corpus
through MCP. This page summarizes the current public privacy posture.

Last reviewed: 2026-07-09.

## What taxcode.au stores

The auth service stores account and access records needed to run OAuth, browser
sessions, optional billing, entitlement checks, and MCP grant-exchange auditing.

- Stytch user subject and email when an account signs in.
- OAuth authorization request state while a connection flow is active.
- Opaque browser session records for account and consent flows.
- Entitlement and Stripe customer mapping records when billing is enabled.
- Grant-exchange audit rows with route, outcome, Stytch subject, and client id
  when available.

## What taxcode.au does not store

- Connected Apps access tokens or refresh tokens.
- Authorization headers, cookies, or proxy authorization headers in request
  logs.
- Raw OAuth query strings in normal request logs.
- Raw Stripe webhook payloads after signature verification.

## MCP research traffic

The MCP app serves read-only corpus tools. It logs request timing fields and
per-tool timing information so performance issues can be diagnosed. Tool logs
include the tool name, success or error outcome, duration, result count, cursor
presence, returned bytes, and response-budget bytes.

Authorized MCP requests strip browser credentials before reaching the read-only
tool service. The corpus database is separate from the auth and payment
database.

## Providers

taxcode.au uses Stytch for OAuth and email magic-link login. Stripe is used only
when billing is enabled. Provider-hosted payment, account, and identity flows
are subject to the provider's own privacy and security terms.

## Contact

For privacy questions, contact
[hello@taxcode.au](mailto:hello@taxcode.au?subject=taxcode.au%20privacy).
