Privacy

Privacy notes for source-grounded tax research.

taxcode.au is built to provide research access to a read-only Australian tax-law corpus through MCP. This page summarizes the current public privacy posture for account, billing, audit, and research traffic.

What taxcode.au stores

The auth service stores account and access records needed to run OAuth, browser sessions, optional billing, entitlement checks, and MCP grant-exchange auditing.

  • Stytch user subject and email when an account signs in.
  • OAuth authorization request state while a connection flow is active.
  • Opaque browser session records for account and consent flows.
  • Entitlement and Stripe customer mapping records when billing is enabled.
  • Grant-exchange audit rows with route, outcome, Stytch subject, and client id when available.

What taxcode.au does not store

  • Connected Apps access tokens or refresh tokens.
  • Authorization headers, cookies, or proxy authorization headers in request logs.
  • Raw OAuth query strings in normal request logs.
  • Raw Stripe webhook payloads after signature verification.

MCP research traffic

The MCP app serves read-only corpus tools. It logs request timing fields and per-tool timing information so performance issues can be diagnosed. Tool logs include the tool name, success or error outcome, duration, result count, cursor presence, returned bytes, and response-budget bytes.

Authorized MCP requests strip browser credentials before reaching the read-only tool service. The corpus database is separate from the auth and payment database.

Providers

taxcode.au uses Stytch for OAuth and email magic-link login. Stripe is used only when billing is enabled. Provider-hosted payment, account, and identity flows are subject to the provider's own privacy and security terms.

Contact

For privacy questions, contact hello@taxcode.au.