Phoenix Principals LLP Privacy Policy

Last Updated: February 1, 2026

Introduction

Phoenix Principals LLP and its wholly owned U.S. subsidiaries Phoenix Tax LLC and Phoenix Advisory LLC (collectively, “Phoenix Principals,” “we,” “us” or “our”) are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, secure, retain, and manage Personal Information when you access or use our websites, interact with us, or receive services from us (collectively, the “Services”). By using our Services or communicating with us, you consent to the collection and use of information as described in this Policy. If you do not agree, do not use the Services.

Scope & Definitions

“Personal Information” means information that identifies, relates to, describes, or is reasonably capable of being associated with you.

“Visitor” means a person using our public website(s) or making general inquiries who is not a current client.

“Customer” means a current or former client receiving services from Phoenix Principals or an authorized representative of such a client.

This Policy supplements (and does not replace) any privacy or data processing terms in client agreements. Where local law requires additional disclosures, we provide them (see Exhibit A for U.S. state-specific disclosures).

Changes to this Policy

We update this Policy from time to time. We will post the revised Policy on our Website with the “Last Updated” date. Material changes will be communicated where required by law.

Please review periodically.

Information We Collect

We collect Personal Information:

Directly from you (contact forms, account registration, service intake, communications).

Automatically when you visit our websites or use Services (device data, usage analytics, cookies).

From third parties (business partners, public sources, service providers).

Categories include: contact & identity; account information; transactional & billing (processed by third-party payment providers; we do not retain raw card numbers); Customer Data you provide for services; technical & usage data; communications (email, chat); and KYC/AML data where required.

We avoid collecting Sensitive Personal Data unless required for a specific service; if you provide Sensitive Personal Data, notify us so we can apply heightened protections.

Data Minimization & Purpose Limitation

We collect, process and retain Personal Information only for legitimate purposes necessary to provide Services, comply with legal obligations, resolve disputes, and enforce agreements. We limit collection to what is adequate, relevant and reasonably necessary for those purposes.

Cookies & Similar Technologies

We and our service providers use cookies, web beacons, pixels and similar technologies to operate and improve the Services, analyze usage, and support security. Categories: necessary, functional, performance/analytics and marketing cookies. Manage cookie preferences via our cookie banner or browser settings. Disabling certain cookies may impair functionality.

How We Use Personal Information

We use Personal Information to: provide, operate and improve Services; communicate and provide support; manage accounts and billing; comply with legal, regulatory and contractual obligations (including AML/KYC); detect and prevent fraud; send marketing where permitted (you may opt out); enforce agreements and protect rights. Legal bases include performance of contract, legitimate interests (security, fraud prevention, service improvement), and consent where required.

AI & Automated Processing

We may use AI tools to assist internal operations and service delivery. We do not make solely automated decisions producing legal or similarly significant effects without human review where required by law. We evaluate AI vendors and implement safeguards. We will not train public third-party models on Personal Information without explicit consent where required by law.

Sharing & Disclosure of Personal Information

We may share Personal Information with: service providers and subprocessors (hosting, payments, analytics, marketing, legal, audit) under contractual safeguards; affiliates and subsidiaries for internal purposes; professional advisors, auditors and counsel; third parties in connection with corporate transactions; and law enforcement or other third parties as required by law. We do not sell Personal Information for monetary consideration. We require subprocessors to implement appropriate technical, organizational and contractual safeguards.

Third-Party Tax Preparation Software and Client Data

We use third-party software providers to prepare and file tax returns and to support related tax services. These providers may process and retain client Personal Information necessary for tax preparation, including names, addresses, tax identification numbers, Social Security numbers, bank accounts, etc. We carefully select and periodically review such providers and require written data processing agreements obliging them to: (a) process Personal Information only on our documented instructions; (b) implement appropriate technical and organizational security measures (including encryption in transit and at rest where supported, role-based access controls, and logging); (c) limit access to authorized personnel only and enforce multifactor authentication for privileged accounts; (d) assist with legal and regulatory obligations (including breach notification and data subject request cooperation); and (e) delete or return Personal Information at our direction upon termination, subject to applicable legal retention requirements. By engaging Phoenix Principals for tax preparation services, you acknowledge and consent to our use of such third-party tools. If you have questions about a particular vendor, data retention timelines, or wish to request copies, corrections or deletion of Personal Information held by our tax software providers, please contact privacy@phoenixprincipals.com.

Subprocessors & Vendor Controls

We vet vendors and subprocessors and require written contractual commitments for confidentiality, security controls, breach notification, and processing only on our instructions. We maintain a register of subprocessors and will provide notice of material changes where required by law. Customers may reasonably object to the appointment of a new material subprocessor; we will use commercially reasonable efforts to address concerns.

Subprocessor Register and Objection Procedure

We maintain a register of subprocessors and will provide Customers with notice of any new material subprocessor in advance. Customers may submit a written objection within ten (10) business days of such notice citing reasonable data protection grounds. We will use commercially reasonable efforts to address objections, which may include additional contractual safeguards or transition options. If we cannot resolve a bona fide objection, we will work with the Customer in good faith to provide a mutually acceptable solution.

International Transfers & Safeguards

Personal Information may be transferred to and processed in jurisdictions other than your residence. We implement appropriate safeguards for cross-border transfers (e.g., standard contractual clauses, binding corporate rules, or other lawful mechanisms) in accordance with applicable law.

Security Measures

We maintain administrative, technical and physical safeguards appropriate to the sensitivity of Personal Information, including: encryption in transit (TLS) and at rest (where applicable); role-based access control and least-privilege access; multifactor authentication for privileged accounts; logging, monitoring and alerting; periodic vulnerability scanning and annual third-party penetration testing; endpoint protection, patch management and secure configuration; formal incident response, business continuity and disaster recovery plans; and regular security awareness training for staff and contractors.

Minimum Security Controls

We maintain baseline security measures across our operations and require the same from any vendors who process data for us. These measures include: encrypting data while it moves between systems and while it is stored; requiring additional verification (for example, a second code or device) for users with administrative or high-level access; keeping centralized logs of access and events and retaining those logs long enough to investigate incidents; regularly checking systems for security weaknesses and engaging an independent firm to perform a comprehensive security test once a year; and keeping software up to date and configured securely according to documented procedures.

Important: No security is absolute. Report suspected security incidents to security@phoenixprincipals.com immediately.

Incident Response & Notification

We will acknowledge reported incidents within 48 hours and commence an investigation. Where notification is required, we will provide timely notice to affected individuals and regulators in accordance with applicable law and our incident response plan. Our designated Privacy Officer coordinates breach response and may be reached via privacy@phoenixprincipals.com for escalation.

Retention & Deletion

We maintain internal retention schedules and do not disclose them publicly. If Personal Information is subject to a legal hold, litigation or regulatory inquiry, deletion may be suspended for the duration required by law. We will communicate any delay to data deletion requests where permitted.

KYC / AML Policies

Where required, we collect identity and source-of-funds documentation to comply with AML/KYC laws and retain such records per applicable regulation. We may report suspicious activity to appropriate authorities.

Data Subject Rights & Verification

Depending on jurisdiction, you may have rights to access, correction, deletion, restriction, objection, portability and opt-out of certain processing. To exercise rights, contact privacy@phoenixprincipals.com. We will verify identity using reasonable measures (two-factor verification, ID upload, account details) before fulfilling requests. Authorized agents may act on your behalf with appropriate authorization.

Data Subject Rights Response Timing & Extensions

We will acknowledge receipt of a verified data subject request within five (5) business days. We aim to respond substantively within 45 calendar days of verification. Where complexity or volume requires, we may extend by up to an additional 45 calendar days and will notify you of the extension and reason.

Consumer Requests — Practical Process (U.S. Residents)

Submit requests to privacy@phoenixprincipals.com specifying name, contact information, state of residence and request type. We will acknowledge receipt, may request verification, and will respond within statutory timeframes. For California: include “California Privacy Request” in the subject line.

No Sale / No Sharing for Monetary Consideration

We do not sell Personal Information for monetary consideration. Where applicable laws distinguish “sharing” for targeted advertising, we do not share Personal Information for such purposes for monetary consideration.

Children & COPPA

Our Services are not directed to children under 13, and we do not knowingly collect Personal Information from children under 13. If we learn that we have collected such information, we will promptly delete it and take any steps required by law. If you believe a child under 13 has provided Personal Information to us, please contact privacy@phoenixprincipals.com with details so we can investigate and remove the information.

Third-Party Sites & Social Media

Our Services may link to third-party sites. We are not responsible for their privacy practices. Social media interactions are governed by those platforms’ policies.

Links to Third-Party Services / Advertising Providers

Our websites may include links or embedded content from third parties. We recommend reviewing their privacy policies; we are not responsible for them.

Data Processing Addendum (DPA)

We will provide a standard DPA on request for Customers that addresses subprocessors, security measures, incident notification, international transfers and audit rights. Contact privacy@phoenixprincipals.com.

Tax & Legal Disclosures

Where required by law or contract, we may disclose Personal Information to tax authorities or in corporate transactions. Such disclosures are limited to what is required and lawful.

Limitation of Liability & Disclaimer

This Policy is informational and does not create contractual rights. To the maximum extent permitted by law, Phoenix Principals disclaims liability for damages arising from third-party services, links, or reliance on this Policy. Client agreements and DPAs govern processing relationships.

Subprocessor Notification & Objection

We maintain a register of subprocessors and will provide notice of any new material subprocessor. Customers may reasonably object to a new material subprocessor and we will use commercially reasonable efforts to address concerns.

Operational Controls & Use of Managed Service Providers

Phoenix Principals does not operate an internal IT department. We rely on qualified, contractually bound third-party managed service providers (MSPs) to perform IT administration, technical support and managed services. MSPs have limited, role-based access and are contractually required to follow our security, confidentiality and incident-reporting procedures. Third-party access is reviewed periodically; MSP personnel must pass background checks and security training.

Subprocessor Accountability & Security Assessments

We conduct due diligence and periodic security assessments (including SOC or equivalent reviews) of key subprocessors and require contractual security obligations, breach notification and cooperation in audits. We may provide redacted security attestations to customers under NDA.

No Rehypothecation / Custody Controls (if applicable)

Where Phoenix Principals or its affiliates hold or oversee third-party custodial arrangements for client assets, pledged assets will not be rehypothecated or repledged by the pledgor without express written consent of the secured party and documented intercreditor protections. Custodians will be contractually bound to follow our custody instructions.

Legal Process, Government Requests & Subpoenas

Phoenix Principals LLP may receive legal process, subpoenas, court orders, governmental or regulatory requests for Personal Information (“Legal Requests”). We review all Legal Requests carefully and respond only as required by applicable law. Our process is:

Legal review and verification: All Legal Requests are routed to our Legal/Compliance team for verification of authority and scope before any disclosure. We require valid process and will confirm identity and authority of requesting parties where appropriate.

Narrow disclosure: We disclose only the minimum Personal Information reasonably necessary to comply with a lawful and verified request.

Protection of rights: Where permitted and appropriate, we will seek to narrow the request, obtain a protective order, or otherwise limit disclosure to protect our customers’ and clients’ confidential information.

Notice to affected parties: We will notify the affected Customer or data subject of the Legal Request unless prohibited by law, court order, or the requesting authority. If notice is prohibited, we will disclose that fact when permitted.

Recordkeeping: We maintain a record of Legal Requests received and any disclosures made in response, consistent with legal and regulatory obligations.

Escalation and cooperation: We cooperate with lawful governmental and regulatory investigations while protecting lawful privileges and rights. For emergency requests involving imminent risk of harm, we will comply as required by law and notify affected parties when not prohibited.

If you receive or become aware of a Legal Request seeking Personal Information about your account or data processed by us, please contact privacy@phoenixprincipals.com immediately so our external and external legal and compliance team can assist.

Data Breach Notification & Incident Reporting

Report suspected incidents or vulnerabilities to security@phoenixprincipals.com. We will coordinate investigation, containment and notification under our incident response plan.

Data Transfers & International Residents

Personal Information may be processed outside your jurisdiction. We use lawful transfer mechanisms (SCCs, binding rules, standard contractual clauses) to protect transfers. EEA residents may have additional rights; contact privacy@phoenixprincipals.com for assistance.

Client Engagement Terms; Precedence

Your use of our Services and our processing of your Personal Information are governed by and subject to the terms of any applicable engagement letter, master services agreement, or other written contract between you and Phoenix Principals LLP (the “Engagement Agreement”). To the extent there is any inconsistency between this Privacy Policy and an Engagement Agreement, the terms of the Engagement Agreement shall govern with respect to the Services and data processing performed under that Engagement Agreement. By engaging Phoenix Principals for services, you acknowledge that Personal Information provided to us in connection with the engagement will be processed in accordance with this Privacy Policy and the terms of your Engagement Agreement, and you consent to such processing as described herein and in the Engagement Agreement. If you have questions about how the contract terms affect privacy or data handling for your engagement, contact privacy@phoenixprincipals.com.

State-Specific Disclosures (U.S.) — Exhibit A

Exhibit A summarizes rights and procedures for residents of U.S. states with privacy laws (California, Colorado, Connecticut, Utah, Virginia, Nevada, Oregon, etc.). Where state law applies, the rights described in Exhibit A are available subject to statutory exceptions. To exercise rights, email privacy@phoenixprincipals.com.

Data Subject Request Verification & Exceptions

We will verify requestor identity using reasonable methods. We may deny/limit requests where exceptions apply (e.g., legal obligations, fraud prevention, ongoing litigation). We will explain denials as required by law.

Contact & Escalations

Privacy inquiries: privacy@phoenixprincipals.com

Security incidents: security@phoenixprincipals.com

Mailing address: Phoenix Principals LLP, 95 Third Street, 2nd Floor, San Francisco, CA 94103

Changes to this Policy

We may modify this Policy. We will post updated versions with revised “Last Updated” date and communicate material changes as required.

Contact & Compliance Escalations

For regulatory or legal escalation, contact privacy@phoenixprincipals.com. For security incidents: security@phoenixprincipals.com.

Exhibit A — U.S. State-Specific Disclosures & Resident Rights (Summary)

Exhibit A — Consolidated U.S. State-Specific Privacy Information (Summary and How to Exercise Rights)

This Exhibit summarizes rights and procedures for residents in U.S. states with privacy laws (e.g., California, Colorado, Connecticut, Utah, Virginia, Nevada, Oregon). Rights may include access, deletion, correction, portability, opt-out of sale/sharing, and objection to targeted advertising. To submit a request, email privacy@phoenixprincipals.com and follow the verification steps described in Section 14. For California residents, include “California Privacy Request” in the subject line.

Additional Operational & Legal Protections (Implemented)

Vendor due diligence, subprocessors register and contractual safeguards.

Periodic security assessments and annual penetration testing.

Data classification, DLP and encryption controls.

Annual security awareness training and background checks for third-party personnel.

Retention and deletion SOPs; documented incident response.

Availability of DPA upon request.

Legal Notice

This Policy is informational and does not create contractual rights. Phoenix Principals reserves the right to modify it. Material changes will be posted to our Website.

Purpose and scope

This Exhibit A summarizes the core privacy rights and exercise procedures that may be available to residents of U.S. states with applicable privacy laws (including, but not limited to, California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia). Rights and terminology vary by state. This consolidated summary harmonizes the common rights, describes verification and submission procedures, and notes state-specific variations where important. If your state provides additional or different rights, we will follow the law that applies to you.

Common rights (what many state laws provide)

Depending on your state of residence, you may have one or more of the following rights with respect to Personal Information Phoenix Principals processes about you:

Right to Know / Access: Request disclosure of categories and specific Personal Information collected, the sources, purposes for processing, categories of recipients, and specific pieces of Personal Information we hold about you (copy/portable format where required).

Right to Delete: Request deletion of Personal Information we maintain about you (subject to lawful exceptions).

Right to Correct: Request correction of inaccurate Personal Information.

Right to Data Portability: Request a copy of Personal Information in a portable, commonly used format.

Right to Opt-Out: Opt out of certain processing such as targeted advertising, sale/sharing of Personal Information, or profiling for legal/similarly significant decisions — where applicable under state law. (Phoenix Principals does not sell Personal Information for monetary consideration.)

Right to Restrict or Limit Processing: Request limitation of processing for certain purposes, including sensitive use limitations under specific laws.

Right to Non-Discrimination: Right not to receive retaliatory or discriminatory treatment for exercising privacy rights.

Right to Know Recipients: Request a list of specific third parties with whom we have disclosed your Personal Information (where required).

Right to Opt-Out of Sale/Sharing (if applicable): Submit a “Do Not Sell / Do Not Share” request where applicable under state law.

State variations and notable points (high level)

California (CCPA/CPRA): Broad rights including access, deletion, correction, opt-out of sale/sharing, right to limit sensitive use and non-discrimination. Authorized agent permitted; identity verification is required. Use subject line “California Privacy Request” when contacting us.

Colorado, Connecticut, Virginia, Utah: Rights include access, correction, deletion, portability and opt-out of targeted advertising and sale/sharing where applicable.

Nevada: Opt-out of sale of “personally identifiable information” (limited scope). We do not sell Personal Information.

Oregon, Minnesota, New Jersey, New Hampshire, Nebraska, Kentucky, Iowa, Indiana, Montana, Tennessee, Texas, Florida and Delaware: Provide rights in varying combinations of access, deletion, correction, portability and opt-out of sale/targeted profiling; procedures and proofs vary by state.

All states: Many laws include exceptions for legal compliance, fraud prevention, public interest, or where retention is necessary for legal/regulatory requirements.

How to submit a request (uniform process)

Contact method: Send an email to privacy@phoenixprincipals.com with the subject line indicating your state and request type (e.g., “California Privacy Request — Access”). You may also mail a written request to: Phoenix Principals LLP, 95 Third Street, 2nd Floor, San Francisco, CA 94103.

Required information: Provide (a) your full name, (b) contact information (email and postal address), (c) state of residence, and (d) a clear description of the request (access, deletion, correction, portability, opt-out, or other).

Verification: We will verify your identity using reasonable measures before fulfilling requests. Verification may include: account authentication, government ID, delivery of a verification code to a registered email or phone, or other reasonable methods. We may refuse or limit requests we cannot verify.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require written authorization and identity verification for both you and the agent.

Response timing: We will acknowledge receipt and will respond within the timeframes required by applicable state law (typically 30 to 45 calendar days; extensions may be permitted by law). If we need additional verification or information, we will notify you promptly.

Denials and appeals: If we deny a request, we will provide the reason and legal basis for the denial and any appeal or dispute process available under applicable law.

Identity verification and fraud prevention

For your protection and ours, we will require identity verification before providing access to or making changes to Personal Information. We will not disclose Personal Information in response to unverifiable or insufficient requests.

We may refuse requests that are unfounded, excessive or manifestly unfounded, where permitted by law, and we will notify you of the basis for any denial.

Exceptions / Reasons we may not comply fully

We may not comply where an exception under the applicable law applies — for example: to comply with legal obligations, for fraud prevention, for ongoing legal disputes, to protect freedom of expression, to retain aggregated or de-identified information, to maintain confidentiality under legal privilege, or to comply with professional and regulatory recordkeeping obligations. We will explain the applicable exception when denying a request, as required by law.

Exercise of rights for account holders vs. non-account holders

For users with an account or contractual relationship, we will generally authenticate using account credentials and respond accordingly.

For visitors or non-account holders, we will ask for additional verification (proof of identity) consistent with statutory requirements.

Opt-out of marketing & do-not-track

You may opt out of marketing emails via the unsubscribe link in our communications, or by emailing privacy@phoenixprincipals.com. We do not respond to browser Do-Not-Track signals.

Special note for California:
If you are a California resident, include “California Privacy Request” in the subject line when emailing privacy@phoenixprincipals.com. You may designate an authorized agent to submit requests; we may require proof of authorization.

Business / Contractual Exceptions:
Many state laws exclude Personal Information collected, processed or disclosed in the course of business-to-business relationships or pursuant to a contract. We will identify and apply lawful exceptions where they apply.

Dispute & Complaint

If you are not satisfied with our response, you may contact privacy@phoenixprincipals.com to escalate. You may also lodge a complaint with your state regulator or supervisory authority.

Recordkeeping and audit trail:
We maintain records of requests and our responses for the periods required by law and to demonstrate compliance with applicable data protection laws.

Contact for rights and questions:

privacy@phoenixprincipals.com (preferred)

Mailing address: Phoenix Principals LLP, 95 Third Street, 2nd Floor, San Francisco, CA 94103

Copyright Phoenix Principals LLP 2026. All Rights Reserved

“Phoenix Principals” is the brand name under which Phoenix Principals LLP, Phoenix Tax LLC and Phoenix Advisory LLC provide professional services.

Phoenix Principals LLP is a licensed, independent CPA firm and holds the applicable licenses to operate in the public accounting space. At present Phoenix Principals LLP does not provide audit or certain assurance services. Phoenix Tax LLC provides tax compliance and tax advisory services. Phoenix Advisory LLC provides business consulting and advisory services. Phoenix Tax LLC and Phoenix Advisory LLC are wholly owned subsidiaries of Phoenix Principals LLP and are not licensed CPA firms. Where appropriate, these subsidiaries perform services for and on behalf of Phoenix Principals LLP.

Phoenix Tax LLC and Phoenix Advisory LLC may engage or rely on resources of affiliated and unaffiliated domestic or international service providers in the course of delivering professional services.

Phoenix Principals LLP, Phoenix Tax LLC, Phoenix Advisory LLC and any related entities are separate legal entities. Each entity provides services in its own name and does not act as agent for the others; none of the entities assumes liability for another entity’s acts or omissions.

“Phoenix Principals LLP — Rise. Build. Lead.” is a trademark of Phoenix Principals LLP. Trademark(s) pending.

The information provided on this website is for general informational purposes only and does not constitute the practice of public accounting, certified public accounting services, or professional advice as defined by the California Board of Accountancy or applicable California law.

Phoenix Principals LLP is not currently licensed as a California CPA firm and does not hold itself out as providing attest, assurance, tax or other applicable services requiring licensure by the California Board of Accountancy. Phoenix Principals LLP is in the process of seeking the appropriate approvals and licensure to operate as a California-licensed CPA firm.

Nothing on this website should be relied upon as a substitute for advice from a licensed certified public accountant or other qualified professional.