Privacy Policy

Privacy and Data Security Policy

Effective Date: [12-03-2025]
Last Revised: [11-21-2025]

Thank you for choosing to be part of our community at Maner Costerisan (“Company”, “we”, “us”, “our”). We are committed to protecting your personal information and your right to privacy. This Privacy and Data Security Policy reflects our compliance with federal and state regulations, including the Federal Trade Commission’s Safeguards Rule (16 CFR Part 314), IRS Publication 4557 requirements, and Michigan data security laws.

If you have any questions or concerns about this policy or our practices regarding your personal information, please contact us at maner@manercpa.com.

Important Notice Regarding Tax Return Information

As a certified public accounting firm, we handle sensitive tax return information protected under Internal Revenue Code Section 7216 and Treasury Regulation 301.7216. We maintain strict protocols to ensure the confidentiality and security of all tax return information in accordance with IRS Publication 4557 and federal law.

1. WHAT INFORMATION DO WE COLLECT?

Personal Information You Disclose to Us

In Short: We collect personal information that you provide to us, including sensitive financial and tax information.

We collect personal information that you voluntarily provide to us when you:

Engage our professional services
Express interest in obtaining information about our services
Participate in activities on our website https://manercpa.com (the “Website”)
Contact us for any reason

The personal information we collect may include:

Basic Contact Information:

Names
Email addresses
Phone numbers
Mailing addresses
Job titles
Company/business information

Financial Information (covered by FTC Safeguards Rule):

Social Security Numbers
Tax identification numbers (EIN, ITIN)
Bank account numbers and financial account information
Credit and debit card information
Income and financial statements
Investment account information
Credit reports and credit scores
Assets and liabilities information

Tax Return Information (covered by IRC Section 7216):

Federal and state tax returns
Supporting tax documentation
Prior year tax records
Tax payment records
IRS correspondence
State tax authority correspondence

Other Sensitive Information:

Driver’s license numbers
Passport information
Date of birth
Signature images and copies
Business formation documents
Estate planning documents

All personal information you provide must be true, complete, and accurate. You must notify us promptly of any changes to such information.

Information Automatically Collected

In Short: Some information—such as your Internet Protocol (IP) address and/or browser and device characteristics—is collected automatically when you visit our Website.

We automatically collect certain information when you visit, use, or navigate the Website. This information does not reveal your specific identity but may include:

Log and Usage Data:

IP address
Device information and identifiers
Browser type and settings
Date/time stamps of website usage
Pages and files viewed
Searches and other actions taken
Device event information (system activity, error reports)
Hardware settings

Device Data:

Computer, phone, tablet, or other device information
IP address (or proxy server)
Device and application identification numbers
Browser type and hardware model
Internet service provider and/or mobile carrier
Operating system and system configuration

Location Data:

Device location information (precise or imprecise)
GPS and geolocation data
Location based on IP address

You can opt out of location data collection by refusing access or disabling location settings on your device. However, opting out may limit certain Services functionality.

Information Collected from Other Sources

In Short: We may collect limited data from public databases, business partners, and other sources to provide our professional services.

To provide comprehensive professional services, we may obtain information from:

Public databases and records
Credit bureaus and financial institutions
IRS and state tax authorities
Business partners and referral sources
Data providers for tax research and compliance
Joint marketing partners
Corporate databases and business registries

This information may include mailing addresses, job titles, email addresses, phone numbers, business ownership data, financial records, and public filing information.

2. HOW DO WE USE YOUR INFORMATION?

In Short: We process your information to provide professional accounting, tax, and advisory services in compliance with applicable laws and professional standards.

We use personal information for the following purposes:

Service Delivery:

Prepare and file tax returns
Provide accounting and bookkeeping services
Deliver audit, review, and compilation services
Offer business advisory and consulting services
Prepare financial statements and reports
Provide estate and succession planning services

Legal and Professional Obligations:

Comply with IRS regulations and reporting requirements
Meet state and local tax filing obligations
Respond to subpoenas and legal process
Fulfill professional licensing requirements
Maintain required audit documentation
Comply with anti-money laundering (AML) requirements

Business Operations:

Process payments and manage accounts
Communicate regarding services and deadlines
Manage client relationships
Conduct quality control reviews
Maintain professional liability insurance requirements

Marketing Communications (Non-Tax Return Information Only):

Send newsletters and firm updates
Provide tax planning alerts and regulatory updates
Promote relevant professional services
Host educational seminars and events

Important: Tax return information is NEVER used for marketing purposes without your explicit, separate written consent in accordance with IRC Section 7216.

Security and Risk Management:

Monitor for and prevent fraud
Detect and prevent cybersecurity threats
Conduct security assessments and audits
Maintain incident response capabilities
Ensure business continuity

3. INFORMATION SECURITY PROGRAM

In Short: We maintain a comprehensive written information security program as required by the FTC Safeguards Rule.

As a financial institution under the Gramm-Leach-Bliley Act and FTC Safeguards Rule, we have implemented and maintain a comprehensive written information security program designed to:

Protect Customer Information: Ensure the security and confidentiality of customer information, including financial information and tax return data
Protect Against Threats: Guard against anticipated threats or hazards to the security or integrity of such information
Prevent Unauthorized Access: Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers

Information Security Program Components

Our information security program includes:

Designated Qualified Individual: We have designated a qualified individual responsible for overseeing, implementing, and enforcing our information security program. This individual has the authority and resources to implement and maintain appropriate safeguards.

Risk Assessment: We conduct periodic written risk assessments to:

Identify reasonably foreseeable internal and external threats
Assess the likelihood and potential damage of these threats
Evaluate the sufficiency of existing policies, procedures, and safeguards
Document and prioritize risks in a written report
Reassess risks when significant changes occur to operations or technology

Safeguards Design and Implementation: Based on our risk assessment, we design and implement safeguards to control identified risks, including:

Access controls and authentication measures
Encryption of data in transit and at rest
Secure development practices
Multi-factor authentication where appropriate
Physical security controls for offices and data centers
Disposal procedures for customer information
Change management procedures

Regular Monitoring and Testing: We continuously monitor and periodically test the effectiveness of our safeguards through:

Continuous monitoring of information systems
Annual penetration testing by qualified third parties
Bi-annual vulnerability assessments
Regular security awareness training and testing
Monitoring of service provider controls
Review of access logs and security events

Board and Senior Management Oversight: Our qualified individual reports at least annually to our board of directors or equivalent governing body regarding:

Overall status of the information security program
Compliance with the FTC Safeguards Rule
Material matters related to the program
Significant security incidents or breaches

Program Documentation: We maintain comprehensive written documentation of our information security program, including:

Written policies and procedures
Risk assessment reports
Testing and monitoring results
Security incident reports
Training records
Service provider oversight documentation

4. TAX RETURN INFORMATION – SPECIAL PROTECTIONS

In Short: Tax return information receives heightened protection under federal law and IRS regulations.

IRC Section 7216 Compliance

We comply strictly with Internal Revenue Code Section 7216 and Treasury Regulation 301.7216, which prohibit tax return preparers from knowingly or recklessly:

Disclosing tax return information
Using tax return information for purposes other than preparing tax returns

Tax Return Information Defined: Tax return information includes any information furnished to us in connection with preparing your tax return, including:

Your name, address, and identification numbers
Information about the amounts, sources, and types of income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, deficiencies, overassessments, or tax payments
Information about whether a tax return was prepared or filed, or whether assistance was requested or received in preparing or filing a return
Any other data received, recorded, or generated in connection with tax return preparation

Permitted Uses and Disclosures

We may use or disclose tax return information only:

With Your Written Consent: When you provide specific, informed written consent on IRS Form 8879 or equivalent consent document
For Tax Return Preparation: To prepare, assist in preparing, or obtain or provide services in connection with preparing your tax return
Quality or Peer Reviews: For quality or peer reviews to the extent authorized by Treasury Regulations
Pursuant to Court Order: When required by court order or subpoena
Tax Administration: For disclosure to the IRS or state tax authorities as required by law
Certain Disclosures to Other Tax Professionals: When obtaining advice related to your tax return preparation

Consent Requirements

When we seek your consent to use or disclose tax return information for purposes other than return preparation:

Consent must be provided on a separate, standalone document
Consent must describe the specific purpose of the disclosure
Consent must identify the specific tax return information to be disclosed
Consent must identify the recipient of the information
You have the right to refuse or revoke consent at any time

IRS Publication 4557 Safeguards

In addition to IRC Section 7216 requirements, we implement specific safeguards required by IRS Publication 4557:

Physical Safeguards:

Secure storage of paper documents in locked cabinets or rooms
Visitor access controls and sign-in procedures
Clean desk policies for areas where tax return information is handled
Secure disposal of documents (cross-cut shredding minimum)
Protection of devices containing tax return information

Administrative Safeguards:

Background checks for employees handling tax return information
Confidentiality agreements with all employees and contractors
Role-based access to tax return information (need-to-know basis)
Regular security awareness training
Disciplinary procedures for policy violations

Technical Safeguards:

Encryption of tax return information in transit and at rest
Secure file transfer protocols (SFTP, encrypted email)
Multi-factor authentication for accessing systems with tax return information
Firewall and intrusion detection systems
Regular security patching and updates
Automatic logoff after periods of inactivity
Secure data disposal (wiping/destruction of electronic media)

5. WILL YOUR INFORMATION BE SHARED WITH ANYONE?

In Short: We only share information with your consent, to comply with laws, to provide professional services, or to protect rights.

We may process or share data based on the following legal bases:

Consent: With your specific consent for a particular purpose

Professional Service Delivery: To provide the professional services you have engaged us to perform

Legal Obligations:

To comply with applicable laws and regulations
In response to valid subpoenas, court orders, or legal process
To meet IRS and state tax authority requirements
To respond to governmental requests
To meet professional licensing and regulatory requirements

Professional Standards: To comply with professional standards and ethics rules applicable to certified public accountants

Vital Interests: To investigate, prevent, or take action regarding:

Potential violations of our policies
Suspected fraud or illegal activities
Threats to the safety of any person
Protection of our rights and interests

Legitimate Business Interests: When reasonably necessary to achieve legitimate business interests, such as:

Quality control reviews
Professional liability insurance compliance
Peer review requirements

Specific Sharing Scenarios

Service Providers: We may share information with third-party service providers who perform services on our behalf, subject to strict contractual obligations (see Section 6)

Professional Consultants: We may share information with other tax professionals, attorneys, or consultants when necessary to provide your services, subject to confidentiality obligations

Business Transfers: In connection with any merger, sale of assets, financing, or acquisition of our business, subject to continued protection of your information

Tax Authorities: We disclose information to the IRS and state/local tax authorities as required for tax filing and compliance

Auditors and Peer Reviewers: As required for quality control, audit, and peer review purposes under professional standards

6. SERVICE PROVIDER AND VENDOR MANAGEMENT

In Short: We maintain rigorous oversight of all service providers and vendors who may access customer information.

Service Provider Due Diligence

Before engaging any service provider that will have access to customer information, we:

Assess Capability: Evaluate the service provider’s ability to maintain appropriate safeguards for customer information
Review Security Practices: Examine their information security policies, procedures, and controls
Verify Compliance: Confirm compliance with applicable regulations and industry standards
Check References: Obtain and verify professional references and service history

Contractual Requirements

All service provider contracts include provisions requiring the service provider to:

Implement and maintain appropriate safeguards for customer information
Meet the same standards we are required to meet under the FTC Safeguards Rule and IRS requirements
Implement multi-factor authentication and encryption as appropriate
Report any security incidents or breaches promptly
Allow us to audit or assess their security controls
Ensure any subcontractors meet the same requirements
Return or securely destroy customer information upon contract termination

Ongoing Oversight

We conduct ongoing oversight of service providers through:

Periodic reviews of security assessments and audit reports (e.g., SOC 2 reports)
Regular communication regarding security practices
Incident reporting and response coordination
Contract compliance reviews
Reassessment when significant changes occur

Current Service Providers

We currently engage the following categories of service providers who may access customer information:

Cloud storage and infrastructure providers (with encryption and access controls)
Tax preparation and research software vendors
Electronic filing intermediaries (EROs)
Document management systems
Email and communication platforms
Secure file transfer services
Payment processors (PCI-DSS compliant)
IT support and cybersecurity vendors
Customer relationship management (CRM) systems

7. DATA RETENTION AND SECURE DISPOSAL

In Short: We retain your information only as long as necessary and dispose of it securely when no longer needed.

Retention Periods

We retain personal information for the following periods:

Tax Return Information:

Minimum 7 years from the date of filing (IRS requirement)
Longer periods as required by applicable statutes of limitations
Indefinitely if related to ongoing legal matters or fraud prevention

Financial Information:

Duration of client relationship plus 7 years
Longer if required by professional standards or litigation holds

Audit Documentation:

Per professional standards (typically 7-10 years)

General Business Records:

As required by applicable laws and professional standards
Minimum periods as mandated by Michigan business record retention laws

Website Usage Data:

Generally 24-36 months unless required for security or legal purposes

Secure Disposal Requirements

When we no longer have a legitimate business need to retain personal information, we dispose of it securely:

Paper Documents:

Cross-cut shredding (minimum 3/16″ x 2″ particles)
Certified destruction for highly sensitive documents
Certificate of destruction maintained for audit purposes

Electronic Media:

Degaussing or physical destruction of magnetic media
DoD 5220.22-M compliant wiping for hard drives and SSDs (minimum 3 passes)
Certificate of destruction for physical destruction
Secure cloud data deletion verified by service provider

Off-Site Storage:

Coordination with secure storage providers for proper destruction
Verification of destruction completion

Michigan Data Security Compliance

Our disposal procedures meet Michigan Identity Theft Protection Act requirements for destroying personal information to make it unreadable or indecipherable.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We implement comprehensive technical and organizational security measures to protect your information.

Comprehensive Security Framework

We have implemented appropriate technical and organizational security measures including:

Perimeter Security:

Enterprise-grade firewalls with intrusion prevention systems (IPS)
Network segmentation and access controls
Virtual private network (VPN) for remote access
Regular firewall rule reviews and optimization

Endpoint Protection:

Antivirus and anti-malware software on all devices
Endpoint detection and response (EDR) solutions
Mobile device management (MDM) for company devices
Automatic security patching and updates
Full disk encryption on laptops and mobile devices

Email Security:

Advanced email filtering and anti-phishing protection
Spam filtering and malicious attachment scanning
Email encryption for sensitive communications
Security awareness training to recognize phishing attempts

Data Backup and Recovery:

Regular automated backups (daily for critical systems)
Encrypted backup storage
Off-site and cloud backup replication
Tested disaster recovery procedures
Business continuity planning

Physical Security:

Controlled access to offices and data centers
Video surveillance systems
Visitor management and sign-in procedures
Secure storage for sensitive documents
Clean desk policies

Security Limitations and User Responsibility

Despite our comprehensive safeguards, no electronic transmission over the Internet or information storage technology can be guaranteed 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will never defeat our security measures.

Your Responsibilities:

Protect your login credentials and passwords
Use strong, unique passwords
Enable multi-factor authentication when available
Do not share account access with others
Access our Website and secure portals only from secure networks
Report suspicious activity or potential security incidents immediately
Keep your contact information current

Transmission of personal information to and from our Website is at your own risk. You should only access the Website within a secure environment.

9. ENCRYPTION AND ACCESS CONTROLS

In Short: We use encryption and strict access controls to protect your sensitive information.

Encryption Standards

Data in Transit:

TLS 1.2 or higher for all website communications
Encrypted email (S/MIME or PGP) for sensitive client communications
Secure file transfer protocol (SFTP) for document exchanges
VPN encryption for remote access (AES-256)

Data at Rest:

AES-256 encryption for stored sensitive data
Full disk encryption on all devices
Encrypted cloud storage for all customer information
Database-level encryption for sensitive fields
Encrypted backup media

Access Control Framework

Authentication:

Unique user accounts for all employees and contractors
Strong password requirements (minimum 12 characters, complexity requirements)
Automatic session timeouts after 15 minutes of inactivity
Account lockout after failed login attempts

Multi-factor authentication (MFA) for:

Access to customer financial information
Access to tax return information
Remote access to firm systems
Administrative access to critical systems
Cloud service access

Authorization:

Role-based access control (RBAC)
Principle of least privilege (users receive minimum access necessary)
Need-to-know access to tax return information
Regular access reviews and recertification (at least annually)
Immediate access revocation upon termination

Audit Logging:

Comprehensive logging of access to customer information
Monitoring of privileged user activities
Log retention for minimum 7 years
Regular log review for suspicious activity
Automated alerts for security events

Network Segmentation

We maintain separate network segments for:

Guest wireless access
General business operations
Systems containing customer information
Administrative and security systems

10. EMPLOYEE TRAINING AND ACCESS MANAGEMENT

In Short: All employees receive mandatory security and privacy training and are bound by strict confidentiality obligations.

Employee Onboarding

All employees and contractors undergo:

Background Checks:

Criminal background checks (where permitted by law)
Professional reference verification
Education and credential verification
Credit checks for positions handling financial information (where permitted)

Confidentiality Agreements:

Signed confidentiality and non-disclosure agreements
Acknowledgment of privacy policy requirements
IRC Section 7216 compliance training for tax preparers
Professional ethics obligations
Consequences of policy violations

Initial Training:

Information security fundamentals
FTC Safeguards Rule requirements
IRS Publication 4557 compliance
Phishing and social engineering awareness
Proper handling of customer information
Incident reporting procedures
Physical security protocols

Ongoing Training Requirements

Annual Mandatory Training:

Security awareness refresher training
Updated threat landscape and emerging risks
Privacy policy and procedure updates
Regulatory compliance updates
Case studies of security incidents

Role-Specific Training:

Tax preparers: IRC Section 7216 compliance
IT staff: Advanced security practices and incident response
Administrative staff: Physical security and document handling
Partners and management: Governance and oversight responsibilities

Simulated Phishing Exercises:

Quarterly simulated phishing campaigns
Tracking and remediation for users who fail tests
Additional training for repeated failures

Access Management Procedures

Provisioning:

Formal access request and approval process
Manager approval required for all access grants
Documentation of business justification
Default deny principle (no access unless specifically granted)

Periodic Reviews:

Quarterly reviews of all user access rights
Annual recertification by department managers
Removal of unnecessary access privileges
Validation of continued employment

Termination Procedures:

Immediate access revocation upon termination
Collection of company devices and access credentials
Exit interview including confidentiality reminders
Notification to IT and security teams
Account deletion after retention period

Insider Threat Prevention:

Monitoring of unusual access patterns
Segregation of duties for sensitive functions
Management review of employee activities
Whistleblower and reporting mechanisms
Investigation procedures for policy violations

11. INCIDENT RESPONSE AND DATA BREACH NOTIFICATION

In Short: We maintain comprehensive incident response capabilities and will notify affected individuals and authorities as required by law.

Incident Response Program

We have established and maintain a written incident response plan that includes:

Incident Detection:

24/7 security monitoring
Automated security alerts and notifications
User reporting mechanisms
Regular security assessments and audits
Threat intelligence monitoring

Incident Response Team:

Designated incident response coordinator
Technical response team members
Legal counsel
Communications/public relations lead
Management decision-makers
External forensic support relationships

Response Procedures:

Initial Assessment: Rapid evaluation of incident scope and severity
Containment: Immediate actions to limit damage and prevent spread
Eradication: Removal of threat and closure of vulnerabilities
Recovery: Restoration of affected systems and data
Post-Incident Review: Lessons learned and improvement implementation

Michigan Data Breach Notification Requirements

Under Michigan’s Identity Theft Protection Act (MCL 445.72), we will provide notice of any security breach involving personal information to:

Michigan Residents: We will notify affected Michigan residents without unreasonable delay if we discover a security breach that compromises:

An individual’s first name or first initial and last name, plus
Social Security number, driver’s license or state ID number, or financial account information

Michigan Attorney General: If a breach affects more than 1,000 Michigan residents, we will notify the Michigan Attorney General without unreasonable delay.

Consumer Reporting Agencies: If a breach affects more than 1,000 individuals nationwide, we will notify major consumer reporting agencies.

Notification Method:

Written notice by first-class mail
Electronic notice if we have a valid email address and the individual has consented
Substitute notice if cost exceeds $250,000 or affected class exceeds 500,000 persons

IRS and Federal Breach Notification

IRS Notification: For any breach involving tax return information, we will:

Immediately notify the IRS through the Electronic Filing Identification Number (EFIN) revocation process if required
Report to the Treasury Inspector General for Tax Administration (TIGTA) if criminal activity is suspected
Notify affected taxpayers as required

FTC Safeguards Rule Notification: We will notify our primary federal regulator (Federal Trade Commission) of any breach affecting customer information as required under the Safeguards Rule.

Notification Content

Our breach notifications will include:

Description of the incident and date of occurrence
Types of personal information involved
Steps we have taken to investigate and remediate
Contact information for questions
Recommended steps individuals can take to protect themselves
Information about credit monitoring services (if applicable)
Contact information for major credit bureaus and state/federal agencies

Client Notification

Beyond legal requirements, we maintain transparency with our clients:

Prompt notification of any incident affecting their information
Regular updates during incident investigation and remediation
Post-incident report and improvement measures
Availability of management to address concerns

12. MONITORING, TESTING, AND CONTINUOUS IMPROVEMENT

In Short: We continuously monitor our systems and regularly test our security controls to ensure ongoing effectiveness.

Continuous Monitoring

Security Information and Event Management (SIEM):

Real-time monitoring of security events
Correlation of events across multiple systems
Automated alerting for suspicious activities
Centralized log management and analysis

Network Monitoring:

Continuous monitoring of network traffic
Intrusion detection and prevention systems (IDS/IPS)
Bandwidth and performance monitoring
Detection of unauthorized devices

Endpoint Monitoring:

Real-time antivirus and anti-malware protection
Endpoint detection and response (EDR)
Software inventory and license compliance
Unauthorized software detection

Vulnerability Management:

Continuous vulnerability scanning
Automated patch management
Security advisory monitoring
Risk-based remediation prioritization

Periodic Testing and Assessment

Annual Penetration Testing: We engage qualified, independent third parties to conduct annual penetration testing that includes:

External network penetration testing
Web application security testing
Social engineering assessments
Wireless network security testing
Physical security testing
Remediation of identified vulnerabilities
Retesting to verify fixes

Bi-Annual Vulnerability Assessments:

Comprehensive vulnerability scanning
Network architecture review
Configuration assessment
Authentication mechanism testing
Remediation tracking and validation

Annual Security Assessments:

Review of information security policies and procedures
Access control effectiveness
Encryption implementation
Backup and recovery capabilities
Incident response plan testing
Business continuity plan review

Testing Methodologies

Tabletop Exercises:

Annual incident response tabletop exercises
Business continuity scenario testing
Disaster recovery plan walkthroughs
Communication protocol validation

Security Awareness Testing:

Quarterly simulated phishing campaigns
Social engineering tests
Physical security spot checks
Clean desk policy audits

Backup and Recovery Testing:

Quarterly backup restoration tests
Annual disaster recovery drills
Verification of backup integrity
Recovery time objective (RTO) validation

Continuous Improvement Process

Performance Metrics:

Monitoring of key security indicators
Incident frequency and severity tracking
Mean time to detect (MTTD) and respond (MTTR)
Training completion rates
Vulnerability remediation timeframes

Program Updates:

Annual review and update of information security program
Policy and procedure updates based on testing results
Technology upgrades and improvements
Adoption of new security standards and best practices

Regulatory Compliance:

Tracking of regulatory changes
Assessment of new requirements
Implementation of compliance enhancements
Regular compliance audits

Reporting to Leadership

Our qualified individual provides written reports to senior management and the board of directors at least annually, including:

Overall status of information security program
Compliance with FTC Safeguards Rule and IRS requirements
Results of risk assessments
Summary of testing and monitoring activities
Significant security incidents
Recommended improvements and budget requirements
Comparison to industry benchmarks

13. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use cookies and similar tracking technologies to collect and store information about your website usage.

We use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies is set forth below.

Types of Cookies We Use

Essential Cookies:

Required for website functionality
Session management
Security features
Load balancing

Analytics Cookies:

Website usage patterns
Performance monitoring
Error tracking
User experience optimization

Preference Cookies:

Language preferences
Display settings
User interface customization

Hotjar Analytics

We use Hotjar to better understand our users’ needs and optimize our website experience. Hotjar is a technology service that helps us understand user experience through:

Time spent on pages
Navigation patterns
Click behavior
User feedback
Heatmaps and session recordings

Hotjar Data Collection: Hotjar uses cookies and other technologies to collect:

Device IP address (processed during session and stored in de-identified form)
Device screen size and type
Browser information
Geographic location (country only)
Preferred language for displaying our website

Data Protection:

Hotjar stores information in a pseudonymized user profile
Hotjar is contractually forbidden to sell data collected on our behalf
Data is stored securely on Hotjar’s servers
For details, see Hotjar’s privacy policy at https://www.hotjar.com/legal/policies/privacy

Managing Cookie Preferences

Browser Settings: Most web browsers accept cookies by default. You can usually:

Set your browser to remove cookies
Set your browser to reject cookies
Receive notification before a cookie is stored

Opting Out:

Interest-based advertising: http://www.aboutads.info/choices/
Google Analytics: https://tools.google.com/dlpage/gaoptout
Hotjar: https://www.hotjar.com/legal/compliance/opt-out

Impact of Disabling Cookies: Choosing to remove or reject cookies may affect certain features or services of our Website.

Other Tracking Technologies

Web Beacons (Pixels): We may use web beacons (small graphic images) in emails to track:

Email open rates
Click-through rates
Effectiveness of communications

Local Storage: We may use local storage for:

Session information
User preferences
Performance optimization

14. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. By using our Website and Services, you represent that you are at least 18 years old, or that you are the parent or guardian of a minor and consent to such minor dependent’s use of the Website and Services.

If we learn that personal information from users less than 18 years of age has been collected, we will:

Deactivate the account
Take reasonable measures to promptly delete such data from our records
Notify parents/guardians if appropriate

Reporting: If you become aware of any data we may have collected from children under age 18, please contact us immediately at maner@manercpa.com.

Note on Tax Returns: When preparing tax returns for minors, we collect and process information about dependents as necessary for tax compliance. This information is subject to the same protections as all tax return information under IRC Section 7216 and is controlled by the parent/guardian who engaged our services.

15. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: You have rights regarding your personal information, including the right to access, correct, and request deletion in certain circumstances.

Access and Correction

You have the right to:

Request access to the personal information we hold about you
Receive a copy of your personal information in a structured, commonly used format
Request correction of inaccurate or incomplete personal information
Request updates to your contact information or other details

Important Limitations: We cannot modify or delete information required to be maintained for:

Tax compliance and IRS record retention requirements (minimum 7 years)
Legal obligations and litigation holds
Professional standards and licensing requirements
Regulatory compliance

Data Portability

Where technically feasible and legally permitted, you may request:

Electronic copies of your tax returns and supporting documents
Export of your data from our client portal
Transfer of information to another service provider

Fees: We generally do not charge for reasonable requests for copies of your information. However, we may charge a reasonable fee for:

Excessive or repetitive requests
Requests requiring significant technical effort
Requests for duplicate copies of information already provided

Restriction and Objection

You may request that we:

Restrict processing of your personal information in certain circumstances
Object to processing based on legitimate interests
Opt out of marketing communications (does not apply to service-related communications)

Deletion Requests

You may request deletion of your personal information. However, we may not be able to comply if:

We are required to retain the information by law (tax records must be kept minimum 7 years)
The information is necessary to complete services you requested
The information is subject to a litigation hold or legal investigation
The information is necessary to comply with professional standards
The information is necessary to protect our legal rights

After the Retention Period: Once legal and professional retention requirements are satisfied, you may request deletion of your information. We will comply within a reasonable timeframe.

Marketing Opt-Out

Email Marketing:

Click “unsubscribe” link in any marketing email
Contact us at maner@manercpa.com with “Unsubscribe” in subject line
Update preferences in client portal

Important: Opting out of marketing does not affect:

Service-related communications about your account
Tax deadline reminders and filing notifications
Legally required notices
Responses to your inquiries

Exercising Your Rights

To exercise any of these rights:

Submit a request to maner@manercpa.com
Specify which right you wish to exercise
Provide sufficient information to verify your identity
Include relevant account or client numbers

Response Time: We will respond to your request within 30 days. If we need additional time, we will notify you of the delay and the reason.

Verification: For security purposes, we must verify your identity before processing requests. We may require:

Authentication through client portal
Answering security questions
Providing government-issued identification
Other verification methods as appropriate

16. MICHIGAN RESIDENTS – SPECIFIC RIGHTS

In Short: If you are a Michigan resident, you have specific rights under Michigan law regarding data security and breach notification.

Michigan Identity Theft Protection Act

As a Michigan resident, you are protected by the Michigan Identity Theft Protection Act (MCL 445.63 et seq.), which provides:

Security of Personal Information: We are required to implement and maintain reasonable security measures to protect your personal information from unauthorized access, use, or disclosure.

Breach Notification Rights: If we experience a security breach that compromises your:

Name plus Social Security number, or
Name plus driver’s license or state ID number, or
Name plus financial account information

We will provide you with notice without unreasonable delay, including:

Description of the breach
Types of information involved
Steps we have taken to investigate
Contact information for questions
Recommended protective actions
Available assistance resources

Michigan Attorney General Notification

If a breach affects 1,000 or more Michigan residents, we will also notify the Michigan Attorney General without unreasonable delay.

Contact Information: Michigan Attorney General Corporate Oversight Division P.O. Box 30736 Lansing, MI 48909 517-335-7622

Security Freeze Rights

Michigan residents have the right to place a security freeze on their credit reports. Contact the major credit bureaus:

Equifax: 1-800-685-1111
Experian: 1-888-397-3742
TransUnion: 1-888-909-8872

Identity Theft Reporting

If you are a victim of identity theft in Michigan:

File a report with local law enforcement
File a complaint with Michigan Attorney General: 877-765-8388
Report to the Federal Trade Commission: identitytheft.gov
Place a fraud alert with credit bureaus

Michigan Privacy Contact

For Michigan-specific privacy concerns:

Email: maner@manercpa.com
Phone: 517-323-7500
Mail:
Maner Costerisan
Attention: Privacy Officer
2425 East Grand River Ave., Suite 1
Lansing, MI 48912
United States

17. CALIFORNIA RESIDENTS – SPECIFIC RIGHTS

In Short: If you are a California resident, you are granted specific rights regarding access to your personal information under the California Consumer Privacy Act (CCPA) and California “Shine the Light” law.

California Consumer Privacy Act (CCPA)

While we are a Michigan-based firm, we comply with CCPA requirements for our California clients. California residents have the right to:

Right to Know: Request disclosure of:

Categories of personal information collected
Categories of sources of personal information
Business or commercial purpose for collecting information
Categories of third parties with whom we share information
Specific pieces of personal information we hold about you

Right to Delete: Request deletion of personal information we have collected, subject to legal and professional retention requirements.

Right to Opt-Out: Opt-out of the “sale” of personal information (Note: We do not sell personal information)

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

“Shine the Light” Law

California Civil Code Section 1798.83 permits California residents to request:

Information about categories of personal information disclosed to third parties for direct marketing purposes
Names and addresses of all third parties who received such information in the preceding calendar year

To make a “Shine the Light” request:

Send written request to: maner@manercpa.com
Include “California Privacy Rights” in the subject line
Provide your California address
Requests are free once per calendar year

California Minors

If you are under 18, reside in California, and have a registered account:

You have the right to request removal of unwanted data you publicly posted
Contact us with the email address associated with your account
Include a statement that you reside in California

Note: Data may not be completely removed from all systems (e.g., backups)

Making CCPA Requests

To exercise your CCPA rights:

Email: maner@manercpa.com with “CCPA Request” in subject line
Specify which right you wish to exercise
Provide information to verify your identity
We will respond within 45 days (may extend 45 additional days if needed)

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We require:

Proof of authorization
Verification of your identity
Direct confirmation from you

18. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting that signals your privacy preference not to have data about your online browsing activities monitored and collected.

Current Status: At this time, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

Future Updates: If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

Your Options: You can still control tracking through:

Browser cookie settings
Opting out of interest-based advertising
Disabling JavaScript
Using privacy-focused browser extensions

19. CHANGES TO THIS POLICY

In Short: We will update this policy as necessary to stay compliant with relevant laws and to reflect changes in our practices.

Policy Updates

We may update this privacy and data security policy from time to time to:

Comply with new or changed laws and regulations
Reflect changes in our security practices
Incorporate new technologies or services
Improve clarity and transparency

Notification of Changes

Revised Date: The updated version will be indicated by an updated “Revised” date at the top of this policy.

Effective Date: The updated version becomes effective as soon as it is accessible on our website.

Material Changes: If we make material changes to this policy, we may notify you by:

Prominently posting a notice on our website
Sending email notification to your registered email address
Direct mail for significant changes affecting your rights
Notice in your client portal

Your Responsibility: We encourage you to review this policy frequently to stay informed of how we are protecting your information.

Prior Versions

Upon request, we can provide copies of prior versions of this policy.

20. CONTACT INFORMATION

General Privacy Questions

For questions or comments about this privacy notice or our privacy practices:

Email: maner@manercpa.com
Phone: 517-323-7500
Mail:
Maner Costerisan
Attention: Privacy Officer
2425 East Grand River Ave., Suite 1
Lansing, MI 48912
United States

Security Incident Reporting

To report a potential security incident or data breach:

Email: security@manercpa.com
Phone: 517-323-7500

Data Subject Requests

To exercise your privacy rights (access, correction, deletion, etc.):

Email: privacy@manercpa.com [or maner@manercpa.com]
Subject Line: Include “Privacy Rights Request”
Online Form: https://manercpa.com/contact/

Response Time

We will respond to your inquiry within:

General questions: 5 business days
Data subject rights requests: 30 days
Security incidents: Immediate acknowledgment, full response per legal requirements

Regulatory Contacts

Internal Revenue Service:
To report tax preparer misconduct: 1-877-330-2783
Online: https://www.irs.gov/tax-professionals/make-a-complaint-about-a-tax-return-preparer

Federal Trade Commission:
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-FTC-HELP (382-4357)
https://www.ftc.gov

Michigan Attorney General:
Corporate Oversight Division
P.O. Box 30736
Lansing, MI 48909
517-335-7622
https://www.michigan.gov/ag

21. DATA INTEGRATION WITH THIRD-PARTY SYSTEMS

In Short: We use third-party business systems that are carefully vetted and subject to strict security and privacy requirements.

Zoho One Integration

We utilize Zoho One to streamline our business processes in compliance with our service provider oversight requirements under the FTC Safeguards Rule.

Data Collection: Through Zoho One, we collect:

Contact details (name, email, phone, address)
Company and business information
Transactional records and billing history
Communication and interaction history
Service engagement details

Purpose of Data Usage:

Enhance service delivery
Enable personalized client experiences
Provide efficient customer service
Deliver tailored product offerings
Manage client relationships
Track service engagements

Data Storage and Security:

All data stored securely on Zoho servers
Encryption in transit and at rest
Adherence to stringent data protection standards
Regular security audits and assessments
Compliance with SOC 2 Type II standards

Information Sharing:

No personal data shared with third parties without explicit consent
Exceptions: as necessary to provide services, comply with legal obligations, or protect our rights
All data sharing governed by strict data processing agreements
Compliance with privacy regulations (GDPR, CCPA, etc.)

Service Provider Oversight:

Annual review of Zoho security practices
Monitoring of SOC 2 compliance reports
Contractual requirements for safeguarding customer information
Incident reporting and response coordination
Right to audit security controls

Your Rights: You have the right to:

Access your information stored in Zoho One
Request correction of inaccurate data
Request deletion (subject to retention requirements)
Object to certain processing activities

To exercise these rights, contact us at maner@manercpa.com.

Other Third-Party Systems

We may integrate with other third-party systems for:

Tax preparation and research software
Document management and storage
Client relationship management (CRM)
Time and billing systems
Secure file transfer and communication
Payment processing

All third-party systems are subject to the same rigorous:

Due diligence before engagement
Contractual security requirements
Ongoing oversight and monitoring
Compliance with FTC Safeguards Rule
IRS Publication 4557 requirements

Service Provider List

Upon request, we will provide a list of our current service providers who may have access to customer information and the nature of services they provide.

ACKNOWLEDGMENTS AND CERTIFICATIONS

Regulatory Framework Compliance

This Privacy and Data Security Policy has been developed to comply with:

Federal Requirements:

Gramm-Leach-Bliley Act (GLBA)
Federal Trade Commission Safeguards Rule (16 CFR Part 314)
Internal Revenue Code Section 7216
Treasury Regulation 301.7216
IRS Publication 4557 – Safeguarding Taxpayer Data
IRS Security Summit recommendations

State Requirements:

Michigan Identity Theft Protection Act (MCL 445.63 et seq.)
Michigan data security and breach notification laws
California Consumer Privacy Act (CCPA) for California clients
California “Shine the Light” law

Professional Standards:

American Institute of Certified Public Accountants (AICPA) Code of Professional Conduct
Michigan Association of CPAs standards
Generally Accepted Privacy Principles (GAPP)

Management Commitment

This policy is approved and supported by the management and board of directors of Maner Costerisan. We are committed to:

Protecting client information and privacy
Maintaining the highest standards of data security
Continuous improvement of our information security program
Transparency in our privacy practices
Accountability for protecting your information

Annual Review

This policy is reviewed and updated at least annually to ensure ongoing compliance with:

Changes in applicable laws and regulations
Evolution of cyber threats and security best practices
Results of our risk assessments and security testing
Feedback from clients and stakeholders
Recommendations from our information security program

Questions or Concerns

We value your trust and take our privacy and security obligations seriously. If you have any questions, concerns, or feedback regarding this policy or our practices, please do not hesitate to contact us at maner@manercpa.com.

This policy may be updated from time to time. Please check our website at https://manercpa.com for the most current version.