Privacy Policy

How we handle your nonpublic personal information.

Effective: May 17, 2026

CPAs, like all providers of personal financial services, are required by law to inform their clients of their policies regarding the privacy of client information. CPAs have been, and continue to be, bound by professional standards of confidentiality that are even more stringent than those required by law. We have always protected your right to privacy and remain committed to doing so.

This notice describes the information we collect, how we use and protect it, and the choices you have regarding that information. It applies to our clients and to visitors of thedonovancompany.com.

Types of nonpublic personal information we collect

We collect nonpublic personal information about you that is provided to us by you, obtained by us with your authorization, or generated in the course of preparing your returns or performing the accounting, tax, and advisory services you have engaged us to perform. This includes information you submit to us through secure document portals and information we receive from third parties on your behalf, such as taxing authorities, banks, brokers, and other professionals.

Our website itself is informational only. We do not require account registration, we do not host contact forms, and we do not use advertising or cross-site tracking cookies. Standard web server logs (such as IP address, browser type, and pages visited) may be retained for routine security and operational purposes. The site includes links to third-party services that we use to serve our clients, including ShareFile (for secure document exchange) and CPACharge (for payment processing). When you follow one of those links, you are interacting with that third-party provider, and the provider’s own privacy practices apply to information you submit there.

Parties to whom we disclose information

For current and former clients, we do not disclose any nonpublic personal information obtained in the course of our practice except as required or permitted by law. Permitted disclosures include providing information to our employees and to outside parties who assist us in providing services to you. Those outside parties may include tax software providers, electronic filing transmitters, document management and secure file transfer providers, payment processors, cloud service and artificial intelligence tool providers, and specialists engaged for particular matters such as actuaries or appraisers. In every such case, we stress the confidential nature of the information being shared and we engage these parties under terms that require them to safeguard it.

Federal law (Internal Revenue Code Section 7216) restricts the use and disclosure of tax return information by tax return preparers. We will not use or disclose your tax return information for any purpose other than preparing your return, except as permitted by the Treasury Regulations or with your specific written consent.

Use of technology, including artificial intelligence

We may use cloud-based software and artificial intelligence tools as part of our practice to improve accuracy, efficiency, and service to our clients. When we use such tools, we apply the same confidentiality standards we apply to any other service provider: vendors are selected with attention to their security practices, access to nonpublic personal information is limited to what is necessary for the work, and we do not permit your information to be used to train third-party artificial intelligence models.

Protecting the confidentiality and security of client information

We retain records relating to the professional services we provide so that we are better able to assist you with your future needs and, in some cases, to comply with professional and regulatory requirements. To guard your nonpublic personal information, we maintain physical, electronic, and procedural safeguards consistent with our professional obligations, including the AICPA Statements on Standards for Tax Services and the AICPA Privacy Management Framework, and with the Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act. These safeguards include a written information security program, multi-factor authentication for systems holding client information, access controls, and encryption of stored and transmitted client data.

California privacy rights

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA/CPRA”), California residents have certain rights with respect to their personal information. Most of the personal information we collect and process — including all information collected, processed, sold, or disclosed in connection with preparing a tax return or providing related financial services — is exempt from the CCPA/CPRA’s privacy provisions because it is collected and used subject to the Gramm-Leach-Bliley Act and Internal Revenue Code Section 7216.

With respect to any personal information we hold that is not exempt (for example, ordinary website server logs or general business contact information for individuals who are not our clients), California residents may request:

To exercise any of these rights, contact us using the information below. We will respond within the time required by law. We will not discriminate against you for exercising any of your privacy rights.

Other state privacy rights

We prepare returns for clients in many states. Residents of states with comprehensive consumer privacy laws (including Colorado, Connecticut, Virginia, Texas, Oregon, and others) may have rights similar to those described above with respect to any non-exempt personal information we hold. Most information we hold for tax and accounting clients is exempt from these laws on the same Gramm-Leach-Bliley Act and Internal Revenue Code Section 7216 basis described in the California section. To make a privacy request, please contact us using the information below.

Residents of the European Union, United Kingdom, and Switzerland (GDPR)

If you reside in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (“GDPR”), the UK GDPR, or the Swiss Federal Act on Data Protection (as applicable) may apply to personal data we hold about you. For those purposes, The Donovan Company is the data controller, and the contact for privacy matters is set out below.

Lawful bases. We process your personal data on the following bases: (i) performance of the engagement contract you have entered into with us (GDPR Article 6(1)(b)); (ii) compliance with our own legal and professional obligations as a U.S. licensed CPA practice (Article 6(1)(c)); and (iii) our legitimate interests in operating the firm, including security, recordkeeping, and protecting our practice against legal claims (Article 6(1)(f)).

Your rights. Subject to limitations imposed by U.S. tax law, professional standards, and recordkeeping requirements, you have the right to: access the personal data we hold about you; request correction of inaccurate data; request erasure (where erasure would not conflict with our legal or professional retention obligations); request restriction or object to certain processing; request a portable copy of data you provided to us; withdraw any consent you have given (without affecting the lawfulness of prior processing); and lodge a complaint with the supervisory authority in your country of residence — in Spain, the Agencia Española de Protección de Datos (AEPD, www.aepd.es).

International data transfers. Because we are located in the United States, providing services to you necessarily involves the transfer of your personal data from your country of residence to the United States. The United States has not received a general adequacy decision under the GDPR, and U.S. law may not provide privacy protections equivalent to those in your jurisdiction. We rely on the following safeguards for these transfers: (i) the contractual-necessity derogation under GDPR Article 49(1)(b), because the transfer is necessary to perform the engagement contract you have entered into with us; and (ii) your explicit informed consent under Article 49(1)(a), obtained at the start of the engagement after disclosure of the risks. Where we share your data with service providers that have self-certified to the EU–U.S. Data Privacy Framework (and the UK and Swiss extensions), we rely on that certification; where we share data with service providers that have not self-certified, we rely on Standard Contractual Clauses or the foregoing derogations.

Retention. We retain client records for the period required by U.S. federal and California professional standards and tax-records requirements (generally seven years from the filing of the relevant return, and longer for certain workpapers and for clients who remain engaged with the firm).

No EU representative; basis for exemption. We have not designated a representative in the European Union under GDPR Article 27 because our processing of EU residents’ personal data is occasional, does not include large-scale processing of special categories of data (Article 9) or criminal-conviction data (Article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope, and purposes of the processing.

Changes to this policy

We may update this policy from time to time to reflect changes in our practice or in applicable law. The effective date above will indicate when the policy was last revised.

Contact us

If you have any questions about this privacy policy or our information practices, please contact:

The Donovan Company
Thomas Donovan, CPA
9930 Research Drive, Suite 100
Irvine, CA 92618
(949) 640-1333
privacy@thedonovancompany.com