Architecture transparency
How our decoder works
v1 — what ships today
Two safe modes, both fully client-side
- 1. Pick from list. You type a code (CP14, CP2000, LT11, Letter 5071C…) into the search box. The decoder looks up the code in a static catalog shipped with the page itself — no network request goes out from your device. When you click a match, your browser navigates directly to the per-notice page.
- 2. Paste your notice text. You paste any text from your notice into the textarea. The decoder runs a keyword scan in your browser to find code tokens (CP14, CP2000, etc.) and surface candidate matches. The pasted text never leaves your browser. We do not log, store, transmit, or analyze it. The match logic runs in the JavaScript that's already loaded on the page; no additional fetch happens.
Verify it yourself. Open your browser's DevTools, switch to the Network tab, and watch as you type. You'll see static asset requests (the page HTML, the font files, the page's JavaScript bundle — all from this site's origin) but nothing that contains your pasted notice content.
v2 — privacy-first browser OCR (in development)
Upload-your-notice path, ship-when-airtight
Eventually, you'll be able to upload a PDF or photo of your notice and the decoder will identify it automatically. We're not shipping that path until the privacy architecture is verifiably airtight. Here's the design:
- 1. Browser OCR. The PDF or image is processed entirely in your browser using a WebAssembly OCR runtime. The original file stays on your device — it never reaches our server.
- 2. PII redaction. Before any text leaves your browser, a redaction pipeline removes Social Security numbers, EINs, account numbers, phone numbers, addresses, and names — replacing each with placeholder tokens (<SSN>, <NAME>, etc.). The pipeline is unit-tested against a fixture corpus of public IRS sample notices; the build fails if any fixture leaks PII.
- 3. Extraction-only LLM call. Only the redacted text is sent to our API for notice-type extraction. The model returns a structured response — notice code, tax year, response window, deadline date — and nothing else. The model never generates the legal or tax answer; the answer comes from the per-notice ruleset we maintain in this repository.
- 4. Aggregate logs only. Server-side logs record only which notice code was matched, when, and whether the match succeeded. We never log notice content, redacted or otherwise. No SSN, no name, no address ever touches our logs — even after redaction.
- 5. Pause-tenant kill switch. If the privacy pipeline ever fails an audit, we can disable the upload path instantly with a single toggle. The decoder falls back to manual-pick + paste-text mode (the v1 mode shipping today) until the issue is fixed.
The v2 path is intentionally not live yet because the privacy promise on this page must match what the code actually does. Until the redaction pipeline is unit-tested with a 50-fixture corpus and the network-tab inspection confirms zero PII in any outbound request, we keep the upload path off and ship the safer client-side-only modes.
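The redaction step and the leak gate described in the PII redaction item above, as an added example rather than this site's own code. Only the `<SSN>` token name comes from the page; `<EIN>`, `<PHONE>`, the function names and the sample text are assumptions, and names and addresses, which need more than pattern matching, are left out.

```javascript
// Added example, not the site's code. Only the <SSN> token is named on the
// page; <EIN>, <PHONE> and all function names here are assumptions.
const RULES = [
  ["<EIN>", /\b\d{2}-\d{7}\b/g],
  ["<SSN>", /\b\d{3}[- ]?\d{2}[- ]?\d{4}\b/g],
  ["<PHONE>", /\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b/g],
];

// Constructed sample text; every identifier in it is made up.
const SAMPLE = [
  "Notice CP2000 for tax year 2022",
  "Taxpayer ID 000-12-3456, employer EIN 00-1234567",
  "Questions? Call (800) 555-0100.",
].join("\n");

// Replace every match of every rule with its placeholder token.
function redact(text) {
  return RULES.reduce((out, [token, re]) => out.replace(re, token), text);
}

// Gate that shares no patterns with RULES: flag any run of digits and
// separators that still carries nine or more digits after redaction.
function findLeaks(redacted) {
  const runs = redacted.match(/\d[\d\-. ()]{7,}\d/g) || [];
  return runs.filter((run) => run.replace(/\D/g, "").length >= 9);
}

// Fail closed: if the gate finds anything, nothing is released for sending.
function safeToSend(text) {
  const redacted = redact(text);
  const leaks = findLeaks(redacted);
  return leaks.length ? { ok: false, redacted: null, leaks }
                      : { ok: true, redacted, leaks };
}

console.log(safeToSend(SAMPLE));            // notice code and year survive
console.log(safeToSend("SSN 000.12.3456")); // dotted form slips past RULES
```

The second call shows why the gate is written separately from the rules: a dotted identifier that no rule matches is still caught, so the request is blocked instead of sent.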
What we won't do
Hard constraints
- We will not store your notice. No persistent storage on our server, ever. Not in a database, not in a file system, not in a temporary cache.
- We will not sell your data. We don't share, sell, or syndicate your information to tax-resolution-mill operators, lead-generation networks, or any third party. We don't have data to sell because we don't collect it.
- We will not call you. There is no phone form on this site. We don't collect phone numbers and we don't generate "leads" for outbound dialers. If you see a phone number on a tax-notice site, it should not be ours.
- We will not promote FTC-flagged operators. Tax-resolution mill operators with active FTC consent decrees, state Attorney General actions, or BBB pattern complaints are excluded from any affiliate slot we build — regardless of payout. Brand trust is load-bearing for this kind of site; we will not trade it.
- We will not pretend to be the IRS. No IRS eagle, no Treasury-style flourishes, no IRS letterhead mimicry. We use a deliberately distinct visual identity — restrained navy, warm gold, sage privacy accents — so there is no confusion about who is sending you what.
Read the full privacy policy for the legal version of this page. Read the methodology to see how every per-notice page is sourced and verified.