Privacy & Data Protection
W9Relay is built for finance and vendor ops teams that need secure, auditable W‑9 collection. We keep personal data limited, encrypted, and controlled by you.
What we collect
- Account data: name, email, password hash, MFA details.
- Vendor + W‑9 data: invite metadata, contact info, TIN type, masked TIN, signatures, and IP address and user agent for the audit trail.
- Product signals: usage events needed to operate reminders, exports, and support.
How we protect it
- Encryption: TLS in transit; AES-256 for sensitive fields and stored files. You control the encryption keys in your environment.
- Access controls: role-based access, optional MFA enforcement for W‑9 viewing, signed links for document delivery.
- Auditability: every invite, resend, impersonation, and export is logged for review.
- Data minimization: we never store raw payment card data and do not sell personal data.
Retention & deletion
By default we retain vendor records for 24 months to satisfy tax-year audits. Org admins can delete a vendor or document at any time; we remove it from active storage immediately and from backups within 30 days.
Subprocessors
We rely on essential providers for email delivery and storage (e.g., your configured SMTP or Postmark/Resend, and S3-compatible object storage). Each provider is bound by data processing terms. We will notify admins before adding any materially new subprocessor.
Your controls
- Export all vendor data (CSV + PDFs) anytime from the dashboard.
- Delete vendors, W‑9s, or your workspace, and purge signatures/PDFs from storage.
- Enforce MFA for teammates who can view W‑9s and require vendor MFA on invite links.
Questions
Email security@w9relay.com for privacy requests, subprocessor details, or to report a security concern. We aim to respond within one business day.
