Where your information goes — exactly
Your SSN and signature exist in your browser — and nowhere else of ours — until the moment you click Pay; then they travel once, inside the finished PDF, transmitted straight to our print partner to be printed, sealed in an envelope, and mailed — never written to a database, a disk, or a log. Here’s the whole path, and how to check it yourself.
Verify it yourself (really)
Open your browser’s developer tools, Network tab, while you fill in the form. Watch it: nothing leaves the page while you type — no keystrokes, no field contents, no analytics payloads with form values. The form fills in locally (the PDF engine runs on your device). One disclosed exception before payment: at the review step we send your typed addresses only (never your SSN or signature) to our server and print partner for USPS standardization. When you click Pay, your identity data — SSN, names, signature — leaves your browser exactly once, inside the finished PDF: it’s transmitted straight to our print partner, printed, sealed into an envelope, and mailed — never written to a database or disk along the way (the next section shows how PostGrid secures it).
The retention table
| Data | Where | Kept | Then |
|---|---|---|---|
| SSN, signature, the full form | Your browser | While you work (refresh wipes SSN + signature even from your own browser’s storage) | Gone — sent only inside the PDF when you order |
| Filled PDF | Our server’s memory (RAM) | Until your letter is handed to the print carrier | Erased and zeroed; never written to our disk |
| Filled PDF | Print partner (PostGrid — SOC 2 Type II) | Their print pipeline, under a minimal-retention security policy with automated purging | Automatically purged on their minimal-retention schedule |
| Order record (name, addresses, email, tracking #) | Our database | 90 days after delivery, then addresses reduced to state-only | Name/email kept 18 months for support and refunds, then deleted |
| Payment record | Stripe (we never see card numbers) | 7 years (financial-records rules) | — |
Who prints and mails it: PostGrid
When you order, your finished PDF travels once — over an encrypted (TLS) connection — to PostGrid, the print-and-mail service that produces and posts your letter. It’s the same class of infrastructure used for healthcare and financial mail, chosen because it treats documents as sensitive by default. Per PostGrid’s published documentation:
- SOC 2 Type II — an independent auditor verifies its security controls (access, encryption, monitoring) actually operate over time, not just exist on paper.
- HIPAA-compliant — built to handle health-grade personal data, the strictest common bar for protecting identifiers like a Social Security number.
- Encrypted in transit — your form is encrypted on the wire from us to PostGrid; it’s never sent in the clear.
- Automated file purging — print files are removed on a minimal-retention schedule once the job is done, rather than kept around.
Why a leak is hard by construction: we send PostGrid only the finished PDF — there’s no SSN field anywhere in our own systems, so your number exists solely inside that one document, which we never write to our disk and zero from memory after the handoff. PostGrid then prints and mails it under the controls above. No party holds a reusable copy of your SSN.
What we deliberately don’t have
- No session replay, no Google Analytics. Analytics is Plausible — page counts and step events, no form values, no fingerprinting, no ad pixels.
- No accounts, no passwords. Your status page is a private link.
- No SSN column anywhere. Our database schema has nowhere to put one — that’s by construction, not policy.
- No card numbers. Payment is handled by Stripe’s embedded checkout.
Transport and infrastructure
Everything moves over HTTPS (TLS). The PDF upload goes directly to our server, which holds it in memory only; the handoff to PostGrid is TLS as well. Request logging on the order endpoint excludes bodies, so the PDF never appears in logs.
Questions about your data?
Email support@taxaddresschange.com — a human answers within one business day.
That’s the whole story. The form takes about a minute.
Fill in Form 8822Or do it yourself free — same honest answer either way.