Privacy Policy

Overview & scope

This Policy applies to all websites operated by Hoyos & Baker Consulting LLC ("Hoyos Baker," "we," "us," or "our"), including hoyosbaker.com and its subdomains, and to the bookkeeping, tax preparation, advisory, website-design, and AI automation services we deliver to our clients.

By using our website or engaging our services, you agree to the practices described here. If you do not agree, please discontinue use of our website and contact us before sharing any personal information.

Who we are

Hoyos & Baker Consulting LLC is a limited liability company organized under the laws of the State of Illinois. We are the data controller for personal information collected through our website and in the ordinary course of providing professional services to our clients.

Information we collect

The categories of personal information we may collect depend on how you interact with us.

Information you provide directly

• Contact and identity information — name, email address, phone number, business name, role, and the entity type of your business.
• Engagement information — the service you are inquiring about, your state of operation, language preference, and any details you choose to share when scheduling a call, filling a form, or messaging us through chat.
• Books and records you share with us — receipts, invoices, bank and credit-card statements, prior tax returns, IRS or state notices, business formation documents, and similar materials we need in order to deliver the services you have engaged us for.
• Communications — emails, Slack messages, voicemails, and other communications you direct to us, including their content and metadata.

Information collected automatically

• Device and browser data — IP address, approximate location (derived from IP), browser type and version, operating system, language preference, referring URL, and pages viewed on our site.
• Usage data — clicks, scroll depth, time on page, and similar interaction signals, gathered through privacy-conscious analytics.
• Cookies and similar technologies — see the Cookies section below.

Information collected from third parties

• Payment processing — when you pay an invoice, our payment processor Stripe transmits to us limited transaction information (the amount, currency, brand of card used, last four digits, and timestamp). Full card numbers and CVCs are never received by, nor stored on, our systems.
• Public sources — for prospective business clients we may, with your permission, verify formation status and good standing through state Secretary of State databases.

We do not buy lists of contacts from data brokers, and we do not enrich client profiles using third-party data marketplaces.

How we use your information

We use personal information for the following purposes:

• To provide the services you engage us for — preparing returns, reconciling books, advising on tax planning, building or hosting a website, responding to IRS or state notices, and the related deliverables.
• To communicate with you — answer questions, schedule calls, send engagement letters, send deliverables, send invoices and receipts, and provide ongoing client support.
• To process payments — through Stripe, as described in the Payment processing section.
• To operate our website — secure it, prevent fraud and abuse, debug issues, and improve usability and performance.
• To meet legal and professional obligations — including obligations under the Internal Revenue Code, Treasury Department Circular 230, state tax statutes, anti–money-laundering rules where applicable, and the record-retention rules that govern our profession.
• To send you our newsletter or service updates — only if you have opted in. You can unsubscribe at any time using the link in any email we send.

Legal basis for processing

We rely on the following legal bases for processing personal information:

• Performance of a contract — to deliver the services you engaged us for under your engagement letter.
• Compliance with a legal obligation — to meet tax preparer and accounting obligations under federal and state law, and to retain records as required.
• Legitimate interests — to operate, secure, and improve our website and services, to communicate with you about your engagement, and to defend our rights if needed. Where we rely on legitimate interests, we have weighed those interests against your rights and concluded that the processing does not override your interests.
• Consent — for newsletter subscriptions and any other processing for which we have explicitly asked your permission.

How we share information

We share personal information only in the limited categories below. We do not share information for advertising, profiling, or commercial benefit to third parties.

We will not share your personal information with any third party for any other purpose without your specific, prior written authorization.

Payment processing through Stripe

We use Stripe, Inc. as our exclusive payment processor for invoiced services. When you pay us, Stripe — not Hoyos Baker — collects your payment-card or bank-account details directly through a secure form embedded on our site or hosted by Stripe. Stripe handles encryption, tokenization, fraud screening, and storage of payment instruments under its own privacy practices and applicable PCI-DSS obligations.

The only payment information Hoyos Baker receives from Stripe is the limited transaction metadata listed in the table above. We do not store full card numbers, CVCs, or bank-routing details on any system we control. You can review Stripe's privacy practices at stripe.com/privacy.

Cookies and similar technologies

Our website uses a small number of cookies and similar storage technologies to operate properly and to understand how visitors use the site. We group them as follows:

• Strictly necessary — required for the site to function, such as remembering your language preference and securing form submissions. These cannot be turned off through our settings, but you can block them through your browser at the cost of site functionality.
• Performance and analytics — to count visits and traffic sources so we can measure and improve site performance. We use privacy-conscious analytics that does not build individual profiles or share identifiers with advertising networks.
• Stripe (when paying an invoice) — Stripe sets cookies to enable fraud detection and the secure operation of its payment forms.

You can control cookies through your browser settings, including blocking, deleting, or limiting them. Most browsers also offer a "Do Not Track" signal — we honor Global Privacy Control (GPC) signals where required by law.

Data retention

We retain personal information for as long as needed to provide the services you engaged us for and to comply with our legal, accounting, and professional obligations. Concretely:

• Engagement files (returns, books, working papers, correspondence) — retained for at least seven (7) years from the close of the relevant tax year, which is the standard for IRS and state record-retention rules applicable to tax preparers.
• Billing and payment records — retained for at least seven (7) years for accounting, audit, and tax purposes.
• Marketing and newsletter records — retained only while you remain subscribed, plus a short suppression list to honor unsubscribe requests.
• Website analytics — retained in aggregate form; individual session identifiers are kept for no longer than 14 months.

When information is no longer needed, we securely delete or anonymize it.

Information security

We treat the books and tax records of our clients with the same discretion as a doctor treats a chart. We protect the information we hold using administrative, technical, and physical safeguards that are appropriate to its sensitivity, including encryption in transit and at rest for sensitive records, access controls based on the principle of least privilege, multi-factor authentication for staff systems, vendor risk reviews of every software provider we use, and a written incident-response procedure.

No system is perfectly secure. If we become aware of a security incident that affects your personal information, we will notify you and the appropriate authorities as required by applicable law and as fast as a responsible investigation will allow.

Your rights and choices

Subject to applicable law and to our legal and professional record-retention obligations, you may exercise any of the following rights:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct information that is inaccurate or incomplete.
• Deletion — ask us to delete personal information, subject to our obligations to retain certain records (notably tax and accounting records) for the periods required by law.
• Portability — receive a copy of the information you provided to us in a structured, commonly used, machine-readable format.
• Objection — object to certain processing, including direct marketing, which we will stop on request.
• Withdrawal of consent — withdraw any consent you previously gave (for example, to receive our newsletter) without affecting the lawfulness of earlier processing.

To exercise any of these rights, email us at privacy@hoyosbaker.com with enough information for us to verify your identity. We will respond within the timeframe required by applicable law (typically 30 to 45 days). You may authorize an agent to make a request on your behalf, subject to verification.

California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), gives you additional rights regarding personal information collected by businesses subject to those laws. Where the CCPA/CPRA applies to our processing, you have the right to know, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising any of these rights.

We do not sell or share personal information as those terms are defined under the CCPA/CPRA, including for cross-context behavioral advertising. We do not knowingly process the personal information of consumers under 16 for any sale or share.

Categories of personal information collected in the prior 12 months, by CCPA/CPRA category: identifiers, customer records, commercial information (services purchased), internet or other electronic network activity (site usage), geolocation (approximate, from IP), professional or employment-related information (for business contacts), and inferences drawn from the foregoing.

To exercise your CCPA/CPRA rights, email privacy@hoyosbaker.com. We will respond within 45 days, with one 45-day extension where reasonably necessary.

International users

Hoyos Baker is based in the United States and provides services principally to US-based clients. Our servers and the third-party tools we use are located in the United States. If you access our website or contact us from outside the United States, you understand that the information you provide will be transferred to and processed in the United States, which may have data-protection rules different from those in your country.

Children's privacy

Our services are directed at business owners, founders, and professional contacts. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a child under 16 has submitted personal information to us, please contact us at privacy@hoyosbaker.com and we will promptly delete it.

Third-party links and services

Our website may link to third-party websites, products, or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any website or service before sharing personal information with it.

Changes to this policy

We may update this Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make a material change, we will update the "Last updated" date at the top of this page and, where the change is significant, give you a more prominent notice (such as a banner on our site or, where appropriate, a direct email to clients). Your continued use of our website or services after we post a change constitutes your acceptance of the updated Policy.

How to contact us

If you have questions or complaints about this Policy or about our handling of your personal information, please contact us at:

We take complaints seriously and will work in good faith to resolve them. If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the supervisory authority in your jurisdiction.