1. Who We Are
Payroll Genie, Inc. (“Payroll Genie,” “we,” “us,” or “our”) is a Nevada corporation headquartered at 4276 Spring Mountain Road, Suite 200, Las Vegas, NV 89102. We are a Vortex AI company. We operate a cloud-based payroll processing, HR administration, and tax compliance platform that serves employers (“Employer Clients”) and, through our platform, their employees (“Employees”).
Payroll Genie is a Reporting Agent authorized by the Internal Revenue Service and an EFTPS Batch Provider. In these capacities, we handle federal tax data subject to specific legal protections and handling requirements, including IRS Publication 4557 (Safeguarding Taxpayer Data). Payroll Genie is also a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) due to our payroll and ACH payment processing activities.
This Privacy Policy applies to:
- Employer Clients who register and use the Payroll Genie platform
- Employees of Employer Clients whose payroll and tax information is processed through our platform
- Visitors to our website at www.payrollgenie.ai
- Contractors, partners, and other individuals who interact with Payroll Genie
What This Policy Does Not Cover
2. Information We Collect
We collect different categories of information depending on your relationship with Payroll Genie.
2.1 Information Collected from Employer Clients
When an organization registers for and uses the Payroll Genie platform, we collect:
Business and Account Information
- Company legal name, trade name, and business address
- Employer Identification Number (EIN)
- Federal and state payroll tax registration numbers
- Authorized contact names, email addresses, and phone numbers
- Account login credentials (email address; passwords are stored in hashed form only)
- Billing and payment information
Banking and Financial Information
- Business bank account number and routing number (collected via Plaid Instant Account Verification or manual entry)
- Bank account type (checking or savings)
- Account holder name as verified against business records
- Available account balance (checked via Plaid Balance before each payroll debit for NSF prevention)
Tax and Compliance Information
- State employer account numbers and payroll tax rates
- Federal deposit schedule classification
- Prior payroll processor data imported during onboarding (year-to-date payroll records)
- Workers' compensation policy information where applicable
2.2 Information Collected from Employees
When an Employer Client processes payroll through our platform, we receive and store the following information about their employees. This information is provided by the Employer Client or directly by the employee through our self-service portal:
Identity and Contact Information
- Legal full name
- Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN)
- Date of birth
- Home address
- Email address and phone number (for self-service portal access)
Employment and Compensation Information
- Employment start date and, where applicable, end date
- Job title and department
- Compensation type (hourly, salary, commission) and rate
- Regular and overtime hours worked
- Tip income reported to the employer
- Commissions, bonuses, and other supplemental wages
- Year-to-date earnings and tax withholding history
Tax Withholding Information
- Federal W-4 withholding elections (filing status, additional withholding, OBBB tip and overtime deduction elections)
- State withholding form elections (California DE-4 or equivalent)
- Social Security and Medicare tax withholding
- Federal and state income tax withholding amounts
Banking Information (Direct Deposit)
- Bank account number and routing number for direct deposit (collected via Plaid Instant Account Verification or manual entry with micro-deposit verification)
- Account type (checking or savings)
- Account holder name as verified against identity records
Benefits and Deduction Information
- Health insurance premium deductions
- Retirement plan (401k) contribution elections and amounts
- Flexible spending account (FSA) contributions
- Garnishment orders and withholding amounts
- Other voluntary deduction authorizations
2.3 Information Collected Automatically
When you access our platform or website, we automatically collect:
- IP address and approximate geographic location
- Browser type and version
- Device type and operating system
- Pages visited, features used, and time spent on the platform
- Referring URL and exit page
- Session duration and activity logs
- Authentication events (login attempts, MFA verifications, session starts and ends)
This information is collected through server logs, cookies, and similar technologies. See Section 9 (Cookies and Tracking Technologies) for more detail.
2.4 Information We Receive from Third Parties
| Source | Information Received | Purpose |
|---|---|---|
| Plaid Technologies | Bank account and routing numbers, account type, account holder name, available balance | Bank account verification for ACH direct deposit setup (employers and employees); NSF prevention (employer accounts) |
| IRS and State Tax Agencies | Tax identification number confirmations, filing acknowledgments, payment confirmations | Confirming successful tax filings and payments; resolving discrepancies |
| Prior Payroll Processors | Year-to-date payroll records for migrating clients | Ensuring accurate tax calculations and W-2 preparation for mid-year onboarding |
| Identity Verification Services | Name and address confirmation (where applicable) | KYC verification for Employer Client onboarding |
3. How We Use Your Information
We use the information we collect only for defined, documented purposes. We do not sell personal information. We do not use payroll or tax data for advertising or marketing purposes.
| Purpose | Legal Basis | Details |
|---|---|---|
| Payroll processing | Contract; Legal obligation | Calculating gross-to-net pay, applying deductions, generating pay stubs, initiating direct deposit ACH transactions through Super Processor, Inc. |
| Federal tax compliance | Legal obligation | Calculating and remitting federal payroll taxes via EFTPS; filing Form 941 (quarterly), Form 940 (annual FUTA), and W-2s; applying OBBB tip and overtime deductions; calculating FICA Tip Credits (Form 8846) |
| State tax compliance | Legal obligation | Calculating and remitting state income tax withholding and SUI; filing state quarterly returns; submitting new hire reports to state agencies |
| Bank account verification | Contract; Legitimate interest | Using Plaid to verify employer and employee bank account credentials before initiating ACH transactions; checking employer account balances to prevent NSF |
| ACH payment processing | Contract | Transmitting payroll disbursement instructions to Super Processor, Inc. for ACH origination; processing tax payment ACH debits |
| Identity verification | Legal obligation; Contract | Verifying employer and employee identities to satisfy KYC obligations, prevent fraud, and ensure tax filings are attributed to the correct taxpayer |
| Platform operation and support | Contract | Maintaining accounts, providing customer support, troubleshooting, and communicating about service issues or changes |
| Security and fraud prevention | Legitimate interest; Legal obligation | Detecting and preventing unauthorized access, fraud, and security threats; maintaining audit logs; conducting security monitoring |
| Legal compliance | Legal obligation | Responding to lawful requests from government agencies (IRS, state tax authorities, law enforcement); satisfying record retention requirements; exercising legal rights |
| Service improvement | Legitimate interest | Analyzing aggregated, de-identified usage patterns to improve platform features and performance. Individual payroll or tax data is not used for this purpose. |
| Communications | Contract; Legitimate interest | Sending transactional emails (payroll confirmations, tax filing confirmations, security alerts). Marketing communications are sent only with consent and subject to opt-out. |
4. How We Share Your Information
We do not sell your personal information to third parties. We do not share your personal information with advertisers or data brokers. We share information only in the following circumstances:
4.1 Service Providers
We share information with third-party service providers who help us deliver our platform and services. These providers are contractually required to use information only for the specific purpose for which it is shared and to implement security standards consistent with this policy.
| Provider | Information Shared | Purpose |
|---|---|---|
| Plaid Technologies, Inc. | Employer/employee name and bank account connection (via Plaid Link OAuth flow) | Instant bank account verification for ACH direct deposit enrollment; balance checking for NSF prevention. Plaid's privacy policy governs Plaid's own use of information. |
| Super Processor, Inc. | Employer ACH account credentials, employee direct deposit routing and account numbers, payroll disbursement amounts | ACH origination for payroll direct deposit and tax payment processing. Super Processor is a related entity (both subsidiaries of Vortex AI, Inc.). |
| Cloud Infrastructure Provider (AWS) | All platform data (encrypted at rest) | Hosting, storage, and computing infrastructure for the Payroll Genie platform. Data is stored exclusively in U.S.-based AWS regions. |
| Email Service Provider | Employer and employee email addresses; transactional email content | Delivering payroll confirmations, tax filing notices, security alerts, and account communications. |
4.2 Government Agencies and Tax Authorities
We share tax and payroll information with government agencies as required by law and as authorized by Employer Clients through Form 8655 (IRS Reporting Agent Authorization) and equivalent state authorizations:
- Internal Revenue Service (IRS): Form 941, Form 940, W-2, Form 8846, EFTPS tax payments, and other required filings
- Social Security Administration (SSA): Annual W-2/W-3 filings via Business Services Online
- State tax agencies: State withholding returns, SUI filings, new hire reports, and state tax payments for all states where Employer Clients have employees
- State labor departments: New hire reports as required by state law
4.3 Employer Clients
Employee information is shared with the employing Employer Client as necessary for payroll administration. Employer Clients have access to payroll records, tax filings, and employee information for their own employees only. Employer Clients do not have access to information about employees of other Employer Clients.
4.4 Legal Requirements and Protection of Rights
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, or legal process (including lawful subpoenas, court orders, or government requests)
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of Payroll Genie, our clients, employees, or the public
- Detect, prevent, or address fraud, security vulnerabilities, or technical issues
We will notify affected Employer Clients of legal process seeking disclosure of their employees' information to the extent permitted by law.
4.5 Business Transfers
If Payroll Genie is involved in a merger, acquisition, asset sale, or similar transaction, personal information may be transferred as part of that transaction. We will notify affected users via email or prominent notice on our platform before personal information becomes subject to a materially different privacy policy.
4.6 With Your Consent
We may share information for additional purposes with your explicit consent. You may withdraw consent at any time; withdrawal will not affect the lawfulness of prior processing.
5. Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this policy, comply with applicable legal obligations, and resolve disputes. Payroll and tax records are subject to IRS and state record retention requirements that mandate minimum retention periods.
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| W-2, Form 941, Form 940, and tax filings | 7 years from filing date | IRS record retention requirement; statute of limitations for tax assessment |
| Payroll run records and calculation audit trails | 7 years | IRS and state tax requirements; legal dispute resolution |
| Employee SSN and EIN | Duration of employment + 7 years | Required for W-2 correction (W-2c) and IRS correspondence; after 7 years, crypto-shredded |
| Employee bank account credentials (direct deposit) | Duration of employment + 90 days | To process final payments and resolve any outstanding ACH issues; then crypto-shredded |
| Employer bank account credentials | Duration of client relationship + 90 days | ACH debit authorization continuity; then crypto-shredded |
| Plaid access tokens | Duration of active bank connection | Revoked via Plaid /item/remove API on account closure or 30 days after last use |
| W-4 and withholding elections | Duration of employment + 4 years | IRS requirement; potential audit support |
| Garnishment records | Duration of order + 7 years | Legal compliance; potential audit support |
| Security and audit logs | 7 years | SOC 2 compliance; legal and regulatory requirements; forensic investigation support |
| Account information (employer contacts) | Duration of relationship + 3 years | Business records; legal dispute resolution |
| Website visitor data (cookies, logs) | 90 days | Security monitoring; analytics; then anonymized or deleted |
Upon expiry of the applicable retention period, personal information is securely deleted or anonymized. For encrypted fields containing CR1 data (SSN, account numbers), we use crypto-shredding: the encryption key is destroyed, rendering the encrypted data permanently inaccessible.
6. How We Protect Your Information
Payroll Genie implements technical, organizational, and administrative security measures designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction.
6.1 Technical Safeguards
| Safeguard | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption for all sensitive data. Field-level encryption (AES-256-GCM) for Social Security Numbers, EINs, and bank account credentials, using AWS Key Management Service with dedicated per-data-class keys. |
| Encryption in transit | TLS 1.3 for all data transmission. Plain HTTP connections are rejected. Certificate pinning on mobile applications. |
| Access controls | Role-based access control with least-privilege principles. Multi-factor authentication mandatory for all accounts. Just-in-Time privileged access for production systems. |
| Data masking | SSNs are displayed as ***-**-XXXX. Account numbers show last 4 digits only. Full values are never displayed in the user interface or stored in logs. |
| Network security | Cloud infrastructure with network segmentation, Web Application Firewall, and DDoS protection. Production databases are not directly accessible from the internet. |
| Vulnerability management | Regular security scanning, annual third-party penetration testing, and dependency vulnerability monitoring. |
6.2 Organizational Safeguards
- Annual security awareness training for all employees and contractors
- Background checks for all personnel with access to sensitive payroll data
- Documented access provisioning and deprovisioning procedures
- Quarterly access reviews and recertification
- Documented incident response procedures with defined notification timelines
- SOC 2 Type II audit program underway
Security Incident Notification
7. Your Privacy Rights
Depending on your location and relationship with Payroll Genie, you may have the following rights with respect to your personal information.
7.1 Rights Available to All Users
| Right | Description |
|---|---|
| Access | You may request a copy of the personal information we hold about you. We will provide this in a structured, commonly used format within 30 days of a verified request. |
| Correction | You may request correction of inaccurate personal information. Employees seeking to update payroll information (name, address, W-4 elections) may do so through the employee self-service portal or by contacting their employer. |
| Data Portability | You may request your personal information in a machine-readable format (JSON or CSV) to transfer to another service provider. |
| Deletion | You may request deletion of your personal information, subject to our legal obligations to retain records. Payroll and tax records required by law cannot be deleted before the end of the mandatory retention period. |
| Objection / Restriction | You may object to or request restriction of certain processing activities. Processing required by law or for contract performance cannot be restricted. |
| Withdraw Consent | Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
7.2 California Residents — California Consumer Privacy Act (CCPA) / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information. This section describes your CCPA/CPRA rights and how to exercise them.
Categories of Personal Information Collected (CCPA)
In the preceding 12 months, Payroll Genie has collected the following categories of personal information as defined by the CCPA:
| CCPA Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, SSN, EIN, email, IP address | Yes — for payroll and account management |
| Personal information (Cal. Civ. Code §1798.80) | Name, SSN, bank account number, employment information | Yes — for payroll processing |
| Protected classification characteristics | Age (date of birth for W-4 purposes) | Limited — date of birth for tax compliance only |
| Commercial information | N/A | No |
| Biometric information | N/A | No |
| Internet / network activity | IP address, browser type, usage logs | Yes — for security and platform operation |
| Geolocation data | Approximate location from IP address | Limited — not precise GPS location |
| Sensory / audio data | N/A | No |
| Professional / employment information | Job title, compensation, hours worked | Yes — for payroll processing |
| Education information | N/A | No |
| Inferences | N/A | No — we do not create consumer profiles |
| Sensitive personal information | SSN, bank account numbers, tax information | Yes — required for payroll and tax compliance |
Your CCPA/CPRA Rights
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected, subject to exceptions (including legal retention obligations for payroll and tax records).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell personal information and do not share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (SSN, bank account numbers) only for the purposes of payroll processing and tax compliance as described in this policy. We do not use sensitive personal information for inferring characteristics or for advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise your CCPA/CPRA rights, contact us at privacy@payrollgenie.ai or (725) 255-3685. We will respond to verified requests within 45 days, with a possible 45-day extension upon notice. We will verify your identity before processing requests involving sensitive personal information.
7.3 Nevada Residents — Nevada Revised Statutes § 603A
Nevada residents have the right to direct us not to sell their covered information. As stated throughout this policy, Payroll Genie does not sell personal information. Nevada residents may submit a request to opt out of any future sale of their information by contacting privacy@payrollgenie.ai.
7.4 Employee Rights Note
Information for Employees
8. Financial Privacy Notice (GLBA)
Payroll Genie is a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule due to our payroll and ACH processing activities. This section constitutes our GLBA privacy notice.
8.1 What We Collect
We collect nonpublic personal financial information (“NPFI”) about employers and employees as described in Section 2 of this policy. This includes Social Security Numbers, bank account information, and wage and tax data.
8.2 What We Disclose
We may disclose NPFI to the following categories of companies and individuals:
- Service providers that perform payroll processing, ACH origination, and tax filing services on our behalf, including Plaid Technologies and Super Processor, Inc., under contracts requiring confidentiality
- Government agencies as required by law (IRS, SSA, state tax agencies)
- Other parties as required by law or with your authorization
We do not disclose NPFI to unaffiliated third parties for their own marketing purposes.
8.3 Safeguards
We maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer NPFI. This program includes administrative, technical, and physical safeguards as described in Section 6 of this policy and in our Information Security Policy and Procedures document.
9. Cookies and Tracking Technologies
9.1 What We Use
| Cookie Type | Duration | Purpose |
|---|---|---|
| Strictly Necessary | Session | Required for platform operation: authentication session tokens, CSRF protection tokens, MFA verification state. Cannot be disabled without breaking core platform functionality. |
| Functional | 30 days | Remember user preferences: language, time zone, dashboard layout. Disabling reduces platform convenience but does not affect core functionality. |
| Analytics | 90 days | Understand how users interact with the platform using aggregated, anonymized data. We use first-party analytics only; no third-party tracking pixels. |
| Security | Session | Track authentication events and device fingerprints for fraud detection and account security. Required for MFA and suspicious activity detection. |
9.2 Managing Cookies
Strictly necessary and security cookies cannot be disabled without preventing core platform functions. All other cookies may be managed through your browser settings or our cookie preference center. Disabling analytics cookies does not affect your access to Payroll Genie services.
Payroll Genie does not use third-party advertising cookies, does not participate in cross-site behavioral tracking, and does not sell data derived from cookies.
10. Children's Privacy
Payroll Genie's platform is designed for use by businesses and working adults. We do not knowingly collect personal information from children under the age of 13. Our platform is not directed at children under 13.
If you are an Employer Client and have employees who are minors lawfully employed (e.g., under 18 but above 14 in compliance with applicable child labor laws), their payroll information may be processed through our platform as part of your payroll operations. This information is handled with the same protections as adult employee data.
If we become aware that we have inadvertently collected personal information from a child under 13 outside of an employment context, we will delete that information promptly. Contact privacy@payrollgenie.ai to report such a concern.
11. Third-Party Links and Integrations
Our platform may contain links to third-party websites, and we may offer integrations with third-party services (such as HR information systems or time-tracking software). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.
Our primary third-party integrations:
- Plaid Technologies: Used for bank account verification. Plaid's privacy policy is available at plaid.com/legal/privacy-policy.
- Super Processor, Inc.: A related entity (Vortex AI Company) that handles ACH origination. Governed by the Payroll Genie–Super Processor service agreement.
- Amazon Web Services: Cloud infrastructure provider. AWS's privacy practices are governed by the AWS Customer Agreement.
12. Interstate Data Transfer
Payroll Genie is headquartered in Nevada and operates infrastructure exclusively within the United States. All personal information is stored and processed in the United States. If you are located outside the United States, please be aware that your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
Payroll Genie does not currently offer services to employers outside the United States and does not process personal information of individuals residing outside the United States in its payroll platform. Our website is accessible internationally; website visitor data is processed in the United States.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated policy on our website at www.payrollgenie.ai/privacy with the new effective date
- Send an email notification to Employer Client account administrators
- Display a prominent notice within the Payroll Genie platform for 30 days following the change
We will not make retroactive changes that materially reduce your privacy protections without your consent. Your continued use of the Payroll Genie platform following notice of material changes constitutes your acceptance of the updated policy.
Non-material changes (such as clarifications, formatting corrections, or updates to contact information) may be made without specific notice beyond updating the effective date.
14. How to Contact Us
For privacy-related inquiries, requests to exercise your rights, security concerns, or questions about this policy:
Privacy Inquiries
Payroll Genie, Inc.
Attn: Privacy Officer
4276 Spring Mountain Road, Suite 200
Las Vegas, NV 89102
Security Incidents
For suspected security incidents or data breaches:
Report immediately — do not wait for confirmation. We will acknowledge receipt within 4 hours and initiate our incident response procedure.
We will respond to all privacy rights requests within 30 days of receipt. For complex requests, we may extend this by an additional 30 days with advance notice. We may need to verify your identity before processing requests involving sensitive personal information.