
Privacy Policy

Legal copy is currently available in English and German.

Last updated: 2026-04-29

1. Controller (GDPR Art. 13)

The data controller within the meaning of the GDPR is Next Trace – Owner: Hossein Bagherzadegan Talkhouncheh, registered office: Am Maselakepark 24, 13587 Berlin. Contact: [email protected]. Full provider details: Imprint.

2. Data Protection Officer

We have not appointed a Data Protection Officer because the statutory thresholds under § 38(1) BDSG are not met. Privacy enquiries can be directed to [email protected] and are handled by the controller directly.

3. What we process

  • Account data (name, email, tenant membership, role).
  • Uploaded documents, extracted fields, review comments, audit events.
  • Technical data (IP, user agent, logs) for security and debugging.
  • Cookie consent records (see Cookie Notice).

4. Legal bases (GDPR Art. 6)

  • Art. 6(1)(b) — performance of the TaxioAI service contract.
  • Art. 6(1)(c) — statutory retention obligations (HGB, AO).
  • Art. 6(1)(f) — legitimate interest (security, abuse detection).
  • Art. 6(1)(a) — consent (analytics / marketing cookies).

5. Recipients and processors

We have Art. 28 GDPR data-processing agreements in place with the sub-processors listed below. Where processing involves a transfer outside the EEA, the legal basis (typically EU Standard Contractual Clauses, applied after a transfer impact assessment) is shown alongside the entry — see also section 6.

  • DigitalOcean, LLC — Hosting (App Platform, Managed Postgres, Object Storage / Spaces). Processing location: EU (Frankfurt); corporate seat in the USA. Transfer basis: EU SCCs (intra-group) for US-corporate-affiliate support access.
  • Cloudflare, Inc. — CDN, DDoS protection, email obfuscation; processes IP addresses + request metadata. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. — Payment processing for subscription and onboarding; processes payment and billing data. Processing location: EU (Luxembourg).
  • ActiveCampaign, LLC (Postmark) — Transactional email delivery (confirmations, invitations, audit notifications). Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Groq, Inc. — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: USA. Transfer basis: EU SCCs.
  • Google Ireland Limited (Gemini API) — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: EU (Ireland); model processing may occur in the USA. Transfer basis: EU SCCs.
  • OpenAI, LLC — AI-assisted document extraction, OCR and classification; processes document images + extracted text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Anthropic, PBC — AI-assisted classification and rule extraction; processes aggregated document text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Functional Software, Inc. (Sentry) — Error and performance monitoring; processes IP addresses, request metadata and user identifiers from error reports. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.

5a. Sharing data with your tax advisor

When you link a tax advisor (gestor) to your TaxioAI workspace, the advisor gains access to the data needed to provide tax services:

  • uploaded documents and their extracted fields,
  • filing periods, analyses and draft tax forms,
  • company master data (legal name, registered address, tax numbers),
  • audit events relating to the shared documents.

Legal basis: GDPR Art. 6(1)(a), explicit consent. The link does not take effect until you actively consent: we send you an email with "Approve" and "Reject" buttons. Until then, the advisor has no access.

Withdrawal: You can withdraw consent at any time under "Profile & Settings → My Advisors", without giving a reason and with immediate effect. Documents the advisor has already viewed will no longer be accessible after withdrawal; retroactive deletion on the advisor's side depends on the advisor's professional obligations.

Contractual relationship with the advisor: the advisory contract exists directly between you and the tax advisor; TaxioAI acts exclusively as a technical platform.

6. International transfers (Art. 44+)

Where data is transferred outside the EEA, this happens exclusively on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) following a transfer impact assessment. The specific recipients and the corresponding transfer basis for each are disclosed in the sub-processor list in section 5.

7. Retention

Tax-relevant documents: up to 10 years (§ 147 AO). Account master data: up to 30 days post-termination. Audit events: 24 months. Then deletion or pseudonymisation.

8. Your rights

You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). You may lodge a complaint with a supervisory authority (Art. 77).

9. Contact

Privacy questions: [email protected].
