Privacy Policy
Last updated: 2026-04-29
1. Controller (GDPR Art. 13)
The data controller within the meaning of the GDPR is Next Trace – Proprietor: Hossein Bagherzadegan Talkhouncheh, registered office: Am Maselakepark 24, 13587 Berlin. Contact: [email protected]. Full provider details: Imprint.
2. Data Protection Officer
We have not appointed a Data Protection Officer because the statutory thresholds under § 38(1) BDSG are not met. Privacy enquiries can be directed to [email protected] and are handled by the controller directly.
3. What we process
- Account data (name, email, tenant membership, role).
- Uploaded documents, extracted fields, review comments, audit events.
- Technical data (IP, user agent, logs) for security and debugging.
- Cookie consent records (see Cookie Notice).
4. Legal bases (GDPR Art. 6)
- Art. 6(1)(b) — performance of the TaxioAI service contract.
- Art. 6(1)(c) — statutory retention obligations (HGB, AO).
- Art. 6(1)(f) — legitimate interest (security, abuse detection).
- Art. 6(1)(a) — consent (analytics / marketing cookies).
5. Recipients and processors
We have Art. 28 GDPR data-processing agreements in place with the sub-processors listed below. Where processing involves a transfer outside the EEA, the legal basis (typically EU Standard Contractual Clauses, applied after a transfer impact assessment) is shown alongside the entry — see also section 6.
- DigitalOcean, LLC — Hosting (App Platform, Managed Postgres, Object Storage / Spaces). Processing location: EU (Frankfurt) — corporate seat in the USA. Transfer basis: EU SCCs (intra-group) for US-corporate-affiliate support access.
- Cloudflare, Inc. — CDN, DDoS protection, email obfuscation; processes IP addresses + request metadata. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- PayPal (Europe) S.à r.l. et Cie, S.C.A. — Payment processing for subscription and onboarding; processes payment and billing data. Processing location: EU (Luxembourg).
- ActiveCampaign, LLC (Postmark) — Transactional email delivery (confirmations, invitations, audit notifications). Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- Groq, Inc. — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: USA. Transfer basis: EU SCCs.
- Google Ireland Limited (Gemini API) — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: EU (Ireland) — model processing may occur in the USA. Transfer basis: EU SCCs.
- OpenAI, LLC — AI-assisted document extraction, OCR and classification; processes document images + extracted text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- Anthropic, PBC — AI-assisted classification and rule extraction; processes aggregated document text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- Functional Software, Inc. (Sentry) — Error and performance monitoring; processes IP addresses, request metadata and user identifiers from error reports. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
5a. Data sharing with your tax adviser
When you link a tax adviser (chartered accountant) to your TaxioAI workspace, the adviser gains access to the data needed to provide tax services:
- uploaded documents and their extracted fields,
- filing periods, analyses and draft tax forms,
- company master data (company name, address, tax numbers),
- audit events relating to the shared documents.
Legal basis: GDPR Art. 6(1)(a), explicit consent. The link takes effect only after your active consent: we send you an email with "Approve" and "Decline" buttons. Until consent is given, the adviser has no access.
Withdrawal: You can withdraw your consent at any time under "Profile & Settings → My Advisers", without giving a reason and with immediate effect. Documents already viewed by the adviser will no longer be accessible to them after withdrawal; retroactive deletion on the adviser's side is governed solely by their professional obligations.
Contractual relationship with the adviser: the advisory contract exists directly between you and the tax adviser; TaxioAI acts solely as a technical platform.
6. International transfers (Art. 44+)
Where data is transferred outside the EEA, this happens exclusively on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) following a transfer impact assessment. The specific recipients and the corresponding transfer basis for each are disclosed in the sub-processor list in section 5.
7. Retention
Tax-relevant documents: up to 10 years (§ 147 AO). Account master data: up to 30 days post-termination. Audit events: 24 months. Then deletion or pseudonymisation.
8. Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). You may lodge a complaint with a supervisory authority (Art. 77).
9. Contact
Privacy questions: [email protected].