TaxioAI
Privacy Policy

Legal copy is currently available in English and German.

Last updated: 2026-04-29

1. Controller (GDPR Art. 13)

The data controller within the meaning of the GDPR is Next Trace – Owner: Hossein Bagherzadegan Talkhouncheh, registered office: Am Maselakepark 24, 13587 Berlin. Contact: [email protected]. Full provider details: Imprint.

2. Data Protection Officer

We have not appointed a Data Protection Officer because the statutory thresholds under § 38(1) BDSG are not met. Privacy enquiries can be directed to [email protected] and are handled by the controller directly.

3. What we process

  • Account data (name, email, tenant membership, role).
  • Uploaded documents, extracted fields, review comments, audit events.
  • Technical data (IP, user agent, logs) for security and debugging.
  • Cookie consent records (see Cookie Notice).

4. Legal bases (GDPR Art. 6)

  • Art. 6(1)(b) — performance of the TaxioAI service contract.
  • Art. 6(1)(c) — statutory retention obligations (HGB, AO).
  • Art. 6(1)(f) — legitimate interest (security, abuse detection).
  • Art. 6(1)(a) — consent (analytics / marketing cookies).

5. Recipients and processors

We have Art. 28 GDPR data-processing agreements in place with the sub-processors listed below. Where processing involves a transfer outside the EEA, the legal basis (typically EU Standard Contractual Clauses, applied after a transfer impact assessment) is shown alongside the entry — see also section 6.

  • DigitalOcean, LLC — Hosting (App Platform, Managed Postgres, Object Storage / Spaces). Processing location: EU (Frankfurt); corporate seat in the USA. Transfer basis: EU SCCs (intra-group) for US-corporate-affiliate support access.
  • Cloudflare, Inc. — CDN, DDoS protection, email obfuscation; processes IP addresses + request metadata. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. — Payment processing for subscription and onboarding; processes payment and billing data. Processing location: EU (Luxembourg).
  • ActiveCampaign, LLC (Postmark) — Transactional email delivery (confirmations, invitations, audit notifications). Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Groq, Inc. — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: USA. Transfer basis: EU SCCs.
  • Google Ireland Limited (Gemini API) — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: EU (Ireland); model processing may occur in the USA. Transfer basis: EU SCCs.
  • OpenAI, LLC — AI-assisted document extraction, OCR and classification; processes document images + extracted text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Anthropic, PBC — AI-assisted classification and rule extraction; processes aggregated document text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Functional Software, Inc. (Sentry) — Error and performance monitoring; processes IP addresses, request metadata and user identifiers from error reports. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.

5a. Sharing data with your tax advisor

When you connect a tax advisor (accountant) to your TaxioAI workspace, the advisor gains access to the data needed to provide tax services:

  • uploaded documents and their extracted field values,
  • filing periods, analyses and draft tax forms,
  • company master data (company name, address, tax identification numbers),
  • audit events relating to the shared documents.

Legal basis: GDPR Art. 6(1)(a), explicit consent. The connection takes effect only after your active consent: we send you an email with "Approve" and "Reject" buttons. Until you consent, the advisor has no access.

Withdrawal: You can withdraw your consent at any time under "Profile & Settings → My Advisors", without giving reasons and with immediate effect. Documents the advisor has already viewed will no longer be accessible after withdrawal; retroactive deletion on the advisor's side is governed by the advisor's professional obligations.

Contractual relationship with the advisor: the advisory contract exists directly between you and the tax advisor; TaxioAI acts exclusively as a technical platform.

6. International transfers (Art. 44+)

Where data is transferred outside the EEA, this happens exclusively on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) following a transfer impact assessment. The specific recipients and the corresponding transfer basis for each are disclosed in the sub-processor list in section 5.

7. Retention

Tax-relevant documents: up to 10 years (§ 147 AO). Account master data: up to 30 days post-termination. Audit events: 24 months. Then deletion or pseudonymisation.

8. Your rights

You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). You may lodge a complaint with a supervisory authority (Art. 77).

9. Contact

Privacy questions: [email protected].
