Privacy Policy
Last updated: 2026-04-29
1. Controller (GDPR Art. 13)
The data controller within the meaning of the GDPR is Next Trace – owner: Hossein Bagherzadegan Talkhouncheh, registered office: Am Maselakepark 24, 13587 Berlin. Contact: [email protected]. Full provider details: Imprint.
2. Data Protection Officer
We have not appointed a Data Protection Officer because the statutory thresholds under § 38(1) BDSG are not met. Privacy enquiries can be directed to [email protected] and are handled by the controller directly.
3. What we process
- Account data (name, email, tenant membership, role).
- Uploaded documents, extracted fields, review comments, audit events.
- Technical data (IP, user agent, logs) for security and debugging.
- Cookie consent records (see Cookie Notice).
4. Legal bases (GDPR Art. 6)
- Art. 6(1)(b) — performance of the TaxioAI service contract.
- Art. 6(1)(c) — statutory retention obligations (HGB, AO).
- Art. 6(1)(f) — legitimate interest (security, abuse detection).
- Art. 6(1)(a) — consent (analytics / marketing cookies).
5. Recipients and processors
We have Art. 28 GDPR data-processing agreements in place with the sub-processors listed below. Where processing involves a transfer outside the EEA, the legal basis (typically EU Standard Contractual Clauses, applied after a transfer impact assessment) is shown alongside the entry — see also section 6.
- DigitalOcean, LLC — Hosting (App Platform, Managed Postgres, Object Storage / Spaces). Processing location: EU (Frankfurt) — corporate seat in the USA. Transfer basis: EU SCCs (intra-group) for US-corporate-affiliate support access.
- Cloudflare, Inc. — CDN, DDoS protection, email obfuscation; processes IP addresses + request metadata. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- PayPal (Europe) S.à r.l. et Cie, S.C.A. — Payment processing for subscription and onboarding; processes payment and billing data. Processing location: EU (Luxembourg).
- ActiveCampaign, LLC (Postmark) — Transactional email delivery (confirmations, invitations, audit notifications). Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- Groq, Inc. — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: USA. Transfer basis: EU SCCs.
- Google Ireland Limited (Gemini API) — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: EU (Ireland) — model processing may occur in the USA. Transfer basis: EU SCCs.
- OpenAI, LLC — AI-assisted document extraction, OCR and classification; processes document images + extracted text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- Anthropic, PBC — AI-assisted classification and rule extraction; processes aggregated document text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
- Functional Software, Inc. (Sentry) — Error and performance monitoring; processes IP addresses, request metadata and user identifiers from error reports. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
5a. Data sharing with your tax adviser
When you link a tax adviser to your TaxioAI workspace, the adviser gains access to the data needed to provide tax services:
- uploaded documents and the fields extracted from them,
- reporting periods, analyses and draft tax forms,
- master data of the companies (legal form, address, tax numbers),
- audit events relating to the shared documents.
Legal basis: Art. 6(1)(a) GDPR (explicit consent). The link only becomes active after you give your explicit consent: we send you an email with the buttons "Approve" and "Reject". Until you consent, the adviser has no access.
Withdrawal: You can withdraw your consent at any time via "Profile & Settings → My Advisers", without giving a reason and with immediate effect. Documents the adviser has already viewed are no longer accessible after withdrawal; retroactive deletion on the adviser's side is only possible in accordance with their professional rules.
Engagement with the adviser: the advisory contract exists directly between you and the tax adviser; TaxioAI acts solely as a technical platform.
6. International transfers (Art. 44+)
Where data is transferred outside the EEA, this happens exclusively on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) following a transfer impact assessment. The specific recipients and the corresponding transfer basis for each are disclosed in the sub-processor list in section 5.
7. Retention
Tax-relevant documents: up to 10 years (§ 147 AO). Account master data: up to 30 days post-termination. Audit events: 24 months. Then deletion or pseudonymisation.
8. Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). You may lodge a complaint with a supervisory authority (Art. 77).
9. Contact
Privacy questions: [email protected].