Privacy Policy

Legal copy is currently available in English and German.

Last updated: 2026-04-29

1. Controller (GDPR Art. 13)

The data controller within the meaning of the GDPR is Next Trace (owner: Hossein Bagherzadegan Talkhouncheh), registered office: Am Maselakepark 24, 13587 Berlin. Contact: [email protected]. Full provider details: Imprint.

2. Data Protection Officer

We have not appointed a Data Protection Officer because the statutory thresholds under § 38(1) BDSG are not met. Privacy enquiries can be directed to [email protected] and are handled by the controller directly.

3. What we process

  • Account data (name, email, tenant membership, role).
  • Uploaded documents, extracted fields, review comments, audit events.
  • Technical data (IP, user agent, logs) for security and debugging.
  • Cookie consent records (see Cookie Notice).

4. Legal bases (GDPR Art. 6)

  • Art. 6(1)(b) — performance of the TaxioAI service contract.
  • Art. 6(1)(c) — statutory retention obligations (HGB, AO).
  • Art. 6(1)(f) — legitimate interest (security, abuse detection).
  • Art. 6(1)(a) — consent (analytics / marketing cookies).

5. Recipients and processors

We have Art. 28 GDPR data-processing agreements in place with the sub-processors listed below. Where processing involves a transfer outside the EEA, the legal basis (typically EU Standard Contractual Clauses, applied after a transfer impact assessment) is shown alongside the entry — see also section 6.

  • DigitalOcean, LLC — Hosting (App Platform, Managed Postgres, Object Storage / Spaces). Processing location: EU (Frankfurt) — corporate seat in the USA. Transfer basis: EU SCCs (intra-group) for US-corporate-affiliate support access.
  • Cloudflare, Inc. — CDN, DDoS protection, email obfuscation; processes IP addresses + request metadata. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. — Payment processing for subscription and onboarding; processes payment and billing data. Processing location: EU (Luxembourg).
  • ActiveCampaign, LLC (Postmark) — Transactional email delivery (confirmations, invitations, audit notifications). Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Groq, Inc. — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: USA. Transfer basis: EU SCCs.
  • Google Ireland Limited (Gemini API) — AI-assisted document extraction and classification; processes OCR output + extracted fields. Processing location: EU (Ireland) — model processing may occur in the USA. Transfer basis: EU SCCs.
  • OpenAI, LLC — AI-assisted document extraction, OCR and classification; processes document images + extracted text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Anthropic, PBC — AI-assisted classification and rule extraction; processes aggregated document text. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.
  • Functional Software, Inc. (Sentry) — Error and performance monitoring; processes IP addresses, request metadata and user identifiers from error reports. Processing location: USA. Transfer basis: EU SCCs + EU-US Data Privacy Framework.

5a. Sharing data with your tax advisor

When you link a tax advisor (Steuerberater) to your TaxioAI workspace, the advisor gains access to the data required to provide tax services:

  • uploaded documents and their extracted field values,
  • reporting periods, analytics and tax-form drafts,
  • company master data (legal name, address, tax numbers),
  • audit events relating to the shared documents.

Legal basis: GDPR Art. 6(1)(a) — explicit consent. The link does not take effect until you actively consent: we email you with "Approve" and "Reject" buttons. Until consent is given, the advisor has no access.

Withdrawal: You can revoke consent at any time under "Profile & Settings → My Advisors", without giving reasons, with immediate effect. Documents already viewed by the advisor will no longer be accessible after withdrawal; retroactive deletion at the advisor's side is only possible under § 32f StBerG (German Tax Advisor Act).

Engagement contract: the advisory contract exists directly between you and the tax advisor; TaxioAI acts solely as the technical platform.

6. International transfers (Art. 44+)

Where data is transferred outside the EEA, this happens exclusively on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) following a transfer impact assessment. The specific recipients and the corresponding transfer basis for each are disclosed in the sub-processor list in section 5.

7. Retention

Tax-relevant documents: up to 10 years (§ 147 AO). Account master data: up to 30 days post-termination. Audit events: 24 months. Then deletion or pseudonymisation.

8. Your rights

You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). You may lodge a complaint with a supervisory authority (Art. 77).

9. Contact

Privacy questions: [email protected].
