Taxfix Privacy Policy

Last updated: June 2026

Taxfix SE (“Taxfix”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. As part of our mission to simplify the tax filing system for our users (“you” or “your”), it’s important to us that you feel comfortable and trust us with your personal data when you use our services (collectively, the “Services”). Please take a few minutes to read this privacy policy (this “Privacy Policy”) and our Cookie Policy, which applies to your use of our website www.taxfix.de and the Services accessible through our website and our mobile based apps (collectively, "Apps" and each, an "App"), so that you understand what kind of information we collect about you, how we use that information and why. This Privacy Policy also explains what kind of rights you have regarding our processing of your data.

A. Contact

As the provider of the Taxfix Services, we are responsible for the processing of your personal data, as defined in the EU General Data Protection Regulation (“GDPR”). Our contact details are as follows:

Taxfix SE

Köpenicker Str. 122

10179 Berlin

[email protected]

You can reach our data protection team at the e-mail address above. In addition, we have appointed a Data Protection Officer (“DPO”) who acts on behalf of Taxfix in supporting our compliance efforts in relation to the processing of personal data. Our DPO is Carlo Piltz, PL Services GmbH, Südwestkorso 3, 12161 Berlin. He can be reached at the above email address (Attn: DPO).


B. Third Party Links

Our website may, from time to time, contain links to or from partner websites or other third-party sites. These sites and any services that may be accessible through them have their own privacy policies. As we are not responsible for the privacy practices of these sites, we recommend that you review their privacy policies before submitting personal data to them.


C. General Purposes and Legal Bases

When we use the term “personal data”, we are referring to any information that can be used, directly or indirectly, to identify you personally. We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) if at least one of the following applies:

  1. Performance of Contractual or Pre-Contractual Measures. The data processing is needed for the performance of a contract to which you are party or in order to take the steps requested by you prior to entering into a contract (Art. 6 (1) lit. b GDPR). Data processing that falls under this category is done when requested by you and can include performing transactions, customer support, requirement analysis and processing your tax-related data needed for your tax declaration in order to fulfill our Service Agreement with you.
  2. Consent. Where you have agreed to the processing of your personal data for one or more specific purposes, such data processing by us is permitted on the legal basis of your consent (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR). Your consent is revocable at any time. Where you revoke your consent, we will not process your personal data on the basis of your consent following your revocation.
  3. Legitimate Interests. The data processing is needed for the purposes of the legitimate interests pursued by us, Taxfix, the controller, or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Art. 6 (1) lit. f GDPR). Data processing that falls under this category can include marketing or market and opinion analysis, ensuring IT security, assessment and optimization of processes, analyzing and improving our products and services, enhancing your user experience, enforcement of claims or defenses in legal proceedings and developing our Services and App.
  4. Legal Compliance. The data processing is necessary for compliance with a legal obligation to which we are subject (Art. 6 (1) lit. c GDPR). We are subject to several legal obligations that necessitate certain data processing activities. This includes verification of your identity, prevention of fraud and upholding our control and reporting obligations. 
  5. Processing on Behalf of Taxfix. In several instances, we engage service providers and processors to process personal data on our behalf under Art. 28 GDPR. The data processing that falls under this category is carried out pursuant to a separate agreement with the respective processor. We ensure that this agreement contains sufficient protection and guarantees for the protection of your personal data and your rights with respect to that data, in each case in compliance with the GDPR.

D. Requested Authorizations When Using the App

For some functions, the App requires access to certain services and data on your mobile device, which you will be asked to authorize. This section explains which access authorizations are required to use the App on iOS and Android devices and why.

  1. iOS.
    • Notifications / Push Messages. By choosing “Allow” when asked whether the App can send push notifications to your device, you are authorizing the App to notify you of certain events such as deadlines for filing your tax return or other tax-relevant topics by means of push notification even when you are not using the App. The App may push notifications with a tone, message (e.g. in the form of a screen banner) or symbol identifier (a picture or number on the App icon). You’ll be asked to authorize push notification the first time you call up the App and register or log in. You can adjust or customize your permission settings for push messages under “Settings” > “Messages” and selecting the Taxfix App on your device. The legal basis for this is Art. 6(1) lit. a GDPR, consent.
    • Camera and Photo Access. By choosing “Allow” when asked whether the App can access your photos, you are allowing the App to access your mobile device’s photo library in order to upload a photo of your identification document or income. In order to take a photo of your identification document or payslip directly in the App via your mobile device camera, you’ll need to grant additional access to your camera, which you can do under “Settings” > “Privacy” > “Camera” on your device. Your grant of access rights to your camera and photos is exclusively for purposes of verifying your identification card. As such, only the photo(s) you select or take with your camera will be processed and there will be no authorized use of the photo and the camera function. You can revoke your access permissions at any time by adjusting your mobile device settings.
  2. Android.
    • Push Messages. When installing the App, you will be asked to grant permission to receive push messages from the App when you are not using it. You can prevent the App from displaying push messages by navigating to “Settings” > “Apps” (or “Application Manager”) on your device. There you will find an overview of all applications installed on your device. Select the Taxfix App and under "Permissions" you can switch on or off the push notification function. The legal basis for this is Art. 6(1) lit. a GDPR, consent.
    • Access to all Networks. During installation, access to all networks is requested in order to enable the App to transfer data via Internet connection of your end mobile device (WiFi or data connection). This authorization is needed to transfer your entries to our servers, for example, as part of the registration process.
    • Camera Access. This authorization is requested in order for you to photograph your income tax statement and identification in the App and in this way record your tax-relevant information quickly and seamlessly. The App will only have access to your camera if you select this function in the App.
    • Save Records to Memory or SD Cards. This authorization is required to enable the App to store or retrieve the data for its tax return in the memory or, if necessary, in an additional memory used by your terminal device. The app only reads the data that was stored in connection with the use of the Taxfix services.

E. Personal Data We Collect and How We Process It

We process your personal data in order to provide you with our best Services. We collect your personal data either through your voluntary input or automatically when you use our App or visit our website (including through the use of tracking technologies, as discussed in our Cookie Policy). This section discusses the specific categories of personal data that we process.

  1. Device and Technical Data. Certain technical data is automatically collected and transmitted to us by your browser when you access our website. Such information includes data about your internet browser, operating system, IP address, time of the page request, referrer URL, device information, session information, size of the requested file and any status or error codes. The information is logged in server log files, which we process in order to ensure the functionality of our website, gather statistical information about the use and development of our website, for general data security and error analysis purposes and for marketing purposes and general product improvement. With respect to ensuring the functionality of our website, the basis for our data processing is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measure). With respect to monitoring for data security and error analysis, the basis for our processing is Art. 6 (1) lit. f GDPR (our legitimate interests to ensure the stability and security of the website and app). With regard to marketing purposes and general product improvement, the basis of our processing is Art. 6 para. 1 lit. f GDPR (our legitimate interest to attract more customers and improve sales and products).
  2. App Store Installation Data. You can download and install the App on your mobile device from either Google Play or the App Store. In order to do this, you must first register for a user account with the provider of the app store and conclude a user agreement with that provider. In the process of downloading and installing the App, certain information about you and your access device gets transmitted to the app store provider – username, e-mail address, customer number, time of download and device ID. We do not have any control over this data collection and we do not store it, but we do process it insofar as is necessary to install the App on your device. Our legal basis for processing this data is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measures). 
  3. Registration Data. During the registration process, we ask you for your e-mail address (which we verify with you), your name, assign you a Taxfix user ID, process the time of your registration and your IP address, and obtain your consent to our Terms and Conditions. The basis for our processing of your registration data as described in this section is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measures). Your registration data will be stored as long as your user account remains active at Taxfix. Please note that we use technical services (e.g. servers) provided by Google. We pay careful attention to the highest technical security standards and all data is stored in Europe. For technical reasons, however, it may happen that the infrastructure is maintained or partly provided from the USA. As we process sensitive data, we strive for maximum transparency in this respect as well.
  4. Pre-Fill Data. We offer the option to populate your tax return with certain pre-fill information that is electronically reported to tax authorities (namely by your employer and the relevant social security office) and stored with them. Upon receiving your request via the App to pull your pre-fill information, we ask the tax authorities to dispatch a letter to you containing a confirmation code, which you then input into the App. Once you have entered your confirmation code in the App, we securely retrieve via ELSTER your pre-fill information which is encrypted via in-transit encryption (SSL). You can find more information about ELSTER’s security and encryption methods here.
    Alternatively, you can arrange for the pre-fill data to be retrieved digitally. We offer this service in cooperation with an external professional (the "Firm"). To use this service, you explicitly authorise the Firm via the Taxfix mobile or web app to retrieve the pre-fill data on your person held by the tax authority responsible for you. The Firm will then forward this pre-fill data to Taxfix for further use in preparing your tax return. 
    For this part of the service, please also note the Firm’s General Terms and Conditions, which you can view here.
    Once we have received your pre-fill data, we store it in your Taxfix account on our servers so that we can enter this data directly into your tax return for you. The legal basis for processing your pre-fill data as described in this section is therefore Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and our legal basis for processing sensitive personal data that may be included in your pre-filled information (e.g. on religious beliefs) is Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). Taking into account the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your pre-fill data in fully encrypted form in our database in Europe for a period of ten years after transmission to the tax authorities.
  5. Tax Data. Following registration, you will be asked a series of questions through our App designed to capture the tax-relevant information needed to fill out your tax declaration digitally. These questions ask you for information about your name, employment status, address, religious affiliation, occupation, employer, income statements, secondary residence, competent tax office, tax identification number, training and education, business expenses, professional associations, income from capital asset and other income, insurance, medical expenses, survivorship, disability, parents, children or other dependents, donations, church tax, household expenses, alimony and tax loss carryforwards. As already mentioned, such tax-relevant information may include “sensitive personal data” such as data related to your health, religious affiliation or trade union membership, for which we need your consent to process in order to provide the Services, as this information is required to calculate your tax return amount. We will obtain your consent separately. You can revoke your consent at any given time with effect for the future, but in the event of such revocation you will no longer be able to use all services. Your tax data is also stored in order to further streamline and simplify your declaration for next year. Our legal basis for processing your tax data as described in this section is thus Art. 6 (1) lit. b GDPR (i.e. performance of a contract), and our legal basis for processing any sensitive personal data is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). Taking into consideration the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your tax data fully encrypted in our database located in Europe for a period of ten years following transmission to the tax authority. After that the data is anonymized completely. 
  6. Joint Assessment. If you commission a joint assessment, we also process the data you provide relating to your spouse or your registered civil partner (the “jointly assessed person”), in particular their master data and tax data, including any sensitive data. You confirm to us that you are authorised to share this data and to make the required declarations in the name of the jointly assessed person. The sections on tax data, recipients, retention periods and security apply accordingly to the data of the jointly assessed person; where a Partner Firm is involved, the engagement agreement is also concluded with the jointly assessed person (see the section “Tax Advisory Services via Partner Firms”). The jointly assessed person may exercise their rights under the section “Your Rights Under the GDPR” against us themselves at any time. Legal bases: Art. 6 (1) lit. b GDPR and – for sensitive data – the consent obtained via you (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR).
  7. Document Manager. Where your tariff provides for it, you can upload, store and organise documents (e.g. receipts, certificates, contracts) in your account throughout the year – including independently of a specific tax return. We process these documents and the data they contain in order to provide you with the storage and organisation function and, where you arrange this, to transfer content into your tax return. The legal basis is Art. 6 (1) lit. b GDPR (performance of the contract); insofar as documents contain sensitive data (e.g. health data in medical-expense receipts), your consent (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR). Your documents are stored encrypted in data centres within the EU and remain available for the duration of your contract as well as the subsequent export and inactivity phase (see the section “Storage and Deletion after Contract End”).
  8. Transaction and Payment Data. For one-time purchase services and subscriptions, the price shown at the time the contract is concluded applies. Payment is currently made exclusively by SEPA core direct debit; for this purpose you grant us a SEPA direct debit mandate upon conclusion of the contract. For this we process your name, your IBAN and the mandate reference, as well as data on the due date and payment status. Please note: if you provide your IBAN during the ordering process, we use it both for the disbursement of your tax refund by the tax office and for collecting the remuneration by direct debit. In a subscription, depending on the tariff, we collect the remuneration at the beginning or at the end of the respective billing cycle; in the case of deferred payment, up to one year may pass between conclusion of the contract and collection – we store your mandate and your payment data for this period and beyond within the scope of the statutory retention obligations (§ 257 HGB, § 147 AO). Legal bases: Art. 6 (1) lit. b GDPR (performance of the contract) and Art. 6 (1) lit. c GDPR (statutory retention obligations). The collection of the remuneration by direct debit is handled via our external payment service providers
  • Abillify Collect GmbH, Dr.-Leo-Ritter-Straße 2, 93049 Regensburg, Germany (“Abillify”),
  • Chargebee Inc., 909 Rose Avenue, Suite 950, North Bethesda, MD 20852, USA (“Chargebee”) or
  • Adyen N.V., Simon Carmiggeltstraat 6, 1011 DJ, Amsterdam, Netherlands (“Adyen”).
    Abillify, Chargebee or Adyen receive your name and bank details in order to process the payment and notify us once the payment has been received. We process your transaction data (i.e. when you paid, when the payment was processed and the amount of the payment) for ten years for evidentiary purposes in combination with your registration data. The legal basis for processing your transaction data is Art. 6 (1) lit. b GDPR (performance of a contract) and Art. 6 (1) lit. c GDPR (compliance with our legal obligation (§ 257 HGB, § 147 AO, § 169 AO)), as we are required under applicable law to retain relevant financial and accounting records. Please note that we also use Abillify, Chargebee or Adyen for refunds and invoicing as well as for carrying out relevant security and fraud-prevention measures. Further information on the data processing can be found in the respective privacy notices at https://abillify.me/datenschutz, https://www.adyen.com/privacy-policy and https://www.chargebee.com/privacy/. Insofar as data is transferred to Chargebee Inc. in the USA in the course of payment processing, this takes place on the basis of the EU-U.S. Data Privacy Framework; we implement additional safeguards where necessary.
  9. Identification. For legal reasons, we are required to confirm your identity as the filing taxpayer prior to final submission of your tax declaration. For this purpose, Taxfix uses an electronic identification system that enables you to verify your identity by submitting a scan of, for example, a wage tax certificate, wage/salary statement, confirmation of registration, a German identity card or other identification documents that show the address.
    For the purpose of identity verification in accordance with the statutory provisions, we will forward you via the app to a mobile app or web app of our third-party provider Veriff OÜ, Niine 11, Tallinn, 10414, Estonia ("Veriff"). Veriff acts as our processor in this regard. The legal basis for this processing activity is Art. 28 GDPR.
    For legal reasons, we are obliged to be able to provide information on any person who has instructed a transfer of tax documents to the tax authorities. Thus, we are processing your identification data and storing it for the legally stipulated period of a minimum of five years after the end of the year in which the documents were transmitted in order to verify your identity and your authorization of us. The legal basis for this is Art. 6 (1) lit. c GDPR (i.e. compliance with our legal obligations (§ 87d (2) AO)).
    Where your tariff comprises the engagement of a Partner Firm, the Partner Firm is obliged, as an entity subject to the German Anti-Money Laundering Act (Geldwäschegesetz), to identify you (§§ 10, 11 GwG). We carry out the identification on behalf of the Partner Firm via our service provider Veriff and transmit the required identification data to the Partner Firm. Details of this processing can be found in the privacy notices of the respective Partner Firm, which are made available to you before the engagement.
  10. ELSTER Data Processing. You authorize us to submit your tax declaration to the tax office via ELSTER, on the basis of Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR. ELSTER is the software the tax authorities provide for purposes of processing electronic filings. As the transmission of your tax declaration involves data privacy related obligations of the tax authorities, we are obliged to inform you of the following regarding ELSTER:
    “The ELSTER software is used to collect personal data within the meaning of Art. 4 (1) of the GDPR and Art. 9 (1) of the GDPR. In addition to the pure data required for tax assessments, the software collects information on the type of operating system of the user and transmits this to the tax authorities. This data is needed for ensuring the proper processing of the data and for preventing errors in such processing. The data is used in the context of Art. 6 (1) lit. e GDPR in conjunction with Art. 6 (3) lit. b GDPR in accordance with federal and state tax laws by the tax authorities and only for the purpose stated.”
    You can read more about the data processing that is done via ELSTER by the tax authorities in their informational brochure available here.
  11. Elster PDF. After your tax declaration is submitted to and received by the tax office, you can view the .pdf version of your tax declaration (“Elster PDF”) directly in the App when you are logged into your account. We process your Elster PDF for this purpose and store it as long as your user account is active. If you do not want your Elster PDF to be available to you in the App, you can let us know and we will delete this data (in which case you will no longer be able to retrieve your Elster PDF through us). Our legal basis for processing this information is Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. performance of a contract).
  12. Retrieval of Electronic Tax Assessment. We retrieve your electronic tax assessment via the ELSTER portal in order to show you the amount of the final refund. This serves to identify discrepancies between the refund calculated in the App and the amount finally determined by the tax office. We retrieve further information for statistical and control purposes in order to improve our Services for you and to further develop our App. No processing of special categories of personal data under Art. 9 GDPR takes place for this. No data from the retrieval of the electronic tax assessment is passed on to third parties. It is stored fully encrypted in our database in Europe. The storage and archiving of your electronic tax assessment is governed by the section “Storage and Deletion after Contract End”. The legitimate interest under Art. 6 (1) lit. f GDPR lies in being able to offer our users an improved and more precise service. In addition, this data processing takes place on the basis of Art. 6 (1) lit. b GDPR (performance of the contract) and Art. 9 (2) lit. a GDPR (consent).
  13. Tax Advisory Services via Partner Firms. The App acts as a platform for services of independent professionals (each a “Partner Firm”) authorised to provide unrestricted assistance in tax matters. Depending on your tariff, you can use the Platform in particular for the full preparation of your tax return by the Partner Firm, for personal tax advice (e.g. via chat) and for support in matters with the tax office (such as the review of tax assessment notices, the explanation of official correspondence or the preparation of draft objections). Which services your tariff comprises results from the respective Service Description.
    a. Initiation. If you confirm your interest in a service of the Partner Firm, we collect the information and documents required for preparation via the App (in particular the tax data described in this section “Personal Data We Collect and How We Process It” as well as, where applicable, tax assessment notices and letters from the tax office). We obtain your consent to the processing of sensitive personal data separately; you can withdraw it at any time with effect for the future, but may then no longer be able to use all Services. Legal bases: Art. 6 (1) lit. b GDPR (pre-contractual measures) and Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (consent).
    b. Data exchange with the Partner Firm. If an engagement agreement is concluded between you and the Partner Firm, you instruct us to transmit the data required for the respective service to the Partner Firm. Conversely, the Partner Firm transmits its work results (e.g. the draft of your tax return, advisory reports, results of an assessment-notice review, draft objections or chat content) to us so that we can make them available to you in the App; alternatively, transmission to you may take place by email. To that extent, you release the Partner Firm from its professional duty of confidentiality. Legal bases: Art. 6 (1) lit. b GDPR (performance of the contract) and Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (consent).
    c. Submission to the tax office. We make the tax return prepared by the Partner Firm available to you in the App for submission. Submission to the tax office via ELSTER (see the section “ELSTER Data Processing”) is arranged by you yourself or – where your tariff so provides – by the Partner Firm in your name.
    d. Central billing. Insofar as your tariff provides that you pay the Partner Firm’s remuneration to us, we also process your payment and billing data for the settlement of the Partner Firm’s fee claim and transmit the necessary information on the payment status to the Partner Firm (Art. 6 (1) lit. b GDPR).
    e. Further professionals. Insofar as the Partner Firm transfers individual activities, in a manner permissible under professional law, to a further tax advisory firm, we also transmit the required data to the latter upon your instruction (Art. 6 (1) lit. b GDPR). Details can be found in the privacy notices of your Partner Firm.
    f. Storage. We store the data collected and generated in the context of these services in order to make them available to you in the App and to improve our Services (Art. 6 (1) lit. b and lit. f GDPR). Taking into account the statutory deadlines (§ 46 (2) no. 8 EStG, § 169 (2) no. 2 AO), we store tax data and work results fully encrypted in our database in Europe for ten years after transmission to the tax office or after the last use of the respective service; they are subsequently deleted or fully anonymised.
  14. Support. If you have any questions about our Services, reach out to our customer support team. You can reach support by clicking “Contact our Support Team” in your account settings. We can’t provide you with any tax advice (so please contact a tax advisor with any tax-related questions). If you have booked the expert service, the support team will forward your question to your tax advisor as part of the expert service. We are happy to answer any questions you have about how to use the App, registration, errors or bugs in the App, etc. If your App crashes, you can elect to send us a complete error log, containing both technical information and any sensitive tax data that may have been entered, in which case you consent to the transmission of such information in order for us to most effectively troubleshoot any problems. The error log and support requests are saved to your user account. Of course you have the possibility to delete saved error logs. An error log will be deleted or completely anonymized at the latest 12 months after transmission. Our legal basis for processing error logs is Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent) and our legal basis for processing your other support requests is Art. 6 (1) lit. b GDPR (i.e. performance of a contract). To handle customer inquiries, we use a ticket system and customer service platform provided by Zendesk, Inc. (989 Market St., San Francisco, CA 94103, USA; “Zendesk”). We have in place a Data Processing Addendum according to Art. 28 GDPR with Zendesk to ensure that the processing of your data is conducted in accordance with applicable law.
    Additionally, we may use your contact details (email address, telephone number) to contact you in connection with your tax return, in particular if the submission of missing or additional documents is required to complete the tax return. 
    The legal basis for contacting you is Art. 6 (1) lit. b GDPR (performance of a contract).
  15. Marketing and Communications Data. If you have used the Services previously or if you have subscribed to receive marketing materials from us, we or our service providers acting on our behalf may send you certain marketing e-mails or postal marketing materials including for example newsletters, on satisfaction, requests to submit a review on an external review platform (e.g., Trustpilot), information about updates to our Services or special offers from us. To facilitate these communications, we use Braze Inc., 330 West 34th Street, New York, NY 10001, a comprehensive customer engagement platform. Our legal basis for processing this data for existing customers is Art. 6 (1) lit. f GDPR (legitimate interests) or for new customers Art. 6 (1) lit. a GDPR (consent).
    We have concluded a data processing agreement and Standard Contractual Clauses (“SCCs”) with Braze Inc. to ensure that the processing of your data is carried out in accordance with applicable law.
    If you do not wish to receive any marketing e-mails from us, you can opt-out anytime by using the “unsubscribe” link in any e-mail we send you or by sending us an e-mail at [email protected].
  16. Improving security. To increase the security and delivery speed of our website, we use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (“Cloudflare”). A CDN is a network of distributed servers that is able to deliver optimised content to the website user. For this purpose, personal data may be processed in server log files by Cloudflare. The legal basis for processing this data is Art. 6 (1) lit. f GDPR (i.e. legitimate interests). It is in line with our legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f GDPR not to operate a content delivery network ourselves. We have concluded an order processing agreement with Cloudflare to ensure that the processing of your data is carried out in accordance with applicable law. You have the right to object to the processing. Whether the objection is successful is to be determined in the context of a balancing of interests. The processing of the data provided under this section is not required by law or contract. However, the functionality of the website cannot be guaranteed without the processing. Your personal data will be stored by Cloudflare for as long as necessary for the purposes described. Cloudflare has implemented compliance measures for international data transfers. These apply to all global activities where Cloudflare processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://www.cloudflare.com/en-gb/cloudflare-customer-scc/.
  9. Improvement of User Experience. To improve the user experience, we will test new or modified functions and features limited to certain user groups. Under certain circumstances, this may lead to different presentations for different users. The legal basis for processing this data is Art. 6 para. 1 lit. f GDPR (i.e. our legitimate interest in continuously improving the user experience and our products). 
  10. Cooperation with affiliated companies. In our endeavor to continuously improve our services and our customer experience, we may forward your personal data for certain purposes to affiliated companies, in particular Steuerbot GmbH, Welfenstraße 19, 70736 Fellbach as well as TaxScouts, Positron Technologies Ltd. 71-75 Shelton St., London, WC2H 9JQ.
    This collaboration is essential for:
  • Data analysis and research: using advanced data analytics to gain insights and conduct research that allows us to innovate and improve our offerings.
  • Customer support: Providing efficient and responsive customer service to effectively fulfil your needs and queries.
  • Invoice processing and payment processes: Streamlining billing and payment processes to ensure smooth and secure transactions.
  • Sharing technical capabilities: Sharing technical expertise and resources to maintain and improve the functionality and security of our app.
  • Maintaining app functionality: Ensuring that our app works effectively and provides you with a seamless user experience.
    The legal basis for processing this data is Art. 6 para. 1 lit. f GDPR. For the transfer to the United Kingdom, there is an adequacy decision of the European Commission (Art. 45 GDPR) that ensures an adequate level of data protection.
  11. Processing of Personal Data of Press Representatives. Press representatives can register for our media list. In this case, we process the personal data provided (first name, last name, email address) for the purpose of directly sending Taxfix press releases.
    The legal basis for this processing is Art. 6 para. 1 (a) GDPR. Section H) of this Privacy Policy applies accordingly.
  12. Storage and Deletion after Contract End. After any termination of the subscription, we place your account in an inactive state and store the data it contains for four (4) years, so that you can reactivate your account if you book again. The legal basis is our legitimate interest in a user-friendly resumption of the contractual relationship and in the verifiability of services rendered (Art. 6 (1) lit. f GDPR). Before the inactivity phase expires, we inform you by email to the address you have provided; if no reactivation takes place, your account and your data are automatically deleted or fully anonymised. Data subject to statutory retention obligations (in particular § 147 AO, § 257 HGB – up to ten years) continues to be retained in blocked form until the respective period expires and is only deleted thereafter.
  13. Use of Chatbots. To assist you quickly and efficiently, we use AI-supported chat functions: a chatbot for questions on tax topics and on our Services (where your tariff provides for it) and a support chatbot for general customer-service enquiries, e.g. regarding your account, billing or technical issues. In doing so, we process your chat inputs as well as the data from your contractual relationship required to respond to or to identify your account. The legal basis is our legitimate interest in responding to your enquiries appropriately and efficiently and in providing you with a user-friendly service (Art. 6 (1) lit. f GDPR). To improve our offering, we analyse the conversations conducted (in anonymised form where tax data has been entered), including timestamps and technical metadata (e.g. device, browser type), likewise on the basis of Art. 6 (1) lit. f GDPR. Your data is not used to train the AI models.
    We operate the chatbot for tax topics ourselves; for the technical infrastructure we use Vertex AI provided by Google Ireland Limited as our processor (Art. 28 GDPR). Processing takes place exclusively in data centres within the EU. For the support chatbot we use Zendesk International Ltd. (Ireland) as our processor; this chatbot does not process your sensitive tax data at any time. A transfer to the parent company Zendesk, Inc. in the USA may take place in this context; Zendesk is certified under the EU-U.S. Data Privacy Framework, which the European Commission has recognised as ensuring an adequate level of protection. Unless otherwise stated, your chat histories are stored for a period of 12 months so that earlier conversations and their responses remain traceable, for example to be able to demonstrate how our chatbots function. They are subsequently deleted or anonymised. Data that we analyse for quality-improvement purposes is anonymised or deleted upon completion of the analysis, but no later than after 90 days.

F. How We Protect Your Data

  1. Security Measures. We maintain state-of-the-art technical measures to secure your personal data from accidental loss and from unauthorized access, use, alteration and disclosure. All transactions, regardless of their nature, are encrypted using SSL technology. The information you provide to us is generally stored in a computer center located in Europe in accordance with high security standards and is encrypted (AES-256-CTR). Our data center is equipped with state-of-the-art technical security measures and is certified in accordance with ISO 27018 standards and guidelines. We carefully select and regularly monitor our service providers, who are instructed by us and required to ensure that any data processing including transfers to third countries is subject to stringent technical security measures compliant with European standards. 
  2. PIN Protection. You can protect access to the App on your device with a PIN code. You can change your PIN at any time in the account settings in the App. Where you have chosen a PIN code for access to the App, you are responsible for keeping this confidential and we ask you not to share it with anyone. Please note that your PIN is unique to your browser session and/or mobile device. If you wish to access your account from a new mobile device or in a new browser session, you will be asked to verify your email address and you will be sent an additional security access code in order to do so. Alternatively, you can also use the system-side Touch ID function on suitable Apple devices to enable access to the Taxfix App or the Taxfix WebApp using your fingerprint. Please note that neither your fingerprint nor biometric information is transmitted to Taxfix. Please consult Apple's Touch ID information or Apple's Face ID information for more details.


G. External Transfers

  1. Transfers to Third Parties. As mentioned elsewhere in this Privacy Policy, in order to provide the Services, we transfer your data to the tax authorities upon your request and in certain cases, to our third-party service providers, including our hosting providers, payment providers, IT service and development providers. Your personal data will only be passed on or transmitted to third parties insofar as is necessary for our contract with you, if we have a legitimate interest, if you have given your consent, or insofar as we are legally required to do so. Our service providers receive personal data solely for the performance of their services for us and are contractually obliged not to use personal data for other purposes. 
  2. Transfers to Third Countries. Should any processing of your data take place outside of the EU, this will be done in compliance with Art. 44 GDPR – namely, on the basis of an appropriate transfer mechanism. In the absence of an adequacy decision by the European Commission, we conclude the Standard Contractual Clauses (SCCs) approved by the EU Commission with the recipient and, where necessary, implement additional safeguards to ensure an equivalent level of data protection. A copy of the SCCs can be made available upon request.
  3. Debt Collection. If you default on payments, we may transmit the data required to enforce our claim (name, contact details, contract and claim data) to debt-collection service providers or, in the event of an assignment of the claim, to the assignee. The legal basis is Art. 6 (1) lit. b and lit. f GDPR (legitimate interest in enforcing our claims).


H. Your Rights Under the GDPR

  1. Data Subject Rights. As the data subject, you have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure of your personal data (Art. 17 GDPR), the right to restriction of processing of your personal data (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). Please note that the restrictions of Sections 34 and 35 BDSG apply to your right of access and erasure. You also have the option to file a complaint against the processing of your personal data with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement.
  2. Right of Revocation. If you have given your consent to the processing of your data, you can revoke your given consent at any time pursuant to Art. 7 (3) GDPR and we will no longer continue any such processing that is based on your consent moving forward. Note that such revocation will not affect the legality of any processing carried out on the basis of your consent up to the point of revocation. You can send your withdrawal to [email protected] or to the postal address mentioned above.
  3. Right to Object. You can object to the processing of your personal data insofar as we base such processing on the balance of legitimate interests under Art. 6 (1) lit. f GDPR. This is the case in particular if the processing is not necessary for the fulfillment of a contractual obligation or for compliance with our legal obligations. In case you wish to object, we kindly ask you to provide an explanation of the reasons for the objection against the processing of your personal data, so that we may examine and assess the situation, and either discontinue or adapt the data processing, or point out to you our compelling legitimate reasons based on which we continue the processing of your data. You may, of course, object to data processing for the purposes of advertising or direct marketing at any time. In this case, please send a message to [email protected].


I. Amendments

We keep this Privacy Policy under regular review and reserve the right to make changes to this Privacy Policy. If we do amend this Privacy Policy, these changes will be posted on this page and, where appropriate, notified to you by e-mail or when you start the App to use our Services. You may be required to read and acknowledge the changes in order to continue your use of the App or our Services. You can view the current version of this Privacy Policy at any time in your account settings in the App.

It is very important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our contractual relationship with you. 

Version: 8.0 / Last Update: June 2026