Last updated: February 2023
As the provider of the Taxfix Services, we are responsible for the processing of your personal data, as defined in the EU General Data Protection Regulation (“GDPR”). Our contact details are as follows:
Köpenicker Str. 122
(T) +49 30 92106949
You can reach our data protection team at the e-mail address above. In addition, we have appointed a Data Protection Officer (“DPO”) who acts on behalf of Taxfix in supporting our compliance efforts in relation to the processing of personal data. Our DPO can be reached at the above postal address (Attn: DPO).
B. Third Party Links
Our website may, from time to time, contain links to or from partner websites or other third-party sites. These sites and any services that may be accessible through them have their own privacy policies. As we are not responsible for the privacy practices of these sites, we recommend that you review their privacy policies before submitting personal data to them.
C. General Purposes and Legal Bases
When we use the term “personal data”, we are referring to any information that can be used, directly or indirectly, to identify you personally. We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) if at least one of the following applies:
- Performance of Contractual or Pre-Contractual Measures. The data processing is needed for the performance of a contract to which you are party or in order to take the steps requested by you prior to entering into a contract (Art. 6 (1) lit. b GDPR). Data processing that falls under this category is done when requested by you and can include performing transactions, customer support, requirement analysis and processing your tax-related data needed for your tax declaration in order to fulfill our Service Agreement with you.
- Consent. Where you have agreed to the processing of your personal data for one or more specific purposes, such data processing by us is permitted on the legal basis of your consent (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR). Your consent is revocable at any time. Where you revoke your consent, we will not process your personal data on the basis of your consent following your revocation.
- Legitimate Interests. The data processing is needed for the purposes of the legitimate interests pursued by us Taxfix, the controller, or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Art. 6 (1) lit. f GDPR). Data processing that falls under this category can include marketing or market and opinion analysis, ensuring IT security, assessment and optimization of processes, analyzing and improving our products and services, enhancing your user experience, enforcement of claims or defenses in legal proceedings and developing our Services and App.
- Legal Compliance. The data processing is necessary for compliance with a legal obligation to which we are subject (Art. 6 (1) lit. c GDPR). We are subject to several legal obligations that necessitate certain data processing activities. This includes verification of your identity, prevention of fraud and upholding our control and reporting obligations.
- Processing on Behalf of Taxfix. In several instances, we engage service providers and processors to process personal data on our behalf under Art. 28 GDPR. The data processing that falls under this category is carried out pursuant to a separate agreement with the respective processor. We ensure that this agreement contains sufficient protection and guarantees for the protection of your personal data and your rights with respect to that data, in each case in compliance with the GDPR.
D. Requested Authorizations When Using the App
For some functions, the App requires access to certain services and data on your mobile device, which you will be asked to authorize. This section explains which access authorizations are required to use the App on iOS and Android devices and why.
- Notifications / Push Messages. Certain technical data is automatically collected and transmitted to us by your browser when you access our website. Such information includes data about your internet browser, operating system, IP address, time of the page request, referrer URL, device information, session information, size of the requested file and any status or error codes. The information is logged in server log files, which we process in order to ensure the functionality of our website, gather statistical information about the use and development of our website, and for general data security and error analysis purposes. With respect to ensuring the functionality of our website, the basis for our data processing is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measure). With respect to monitoring for data security and error analysis, the basis for our processing is Art. 6 (1) lit. f GDPR (i.e. legitimate interests).
- Registration Data. By choosing “Allow” when asked whether the App can send push notifications to your advice, you are authorizing the App to notify you of certain events such as deadlines for filing your tax return or other tax-relevant topics by means of push notification even when you are not using the App. The App may push notifications with a tone, message (e.g. in the form of a screen banner) or symbol identifier (a picture or number on the App icon). You’ll be asked to authorize push notification the first time you call up the App and register or log in. You can adjust or customize your permission settings for push messages under “Settings” > “Messages” and selecting the Taxfix App on your device.
- Camera and Photo Access. By choosing “Allow” when asked whether the App can access your photos, you are allowing the App to access your mobile device’s photo library in order to upload a photo of your identification document or income. In order to take a photo of your identification document or payslip directly in the App via your mobile device camera, you’ll need to grant additional access to your camera, which you can do so under “Settings” > “Privacy” > “Camera” on your device. Your grant of access rights to your camera and photos are exclusively for purposes of verifying your identification card. As such, only the photo(s) you select or take with your camera will be processed and there will be no authorized use of the photo and the camera function. You can revoke your access permissions at any time by adjusting your mobile device settings.
- Push Messages. When installing the App, you will be asked to grant permission to receive push messages from the App when you are not using it. You can prevent the App from displaying push messages by navigating to “Settings” > “Apps” (or “Application Manager”) on your device. There you will find an overview of all applications installed on your device. Select the Taxfix App and under “Permissions” you can switch on or off the push notification function.
- Access to all Networks. During installation, access to all networks is requested in order to enable the App to transfer data via Internet connection of your end mobile device (WiFi or data connection). This authorization is needed to transfer your entries to our servers, for example, as part of the registration process.
- Camera Access. This authorization is requested in order for you to photograph your income tax statement and identification in the App and in this way record your tax-relevant information quickly and seamlessly. The App will only have access to your camera if you select this function in the App.
- Save Records to Memory or SD Cards. This authorization is required to enable the App to store or retrieve the data for its tax return in the memory or, if necessary, in an additional memory used by your terminal device. The app only reads the data that was stored in connection with the use of the Taxfix services.
E. Personal Data We Collect and How We Process It
- Device and Technical Data. Certain technical data is automatically collected and transmitted to us by your browser when you access our website. Such information includes data about your internet browser, operating system, IP address, time of the page request, referrer URL, device information, session information, size of the requested file and any status or error codes. The information is logged in server log files, which we process in order to ensure the functionality of our website, gather statistical information about the use and development of our website, for general data security and error analysis purposes and for marketing purposes and general product improvement. With respect to ensuring the functionality of our website, the basis for our data processing is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measure). With respect to monitoring for data security and error analysis, the basis for our processing is Art. 6 (1) lit. f GDPR (our legitimate interests to ensure the stability and security of the website and app). With regard to marketing purposes and general product improvement, the basis of our processing is Art. 6 para. 1 lit. f GDPR (our legitimate interest to attract more customers and improve sales and products).
- App Store Installation Data.. You can download and install the App on your mobile device from either Google Play or the App Store. In order to do this, you must first register for a user account with the provider of the app store and conclude a user agreement with that provider. In the process of downloading and installing the App, certain information about you and your access device gets transmitted to the app store provider – username, e-mail address, customer number, time of download and device ID. We do not have any control over this data collection and we do not store it, but we do process it insofar as is necessary to install the App on your device. Our legal basis for processing this data is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measures).
- Registration Data. When you register to use our App, we collect certain personal information from you in order to determine whether our Services support your tax case. We collect this information by asking you about your relationship status, living situation, sources of income, alimony payments, foreign income and tax-relevant disability payments. During the registration process, we also ask you for your e-mail address (which we verify with you), your name, assign you a Taxfix user ID, process the time of your registration and your IP address, and ask you to take note of this Policy and our Terms and Conditions. The basis for our processing of your registration data as described in this section is Art. 6 (1) lit. b GDPR. (i.e. contractual or pre-contractual measures). Your registration data will be stored as long as your user account is still active and will be retained by us for an additional twelve months thereafter. Legal retention periods apply and remain unaffected. Please note that we use technical services (e.g. servers) provided by Google. We pay careful attention to the highest technical security standards and all data is stored in Europe. For technical reasons, however, it may happen that the infrastructure is maintained or partly provided from the USA. As we process sensitive data, we strive for maximum transparency in this respect as well.
- Pre-fill Data. We offer the option to populate your tax return with certain pre-fill information that is electronically reported to tax authorities (namely by your employer
and the relevant social security office) and stored with them. Upon receiving your request via the App to pull your pre-fill information, we ask the tax authorities to dispatch a letter to you containing a confirmation code, which you then input into the App. Once you have entered your confirmation code in the App, we securely retrieve via ELSTER your pre-fill information which is encrypted via in-transit encryption (SSL). You can find more information about ELSTER’s security and encryption methods here.
Alternatively, you can arrange for the pre-fill data to be retrieved digitally. We offer this service in cooperation with an external professional (the “Firm”). To use this service, you explicitly authorise the Firm via the Taxfix mobile or web app to retrieve the pre-fill data on your person held by the tax authority responsible for you. The Firm will then forward this pre-fill data to Taxfix for further use in preparing your tax return.
For this part of the service, please also note the Firm’s General Terms and Conditions, which you can view here.
Once we have received your pre-fill data, we store it in your Taxfix account on our servers so that we can enter this data directly into your tax return for you. The legal basis for processing your pre-fill data as described in this section is therefore Art. 6 (1) lit. b DSGVO (i.e. performance of a contract) and our legal basis for processing sensitive personal data that may be included in your pre-filled information (e.g. on religious beliefs) is Art. 6 (1) lit. a, Art. 9 (2) lit. a DSGVO (i.e. consent). Taking into account the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your pre-fill data in fully encrypted form in our database in Europe for a period of ten years after transmission to the tax authorities.
- Tax Data. Following registration, you will be asked a series of questions through our App designed to capture the tax-relevant information needed to fill out your tax declaration digitally. These questions ask you for information about your name, employment status, address, religious affiliation, occupation, employer, income statements, secondary residence, competent tax office, tax identification number, training and education, business expenses, professional associations, income from capital asset and other income, insurance, medical expenses, survivorship, disability, parents, children or other dependents, donations, church tax, household expenses, alimony and tax loss carryforwards. As already mentioned, such tax-relevant information may include “sensitive personal data” such as data related to your health, religious affiliation or trade union membership, for which we need your consent to process in order to provide the Services, as this information is required to calculate your tax return amount. We will obtain your consent separately. You can revoke your consent at any given time with effect for the future, but in the event of such revocation you will no longer be able to use all services. Your tax data is also stored in order to further streamline and simplify your declaration for next year. Our legal basis for processing your tax data as described in this section is thus Art. 6 (1) lit. b GDPR (i.e. performance of a contract), and our legal basis for processing any sensitive personal data is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). Taking into consideration the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your tax data fully encrypted in our database located in Europe for a period of ten years following transmission to the tax authority. After that the data is anonymized completely.
- Transaction Data. In order to submit the income tax return generated through the App to the tax office, you must enter into a Service Agreement with Taxfix in accordance with our Terms and Conditions. Pursuant to this Service Agreement, you may be required to pay a one-time submission fee with respect to each tax declaration submitted, depending on the amount of your calculated tax return. For users in Germany, the submission fee (if applicable) is payable by direct debit and is processed via our external payment service provider abilipay GmbH (Abillify), Dr.-Leo-Ritter-Straße 2, 93049 Regensburg, Deutschland; “Abillify”. Abillify will receive your name and bank details in order to process payment and will notify us upon receipt of payment. We won’t store your payment information but we do process your transaction information (i.e. when you paid, when payment was processed and the amount of your payment) for reporting purposes for ten years in combination with your registration data. Our legal basis for processing your transaction data is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and our legal basis for its retention is Art. 6 (1) lit. c GDPR (i.e. compliance with our legal obligations (§ 257 HGB, § 147 AO, § 169 AO)) as we are required under applicable law to store relevant financial and accounting documents. Please note that we also use Abillify for repayment and invoicing, and to handle relevant security and fraud prevention measures. For more information about Abillify’s data processing, please refer to their privacy notice at https://abillify.me/datenschutz/. Please note that you can exercise the rights described in section G, as applicable, directly against Abillify.
- Identification. For legal reasons, we are required to confirm your identity as the filing taxpayer prior to final submission of your tax declaration. We verify your identity by having you submit your income tax certificate, wage/salary statement, registration of address confirmation, a German identity card or other identification document with your address listed on it. After we have confirmed your identity, you will have the opportunity to review your prepared tax return, confirm the accuracy of your details inputted and authorize us to submit the tax declaration to the tax office. For other legal reasons, we are obliged to be able to provide information on any person who has instructed a transfer of tax documents to the tax authorities. Thus, we are processing your identification data and storing it for the legally stipulated period of five years after the end of the year in which the documents were transmitted in order to verify your identity and your authorization of us is Art. 6 (1) lit. c GDPR (i.e. compliance with our legal obligations (§ 87d (2) AO)).
- ELSTER Data Processing. We submit your tax declaration using ELSTER, which is the software the tax authorities provide for purposes of processing electronic filings based on Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR. As the transmission of your tax declaration involves data privacy related obligations of the tax authorities, we are obliged to inform you of the following regarding ELSTER:“The ELSTER software is used to collect personal data within the meaning of Art. 4 (1) of the GDPR and Art. 9 (1) of the GDPR. In addition to the pure data required for tax assessments, the software collects information on the type of operating system of the user and transmits this to the tax authorities. This data is needed for ensuring the proper processing of the data and for preventing errors in such processing. The data is used in the context of Art. 6 (1) lit. e GDPR in conjunction with Art. 6 (3) lit. b GDPR in accordance with federal and state tax laws by the tax authorities and only for the purpose stated.”
You can read more about the data processing that is done via ELSTER by the tax authorities in their informational brochure available here.
- ELSTER PDF. After your tax declaration is submitted to and received by the tax office, you can view the .pdf version of your tax declaration (“Elster PDF”) directly in the App when you are logged into your account. We process your Elster PDF for this purpose and store it as long as your user account is active. If you do not want your Elster PDF to be available to you in the App, you can let us know and we will delete this data (in which case you will no longer be able to retrieve your Elster PDF through us). Our legal basis for processing this information is Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. performance of a contract).
- Retrieval of Electronic Tax Assessment. We retrieve your electronic tax assessment via the ELSTER portal in order to provide you this information within the App, as well for statistical and control purposes – namely, to assess any discrepancies between the amount of your refund as calculated using the App and as finally determined by the tax office in order to improve the Services and further refine the App. Our legal basis for processing this data is Art. 6 (1) lit. f GDPR (i.e. legitimate interests), Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). In addition, we may forward information about a tax refund to CB Bank GmbH, Gabelsbergerstraße 32, 94315 Straubing (“Partner Bank”), provided that obtain a tax advance loan (see section 10 below). With the exception of the aforementioned transfer to the Partner Bank, this data will not be passed on to third parties and is kept fully encrypted in our database located in Europe. The storage and archiving of your electronic tax assessment is governed by sections D.2 and 4 above.
- Tax refund advance. Provided that you meet certain conditions, in particular with regard to the expected amount of the tax refund, our App will inform you about the option of obtaining an advance financing of the tax refund payment calculated in the course of preparing the tax return. As part of such pre-financing, we act as a credit broker for our Partner Bank. The legal basis for this preliminary investigation is Art. 6 (1) lit. b and f GDPR (i.e. fulfillment of a contract and our legitimate interest in checking compliance with the qualification criteria for pre-funding, fraud prevention, improvement of our product and your user experience).If we then inform you via the app that you are eligible for a tax refund advance offer, you have the option of confirming by clicking the appropriate button that you are interested in a loan brokerage through us. If you confirm your interest in this way, this triggers the following further data processing by us:
- Credit check: We ask the credit agency Creditreform Boniversum GmbH, Hammfelddamm 13, 41460 Neuss (“Boniversum”) for certain identification and creditworthiness data. For this purpose, we will transmit your master and contact details (name, address, date of birth) to Boniversum. For the purpose of the credit check, Boniversum transmits the address and creditworthiness data stored about you in its database, including scores determined on the basis of mathematical-statistical methods, provided that we have credibly demonstrated our legitimate interest. When calculating the score, address data is also used, among other things. This procedure supports us with the loan brokerage and our partner bank with the loan decision. You can find more information about the activities and working methods of Boniversum in their data protection declaration at www.boniversum.de/EU-GDPR. The legal basis for this data collection and processing by us is Article 6 (1) lit. b GDPR (implementation of pre-contractual measures upon your request).
- Review of sanction lists: As part of the loan brokerage process, we carry out the mandatory verification required by the lender to determine whether you are on a sanction list. We act here as a processor under the instruction and data protection responsibility of the partner bank. The legal basis for our processing activities is Art. 28 GDPR. For this we use the database of Sanction Scanner Ltd., 27 Old Gloucester Street, London WC1N 3AX, United Kingdom (“Sanction Scanner”). Sanction Scanner enables a direct comparison of your master and contact data with a current inventory of sanction lists. In this respect, Sanction Scanner acts as a processor. The legal basis for these processing activities is Art. 28 GDPR. Your data will be compared with the lists of Sanction Scanner, which are stored on servers in the European Union. There is no storage of your data outside of our systems. The partner bank acts hereby to fulfill its legal obligations and thus on the legal basis of Art. 6 para. 1 lit. c GDPR.
- Query of status as a “politically exposed person”: We will also ask you to submit a self-declaration via the app that you are not a politically exposed person (PeP) or a family member or within the meaning of § 10 (1) No. 4 of the German Anti-Money Laundering Act (GwG) a person known to be closely related to a PeP, if this is the case. We act hereby as a processor under the instruction and data protection responsibility of the partner bank. The legal basis for our processing activity is Art. 28 GDPR. The partner bank acts here to fulfill its legal obligation and thus on the legal basis of Art. 6 (1) lit. c GDPR.
- Initiation of bank identity verification via video identification: For the purpose of bank identity verification in accordance with anti-money laundering regulations, we will forward you from our App to a mobile app or web app of the third-party provider IDnow GmbH, Auenstrasse 100, 80469 Munich (“IDnow”). IDnow itself acts as a processor for the Partner Bank. The legal basis for these processing activities is Art. 28 GDPR. Insofar as we forward your identity information to IDnow to initiate the process, we also act as a processor under the instructions and responsibility of the Partner Bank under data protection regulations. The Partner Bank acts in order to fulfill its legal obligation (in particular according to § 10 (1) no. 1 and 2 GwG) and thus on the legal basis of Art. 6 (1) lit. c GDPR.
- Obtaining a qualified electronic signature on the contract documents: We commission IDnow for this, and your digital signature on the loan brokerage agreement with us and on the loan documents with the Partner Bank is obtained via their mobile app or web app. Insofar as we disclose the relevant contract documents and your personal data to IDnow and obtain a qualified electronic signature, this is done on the legal basis of Art. 6 (1) lit. b GDPR (enabling the conclusion of a contract).
- Forwarding of the credit-relevant data and credit documents to the Partner Bank: This is also done on the legal basis of Art. 6 (1) lit. b GDPR because it enables us to fulfill our tasks from the credit brokerage contract with you.
- Processing of data from the current credit relationship: After the loan has been paid out to you, we receive information on your current credit relationship from the Partner Bank on a daily basis (e.g. account number, amount of outstanding credit, duration and due date of the credit, any instructions regarding the repayment and status of your tax refund payment), as well as your contact details with the Partner Bank. We process this data to support the Partner Bank with ongoing customer service and loan servicing. Here we act as a data processor for the Partner Bank. The legal basis for our processing activities is Art. 28 GDPR. The Partner Bank relies Art. 6 (1) lit. b GDPR (fulfillment of obligations from the credit agreement).
- We may also forward information about a tax refund to the Partner Bank. This serves the purpose of administrating the loan agreement by the Partner Bank. The Partner Bank processes this data on the basis of Art. 6 (1) lit. b GDPR (i.e. to fulfill the agreement). This forwarding by us to the Partner Bank represents data processing on behalf of the Partner Bank as its data processor.
- The storage and archiving of your tax-relevant data is based on Sections D.2 and 4.
- Third Party Offers. The app also acts as a platform for third-party offers (providers) that are qualified and authorized to provide assistance in tax matters.
- In particular, a review of the information provided in the App (Review Service) is offered. In relation to the Review Service, Taxfix and the Providers are joint controllers within the meaning of Art. 26 GDPR. Taxfix has also been designated by the parties as the contact point for data subjects. Further details on joint responsibility can be found here.
- You have the option to confirm that you are interested in the Review Service of the Provider by clicking accordingly. If you confirm your interest in this way, you will be given the opportunity to ask further additional questions to the Provider. Taxfix collects and stores the data entered by you for the execution of pre-contractual measures in the context of the mandate contract between you and the provider. The legal basis for the processing of this information is Art. 6 para. 1 lit. b, Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR (implementation of pre-contractual measures, consent).
- Insofar as a mandate agreement is concluded with you and the provider, you instruct us to transmit to the provider all tax data collected from you for the relevant assessment period so that the provider is able to perform the review service offered. You further agree that the Provider will provide the final report for the Review Service to us to enable you to view the PDF version of the report directly in the App (alternatively, the report will be provided to you via email) and that the Provider will share drafts of the report with us to verify the accuracy of its information with respect to notices on the App. To the extent
that they submit further questions to the Provider after the Report has been provided via the Review Service, you agree that the Provider may share the questions, draft answers and final answers with Taxfix. The legal basis for processing this information is Art. 6(1)(b), Art. 6(1)(a), Art. 9(2)(a) GDPR (performance of the contract, consent).
- We store the questions you submit as well as the reports of the review service in order to provide you with this information in the app, to improve our services and to further develop our app. This data will not be shared with any third party (other than the Provider as your contractual partner). The legal basis for processing this data is Art. 6 (1) lit. b, f GDPR (i.e. performance of the contract and our legitimate interest in continuously improving the user experience and our products), Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent).
- In addition, providers qualified to provide assistance in tax matters are given the opportunity to offer you the preparation of the tax return. Also in relation to this service, Taxfix and the providers are joint controllers within the meaning of Art. 26 GDPR. Taxfix has also been designated by the parties as the point of contact for data subjects. You can find more details about the joint responsibility here.
- You have the option to confirm that you are interested in having your tax return prepared by a provider by clicking on the appropriate button. If you confirm your interest in this way, you will be asked questions about your personal situation via our app, based on which you will receive a list of documents that the provider needs to prepare your tax return. With the help of the questions and the documents, the information described in section 5 will be collected. In this respect, we will also separately obtain your consent to the processing of sensitive personal data. You can revoke your consent at any time with effect for the future, but in the event of such revocation you will no longer be able to use all services. The legal basis for the processing of this information is Art. 6 para. 1 lit. b, Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR (implementation of pre-contractual measures, consent).
- To the extent you enter into a mandate agreement is entered the Provider, you authorize us to transmit to the Provider all tax data collected from you for the applicable assessment period so that the Provider is able to prepare the tax return for you. You also agree that the provider will transmit the final draft of the tax return to us so that we can enable you to view the PDF version of the report directly in the app (alternatively or additionally, the transmission of the report to you may also be made by email). The legal basis for processing this information is Art. 6(1)(b), Art. 6(1)(a), Art. 9(2)(a) GDPR (performance of the contract, consent).
- As soon as you have released the tax return in the app, we will submit the tax return via the ELSTER software mentioned in section 8. In this respect, we obtain your consent to the transfer and storage of the data. Your tax data will also be stored in order to further optimize and simplify your tax return for the following year. The legal basis for processing this information is Art. 6(1)(b), Art. 6(1)(a), Art. 9(2)(a) GDPR (performance of the contract, consent). Taking into consideration the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your tax data fully encrypted in our database located in Europe for a period of ten years following transmission to the tax authority. After that the data is anonymized completely.
- In particular, a review of the information provided in the App (Review Service) is offered. In relation to the Review Service, Taxfix and the Providers are joint controllers within the meaning of Art. 26 GDPR. Taxfix has also been designated by the parties as the contact point for data subjects. Further details on joint responsibility can be found here.
- Support. If you have any questions about our Services, reach out to our customer support team! You can reach support by clicking “Contact our Support Team” in your account settings. We can’t provide you with any tax advice (so please contact a tax advisor with any tax-related questions), but we’re here to answer any questions you have about how to use the App, registration, errors or bugs in the App, etc. If your App crashes, you can elect to send us a complete error log, containing both technical information and any sensitive tax data that may have been entered, in which case you consent to the transmission of such information in order for us to most effectively trouble any problems. The error log and support requests are saved to your user account. Of course you have the possibility to delete saved error logs. An error log will be deleted or completely anonymized at the latest 12 months after transmission. Our legal basis for processing error logs is Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent) and our legal basis for processing your other support requests is Art. 6 (1) lit. b GDPR (i.e. performance of a contract). To handle customer inquiries, we use a ticket system and customer service platform provided by Intercom, Inc. (55 2nd Street, 4th Floor, San Francisco, CA 94105 USA; “Intercom”). For more information about Intercom’s data processing, please refer to their privacy notice at https://www.intercom.com/terms-and-policies#privacy. We have in place a Data Processing Addendum with Intercom to ensure that the processing of your data is conducted in accordance with applicable law.
Additionally, we may use your contact details (email address, telephone number) to contact you in connection with your tax return, in particular if the submission of missing or additional documents is required to complete the tax return. The legal basis for contacting you is Art. 6 (1) lit. b DSGVO (performance of a contract). If you have consented to this, the contact described above can also be made via WhatsApp. For this purpose, we obtain your explicit consent in advance. You can revoke this consent at any time with effect for the future in accordance with Art. 7 DSGVO. We use the MessageBird B.V. platform (Trompenburgstraat 2C, 1079 TX Amsterdam, Netherlands) to send WhatsApp messages. We have concluded a data processing agreement with MessageBird to ensure that the processing of your data is carried out in accordance with applicable law.
- Marketing and Communications Data. If you have used the Services previously or if you have subscribed to receive marketing materials from us , we or our service providers acting on our behalf may send you certain marketing e-mails including for example newsletters, customer satisfaction or review surveys, information about updates to our Services or special offers from us. Our legal basis for processing this data is Art. 6 (1) lit. f GDPR (i.e. legitimate interests). If you do not wish to receive any marketing e-mails from us, you can opt-out anytime by using the “unsubscribe” link in any e-mail we send you or by sending us an e-mail at [email protected].
- Improvement of User Experience. To improve the user experience, we will test new or modified functions and features limited to certain user groups. Under certain circumstances, this may lead to different presentations for different users. The legal basis for processing this data is Art. 6 para. 1 lit. f GDPR (i.e. our legitimate interest in continuously improving the user experience and our products).
F. How We Protect Your Data
- Security Measures. We maintain state-of-the-art technical measures to secure your personal data from accidental loss and from unauthorized access, use, alteration and disclosure. All transactions, regardless of their nature, are encrypted using SSL technology. The information you provide to us is generally stored in a computer center located in Europe in accordance with high security standards and is encrypted (AES-256-CTR). Our data center is equipped with state-of-the-art technical security measures and is certified in accordance with ISO 27018 standards and guidelines. We carefully select and regularly monitor our service providers, who are instructed by us and required to ensure that any data processing including transfers to third countries is subject to stringent technical security measures compliant with European standards. Furthermore , our Information Security Management System is ISO/IEC 27001 certified.
- PIN Protection. You can protect access to the App on your device with a PIN code. You can change your PIN at any time in the account settings in the App. Where you have chosen a PIN code for access to the App, you are responsible for keeping this confidential and we ask you not to share it with anyone. Please note that your PIN is unique to your browser session and/or mobile device. If you wish to access your account from a new mobile device or in a new browser session, you will be asked to verify your email address and you will be sent an additional security access code in order to do so. Alternatively, you can also use the system-side Touch ID function on suitable Apple devices to enable access to the Taxfix App or the Taxfix WebApp using your fingerprint. Please note that neither your fingerprint nor biometric information is transmitted to Taxfix. Please consult Apple’s Touch ID information or Apple’s Face ID information for more details.
G. External Transfers
- Transfers to Third Countries. Should any processing of your data take place outside of the EU, this will be done in compliance with Art. 44 GDPR – namely, on the basis of an appropriate transfer mechanism (e.g. standard contractual clauses in the respective data processing agreement with the relevant third party).
H. Your Rights Under the GDPR
- Data Subject Rights. As the data subject, you have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure of your personal data (Art. 17 GDPR), the right to restriction of processing of your personal data (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). Please note, that the restrictions of Sections 34 and 35 BDSG apply to your right of access and erasure. You also have the option to file a complaint against the processing of your personal data with a supervisory authority, in particular in the member state of your residual residence, place of work or place of the alleged infringement.
- Right of Revocation. If you have given your consent to the processing of your data, you can revoke your given consent at any time pursuant to Art. 7 (3) GDPR and we will no longer continue any such processing that is based on your consent moving forward. Note that such revocation will not affect the legality of any processing carried out on the basis of your consent up to the point of revocation.
- Right to Object. You can object to the processing of your personal data insofar as we base such processing on the balance of legitimate interests under Art. 6 (1) lit. f GDPR. This is the case in particular if the processing is not necessary for the fulfillment of a contractual obligation or for compliance with our legal obligations. In case you wish to object, we kindly ask you to provide an explanation of the reasons for the objection against the processing of your personal data, so that we may examine and assess the situation, and either discontinue or adapt the data processing, or point out to you our compelling legitimate reasons based on which we continue the processing of your data. You may, of course, object to data processing for the purposes of advertising or direct marketing at any time. In this case, please send a message to [email protected].
It is very important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our contractual relationship with you.
Version: 5.0 / Last Update: February 2023