Taxfix Privacy Policy

Last updated: April 2021

Taxfix GmbH (“Taxfix”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. As part of our mission to simplify the tax filing system for our users (“you” or “your”), it’s important to us that you feel comfortable and trust us with your personal data when you use our services (collectively, the “Services”). Please take a few minutes to read this privacy policy (this “Privacy Policy”) and our Cookie Policy, which applies to your use of our website www.taxfix.de and the Services accessible through our website (the “App”), so that you understand what kind of information we collect about you, how we use that information and why. This Privacy Policy also explains what kind of rights you have regarding our processing of your data.

A. Contact

As the provider of the Taxfix Services, we are responsible for the processing of your personal data, as defined in the EU General Data Protection Regulation (“GDPR”). Our contact details are as follows:

Taxfix GmbH
Karl-Liebknecht-Str. 34
10178 Berlin
[email protected]
(T) +49 30 92106949

You can reach our data protection team at the e-mail address above. In addition, we have appointed a Data Protection Officer (“DPO”) who acts on behalf of Taxfix in supporting our compliance efforts in relation to the processing of personal data. Our DPO can be reached at the above postal address (Attn: DPO).

B. Third Party Links

Our website may, from time to time, contain links to or from partner websites or other third-party sites. These sites and any services that may be accessible through them have their own privacy policies. As we are not responsible for the privacy practices of these sites, we recommend that you review their privacy policies before submitting personal data to them.

C. General Purposes and Legal Bases

When we use the term “personal data”, we are referring to any information that can be used, directly or indirectly, to identify you personally. We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) if at least one of the following applies:

  1. Performance of Contractual or Pre-Contractual Measures. The data processing is needed for the performance of a contract to which you are party or in order to take the steps requested by you prior to entering into a contract (Art. 6 (1) lit. b GDPR). Data processing that falls under this category is done when requested by you and can include performing transactions, customer support, requirement analysis and processing your tax-related data needed for your tax declaration in order to fulfill our Service Agreement with you.
  2. Consent. Where you have agreed to the processing of your personal data for one or more specific purposes, such data processing by us is permitted on the legal basis of your consent (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR). Your consent is revocable at any time. Where you revoke your consent, we will not process your personal data on the basis of your consent following your revocation.
  3. Legitimate Interests. The data processing is needed for the purposes of the legitimate interests pursued by us, Taxfix, the controller, or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Art. 6 (1) lit. f GDPR). Data processing that falls under this category can include marketing or market and opinion analysis, ensuring IT security, assessment and optimization of processes, enforcement of claims or defenses in legal proceedings and developing our Services and App.
  4. Legal Compliance. The data processing is necessary for compliance with a legal obligation to which we are subject (Art. 6 (1) lit. c GDPR). We are subject to several legal obligations that necessitate certain data processing activities. This includes verification of your identity, prevention of fraud and upholding our control and reporting obligations.
  5. Processing on Behalf of Taxfix. In several instances, we engage service providers and processors to process personal data on our behalf under Art. 28 GDPR. The data processing that falls under this category is carried out pursuant to a separate agreement with the respective processor. We ensure that this agreement contains sufficient protection and guarantees for the protection of your personal data and your rights with respect to that data, in each case in compliance with the GDPR.

D. Personal Data We Collect and How We Process It

We process your personal data in order to provide you with our best Services. We collect your personal data either through your voluntary input or automatically when you use our App or visit our website (including through the use of tracking technologies, as discussed in our Cookie Policy). This section discusses the specific categories of personal data that we process.

  1. Device and Technical Data. Certain technical data is automatically collected and transmitted to us by your browser when you access our website. Such information includes data about your internet browser, operating system, IP address, time of the page request, referrer URL, device information, session information, size of the requested file and any status or error codes. The information is logged in server log files, which we process in order to ensure the functionality of our website, gather statistical information about the use and development of our website, and for general data security and error analysis purposes. With respect to ensuring the functionality of our website, the basis for our data processing is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measure). With respect to monitoring for data security and error analysis, the basis for our processing is Art. 6 (1) lit. f GDPR (i.e. legitimate interests).
  2. Registration Data. When you register to use our App, we collect certain personal information from you in order to determine whether our Services support your tax case. We collect this information by asking you about your relationship status, living situation, sources of income, alimony payments, foreign income and tax-relevant disability payments. During the registration process, we also ask you for your e-mail address (which we verify with you), your name, assign you a Taxfix user ID, process the time of your registration and your IP address, and ask you to take note of this Policy and our Terms and Conditions. The basis for our processing of your registration data as described in this section is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measures). Your registration data will be stored as long as your user account is still active and will be retained by us for an additional twelve months thereafter. Legal retention periods apply and remain unaffected.

    By clicking “Sign me up!”, you also consent to the processing of tax-sensitive data (such as information on denomination, health, membership of a trade union) as stated in this privacy policy in order to use the App and the Services (for calculating your tax refund, preparing and filing your tax return as well as retrieving the filed tax return (ELSTER PDF) and your electronic tax assessment as well as providing support).

    You may withdraw this consent at any time with effect for the future, but in case of such withdrawal, the Services can then no longer be used in full.

    Please note that we use technical services (e.g. servers) provided by Google. We pay careful attention to the highest technical security standards and all data is stored in Europe. For technical reasons, however, it may happen that the infrastructure is maintained or partly provided from the USA. As we process sensitive data, we strive for maximum transparency in this respect as well.

  3. Pre-fill Data. We offer the option to populate your tax return with certain pre-fill information that is electronically reported to tax authorities (namely by your employer and the relevant social security office) and stored with them. Upon receiving your request via the App to pull your pre-fill information, we ask the tax authorities to dispatch a letter to you containing a confirmation code, which you then input into the App. Once you have entered your confirmation code in the App, we securely retrieve via ELSTER your pre-fill information which is encrypted via in-transit encryption (SSL). You can find more information about ELSTER’s security and encryption methods here. Once we have received your pre-fill information from ELSTER, we store it in your Taxfix account on our servers, so that you can populate this data directly in your tax return. Our legal basis for processing your pre-fill data as described in this section is thus Art. 6 (1) lit. b GDPR (i.e. performance of a contract), and our legal basis for processing any sensitive personal data contained in your pre-fill information (such as on religious belief) is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). Taking into consideration the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your pre-fill data fully encrypted in our database located in Europe for a period of ten years following transmission to the tax authority.
  4. Tax Data. Following registration, you will be asked a series of questions through our App designed to capture the tax-relevant information needed to fill out your tax declaration digitally. These questions ask you for information about your name, employment status, address, religious affiliation, occupation, employer, income statements, secondary residence, competent tax office, tax identification number, training and education, business expenses, professional associations, income from capital assets and other income, insurance, medical expenses, survivorship, disability, parents, children or other dependents, donations, church tax, household expenses, alimony and tax loss carryforwards. As already mentioned, such tax-relevant information may include “sensitive personal data” such as data related to your health, religious affiliation or trade union membership, for which we need your consent to process in order to provide the Services, as this information is required to calculate your tax return amount. Your tax data is also stored in order to further streamline and simplify your declaration for next year. Our legal basis for processing your tax data as described in this section is thus Art. 6 (1) lit. b GDPR (i.e. performance of a contract), and our legal basis for processing any sensitive personal data is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). Taking into consideration the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your tax data fully encrypted in our database located in Europe for a period of ten years following transmission to the tax authority. After that the data is anonymized completely.
  5. Transaction Data. In order to submit the income tax return generated through the App to the tax office, you must enter into a Service Agreement with Taxfix in accordance with our Terms and Conditions. Pursuant to this Service Agreement, you may be required to pay a one-time submission fee with respect to each tax declaration submitted, depending on the amount of your calculated tax return. For users in Germany, the submission fee (if applicable) is payable by direct debit and is processed via our external payment service provider GoCardless Ltd. (Sutton Yard, 65 Goswell Road, London, EC1V 7EN, UK; “GoCardless”). GoCardless will receive your name and bank details in order to process payment and will notify us upon receipt of payment. We won’t store your payment information but we do process your transaction information (i.e. when you paid, when payment was processed and the amount of your payment) for reporting purposes for ten years in combination with your registration data. Our legal basis for processing your transaction data is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and our legal basis for its retention is Art. 6 (1) lit. c GDPR (i.e. compliance with our legal obligations (§ 257 HGB, § 147 AO, § 169 AO)) as we are required under applicable law to store relevant financial and accounting documents. Please note that we also use GoCardless for repayment and invoicing, and to handle relevant security and fraud prevention measures. For more information about GoCardless’s data processing, please refer to their privacy notice at https://gocardless.com/en-eu/legal/privacy/. Please note that you can exercise the rights described in section G, as applicable, directly against GoCardless.
  6. Identification. For legal reasons, we are required to confirm your identity as the filing taxpayer prior to final submission of your tax declaration. We verify your identity by having you submit a copy of your electronic wage statement or utility bill with your address listed on it. After we have confirmed your identity, you will have the opportunity to review your prepared tax return, confirm the accuracy of your details inputted and authorize us to submit the tax declaration to the tax office. For other legal reasons, we are obliged to be able to provide information on any person who has instructed a transfer of tax documents to the tax authorities. Thus, we are processing your identification data and storing it for the legally stipulated period of five years after the end of the year in which the documents were transmitted. Our legal basis for processing this data in order to verify your identity and your authorization of us is Art. 6 (1) lit. c GDPR (i.e. compliance with our legal obligations (§ 87d (2) AO)).
  7. ELSTER Data Processing. We submit your tax declaration using ELSTER, which is the software the tax authorities provide for purposes of processing electronic filings based on Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR. As the transmission of your tax declaration involves data privacy related obligations of the tax authorities, we are obliged to inform you of the following regarding ELSTER:

    “The ELSTER software is used to collect personal data within the meaning of Art. 4 (1) of the GDPR and Art. 9 (1) of the GDPR. In addition to the pure data required for tax assessments, the software collects information on the type of operating system of the user and transmits this to the tax authorities. This data is needed for ensuring the proper processing of the data and for preventing errors in such processing. The data is used in the context of Art. 6 (1) lit. e GDPR in conjunction with Art. 6 (3) lit. b GDPR in accordance with federal and state tax laws by the tax authorities and only for the purpose stated.”

    You can read more about the data processing that is done via ELSTER by the tax authorities in their informational brochure available here.

  8. ELSTER PDF. After your tax declaration is submitted to and received by the tax office, you can view the .pdf version of your tax declaration (“Elster PDF”) directly in the App when you are logged into your account. We process your Elster PDF for this purpose and store it as long as your user account is active. If you do not want your Elster PDF to be available to you in the App, you can let us know and we will delete this data (in which case you will no longer be able to retrieve your Elster PDF through us). Our legal basis for processing this information is Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. performance of a contract).
  9. Retrieval of Electronic Tax Assessment. We retrieve your electronic tax assessment via the ELSTER portal in order to provide you this information within the App, as well as for statistical and control purposes – namely, to assess any discrepancies between the amount of your refund as calculated using the App and as finally determined by the tax office in order to improve the Services and further refine the App. Our legal basis for processing this data is Art. 6 (1) lit. f GDPR (i.e. legitimate interests), Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). In addition, we may forward information about a tax refund to CB Bank GmbH, Gabelsbergerstraße 32, 94315 Straubing (“Partner Bank”), provided that you obtain a tax advance loan (see section 10 below). With the exception of the aforementioned transfer to the Partner Bank, this data will not be passed on to third parties and is kept fully encrypted in our database located in Europe. The storage and archiving of your electronic tax assessment is governed by sections D.2 and 4 above.
  10. Tax refund advance. Immediately before the tax return is sent to the tax office – provided that you meet certain conditions, in particular with regard to the expected amount of the tax refund – our App will inform you about the option of obtaining an advance financing of the tax refund payment calculated in the course of preparing the tax return. As part of such pre-financing, we act as a credit broker for our Partner Bank. The legal basis for this preliminary investigation is Art. 6 (1) lit. f GDPR (i.e. legitimate interest).

    If we then inform you via the app that you are eligible for a tax refund advance offer, you have the option of confirming by clicking the appropriate button that you are interested in a loan brokerage through us. If you confirm your interest in this way, this triggers the following further data processing by us:

    1. Credit check: We ask the credit agency Creditreform Boniversum GmbH, Hammfelddamm 13, 41460 Neuss (“Boniversum”) for certain identification and creditworthiness data. For this purpose, we will transmit your master and contact details (name, address, date of birth) to Boniversum. For the purpose of the credit check, Boniversum transmits the address and creditworthiness data stored about you in its database, including scores determined on the basis of mathematical-statistical methods, provided that we have credibly demonstrated our legitimate interest. When calculating the score, address data is also used, among other things. This procedure supports us with the loan brokerage and our partner bank with the loan decision. You can find more information about the activities and working methods of Boniversum in their data protection declaration at www.boniversum.de/EU-DSGVO. The legal basis for this data collection and processing by us is Article 6 (1) lit. b GDPR (implementation of pre-contractual measures upon your request).
    2. Review of sanction lists: As part of the loan brokerage process, we carry out the mandatory verification required by the lender to determine whether you are on a sanction list. For this we use the database of Sanction Scanner Ltd., 27 Old Gloucester Street, London WC1N 3AX, United Kingdom (“Sanction Scanner”). Sanction Scanner enables a direct comparison of your master and contact data with a current inventory of sanction lists. In this respect, Sanction Scanner acts as a processor. Your data will be compared with the lists of Sanction Scanner, which are stored on servers in the European Union. There is no storage of your data outside of our systems. Here, too, we act on the legal basis of Article 6 (1) lit. b GDPR, i.e. to carry out pre-contractual measures upon your request.
    3. Query of status as a “politically exposed person”: We will also ask you to submit a self-declaration via the app that you are not a politically exposed person (PeP), a family member of a PeP or a person known to be closely related to a PeP within the meaning of § 2 (12) through (14) of the German Anti-Money Laundering Act (GwG), if this is the case. Here, too, we act on the legal basis of Article 6 (1) (b) GDPR, i.e. to carry out pre-contractual measures upon your request.
    4. Initiation of bank identity verification via video identification: For the purpose of bank identity verification in accordance with anti-money laundering regulations, we will forward you from our App to a mobile app or web app of the third-party provider IDnow GmbH, Auenstrasse 100, 80469 Munich (“IDnow”). IDnow itself acts as a processor for the Partner Bank. Insofar as we forward your identity information to IDnow to initiate the process, we also act as a processor under the instructions and responsibility of the Partner Bank under data protection regulations. The Partner Bank acts in order to fulfill its legal obligation (in particular according to § 10 (1) no. 1 and 2 GwG) and thus on the legal basis of Art. 6 (1) lit. c GDPR.
    5. Obtaining a qualified electronic signature on the contract documents: We commission IDnow for this, and your digital signature on the loan brokerage agreement with us and on the loan documents with the Partner Bank is obtained via their mobile app or web app. Insofar as we disclose the relevant contract documents and your personal data to IDnow and obtain a qualified electronic signature, this is done on the legal basis of Art. 6 (1) lit. b GDPR (enabling the conclusion of a contract).
    6. Forwarding of the credit-relevant data and credit documents to the Partner Bank: This is also done on the legal basis of Art. 6 (1) lit. b GDPR because it enables us to fulfill our tasks from the credit brokerage contract with you.
    7. Processing of data from the current credit relationship: After the loan has been paid out to you, we receive information on your current credit relationship from the Partner Bank on a daily basis (e.g. account number, amount of outstanding credit, duration and due date of the credit, any instructions regarding the repayment and status of your tax refund payment), as well as your contact details with the Partner Bank. We process this data to support the Partner Bank with ongoing customer service and loan servicing. Here we act as a data processor for the Partner Bank. The Partner Bank relies on Art. 6 (1) lit. b GDPR (fulfillment of obligations from the credit agreement).
    8. We may also forward information about a tax refund to the Partner Bank. This serves the purpose of administrating the loan agreement by the Partner Bank. The Partner Bank processes this data on the basis of Art. 6 (1) lit. b GDPR (i.e. to fulfill the agreement). This forwarding by us to the Partner Bank represents data processing on behalf of the Partner Bank as its data processor.
    9. The storage and archiving of your tax-relevant data is based on Sections D.2 and 4.
  11. Support. If you have any questions about our Services, reach out to our customer support team! You can reach support by clicking “Contact our Support Team” in your account settings. We can’t provide you with any tax advice (so please contact a tax advisor with any tax-related questions), but we’re here to answer any questions you have about how to use the App, registration, errors or bugs in the App, etc. If your App crashes, you can elect to send us a complete error log, containing both technical information and any sensitive tax data that may have been entered, in which case you consent to the transmission of such data in order for us to most effectively troubleshoot any problems. The error log and support requests are saved to your user account. Of course you have the possibility to delete saved error logs. An error log will be deleted or completely anonymized at the latest 12 months after transmission. Our legal basis for processing error logs is Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent) and our legal basis for processing your other support requests is Art. 6 (1) lit. b GDPR (i.e. performance of a contract). To handle customer inquiries, we use a ticket system and customer service platform provided by Intercom, Inc. (55 2nd Street, 4th Floor, San Francisco, CA 94105 USA; “Intercom”). For more information about Intercom’s data processing, please refer to their privacy notice at https://www.intercom.com/terms-and-policies#privacy. We have in place a Data Processing Addendum with Intercom to ensure that the processing of your data is conducted in accordance with applicable law.
  12. Marketing and Communications Data. If you have used the Services previously or if you have subscribed to receive marketing materials from us, we or our service providers acting on our behalf may send you certain marketing e-mails including for example newsletters, customer satisfaction or review surveys, information about updates to our Services or special offers from us. Our legal basis for processing this data is Art. 6 (1) lit. f GDPR (i.e. legitimate interests). If you do not wish to receive any marketing e-mails from us, you can opt-out anytime by using the “unsubscribe” link in any e-mail we send you or by sending us an e-mail at [email protected].

E. Tracking Technologies

  1. Security Measures. We maintain state-of-the-art technical measures to secure your personal data from accidental loss and from unauthorized access, use, alteration and disclosure. All transactions, regardless of their nature, are encrypted using SSL technology. The information you provide to us is generally stored in a computer center located in Europe in accordance with high security standards and is encrypted (AES-256-CTR). Our data center is equipped with state-of-the-art technical security measures and is certified in accordance with ISO 27018 standards and guidelines. We carefully select and regularly monitor our service providers, who are instructed by us and required to ensure that any data processing including transfers to third countries is subject to stringent technical security measures compliant with European standards. Furthermore, our Information Security Management System is ISO/IEC 27001 certified.
  2. PIN Protection. You can protect access to the App on your device with a PIN code. You can change your PIN at any time in the account settings in the App. Where you have chosen a PIN code for access to the App, you are responsible for keeping this confidential and we ask you not to share it with anyone. Please note that your PIN is unique to your browser session and/or mobile device. If you wish to access your account from a new mobile device or in a new browser session, you will be asked to verify your email address and you will be sent an additional security access code in order to do so.

F. External Transfers

  1. Transfers to Third Parties. As mentioned elsewhere in this Privacy Policy, in order to provide the Services, we transfer your data to the tax authorities upon your request and in certain cases, to our third-party service providers, including our hosting providers, payment providers, IT service and development providers. Your personal data will only be passed on or transmitted to third parties insofar as is necessary for our contract with you, if we have a legitimate interest, if you have given your consent, or insofar as we are legally required to do so. Our service providers receive personal data solely for the performance of their services for us and are contractually obliged not to use personal data for other purposes.
  2. Transfers to Third Countries. Should any processing of your data take place outside of the EU, this will be done in compliance with Art. 44 GDPR – namely, on the basis of an appropriate transfer mechanism (e.g. standard contractual clauses in the respective data processing agreement with the relevant third party).

G. Your Rights Under the GDPR

  1. Data Subject Rights. As the data subject, you have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure of your personal data (Art. 17 GDPR), the right to restriction of processing of your personal data (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). Please note that the restrictions of Sections 34 and 35 BDSG apply to your right of access and erasure. You also have the option to file a complaint against the processing of your personal data with the competent supervisory authority, which in this case is Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin.
  2. Right of Revocation. If you have given your consent to the processing of your data, you can revoke your given consent at any time pursuant to Art. 7 (3) GDPR and we will no longer continue any such processing that is based on your consent moving forward. Note that such revocation will not affect the legality of any processing carried out on the basis of your consent up to the point of revocation.
  3. Right to Object. You can object to the processing of your personal data insofar as we base such processing on the balance of legitimate interests under Art. 6 (1) lit. f GDPR. This is the case in particular if the processing is not necessary for the fulfillment of a contractual obligation or for compliance with our legal obligations. In case you wish to object, we kindly ask you to provide an explanation of the reasons for the objection against the processing of your personal data, so that we may examine and assess the situation, and either discontinue or adapt the data processing, or point out to you our compelling legitimate reasons based on which we continue the processing of your data. You may, of course, object to data processing for the purposes of advertising or direct marketing at any time. In this case, please send a message to [email protected].

H. Amendments

We keep this Privacy Policy under regular review and reserve the right to make changes to this Privacy Policy. If we do amend this Privacy Policy, these changes will be posted on this page and, where appropriate, notified to you by e-mail or when you start the App to use our Services. You may be required to read and acknowledge the changes in order to continue your use of the App or our Services. You can view the current version of this Privacy Policy at any time in your account settings in the App.

It is very important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

Version: 4.0 / Last Update: April 2021