Taxfix Website Privacy Policy

Last updated: March 2020

Taxfix GmbH (“Taxfix”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. As part of our mission to simplify the tax filing system for our users (“you” or “your”), it’s important to us that you feel comfortable and trust us with your personal data when you use our services (collectively, the “Services”). Please take a few minutes to read this privacy policy (this “Privacy Policy”), which applies to your use of our website www.taxfix.de and the Services accessible through our website (the “App”), so that you understand what kind of information we collect about you, how we use that information and why. This Privacy Policy also explains what kind of rights you have regarding our processing of your data.

A. Contact

As the provider of the Taxfix Services, we are responsible for the processing of your personal data, as defined in the EU General Data Protection Regulation (“GDPR”). Our contact details are as follows:

Taxfix GmbH
Karl-Liebknecht-Str. 34
10178 Berlin
privacy@taxfix.de
(T) +49 30 92106949

You can reach our data protection team at the e-mail address above. In addition, we have appointed a Data Protection Officer (“DPO”) who acts on behalf of Taxfix in supporting our compliance efforts in relation to the processing of personal data. Our DPO can be reached at the above postal address (Attn: DPO).

B. Third Party Links

Our website may, from time to time, contain links to or from partner websites or other third-party sites. These sites and any services that may be accessible through them have their own privacy policies. As we are not responsible for the privacy practices of these sites, we recommend that you review their privacy policies before submitting personal data to them.

C. General Purposes and Legal Bases

When we use the term “personal data”, we are referring to any information that can be used, directly or indirectly, to identify you personally. We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) if at least one of the following applies:

  1. Performance of Contractual or Pre-Contractual Measures. The data processing is needed for the performance of a contract to which you are party or in order to take the steps requested by you prior to entering into a contract (Art. 6 (1) lit. b GDPR). Data processing that falls under this category is done when requested by you and can include performing transactions, customer support, requirement analysis and processing your tax-related data needed for your tax declaration in order to fulfill our Service Agreement with you.
  2. Consent. Where you have agreed to the processing of your personal data for one or more specific purposes, such data processing by us is permitted on the legal basis of your consent (Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR). Your consent is revocable at any time. Where you revoke your consent, we will not process your personal data on the basis of your consent following your revocation.
  3. Legitimate Interests. The data processing is needed for the purposes of the legitimate interests pursued by us Taxfix, the controller, or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Art. 6 (1) lit. f GDPR). Data processing that falls under this category can include marketing or market and opinion analysis, ensuring IT security, assessment and optimization of processes, enforcement of claims or defenses in legal proceedings and developing our Services and App.
  4. Legal Compliance. The data processing is necessary for compliance with a legal obligation to which we are subject (Art. 6 (1) lit. c GDPR). We are subject to several legal obligations that necessitate certain data processing activities. This includes verification of your identity, prevention of fraud and upholding our control and reporting obligations.
  5. Processing on Behalf of Taxfix. In several instances, we engage service providers and processors to process personal data on our behalf under Art. 28 GDPR. The data processing that falls under this category is carried out pursuant to a separate agreement with the respective processor. We ensure that this agreement contains sufficient protection and guarantees for the protection of your personal data and your rights with respect to that data, in each case in compliance with the GDPR.

D. Personal Data We Collect and How We Process It

We process your personal data in order to provide you with our best Services. We collect your personal data either through your voluntary input or automatically when you user our App or visit our website (including through the use of tacking technologies, as discussed in Tracking Technologies in Section E). This section discusses the specific categories of personal data that we process.

  1. Device and Technical Data. Certain technical data is automatically collected and transmitted to us by your browser when you access our website. Such information includes data about your internet browser, operating system, IP address, time of the page request, referrer URL, device information, session information, size of the requested file and any status or error codes. The information is logged in server log files, which we process in order to ensure the functionality of our website, gather statistical information about the use and development of our website, and for general data security and error analysis purposes. With respect to ensuring the functionality of our website, the basis for our data processing is Art. 6 (1) lit. b GDPR (i.e. contractual or pre-contractual measure). With respect to monitoring for data security and error analysis, the basis for our processing is Art. 6 (1) lit. f GDPR (i.e. legitimate interests).
  2. Registration Data. When you register to use our App, we collect certain personal information from you in order to determine whether our Services support your tax case. We collect this information by asking you about your relationship status, living situation, sources of income, alimony payments, foreign income and tax-relevant disability payments. During the registration process, we also ask you for your e-mail address (which we verify with you), your name, assign you a Taxfix user ID, process the time of your registration and your IP address, and ask you to take note of this Policy and our Terms and Conditions. The basis for our processing of your registration data as described in this section is Art. 6 (1) lit. b GDPR. (i.e. contractual or pre-contractual measures). Your registration data will be stored as long as your user account is still active and will be retained by us for an additional twelve months thereafter. Legal retention periods apply and remain unaffected.

    By clicking “Sign me up!”, you also consent to the processing of tax-sensitive data (such as information on denomination, health, membership of a trade union) as stated in this privacy policy in order to use the App and the Services (for calculating your tax refund, preparing and filing your tax return as well as retrieving the filed tax return (ELSTER PDF) and your electronic tax assessment as well as providing support).

    You may withdraw this consent at any time with effect for the future, but in case of such withdrawal, the Services can then no longer be used in full.

    Please note that we use technical services (e.g. servers) provided by Google LLC. We pay careful attention to the highest technical security standards and all data is stored in Europe. For technical reasons, however, it may happen that the infrastructure is maintained or partly provided from the USA. As we process sensitive data, we strive for maximum transparency in this respect as well.

  3. Tax Data. Following registration, you will be asked a series of questions through our App designed to capture the tax-relevant information needed to fill out your tax declaration digitally. These questions ask you for information about your name, employment status, address, religious affiliation, occupation, employer, income statements, secondary residence, competent tax office, tax identification number, training and education, business expenses, professional associations, income from capital asset and other income, insurance, medical expenses, survivorship, disability, parents, children or other dependents, donations, church tax, household expenses, alimony and tax loss carryforwards. As already mentioned, such tax-relevant information may include “sensitive personal data” such as data related to your health, religious affiliation or trade union membership, for which we need your consent to process in order to provide the Services, as this information is required to calculate your tax return amount. Your tax data is also stored in order to further streamline and simplify your declaration for next year. Our legal basis for processing your tax data as described in this section is thus Art. 6 (1) lit. b GDPR (i.e. performance of a contract), and our legal basis for processing any sensitive personal data is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). Taking into consideration the statutory deadlines for filing your tax return (§ 46 II No. 8 EStG, § 169 II No. 2 AO), we store your tax data fully encrypted in our database located in Europe for a period of ten years following transmission to the tax authority. After that the data is anonymized completely.
  4. Transaction Data. In order to submit the income tax return generated through the App to the tax office, you must enter into a Service Agreement with Taxfix in accordance with our Terms and Conditions. Pursuant to this Service Agreement, you may be required to pay a one-time submission fee with respect to each tax declaration submitted, depending on the amount of your calculated tax return. For users in Germany, the submission fee (if applicable) is payable by direct debit and is processed via our external payment service provider GoCardless Ltd. (Sutton Yard, 65 Goswell Road, London, EC1V 7EN, UK; “GoCardless”). GoCardless will receive your name and bank details in order to process payment and will notify us upon receipt of payment. We won’t store your payment information but we do process your transaction information (i.e. when you paid, when payment was processed and the amount of your payment) for reporting purposes for ten years in combination with your registration data. Our legal basis for processing your transaction data is Art. 6 (1) lit. b GDPR (i.e. performance of a contract) and our legal basis for its retention is Art. 6 (1) lit. c GDPR (i.e. compliance with our legal obligations (§ 257 HGB, § 147 AO, § 169 AO)) as we are required under applicable law to store relevant financial and accounting documents. Please note that we also use GoCardless for repayment and invoicing, and to handle relevant security and fraud prevention measures. For more information about GoCardless’s data processing, please refer to their privacy notice at https://gocardless.com/en-eu/legal/privacy/. Please note that you can exercise the rights described in section H, as applicable, directly against GoCardless.
  5. Identification. For legal reasons, we are required to confirm your identity as the filing taxpayer prior to final submission of your tax declaration. We verify your identity by having you submit a copy of your electronic wage statement or utility bill with your address listed on it. After we have confirmed your identity, you will have the opportunity to review your prepared tax return, confirm the accuracy of your details inputted and authorize us to submit the tax declaration to the tax office. For other legal reasons, we are obliged to be able to provide information on any person who has instructed a transfer of tax documents to the tax authorities. Thus, we are processing your identification data and storing it for the legally stipulated period of five years after the end of the year in which the documents were transmitted in order to verify your identity and your authorization of us is Art. 6 (1) lit. c GDPR (i.e. compliance with our legal obligations (§ 87d (2) AO)).
  6. ELSTER Data Processing. We submit your tax declaration using ELSTER, which is the software the tax authorities provide for purposes of processing electronic filings based on Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR. As the transmission of your tax declaration involves data privacy related obligations of the tax authorities, we are obliged to inform you of the following regarding ELSTER:

    “The ELSTER software is used to collect personal data within the meaning of Art. 4 (1) of the GDPR and Art. 9 (1) of the GDPR. In addition to the pure data required for tax assessments, the software collects information on the type of operating system of the user and transmits this to the tax authorities. This data is needed for ensuring the proper processing of the data and for preventing errors in such processing. The data is used in the context of Art. 6 (1) lit. e GDPR in conjunction with Art. 6 (3) lit. b GDPR in accordance with federal and state tax laws by the tax authorities and only for the purpose stated.”

    You can read more about the data processing that is done via ELSTER by the tax authorities in their informational brochure available here.

  7. ELSTER PDF. After your tax declaration is submitted to and received by the tax office, you can view the .pdf version of your tax declaration (“Elster PDF”) directly in the App when you are logged into your account. We process your Elster PDF for this purpose and store it as long as your user account is active. If you do not want your Elster PDF to be available to you in the App, you can let us know and we will delete this data (in which case you will no longer be able to retrieve your Elster PDF through us). Our legal basis for processing this information is Art. 6 (1) lit. b, Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. performance of a contract).
  8. Retrieval of Electronic Tax Assessment. We retrieve your electronic tax assessment via the ELSTER portal for statistical and control purposes – namely, to assess any discrepancies between the amount of your refund as calculated using the App and as finally determined by the tax office in order to improve the Services and further refine the App. This data will not be passed on to any third parties and is kept fully encrypted in our database located in Europe. Our legal basis for processing this data is Art. 6 (1) lit. f GDPR (i.e. legitimate interests), Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent). The storage and archiving of your electronic tax assessment is governed by Sections 2 and 3 above.
  9. Support. If you have any questions about our Services, reach out to our customer support team! You can reach support by clicking “Contact our Support Team” in your account settings. We can’t provide you with any tax advice (so please contact a tax advisor with any tax-related questions), but we’re here to answer any questions you have about how to use the App, registration, errors or bugs in the App, etc. If your App crashes, you can elect to send us a complete error log, containing both technical information and any sensitive tax data that may have been entered, in which case you consent to the transmission of such data in order for us to most effectively trouble any problems. The error log and support requests are saved to your user account. Of course you have the possibility to delete saved error logs. An error log will be deleted or completely anonymized at the latest 12 months after transmission. Our legal basis for processing error logs is Art. 6 (1) lit. a, Art. 9 (2) lit. a GDPR (i.e. consent) and our legal basis for processing your other support requests is Art. 6 (1) lit. b GDPR (i.e. performance of a contract). To handle customer inquiries, we use a ticket system and customer service platform provided by Intercom, Inc. (55 2nd Street, 4th Floor, San Francisco, CA 94105 USA; “Intercom”). Intercom is certified under the US-EU Privacy Shield. For more information about Intercom’s data processing, please refer to their privacy notice at https://www.intercom.com/terms-and-policies#privacy. We have in place a Data Processing Addendum with Intercom to ensure that the processing of your data is conducted in accordance with applicable law.
  10. Marketing and Communications Data. If you have used the Services previously or if you have subscribed to our newsletter via our website, we may send you certain marketing e-mails including information about updates to our Services or special offers from us. Our legal basis for processing this data is Art. 6 (1) lit. f GDPR (i.e. legitimate interests) for existing customers and Art. 6 (1) lit. a GDPR (i.e. consent) for newsletter subscribers. If you do not wish to receive any marketing e-mails from us, you can opt-out anytime by using the “unsubscribe” link in any e-mail we send you or by sending us an e-mail at privacy@taxfix.de.

E. Tracking Technologies

Like many companies, we, along with our advertising partners and vendors, use cookies and similar tracking technologies when you use our Services, access our website or engage with our online ads. Cookies are small pieces of text used to store information in order to allow for re-identification of your device. Other technologies, including data we store on your web browser or device, identifiers associated with your device, and other tracking software, are used for similar purposes. In this Privacy Policy, we refer to all of these technologies as “cookies”. There are essentially two types of cookies – first-party and third-party cookies. First-party cookies are used and controlled by us to provide the Services. Third-party cookies are controlled by third parties.

  1. First-Party Cookies. We use first-party cookies to provide, protect and improve our Services, such as by personalizing content, tailoring and measuring ads and providing a optimized user experience. For example, we use certain cookies that are needed for the operation of our App, such as for authentication when you log in to your account. We also use analytical or performance cookies to recognize and count the number of users on the App or our website. We may use functionality-related cookies to tell us, for example, whether you have used the Services before, or to remember your language preferences or even where you left off in the App in your last session. In some cases, we may share limited activity data about you with third parties (such as whether you have registered for the Services), in order to optimize our marketing efforts. The legal basis for the processing is Art. 6 (1) lit. f GDPR.
  2. Third-Party Cookies. We engage certain service providers for website analysis, advertising and conversion tracking. These providers may use cookies or other tracking technologies to help us analyze how you use our Services and to market and advertise our Services on third party websites. Some of these entities might combine information they collect from our Services with other information that they have independently gathered relating to your browsing activities across their network of websites, and may also provide you targeted ads based upon your interests on third party sites. These companies process this information under their own privacy policies and are responsible for their own processing activities. The legal basis for the processing is Art. 6 (1) lit. f GDPR.
  3. Tracking Tools. The following table sets out details of the tools we use that utilize cookies and other tracking technologies:
Party
Contact
Service
Privacy Information
Adcolony
Adcolony Inc. 11400 W. Olympic Blvd., 12th floor Los Angeles, CA 90064
Advertising
https://www.adcolony.com/privacy-policy/EU-US Privacy Shield Certified
AWIN
AWIN AG Eichhornstrasse 3, 10785 Berlin Germany
Advertising
https://www.awin.com/de/rechtliches
DoubleClick
Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland
Advertising; conversion tracking
http://www.google.com/policies/privacy/
Facebook
Facebook Ireland Ltd. 4 Grand Canal Square Grand Canal Harbour Dublin 2 Ireland
Social
https://www.facebook.com/about/privacy/https://www.facebook.com/policies/cookies/
Facebook Ads
Facebook Ireland Ltd. 4 Grand Canal Square Grand Canal Harbour Dublin 2 Ireland
Advertising; conversion tracking
https://www.facebook.com/about/privacy/https://www.facebook.com/policies/cookies/
Persona.Ly
O.P Vision LTD Meir Weissgal Rd. 2, Rehovot, Israel
Advertising
http://persona.ly/privacy_dsp
Google Ads
Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland
Advertising; conversion tracking
http://www.google.com/policies/privacy/
Google Analytics
Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland
Analytics for display advertisers, in-app analytics, conversion tracking
http://www.google.com/policies/privacy/https://support.google.com/analytics/answer/6004245?hl=en
Google Tag Manager
Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland
Tag manager
http://www.google.com/policies/privacy/
Hotjar
Hotjar Ltd., St. Julian's Business Center, Elia Zammit Street 3, St Julian's STJ 1000
In-app analytics
https://www.hotjar.com/privacy
Immonet
Immowelt Hamburg GmbH Spaldingstr. 64 20097 Hamburg Deutschland
Advertising
https://www.immonet.de/datenschutz
LinkedIn
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Social
https://www.linkedin.com/legal/privacy-policyEU-US Privacy Shield Certified
Mixpanel
Mixpanel, Inc. 405 Howard St., 2nd Floor, San Francisco, CA 94105
In-app analytics
https://mixpanel.com/legal/privacy-policy/EU-US Privacy Shield Certified
Outbrain
Outbrain Inc. 39 West 13th Street, 3rd floor, New York, NY 10011
Advertising
https://www.outbrain.com/en/legal/privacyEU-US Privacy Shield Certified
Pinterest
Pinterest Inc. 651 Brannan Street, San Francisco, CA 94107
Social
https://policy.pinterest.com/en/privacy-policy
Segment
Segment.io, Inc. 100 California Street, Suite 700 San Francisco, CA 94111
API connector for analytics, data warehousing and marketing
https://segment.com/docs/legal/privacy/EU-US Privacy Shield Certified
Snapchat
Snap Inc. 63 Market Street, Venice, CA 90291
Social
https://www.snap.com/en-US/privacy/privacy-policy/EU-US Privacy Shield Certified
Taboola
Taboola, Inc. 16 Madison Square West 7th Floor New York, New York 10010
Advertising
https://www.taboola.com/privacy-policy
Twitter
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland
Social
https://twitter.com/de/privacy

4. Disabling Tracking. In many cases, you can manage your cookie preferences and opt-out of having third-party cookies and other data collection technologies used by adjusting the settings on your browser. However, please note that if you choose to remove or reject cookies, this could affect the features and functionality of the App.

F. How We Protect Your Data

  1. Security Measures. We maintain state-of-the-art technical measures to secure your personal data from accidental loss and from unauthorized access, use, alteration and disclosure. All transactions, regardless of their nature, are encrypted using SSL technology. The information you provide to us is generally stored in a computer center located in Europe in accordance with high security standards and is encrypted (AES-256-CTR). Our data center is equipped with state-of-the-art technical security measures and is certified in accordance with ISO 27018 standards and guidelines. We carefully select and regularly monitor our service providers, who are instructed by us and required to ensure that any data processing including transfers to third countries is subject to stringent technical security measures compliant with European standards.
  2. PIN Protection. You can protect access to the App on your device with a PIN code. You can change your PIN at any time in the account settings in the App. Where you have chosen a PIN code for access to the App, you are responsible for keeping this confidential and we ask you not to share it with anyone. Please note that your PIN is unique to your browser session and/or mobile device. If you wish to access your account from a new mobile device or in a new browser session, you will be asked to verify your email address and you will be sent an additional security access code in order to do so.

G. External Transfers

  1. Transfers to Third Parties. As mentioned elsewhere in this Privacy Policy, in order to provide the Services, we transfer your data to the tax authorities upon your request and in certain cases, to our third-party service providers, including our hosting providers, payment providers, IT service and development providers. Your personal data will only be passed on or transmitted to third parties insofar as is necessary for our contract with you, if we have a legitimate interest, if you have given your consent, or insofar as we are legally required to do so. Our service providers receive personal data solely for the performance of their services for us and are contractually obliged not to use personal data for other purposes.
  2. Transfers to Third Countries. Should any processing of your data take place outside of the EU, this will be done in compliance with Art. 44 GDPR – namely, on the basis of certain guarantees (e.g. standard contractual clauses in the respective data processing agreement with the relevant third party) or under the EU-U.S. Privacy Shield Framework.

H. Your Rights Under the GDPR

  1. Data Subject Rights. As the data subject, you have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure of your personal data (Art. 17 GDPR), the right to restriction of processing of your personal data (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). Please note, that the restrictions of Sections 34 and 35 BDSG apply to your right of access and erasure. You also have the option to file a complaint against the processing of your personal data with the competent supervisory authority, which in this case is Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin.
  2. Right of Revocation. If you have given your consent to the processing of your data, you can revoke your given consent at any time pursuant to Art. 7 (3) GDPR and we will no longer continue any such processing that is based on your consent moving forward. Note that such revocation will not affect the legality of any processing carried out on the basis of your consent up to the point of revocation.
  3. Right to Object. You can object to the processing of your personal data insofar as we base such processing on the balance of legitimate interests under Art. 6 (1) lit. f GDPR. This is the case in particular if the processing is not necessary for the fulfillment of a contractual obligation or for compliance with our legal obligations. In case you wish to object, we kindly ask you to provide an explanation of the reasons for the objection against the processing of your personal data, so that we may examine and assess the situation, and either discontinue or adapt the data processing, or point out to you our compelling legitimate reasons based on which we continue the processing of your data. You may, of course, object to data processing for the purposes of advertising or direct marketing at any time. In this case, please send a message to privacy@taxfix.de.

I. Amendments

We keep this Privacy Policy under regular review and reserve the right to make changes to this Privacy Policy. If we do amend this Privacy Policy, these changes will be posted on this page and, where appropriate, notified to you by e-mail or when you start the App to use our Services. You may be required to read and acknowledge the changes in order to continue your use of the App or our Services. You can view the current version of this Privacy Policy at any time in your account settings in the App.

It is very important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.