Last update: May 2018
This privacy statement informs you of the purposes for which we collect, process and use personal data when you use the app provided by Taxfix GmbH (hereinafter the ‚Taxfix app‘).
1. Point of contact
The provider of the Taxfix app is Taxfix GmbH, Schwedter Straße 36A, 10435 Berlin (hereinafter: “Taxfix” or “we”). Taxfix is also responsible for the collection, processing and use of personal data of users of the Taxfix app (hereinafter “you”) within the meaning of the EU Data Protection Ordinance (DSGVO).
You can reach us by phone at +49 30 92106949
or by e-mail: firstname.lastname@example.org
For all questions regarding data protection in connection with the use of our Taxfix app, you can also contact our data protection officer at any time. This can be reached at the above postal address as well as at the previously given e-mail address.
2. Taxfix data protection principles
The protection and safe processing of your data is of utmost importance to us. We are fully aware of the highly sensitive nature of your tax related data and therefore comply strictly with any and all provisions of the European and German data protection law.
The data you supply remains your data. Without your consent we will not use your data for other purposes than the ones stated in this privacy statement nor pass it on to third parties.
The tax information you provide remains your data. We will only process your data for the purposes described in this data protection declaration.
If you provide us with tax information in the context of the app, we will only process and use it to provide you with the services described in the General Terms and Conditions in more detail, such as the preparation and, if necessary, submission of the tax return (hereinafter collectively referred to as “Taxfix Services”), to invoice these services in the case of chargeable services and to make the use of the Taxfix app more convenient and secure or to fulfil our statutory obligations if applicable.
- We strive to implement processing of your data in a way that is both data-minimizing and safe. Therefore, we strictly utilize current methods of encryption and limit the amount of data collected and transmitted to a minimum. Where technically possible your data is processed directly on your mobile device. Only the information required for the submission of your tax return is transmitted to us using encryption. Thus, your sign-up information is transmitted to us while your tax related data is processed directly on your device. Transmission of the latter occurs only in case you opt to submit your tax return. Your tax related data is then encrypted using sophisticated encryption methods and only then saved by us. The submission of your tax return to the tax office is done using encrypted connections as well.
3. Data processing when using our app
Download from an App Store. In order to download and install our app from an app store (Google Play, Apple AppStore), you must first register a user account with the provider of the respective app store and conclude an appropriate user contract. We have no influence on its content, in particular we are not a party to such a contract of use. When downloading and installing the app, the necessary information is transferred to the respective provider of the app store (Google or Apple), in particular your user name, your e-mail address and the customer number of your account, the time of download and the individual device identification number as well as, in the case of in-app purchases, payment information. We have no influence on this data collection and are not responsible for it. We only process the data provided if this is necessary for downloading and installing the app on your mobile device (e.g. iPhone, iPad or Android device). Beyond that, this data is no longer stored.
Using the app. When using the app we collect the following technical data in order to enable the various functions of the app. This data is automatically collected from your mobile device and transmitted to us when you use the app (said data is collectively referred to as user data henceforth):
– Your device name (for example Apple iPhone 7)
– Operating system and version
– App version
– System language configuration
– General device data, such as language and regional settings
– IP address of the mobile device
– Date and time of use
– Application ID to identify your App installation
In order to improve the app we receive error messages following a crash (i.e. after the app was unexpectedly terminated following a program error or the app freezes). The error messages do not contain personal data. Instead they merely contain the aforementioned technical device information as well as informational to which part of the software code caused the error.
The usage data are logged in internal log files for a period of three months after the end of the respective access and subsequently made anonymous.
We use the usage data and, if applicable, the error messages to enable the app to function and to detect and eliminate any security risks or malfunctions and to ensure the stability of our systems. The legal basis for this data processing is Art. 6 para. 1 lit. b DSGVO, insofar as this concerns the provision of app functions and Art. 6 para. 1 lit. f DSGVO, according to which data processing is permissible for the protection of legitimate interests, insofar as this concerns the collection and further processing of data in internal log files. Our legitimate interests are to ensure app functionality, error detection and correction, and early detection and defense against cyber attacks.
Sign-up. When first launching the app, an introduction asks for your marital status, living situation, sources of income, whether alimony payments were made and whether you lived or had any income from abroad . You are also asked about any disabilities that may be relevant for tax purposes. We require this data in order to determine whether the Taxfix app is suitable for generating your tax return. We furthermore ask for your email address to set up your user account and possibly contact you. We require this to send you the documents and a copy of your tax return if you so wish. This data is collectively referred to as ‘Sign-Up data‘ henceforth.
You are then provided the opportunity to restrict access to the app from your device by way of a PIN code. If you are in possession of a suitable mobile device you may optionally use the intrasystem iOS function Touch ID in order to enable access to the app via fingerprint. Your fingerprint is not transmitted to Taxfix. Touch ID is configured to save your fingerprint exclusively on your device. Further information can be obtained via Apple’s information on Touch ID.The Touch ID function is designed so that your fingerprint is only stored on your device. For more information, see Apple’s Touch ID information. Newer Apple devices allow unlocking via the so-called Face ID. Also the Face ID data always remain on your device and are not transmitted to Taxfix. For more information, please refer to Apple’s Face ID information.
We use your Sign-Up data to create a Taxfix user account for you. We make use of technical services (e.g. servers) by Google Inc.. We strive to make sure that only the highest security standards are used and that data is principally stored in Europe (see point 7 for details). Due to technical reasons infrastructure may nonetheless be serviced out of the USA. Since we process sensitive data we strive for the highest transparency in this regard.
I consent to Taxfix also collecting and processing any sensitive tax-relevant information on confession, health and, for example, membership of a trade union as above in order to be able to offer the Taxfix service. I can revoke this consent at any time for the future, but then the Taxfix service can no longer be used in full.
In order to verify your email account we will send you a confirmation email containing a corresponding confirmation link. Your sign-up is complete as soon as you verified your email address. You may change your PIN at any time by going to your account settings in the app.
The registration data will be stored for as long as the Taxfix user account exists and will be kept for another twelve months after the account is closed. Where information on payments made must be retained for accounting purposes, it shall be retained in connection with the registration data for a period of six years. The legal basis for this storage is Art. 6 para. 1 lit. c DSGVO in conjunction with § 257 HGB and § 147 AO.
Entering tax informationThe app collects tax relevant data (referred to as ‚tax information‘ henceforth) via the question catalogue. It includes information on title, name, first name, marital status, employment, address, religious affiliation, occupation, employer, information from the annual wage tax statement or the most recent payroll, second household, responsible tax office, Tax identification number, education and vocational training, expenses for work equipment, job applications and professional associations, income from capital assets (if a bank statement is available), other income including income from sale of commodities but excluding income from pension schemes, insurance schemes of the user for themselves, their children or third parties, health expenses, whether the user is a surviving dependant, disabilities, nursed persons, personal information on children living in the same household (including costs, information on disabilities and whether they are surviving dependants), parents or other persons, donations, church tax, household expenses, expenses from pension schemes, permanent expenses or alimony paid to third parties and loss carryforward. The tax information can include particularly sensitive personal data on health, possible nursing costs, information on religious affiliation with regard to the church tax paid or information on trade union membership if these are relevant in each case. We explicitly point out that we process this tax information for provision of the Taxfix service exclusively. In order to provide the service we are required to utilize service providers as mentioned above.
The tax information is principally processed directly on the mobile device and is only transmitted to us to the extent that is necessary. If for example data is in some cases not relevant for income tax purposes because certain limits are not met or exceeded, this data is not processed any further. After entering all tax information the app works out the tax load or the expected tax refund.
We use the tax information to provide the Taxfix services and to execute the relevant contract. The legal basis for this data processing is Art. 6 para. 1 lit. b DSGVO.
With regard to the above consent to the processing of sensitive tax-relevant data including information on religion, health or trade union membership, the legal basis is your consent pursuant to Art. 6 para. 1 lit. b DSGVO in connection with. Art. 9 para. 2 lit. a DSGVO.
We store the tax data transferred to us completely encrypted for a period of 60 months after submission of the tax return, taking into account the deadlines for submitting tax returns in accordance with § 46 II No. 8 EStG in conjunction with § 169 II No. 2 AO. The data will then be made anonymous.
Submission of the tax return. In order to submit the completed income tax return documents to the tax office a service contract with Taxfix needs to be concluded. Details concerning this can be found in the Terms of Service. The respective payment is, however made via in-app payment. Payment information is saved by Apple and Google exclusively. Taxfix does not acquire payment information and thus cannot save such information either. Taxfix only saves the incoming payment in connection with the Taxfix user account in order to be able to assign incoming payments. Information on payments made will be kept for six years for accounting purposes in connection with the registration data. The legal basis for this storage is Art. 6 para. 1 lit. c DSGVO in conjunction with § 257 HGB and § 147 AO.
Tax returns received by the tax office (Elster PDF) are displayed to the user in the app and stored for this purpose by us in connection with your Taxfix user account for as long as the Taxfix user account exists or you separately request the deletion of the PDF. In this case, however, the relevant PDFs can no longer be displayed in the app. The legal basis for this data processing is Art. 6 para. 1 lit. b DSGVO.
For legal reasons, submission of the tax return requires clear identification of the taxpayer. This is achieved by means of a document containing the taxpayer’s address, as well as reviewing the integrity of this information. The following documents are suited for identification: electronic annual wage tax slip, current utility bill. To use the camera in the app you need to grant the required access (see point 5.2). You then get the opportunity to review all data as well as the completed tax return. You will be asked to confirm the correctness of your entries and to authorize the submission to the tax office. You can view the submitted data at any time. As far as further documents and proof is required for your tax return you need to send these directly to the responsible tax office.
The legal basis for data processing in the context of identification is Art. 6 para. 1 lit. c DSGVO in conjunction with § 87d para. 2 Abgabenordnung.
Taxfix is legally obliged to provide information about who has commissioned a transmission of tax documents to the tax office. The identification data are therefore stored for the legally stipulated period of five years after the end of the year in which the documents were submitted. The legal basis for this storage is Art. 6 para. 1 lit. c DSGVO in conjunction with § 87d para. 2 Abgabenordnung.
The tax return is submitted via the software provided for this purpose by the tax authorities (“ELSTER”). Since the receipt of the data is also connected with data protection obligations of the tax authorities, we are obliged to inform you as follows on data processing at ELSTER:
“With this software, personal data within the meaning of Art. 4 No. 1 of the Datenschutzgrundverordnung (DSGVO) and Art. 9 para. 1 DSGVO are collected for processing purposes. In addition to the pure data required for tax assessment, the software collects data about the type of operating system of the user and transmits it to the tax authorities. These data are required to ensure the proper processing of the data and to prevent errors in the processing process. The data will be used within the scope of Art. 6 para. 1 subpara. 1 letter e in conjunction with. Para. 3 para. 1 letter b DSGVO in connection with federal or state tax laws by the tax authorities and only for the aforementioned purpose”.
The tax authorities provide another information sheet informing you about data processing at ELSTER. The letter “Allgemeine Informationen zur Umsetzung der datenschutzrechtliche Vorgaben der Artikeln 12 bis 14 der Datenschutz-Grunddverordnung in der Steuerverwaltung” can be viewed here.
Retrieval of the electronic tax return. For controlling and statistical purposes we retrieve your electronic tax return via the ELSTER Portal. This data is treated as strictly confidential and not disclosed to third parties. Storage and archiving of your electronic tax assessments are governed by Sections 3.6 and 3.2. This data retrieval is exclusively to determine any statistical differences between our forecast and the final amount of refunds in order for us to continually improve our services make them more efficient. The legal basis for this data processing is Art. 6 para. 1 lit. f DSGVO based on our legitimate interests to further optimize our product.
Storage of documents. We store the tax information and the tax return in order to make next year’s tax return easier for you. The tax information and documents are encrypted and stored in Europe. We store the tax data transferred to us completely encrypted for a period of 60 months after submission of the tax return. The data will then be made anonymous. We use the tax information accordingly to provide the Taxfix services and to execute the relevant contract. The legal basis for this data processing is Art. 6 para. 1 lit. b DSGVO.
Support. Should you have questions regarding the Taxfix services feel free to contact our customer support anytime. You can reach customer support via the button ‚Contact our support team‘ in your account settings. The support can help you with questions concerning use of the app, general understanding, identification or how circumstances are captured in the app. You may also point us to to errors or bugs in the app. We do, however, point out that we do not provide individual tax advice and cannot answer support inquiries in that regard. Please turn to your tax advisor for tax related questions that cannot be solved by the app. We also bring to your attention the fact that we our support ticket system is run by the external service provider Intercom, Inc. which means that for technical reasons the content of inquiries can be temporarily stored in the USA. We have entered into agreements with the provider that correspond to the European level of data protection. The service provider is also certified under the US-EU Privacy Shield. From a technical point of view, the support inquiries are transmitted using encryption. In order to prevent your tax information or sensitive facts from being processed in this way, they should not be communicated via support at all since we cannot provide tax advice as stated above. The legal basis for processing your support requests is Art. 6 para. 1 lit. b DSGVO. We store the support requests addressed to us as well as our answers for the duration of 18 months after the end of the support case for purposes of proof. The data is then automatically made anonymous.
4. Usage data analysis
We use usage data analysis technologies to continuously improve and optimize the app, to statistically record and analyze general usage behavior and to offer you the best possible user experience. The data about the use of our app is stored exclusively pseudonymously, i.e. under a separate identifier and not using your name or other directly identifying information. The data will be kept in pseudonymised form for a period of 12 months and subsequently completely deleted or made anonymous. The legal basis for the analysis of usage data in the form of the data processing described below is Art. 6 Para. 1 S. 1 lit. f DSGVO, based on our legitimate interest in the demand-oriented design and continuous optimisation of our app and service. You can object to data collection for the purpose of usage data analysis (opt-out) by activating the slider at the end of this file
Adjust. We use a software solution from Adjust GmbH for usage analysis. The events and functions triggered in the app as well as the navigation in the app are collected and evaluated anonymously. The collected IP and Mac addresses and their unique device identification (so-called identifiers, e.g. in the form of the Apple AdvertisingID) are immediately anonymized by Adjust, so that no conclusion about your person is possible. The information is used to compile evaluations of the general, non-personal usage behavior in relation to the Taxfix app for us and thus to enable our own market research and the demand-oriented design and further development of our app. This statistical usage analysis is not used for advertising purposes and no advertising is controlled by this. You can object to the data processing described above by using the above opt-out option.
For more information about Adjust, see the following link: https://www.adjust.com/privacy-compliance/
Segment.io. We also use Segment.io, a service of Segment.io, Inc, (101 15th St, San Francisco, CA 94103, USA), (‚Segment‘) for usage analysis. The service helps us to collect, analyze and interpret by way of the technologies described in this section any technical usage data arising during the use of our app. We then use this to improve the user experience of our app. The collected usage data is processed in a pseudonymized way. IP addresses and IDFA or Google AdvertisingID respectively are shortened upon collection and are not used to connect user profiles to personal data. Any pseudonymized usage data concerning usage of our app are usually transmitted and stored to a Segment server in the USA. Segment explicitly contractually assures us of compliance with European data protection laws. You can object to the data processing described above by using the above opt-out option.
5. Requested permissions
Certain functions of the app require access to services and data of your mobile device. In order to use all functions of the app you must grant the required access permissions. In the following, we explain which permissions the Taxfix app requests and which functions they are required for.
Notifications / Push notifications. If you click ‘Enable’ after being asked ‘If you enable push-notifications, Taxfix will remind you about important tax deadlines.‘ you are giving the app permission to alert you to certain events and topics (especially filing deadlines and other tax relevant matters) by sending you push notifications even if the app is currently not open on your device. Notifications can be delivered through sounds, messages (for example screen banners) and/or symbols (a picture or number on top of the app icon). You can find further information on push notifications and your configuration options under point 6.
Camera and photo access. If you click ‘Enable‘ after being asked ‘Give us permission to access your camera‘ you are granting the app permission to your photo gallery for uploading an identification document. To take a photo of the document using your camera directly within the app we require permission to access your camera. You can grant this by going to your app settings (‘Settings‘, then ‘Privacy‘ and then ‘Camera‘). The app may send you an appropriate notification in case access is needed: ‘Please give us permission to access your camera‘. The permission to access your camera and photo gallery is used exclusively for the purpose of obtaining a picture for identification. Only the photo you supply or take pursuant to the Identification process described under point 3.4 is processed. The photo and camera function are not used further. Via your mobile devices’ settings (‘Settings‘, then ‘Privacy‘ and ‘Camera‘) you may revoke this permission at any time.
Access to all networks. During installation, this authorization is requested to enable the app to transfer data via the Internet connection of your end device (WLAN or data connection). This authorization is required in order to transfer your entries to our servers during registration, for example.
Google Play billing service (in-app purchases). This permission is required to use the payment feature of the Google Play Store. In-App purchases are only made if you explicitly select and confirm this in the app.
Camera access. The authorization is queried to enable you to photograph your wage tax statements and thus quickly enter the tax-relevant data. The app will only access the camera if you select this function in the app.
Save data sets to memory or SD cards. This authorization is required to enable the app to store or read the data for its tax return in the memory or, if necessary, in an auxiliary memory used on your mobile device. The app will only read out the data saved in connection with the use of the Taxfix app.
6. Configuring push notifications
To be reminded of certain events and topics (such as filing deadlines for your tax return) via push notifications (also called ‘notifications‘ by iOS) even when the app is closed on your device, you need to grant the necessary permission (see point 5.1). You will be asked for this permission when you open the app for the first time to sign up or log in. Without your consent, which you give by clicking the button ‘Enable‘ we cannot send you push notifications. You can change the permission regarding push notifications in your iOS settings and turn the notifications on or off at a later time.
Open the ‘settings‘ app in iOS and select ‘notifications‘ from the menu. In the following menu you will find an overview of all apps that are installed to your device and that have been granted permission to send you push notifications. Select the Taxfix app. You can now turn push notifications on or off. You also have the opportunity to adjust how push notifications are displayed by the Taxfix app.
When installing the app, you will be asked to grant permission to receive push messages so that you can receive push messages even if the app is not currently open. To prevent the app from displaying push messages, please open the “Settings” app in the main menu of your device and select “Apps” (or “Application Manager”) in the following menu item. There, you will find an overview of all apps installed on your device. Select the Taxfix App and then “Permissions”. You can then turn the push message function on or off using the switch.
7. Data security and place of processing
We employ state-of-the-art technical measures to ensure the security of your data. Our security measures are constantly adapted to technological progress. When your mobile device is locked, all data stored on it are encrypted. Thus if you activated automatic locking on your device, it will be harder for unauthorized persons to access your data. Actual protection levels depend on the choice of your PIN and its length (four or six digits). Further information on hardware encryption can be obtained via Apple’s iOS security guidance. The data in the app can be protected from unauthorized access by means of a PIN or Touch ID as stated in 3.2. Apple also provides further information about Touch ID advanced security technology. For information about the security of your Android device, please refer to your manufacturer’s support pages. Communication between your mobile device and our servers is conducted using SSL encryption. We strictly monitor the service providers we use and are shown proof of compliance for the assured security standards via current certification. Your data is principally stored encrypted (AES-256-CTR) in a European computer center and in accordance with high security standards. The computer center employs state-of-the-art technical security measures and is certified under the ISO 27018 standard. As far as third countries are involved in the exceptional cases described in this privacy statement (in case of of server maintenance or support inquiries), technical levels of data security nonetheless correspond to European standards to full extent. In any case, any data processing in third countries shall be carried out in compliance with the guarantees provided for this purpose by law.
The data collected by us will only be passed on if:
- you have given your express consent pursuant to Art. 6 para. 1 sentence 1 lit. a DSGVO,
- the disclosure pursuant to Art. 6 para. 1 sentence 1 f DSGVO is necessary to assert, exercise or defend legal claims and there is no reason to assume that there is an overriding interest worthy of protection in not disclosing the data,
- we are legally obliged pursuant to Art. 6 para. 1 sentence 1 lit. c DSGVO to pass on or
- this is legally permissible and is required under Art. 6 para. 1 sentence 1 lit. b DSGVO for the processing of the contractual relationship or for the implementation of pre-contractual measures that are taken at their request.
Part of the data processing described in this data protection declaration may be carried out by our service providers. In addition to the service providers mentioned in this data protection declaration, this may include data centers that store our databases, IT service providers that maintain our systems, and consulting firms. If we pass data on to our service providers, they may use the data exclusively for the fulfilment of their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of the persons concerned and are regularly monitored by us.
In addition, it may be disclosed in connection with official inquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement.
9. Your rights
You have the right to request information about the processing of your personal data by us at any time. We will explain the data processing and provide you with an overview of the data stored about you as part of the provision of information.
If data stored with us is incorrect or no longer up-to-date, you have the right to have this data corrected.
You may also request that your data be deleted. If, in exceptional cases, deletion is not possible due to other legal regulations, the data will be blocked so that they are only available for this legal purpose.
You may also have the processing of your data restricted, e.g. if you believe that the data we have stored is incorrect. You also have the right to data transferability, i.e. we will send you a digital copy of the personal data you have provided on request.
In order to exercise your rights as described here, you may contact us at any time at the contact details mentioned in paragraph 1 above. This also applies if you wish to receive copies of guarantees to prove an adequate level of data protection.
In addition, you have the right to object to data processing based on Art. 6 para. 1 sentence 1 lit. e or f DSGVO. Finally, you have the right to complain to our data protection supervisory authority. You may exercise this right before a supervisory authority in the Member State in which you are staying, working or suspected of infringing. The responsible supervisory authority in Berlin: Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Friedrichstr. 219, 10969 Berlin.
10. Right of revocation and objection
In accordance with Article 7 (2) DSGVO, you have the right to revoke your consent to us at any time. As a result, we will not continue processing data based on this consent in the future. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
If we process your data on the basis of legitimate interests pursuant to Art. 6 para. 1 lit. f DSGVO, you have the right under Art. 21 DSGVO to object to the processing of your data and to give us reasons which arise from your particular situation and which in your opinion indicate that your interests worthy of protection predominate. If you object to data processing for direct marketing purposes, you have a general right of objection, which we will implement without giving reasons. You can also exercise your right to object to the processing of usage data via the opt-out switch as described in section 4.
If you would like to make use of your right of revocation or objection, an informal message to the above-mentioned contact data is also sufficient.
Taxfix reserves the right to alter this privacy statement. The Terms of Service apply accordingly. You can view the current versions of Taxfix’s privacy statement and terms of service at any time in the account settings of the app.
Version: 2.1 / As of June 2018