Your GDPR rights as a user

Six GDPR rights apply to your TaxItEasy data: Art. 15 (access), 16 (rectification), 17 (erasure), 18 (restriction), 20 (portability), 21 (objection). Most are exercisable directly in-app; for the formal route or for Art. 18 / 21 (no UI today), email [email protected]. Statutory 30-day resolution window; we acknowledge within 2 working days.

When to read this article

You're trying to exercise one of your GDPR rights, or you're a data subject (a user, an EU resident, anyone whose personal data we process) who wants to understand what rights you have and how to exercise them. This article is the practical guide for each right; for the underlying processing and storage context, see where is my data stored.

For the specific Article 17 (erasure / account deletion) flow, see delete your account and export your data. For the encryption that makes Article 17 cryptographically final, see how our encryption works.

The six rights, in plain English

Art. 15 — Right of access

"Show me everything you know about me."

You have the right to ask us for a copy of all the personal data we hold about you, what categories of data we process, for what purposes, with which sub-processors, and how long we keep it.

In-app: Settings → Account → Export my data. The export is a JSON file containing every document, every transaction, every audit-log entry tied to your account, plus a covering manifest listing the categories of processing.

Formal route: email [email protected]. We reply within 30 days (the GDPR statutory window) with the same JSON plus a formal covering letter that lists categories of data, processing purposes, sub-processors, retention periods, and the basis for each.

The in-app export is sufficient for most purposes. The formal route is appropriate when you need a signed letter from the DPO (e.g. for your own legal proceedings, for a regulatory submission).

Art. 16 — Right of rectification

"You've got X wrong about me — fix it."

You have the right to ask us to correct inaccurate or incomplete personal data about you.

In-app: edit fields directly. Vendor name, invoice amount, your account email, your address, your name — all editable from Settings and the relevant document detail pages. For trading-partner records, edit at Trading Partners → vendor → Edit.

Formal route: write to [email protected] with what you want corrected. We update and confirm within 30 days. Use this for fields that aren't editable in the UI (e.g. system-generated audit-log entries with factual errors — rare but possible).

Art. 17 — Right of erasure ("right to be forgotten")

"Delete everything you have on me."

You have the right to ask us to delete your personal data, subject to certain legal-retention exceptions.

In-app: Settings → Account → Delete account. The deletion has a 30-day grace period for accidental clicks. On day 31, your Account Key is destroyed and every encrypted document, OCR result, and OAuth token becomes mathematically unreadable — for us, our backups, forever. See delete your account and export your data for the full walk-through and how our encryption works for the crypto-shredding mechanism.

Formal route: write to [email protected]. We trigger the same deletion. The 30-day grace period applies the same way.

Exceptions: a small set of audit-log entries with statutory retention survives crypto-shredding. Specifically, financial-trail records required by §147 AO / §257 HGB (Germany, 10-year retention) and equivalent laws in other EU jurisdictions. These are pseudonymised: your email is anonymised, but the financial record (timestamp, document hash, payment processed) stays so we can answer a tax-authority audit years later. We can't tell who the user was from the surviving record.

Art. 18 — Right of restriction

"Stop processing my data — keep it but don't actively use it."

You have the right to ask us to freeze processing of your data while retaining it. This is a rarer right, typically invoked during disputes about accuracy or while you decide between rectification and erasure.

In-app: no UI today (it's a rare-enough use case that we haven't built dedicated controls). Email [email protected] describing what you want restricted. We freeze processing — your data stays, but no new operations are performed on it (no AI extraction of new uploads, no exports generated, no analytics queries). Restriction is reversible at any time; once the dispute is resolved or you make a follow-up decision, you can un-restrict.

Art. 20 — Right to data portability

"Give me my data in a machine-readable format so I can take it elsewhere."

You have the right to receive your personal data in a structured, commonly-used, machine-readable format and to transmit it to another controller.

In-app: Settings → Account → Export my data. The JSON export is structured (per documented schema), commonly used (JSON is universal), and machine-readable. Same export as Article 15 access; the right of portability emphasises the machine-readable aspect for tool-to-tool transfer.

Formal route: [email protected] for special formats. CSV and PDF formats are on the 2026 roadmap (see CSV and PDF export status); for now JSON is the supported format. We can produce CSV manually within 1–3 working days for one-off Article-20 requests.

Art. 21 — Right to object

"I object to one of your processing purposes — stop that specific thing."

You have the right to object to processing based on legitimate interest, public interest, or for direct marketing purposes (Art. 21 specifically). For TaxItEasy:

  • All our processing is necessary for service delivery — we don't do marketing profiling, ad targeting, or behavioural analytics on personal data beyond product usage.
  • We don't sell or share data with third parties for marketing.
  • We don't use your data to train AI models beyond the specific Anthropic API call that processes your documents in real-time for extraction (the document content doesn't feed back into model training under Anthropic's commercial API terms).

So objections under Article 21 are rare for TaxItEasy in practice. If you have a specific processing purpose you want stopped (e.g. our use of Sentry for error monitoring, our use of Cloudflare in front of the site), write to [email protected] with the specific purpose. We'll discuss whether we can stop that processing for you specifically without breaking the core service.

How to contact our DPO

[email protected] is the formal address for all GDPR rights requests.

  • First acknowledgement within 2 working days. We confirm receipt and any clarifying questions.
  • Full resolution within 30 days. The GDPR-statutory window. For complex requests we may extend by another 2 months under Article 12(3), with notification to you of the extension.
  • No fee for the first request in a given 12-month period. We reserve the right to charge a reasonable fee for "manifestly unfounded or excessive" repeated requests (Article 12(5)) — in practice we've never done this.

The address is monitored by Tom Klein (data controller and DPO for THE GROVVEST AI LTD). For complex requests requiring legal review, response time may be at the longer end of the 30-day window.

Complaint and escalation

If you're not satisfied with the resolution of your rights request, you have the right to complain to your country's data protection authority (DPA).

We'd rather resolve any dispute directly with you, but the right to escalate is yours. Write to [email protected] first; if you're still unsatisfied, your DPA is the next step.

Things GDPR does NOT entitle you to

A few things people occasionally expect from GDPR that it doesn't actually cover:

  • Free use of the service. Paid plans stay paid; the right to access doesn't waive your subscription.
  • Access to other users' data. Even your tax advisor's notes about your invoices, if they're stored in their account, are theirs to disclose, not ours.
  • The right to demand a specific sub-processor or stay off another. You can object (Art. 21), but if the objection would make the service impossible to deliver, the only viable outcome may be termination. We can't unilaterally drop our AI sub-processor for one user.
  • Forgetting invoices we issued to you. Legal-retention-required records (Stripe payment records, our financial-trail under §147 AO / §257 HGB) survive Article 17 deletion in pseudonymised form. These are statutory retention requirements that override the right to erasure.
  • Compensation for processing. Article 82 allows compensation for material or non-material damage caused by a GDPR violation — but absent an actual violation that caused harm, there's no compensation entitlement.

Edge cases

I'm not the data subject — I'm someone's lawyer asking for their data. Send proof of authorisation (signed letter, lawyer's mandate, power of attorney). We verify before releasing data. For probate / inheritance scenarios, see "What happens to a deceased user's data" below.

I want a copy of all the audit logs about me. Included in the Art. 15 export. The audit log shows every action you took, when, from what IP, what was changed before vs after. Some entries are pseudonymised in the export (where they contain other users' identifiers); your own actions are fully visible.

How long do you keep the data after my Art. 17 deletion request? Until day 31 after request — the 30-day grace period during which you can change your mind. After day 31, the Account Key is destroyed and the data becomes cryptographically unrecoverable. The grace period is fixed (we don't extend it on request) and is consistent with GDPR's "without undue delay" wording.

What happens to a deceased user's data? GDPR doesn't strictly apply to deceased persons in most member states, but their estate / next-of-kin may have rights under national law. We handle deceased-user requests via the formal route at [email protected] with proof of death (death certificate) and proof of legal authority (probate, executor letter, or equivalent). We typically grant Art. 15 (access) and Art. 17 (deletion) for the deceased's data on appropriate authority.

I want to exercise Art. 22 (automated decision-making with significant effects). TaxItEasy's automated decisions (AI extraction, classification, matching scoring) are advisory — you always have the final edit on extracted fields, classification, and matches. There are no automated decisions with significant legal or comparable effects on you (no denial of service based on AI scoring, no algorithmic credit denials, etc.). If a specific decision concerns you, write to [email protected] to discuss.

The audit log shows actions from an IP I don't recognise. This could be a sign of unauthorised access (immediate concern) or it could be your own VPN / mobile carrier IP (normal). If you suspect unauthorised access, immediately change your password, revoke all sessions (Settings → Account → Active sessions → Revoke all), enable 2FA if it isn't already enabled, and write to [email protected] with what you found. We treat suspected unauthorised access seriously.

My Article 17 request only erases TaxItEasy data — what about my data on Stripe and other sub-processors? Our erasure triggers cascade deletion where contractually feasible (e.g. OAuth tokens get revoked at Google / Microsoft on disconnect). Stripe keeps its own records for tax purposes (typically 10 years); having Stripe erase its records requires a separate request to [email protected]. The same applies to each sub-processor — they're independent data controllers with their own erasure flows.
