We take your privacy seriously. This policy explains what data we collect, how we use it, and what rights you have. Last updated: July 2026.
TaxItEasy® ("we", "us", "our") operates the TaxItEasy platform for invoice processing and document management. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.
We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection laws.
The data controller responsible for processing your personal data is:
THE GROVVEST AI LTD
Evangelou Floraki 10, Villa 4
8220 Paphos, Cyprus
Email: [email protected]
Website: taxiteasy.org
When you create an account, we collect:
When you create a company on our platform, we collect:
When you upload documents, we process:
If you import a bank statement (via statement-file upload, e.g. PDF; automated bank connections are planned), we collect:
If you set up automatic email invoice forwarding, we collect:
When you share documents with others (e.g. tax advisors), we collect:
When you use our platform, we automatically collect:
Payment processing is handled by Stripe (PCI-DSS Level 1 compliant). We do not store or have access to your full credit card numbers. We store:
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the TaxItEasy service | Contract performance (Art. 6(1)(b)) |
| AI invoice processing and OCR | Contract performance (Art. 6(1)(b)) |
| Account verification and security | Legitimate interest (Art. 6(1)(f)) |
| Audit logging and access tracking | Legitimate interest (Art. 6(1)(f)) |
| Payment processing via Stripe | Contract performance (Art. 6(1)(b)) |
| Email notifications about your account | Contract performance (Art. 6(1)(b)) |
| Responding to support requests | Contract performance (Art. 6(1)(b)) |
| Bank account integration and transaction matching | Contract performance (Art. 6(1)(b)) |
| Automatic email invoice processing | Contract performance (Art. 6(1)(b)) |
| Document sharing with tax advisors | Contract performance (Art. 6(1)(b)) |
We do not sell your data. We do not share your data with advertisers. We do not use your data for profiling or targeted advertising. We do not train AI models on your documents.
Your primary data — documents, invoices, account records, bank transactions — is stored on servers physically located in Frankfurt, Germany (EU), operated by DigitalOcean (DOKS Kubernetes cluster, managed PostgreSQL, Spaces object storage). Your data does not leave the European Union for storage.
Documents are stored in encrypted object storage. Database records are stored in encrypted PostgreSQL databases. All connections between services use TLS encryption.
AI extraction (OCR / document reading) uses the Anthropic API. Anthropic, PBC is located in the United States. Transfers to Anthropic for AI processing are made under the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs). Retention of API request content follows Anthropic's commercial default (up to 30 days for safety monitoring); a contractual zero-retention addendum is in active negotiation. See our Sub-processors page for the full list and transfer mechanisms.
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Documents and invoices | Until deleted by you, or 30 days after account deletion |
| Deleted documents (recycle bin) | 30 days after deletion, then permanently removed |
| Audit logs — tax-relevant entries (documents, invoices, transactions, banking, billing) | 10 years (legal retention duty for tax-relevant records) |
| Audit logs — security events (logins, account changes, shares incl. share access logs) | 2 years |
| Audit logs — other operational events | 6 months |
| IP addresses in audit logs | Anonymized after 90 days |
| Payment records | 10 years (legal requirement for financial records) |
| Bank transactions | Until deleted by you, or 30 days after account deletion |
| Email integration credentials | Until you disconnect the email account |
| Bank connection tokens (OAuth) | Until you revoke the connection |
We share your data only with the following recipients (sub-processors and authorized third parties), and only to the extent necessary. The complete current list with locations and transfer mechanisms is on our Sub-processors page.
We do not sell, rent, or otherwise share your personal data with any other third parties.
TaxItEasy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
gmail.readonly scope only to identify and parse invoice / receipt emails on your behalf. We never modify, send, or delete email on your account.
As a data subject under the GDPR, you have the following rights:
You can request a copy of all personal data we hold about you at any time.
You can request correction of inaccurate or incomplete data. You can also update most data directly in your account settings.
You can request complete deletion of all your data. We will delete your account, documents, invoices, and all associated data within 30 days of your request.
You can export all your data in JSON (structured, machine-readable) at any time from your account settings. CSV and PDF export are on the 2026 roadmap.
You can request that we limit the processing of your data under certain circumstances.
You can object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.
To exercise any of these rights, contact our data-protection contact at [email protected] (or general support at [email protected]). We will respond to your request within 30 days.
We implement the following technical and organizational measures to protect your data:
TaxItEasy uses strictly necessary cookies to run the service, plus — only
with your explicit consent — preference storage and anonymous analytics. Our website loads
Google Tag Manager (container GTM-MZCTLJZD) with
Consent Mode v2: all consent signals default to “denied”, and
analytics storage is enabled only after you accept the Analytics category in the cookie banner.
Advertising signals (ad_storage, ad_user_data,
ad_personalization) are permanently denied, regardless of your
banner choice — we do not use advertising, retargeting, or social-media tracking cookies.
| Cookie / storage | Purpose | Duration |
|---|---|---|
| Session token (strictly necessary) | Keeps you logged in | Session / 7 days |
| CSRF token (strictly necessary) | Protects against cross-site request forgery | 1 year |
| Consent record (strictly necessary) | Stores your cookie choices as evidence of consent | Until revoked |
| Preferences (opt-in) | Stores your UI preferences (sidebar state, theme, recent currencies) | Persistent until cleared |
_ga, _ga_* (opt-in) |
Google Analytics 4 — anonymous usage statistics, set only after you consent to Analytics | 2 years |
__cf_bm (strictly necessary) |
Cloudflare bot detection — distinguishes legitimate users from automated traffic | 30 minutes |
cf_clearance (strictly necessary) |
Cloudflare challenge verification — set after passing a DDoS or WAF challenge | 24 hours |
You can change or revoke your consent at any time via the “Cookie settings” link in the footer. The complete list of every cookie and local-storage entry — including what happens when you revoke — is in our Cookie Policy. The Cloudflare cookies listed above are strictly necessary security cookies set by our CDN provider and cannot be disabled without affecting the security and availability of the service.
When you upload invoices and documents, our AI system automatically processes them to extract structured data (invoice numbers, amounts, dates, etc.). This constitutes automated processing under GDPR.
TaxItEasy is a business tool and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a prominent notice on our platform at least 30 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was last revised.
If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about how we handle your data, please contact us:

You also have the right to lodge a complaint with a supervisory authority in your EU member state if you believe your data protection rights have been violated.
If anything in this policy is unclear, don't hesitate to reach out at [email protected]. We're happy to explain how we handle your data.