TaxItEasyTaxItEasy
Sign in Get started — free
Legal

Privacy Policy

We take your privacy seriously. This policy explains what data we collect, how we use it, and what rights you have. Last updated: May 2026.

1. Overview

TaxItEasy® ("we", "us", "our") operates the TaxItEasy platform for invoice processing and document management. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.

We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection laws.

2. Data Controller

The data controller responsible for processing your personal data is:

THE GROVVEST AI LTD
Evangelou Floraki 10, Villa 4
8220 Paphos, Cyprus

Email: [email protected]
Website: taxiteasy.org

3. What Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Name — Your first and last name
  • Email address — Used for login, verification, and communication
  • Phone number — Optional, for account recovery and communication
  • Password — Stored only as a bcrypt hash (we never see your actual password)
  • Language preference — Your preferred UI language (German or English)
  • Notification preferences — Your custom notification settings
  • Two-factor authentication — If enabled, we store an encrypted TOTP secret for generating verification codes

3.2 Company Data

When you create a company on our platform, we collect:

  • Company name and legal form
  • Business address — Street, city, postal code, state/province, country
  • Tax identification number — Tax ID, VAT number, or EIN (optional)
  • Company registration number — e.g. Handelsregister (optional)
  • Banking information — IBAN, routing number, and SWIFT/BIC code (optional, stored from invoice data)
  • Billing details — Billing email, billing address, and billing VAT ID for invoice generation

3.3 Document Data

When you upload documents, we process:

  • Uploaded files — Invoices, receipts, bank statements, and other documents you upload
  • Extracted data — Invoice numbers, amounts, dates, VAT rates, sender/recipient details, line items, and other data extracted by our AI
  • Metadata — Upload timestamps, file sizes, file types, processing status, and file hashes
  • OCR data — Full text extracted from documents via optical character recognition, including confidence scores
  • Version history — Previous versions of re-uploaded documents

3.4 Banking & Transaction Data

If you import a bank statement (currently via CSV upload; automated bank connections via a pan-EU PSD2 aggregator are in development), we collect:

  • Bank account details — IBAN, BIC, account holder name, bank name, account type, and current balance
  • Transactions — Transaction date, amount, currency, description, counterparty name/IBAN, merchant information, and categorization
  • Bank statements — Statement periods, opening/closing balances, and transaction summaries
  • OAuth tokens — Encrypted access and refresh tokens for API connections (you can revoke access at any time)

3.5 Email Integration Data

If you set up automatic email invoice forwarding, we collect:

  • Email credentials — Your email address and app password, stored encrypted (AES) on our servers
  • IMAP settings — Server address, port, and folder to monitor
  • Processing logs — Email subject, sender address, received date, and number of attachments processed

3.6 Sharing Data

When you share documents with others (e.g. tax advisors), we collect:

  • Recipient information — Name and email address of the person you share with
  • Access logs — IP address, browser information, and timestamps of each access to shared documents
  • Share settings — Access level, expiry date, password protection status, and access limits

3.7 Usage Data

When you use our platform, we automatically collect:

  • IP address — For security, rate limiting, and audit logging
  • User agent — Browser and device information
  • Action logs — Records of actions taken within the platform (uploads, shares, logins, downloads)
  • Timestamps — When actions were performed
  • Login security data — Failed login attempts, account lockout timestamps

3.8 Payment Data

Payment processing is handled by Stripe (PCI-DSS Level 1 compliant). We do not store or have access to your full credit card numbers. We store:

  • Stripe customer and subscription IDs
  • Subscription status, plan, and billing interval
  • Payment confirmation and invoice records (amount, status, dates)
  • Last 4 digits of your payment method (for display purposes only)
  • Usage records per billing period (invoices processed, storage used)

4. How We Use Your Data

We process your personal data for the following purposes:

Purpose Legal Basis (GDPR)
Providing the TaxItEasy service Contract performance (Art. 6(1)(b))
AI invoice processing and OCR Contract performance (Art. 6(1)(b))
Account verification and security Legitimate interest (Art. 6(1)(f))
Audit logging and access tracking Legitimate interest (Art. 6(1)(f))
Payment processing via Stripe Contract performance (Art. 6(1)(b))
Email notifications about your account Contract performance (Art. 6(1)(b))
Responding to support requests Contract performance (Art. 6(1)(b))
Bank account integration and transaction matching Contract performance (Art. 6(1)(b))
Automatic email invoice processing Contract performance (Art. 6(1)(b))
Document sharing with tax advisors Contract performance (Art. 6(1)(b))
We do not

We do not sell your data. We do not share your data with advertisers. We do not use your data for profiling or targeted advertising. We do not train AI models on your documents.

5. Where We Store Your Data

Your primary data — documents, invoices, account records, bank transactions — is stored on servers physically located in Frankfurt, Germany (EU), operated by DigitalOcean (DOKS Kubernetes cluster, managed PostgreSQL, Spaces object storage). Your data does not leave the European Union for storage.

Documents are stored in encrypted object storage. Database records are stored in encrypted PostgreSQL databases. All connections between services use TLS encryption.

AI extraction (OCR / document reading) uses the Anthropic API. Anthropic, PBC is located in the United States. Transfers to Anthropic for AI processing are made under the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs). Retention of API request content follows Anthropic's commercial default (up to 30 days for safety monitoring); a contractual zero-retention addendum is in active negotiation. See our Sub-processors page for the full list and transfer mechanisms.

6. How Long We Keep Your Data

Data Type Retention Period
Account data Until account deletion
Documents and invoices Until deleted by you, or 30 days after account deletion
Deleted documents (recycle bin) 30 days after deletion, then permanently removed
Audit logs 6 months
Share access logs 6 months
Payment records 10 years (legal requirement for financial records)
Bank transactions Until deleted by you, or 30 days after account deletion
Email integration credentials Until you disconnect the email account
Bank connection tokens (OAuth) Until you revoke the connection

7. Who We Share Your Data With

We share your data only with the following recipients (sub-processors and authorized third parties), and only to the extent necessary. The complete current list with locations and transfer mechanisms is on our Sub-processors page.

  • DigitalOcean, LLC (cloud infrastructure) — Hosts our Kubernetes cluster, managed PostgreSQL database, and Spaces object storage in Frankfurt, Germany (EU). DigitalOcean is a US-incorporated company; data residency in Frankfurt is contractually guaranteed. DigitalOcean Privacy Policy
  • Anthropic, PBC (AI/OCR provider) — Processes document content (invoices, receipts) for field extraction via the Claude API. Located in the United States. Transfers under EU-U.S. Data Privacy Framework and SCCs. Retention follows Anthropic's commercial default (up to 30 days for safety monitoring); a contractual zero-retention addendum is in active negotiation. Anthropic Privacy Policy
  • Stripe, Inc. (payment processor) — Receives payment-related data only. Located in the United States. Transfers under EU-U.S. Data Privacy Framework and SCCs. Stripe Privacy Policy
  • Resend (transactional email + inbound webhook) — Sends transactional emails on our behalf and receives forwarded invoice emails to your private TaxItEasy address. Resend Privacy Policy
  • Sentry (error monitoring) — Receives application error events with limited PII (user ID, IP). Used to detect and fix bugs. Sentry Privacy Policy
  • Cloudflare, Inc. (CDN & network security) — All web traffic passes through Cloudflare for DDoS protection, WAF, and CDN. Processes IP addresses and request metadata but has no access to documents or account content. Cloudflare Privacy Policy
  • Your tax advisor (if you invite one) — Receives access only to invoices and transactions for the company you invite them to. Permissions and revocation are managed in your settings.
  • Google (Gmail) / Microsoft (Outlook) (email integration, optional) — If you connect Gmail or Outlook via OAuth, we read invoice emails (read-only scope). OAuth tokens are encrypted at rest.

We do not sell, rent, or otherwise share your personal data with any other third parties.

7a. Google API Services — Limited Use Disclosure

TaxItEasy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We request the gmail.readonly scope only to identify and parse invoice / receipt emails on your behalf. We never modify, send, or delete email on your account.
  • Data obtained via Google APIs is used only to provide and improve user-facing features within TaxItEasy — specifically: detecting invoice emails, extracting attachments, and surfacing them in your document inbox.
  • We do not use Gmail data to develop, improve, or train generalized AI / machine-learning models. Per-account OCR / classification runs on the attachments you choose to ingest, never as training input for shared models.
  • We do not transfer Gmail data to third parties except as necessary to provide or improve user-facing features (e.g. our OCR sub-processor) or to comply with applicable law.
  • We do not allow humans to read Gmail data unless we have your explicit consent for specific messages, it is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or for our internal operations and where the data is aggregated and anonymized.
  • You can revoke our access at any time from the “Email Accounts” settings in TaxItEasy or via your Google Account > Security > Third-party access. On revoke we delete the OAuth token locally and call Google's revocation endpoint to invalidate it server-side.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of Access (Art. 15)

You can request a copy of all personal data we hold about you at any time.

Right to Rectification (Art. 16)

You can request correction of inaccurate or incomplete data. You can also update most data directly in your account settings.

Right to Erasure (Art. 17)

You can request complete deletion of all your data. We will delete your account, documents, invoices, and all associated data within 30 days of your request.

Right to Data Portability (Art. 20)

You can export all your data in JSON (structured, machine-readable) at any time from your account settings. CSV and PDF export are on the 2026 roadmap.

Right to Restrict Processing (Art. 18)

You can request that we limit the processing of your data under certain circumstances.

Right to Object (Art. 21)

You can object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

9. Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit — All data transfers use TLS encryption
  • Encryption at rest — All stored data is encrypted with AES-256
  • Password hashing — Bcrypt with sufficient cost factor
  • Access control — Role-based access with principle of least privilege
  • Tenant isolation — Complete data separation between companies at the database level
  • Rate limiting — Protection against brute-force and abuse
  • Account lockout — Automatic lockout after 5 failed login attempts
  • Audit logging — Complete trail of all user actions
  • File validation — Magic bytes validation to prevent malicious uploads
  • Temporary download links — Presigned URLs expire after 1 hour

10. Cookies

TaxItEasy uses only essential cookies required for the service to function properly:

Cookie Purpose Duration
Session token Keeps you logged in Session / 7 days
CSRF token Protects against cross-site request forgery Session
Preferences Stores your UI preferences (language, theme) 1 year
__cf_bm Cloudflare bot detection — distinguishes legitimate users from automated traffic (strictly necessary for security) 30 minutes
cf_clearance Cloudflare challenge verification — set after passing a DDoS or WAF challenge (strictly necessary for security) 24 hours

We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use Google Analytics, Facebook Pixel, or any similar third-party tracking tools. The Cloudflare cookies listed above are strictly necessary security cookies set by our CDN provider and cannot be disabled without affecting the security and availability of the service.

11. AI and Automated Processing

When you upload invoices and documents, our AI system automatically processes them to extract structured data (invoice numbers, amounts, dates, etc.). This constitutes automated processing under GDPR.

  • AI extraction is performed via the Anthropic Claude API. Anthropic, PBC is located in the United States. The transfer is governed by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs). Retention of API request content follows Anthropic's commercial default (up to 30 days for safety monitoring); a contractual zero-retention addendum is in active negotiation.
  • Our primary infrastructure (Kubernetes, database, object storage) is EU-hosted in Frankfurt (DigitalOcean DOKS).
  • Your documents are not used to train or improve any AI models — ours or Anthropic's.
  • AI-extracted data is always presented for your review before being finalized
  • You can manually correct any AI-extracted data at any time
  • No automated decisions with legal or similarly significant effects are made

12. Children's Privacy

TaxItEasy is a business tool and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a prominent notice on our platform at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this policy was last revised.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about how we handle your data, please contact us:

You also have the right to lodge a complaint with a supervisory authority in your EU member state if you believe your data protection rights have been violated.

Questions?

If anything in this policy is unclear, don't hesitate to reach out at [email protected]. We're happy to explain how we handle your data.