Legal

Privacy Policy

We take your privacy seriously. This policy explains what data we collect, how we use it, and what rights you have. Last updated: February 2026.

1. Overview

TaxItEasy ("we", "us", "our") operates the TaxItEasy platform for invoice processing and document management. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.

We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection laws.

2. Data Controller

The data controller responsible for processing your personal data is:

THE GROVVEST AI LTD
Evangelou Floraki 10, Villa 4
8220 Paphos, Cyprus

Email: [email protected]
Website: taxiteasy.org

3. What Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Name — Your first and last name
  • Email address — Used for login, verification, and communication
  • Phone number — Optional, for account recovery and communication
  • Password — Stored only as a bcrypt hash (we never see your actual password)
  • Language preference — Your preferred UI language (German or English)
  • Notification preferences — Your custom notification settings
  • Two-factor authentication — If enabled, we store an encrypted TOTP secret for generating verification codes

3.2 Company Data

When you create a company on our platform, we collect:

  • Company name and legal form
  • Business address — Street, city, postal code, state/province, country
  • Tax identification number — Tax ID, VAT number, or EIN (optional)
  • Company registration number — e.g. Handelsregister (optional)
  • Banking information — IBAN, routing number, and SWIFT/BIC code (optional, for payment matching)
  • Billing details — Billing email, billing address, and billing VAT ID for invoice generation

3.3 Document Data

When you upload documents, we process:

  • Uploaded files — Invoices, receipts, bank statements, and other documents you upload
  • Extracted data — Invoice numbers, amounts, dates, VAT rates, sender/recipient details, line items, and other data extracted by our AI
  • Metadata — Upload timestamps, file sizes, file types, processing status, and file hashes
  • OCR data — Full text extracted from documents via optical character recognition, including confidence scores
  • Version history — Previous versions of re-uploaded documents

3.4 Banking & Transaction Data

If you connect a bank account (e.g. via Revolut integration), we collect:

  • Bank account details — IBAN, BIC, account holder name, bank name, account type, and current balance
  • Transactions — Transaction date, amount, currency, description, counterparty name/IBAN, merchant information, and categorization
  • Bank statements — Statement periods, opening/closing balances, and transaction summaries
  • OAuth tokens — Encrypted access and refresh tokens for API connections (you can revoke access at any time)

3.5 Email Integration Data

If you set up automatic email invoice forwarding, we collect:

  • Email credentials — Your email address and app password, stored encrypted (AES) on our servers
  • IMAP settings — Server address, port, and folder to monitor
  • Processing logs — Email subject, sender address, received date, and number of attachments processed

3.6 Sharing Data

When you share documents with others (e.g. tax advisors), we collect:

  • Recipient information — Name and email address of the person you share with
  • Access logs — IP address, browser information, and timestamps of each access to shared documents
  • Share settings — Access level, expiry date, password protection status, and access limits

3.7 Usage Data

When you use our platform, we automatically collect:

  • IP address — For security, rate limiting, and audit logging
  • User agent — Browser and device information
  • Action logs — Records of actions taken within the platform (uploads, shares, logins, downloads)
  • Timestamps — When actions were performed
  • Login security data — Failed login attempts, account lockout timestamps

3.8 Payment Data

Payment processing is handled by Stripe (PCI-DSS Level 1 compliant). We do not store or have access to your full credit card numbers. We store:

  • Stripe customer and subscription IDs
  • Subscription status, plan, and billing interval
  • Payment confirmation and invoice records (amount, status, dates)
  • Last 4 digits of your payment method (for display purposes only)
  • Usage records per billing period (invoices processed, storage used)

4. How We Use Your Data

We process your personal data for the following purposes:

Purpose Legal Basis (GDPR)
Providing the TaxItEasy service Contract performance (Art. 6(1)(b))
AI invoice processing and OCR Contract performance (Art. 6(1)(b))
Account verification and security Legitimate interest (Art. 6(1)(f))
Audit logging and access tracking Legitimate interest (Art. 6(1)(f))
Payment processing via Stripe Contract performance (Art. 6(1)(b))
Email notifications about your account Contract performance (Art. 6(1)(b))
Responding to support requests Contract performance (Art. 6(1)(b))
Bank account integration and transaction matching Contract performance (Art. 6(1)(b))
Automatic email invoice processing Contract performance (Art. 6(1)(b))
Document sharing with tax advisors Contract performance (Art. 6(1)(b))
We do not

We do not sell your data. We do not share your data with advertisers. We do not use your data for profiling or targeted advertising. We do not train AI models on your documents.

5. Where We Store Your Data

All data is stored on servers physically located within the European Union. We use European cloud infrastructure providers to ensure your data never leaves EU jurisdiction.

Documents are stored in encrypted object storage. Database records are stored in encrypted PostgreSQL databases. All connections between services use TLS encryption.

6. How Long We Keep Your Data

Data Type Retention Period
Account data Until account deletion
Documents and invoices Until deleted by you, or 30 days after account deletion
Deleted documents (recycle bin) 30 days after deletion, then permanently removed
Audit logs 6 months
Share access logs 6 months
Payment records 10 years (legal requirement for financial records)
Bank transactions Until deleted by you, or 30 days after account deletion
Email integration credentials Until you disconnect the email account
Bank connection tokens (OAuth) Until you revoke the connection

7. Who We Share Your Data With

We share your data only with the following categories of recipients, and only to the extent necessary:

  • Stripe (payment processor) — Receives payment-related data only. Stripe Privacy Policy
  • Cloud infrastructure providers — Host our servers and storage within the EU. They process data on our behalf under strict data processing agreements.
  • Your tax advisor (if you choose to share) — Receives access only to documents you explicitly share, with the permissions and time limits you set.
  • Revolut (banking integration, optional) — If you connect your Revolut account, transaction data is exchanged via Revolut's API. You can disconnect at any time. Revolut Privacy Policy
  • Email providers (email integration, optional) — If you set up email forwarding, we connect to your email provider via IMAP to read invoice attachments. Credentials are stored encrypted.

We do not sell, rent, or otherwise share your personal data with any other third parties.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of Access (Art. 15)

You can request a copy of all personal data we hold about you at any time.

Right to Rectification (Art. 16)

You can request correction of inaccurate or incomplete data. You can also update most data directly in your account settings.

Right to Erasure (Art. 17)

You can request complete deletion of all your data. We will delete your account, documents, invoices, and all associated data within 30 days of your request.

Right to Data Portability (Art. 20)

You can export all your data in standard machine-readable formats (JSON, CSV, PDF) at any time from your account settings.

Right to Restrict Processing (Art. 18)

You can request that we limit the processing of your data under certain circumstances.

Right to Object (Art. 21)

You can object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

9. Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit — All data transfers use TLS encryption
  • Encryption at rest — All stored data is encrypted with AES-256
  • Password hashing — Bcrypt with sufficient cost factor
  • Access control — Role-based access with principle of least privilege
  • Tenant isolation — Complete data separation between companies at the database level
  • Rate limiting — Protection against brute-force and abuse
  • Account lockout — Automatic lockout after 5 failed login attempts
  • Audit logging — Complete trail of all user actions
  • File validation — Magic bytes validation to prevent malicious uploads
  • Temporary download links — Presigned URLs expire after 1 hour

10. Cookies

TaxItEasy uses only essential cookies required for the service to function properly:

Cookie Purpose Duration
Session token Keeps you logged in Session / 7 days
CSRF token Protects against cross-site request forgery Session
Preferences Stores your UI preferences (language, theme) 1 year

We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use Google Analytics, Facebook Pixel, or any similar third-party tracking tools.

11. AI and Automated Processing

When you upload invoices and documents, our AI system automatically processes them to extract structured data (invoice numbers, amounts, dates, etc.). This constitutes automated processing under GDPR.

  • AI processing is performed on our EU-hosted infrastructure
  • Your documents are not used to train or improve our AI models
  • AI-extracted data is always presented for your review before being finalized
  • You can manually correct any AI-extracted data at any time
  • No automated decisions with legal or similarly significant effects are made

12. Children's Privacy

TaxItEasy is a business tool and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a prominent notice on our platform at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this policy was last revised.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about how we handle your data, please contact us:

You also have the right to lodge a complaint with a supervisory authority in your EU member state if you believe your data protection rights have been violated.

Questions?

If anything in this policy is unclear, don't hesitate to reach out at [email protected]. We're happy to explain how we handle your data.