Privacy Policy
Last updated: May 12, 2026 · GDPR-compliant
This Privacy Policy explains how Taxo ("we", "us") collects, uses and protects your personal data when you use our service at gettaxo.com.
1. Who we are
Taxo is operated by Nikolay Kyntsevich, an independent contractor based in Ukraine. Contact: taxoapp.team@gmail.com.
2. What data we collect
| Category | Examples | Purpose |
| --- | --- | --- |
| Account | Email, name, language | Authenticate, communicate |
| Financial | Income, expenses, invoices you upload | Calculate taxes, generate filings |
| Billing | Plan, billing country (collected by Paddle) | Process subscription |
| Technical | IP, browser, device, cookies | Security, analytics |
| Support | Messages you send us | Help you |
3. Legal basis (GDPR)
- Contract: to provide the service you subscribed to.
- Legitimate interest: security, fraud prevention, product improvement.
- Consent: marketing emails (you can opt out anytime).
- Legal obligation: tax records, anti-fraud requirements.
4. Who we share data with
- Paddle.com Market Limited — payment processing and VAT (our merchant of record).
- Supabase Inc. — database and authentication (EU region).
- Anthropic PBC — AI assistant (only the text you send to the assistant; not your financial records).
- Resend — transactional email delivery.
- Vercel Inc. — website hosting.
We never sell your data. We share only what's strictly required to deliver the service.
5. Where data is stored
Primary storage is in the EU (Ireland, via Supabase). Some processors operate in the US under Standard Contractual Clauses (SCCs) approved by the European Commission.
6. How long we keep data
- Account & financial data: while your account is active + 6 years (Spanish tax law minimum).
- Backups: rotated within 90 days.
- Support emails: 24 months.
- Analytics: aggregated, no personal data after 14 months.
7. Security
- AES-256 encryption at rest, TLS 1.3 in transit.
- Two-factor authentication (TOTP) available and recommended.
- Strict access controls — no employee can read your invoices unless you request support.
- Annual penetration test by a third-party security firm.
8. Your rights (GDPR)
You can:
- Access a copy of your data.
- Correct inaccurate data.
- Delete your account and all associated data.
- Export your data (PDF or JSON).
- Object to processing for marketing.
- Lodge a complaint with your national data protection authority (in Spain: AEPD).
To exercise any right, email taxoapp.team@gmail.com. We respond within 30 days.
9. Cookies
We use only essential cookies (login session, CSRF protection) and privacy-friendly analytics (no third-party tracking by default). No cross-site advertising cookies.
10. Children
Taxo is not directed at anyone under 18. We do not knowingly collect data from minors.
11. Changes
We'll notify you by email of any material changes at least 14 days in advance.
12. Contact
Privacy questions: taxoapp.team@gmail.com