Privacy Policy
Last updated: May 2026 · Effective immediately
TaxBE is operated by Devium, a company established under Belgian law. This Privacy Policy explains how we collect, process, retain, and protect your personal data in full compliance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and the Belgian Act of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data. By using TaxBE you acknowledge that you have read and understood this policy.
1. Data Controller
The data controller responsible for your personal data is:
We do not currently have a designated Data Protection Officer (DPO) as we do not fall within the mandatory DPO categories under Art. 37 GDPR. All privacy-related queries can be directed to the email above.
2. Personal Data We Collect
We collect only the minimum personal data necessary to provide our services (data minimisation — Art. 5(1)(c) GDPR).
a. Data you provide directly
- Tax proposal documents (PDF): The PDF you upload may contain your national register number, income figures, family composition, real estate data, and other sensitive financial information. This document is processed temporarily and automatically deleted within one hour.
- Self-Assessment inputs: Gross annual income, employment type, and family situation you enter voluntarily.
- AI chat messages: Text submitted to our AI tax assistant or legal assistant during your session.
- Contact form submissions: Name, email address, telephone (optional), and message text.
- Email address (payment): Provided when initiating an optional payment to unlock your detailed results.
b. Data collected automatically
- Privacy-friendly analytics (Plausible): Plausible Analytics does not use cookies, does not collect personal identifiers, does not fingerprint users, and processes only aggregated, anonymised page-view data.
- Session identifiers: Temporary server-side session tokens to maintain your browsing session. Auto-deleted when your session ends.
c. Optional account data
- Email address and bcrypt-hashed password (if you create an account).
- Saved optimisation results (only if you are logged in and choose to save).
3. Legal Bases for Processing (Article 6 GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Processing uploaded tax PDF & chat messages for AI analysis | Art. 6(1)(b) Contract performance & Art. 6(1)(a) Consent |
| Responding to contact form submissions | Art. 6(1)(b) Contract performance |
| Processing payments & delivering paid results | Art. 6(1)(b) Contract performance |
| Creating & maintaining user accounts | Art. 6(1)(b) Contract performance |
| Privacy-preserving analytics | Art. 6(1)(f) Legitimate interest (no personal data collected) |
| Compliance with legal obligations (accounting records) | Art. 6(1)(c) Legal obligation |
Special category data (Art. 9 GDPR): Your tax documents may indirectly contain health-related or other sensitive data. Processing is strictly limited to providing the requested service and is based on your explicit consent (Art. 9(2)(a) GDPR).
4. How We Use Your Data
- AI Tax Analysis & Self-Assessment: Your document and chat responses are processed exclusively to generate your personalised tax optimisation report.
- Legal AI Assistance: Chat messages to the Legal Assistant are used solely to formulate a response and are not stored permanently.
- Payment processing: Your email and payment reference are used only to deliver your paid results.
- Communication: Contact form data is used only to respond to your inquiry.
- Service improvement: Aggregated, anonymous usage statistics (Plausible). No individual user is tracked or profiled.
- Legal compliance: Payment records retained as required by Belgian accounting law.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Uploaded PDF files | Auto-deleted within 1 hour of upload |
| AI chat session data | Stored in a secure server-side session during your active conversation, then automatically cleared at session end (or within 24 hours) |
| Paid results (access token) | Detailed result payload auto-erased after 30 days; payment record retained only for legal/accounting obligations |
| Contact form submissions | Retained only as long as needed to handle your request |
| User account data | Until account deletion request, subject to legal obligations |
| Analytics data (Plausible) | Aggregated stats only — no personal data retained |
| Payment records | 7 years (Belgian accounting law obligation) |
6. Third-Party Data Processors
We rely exclusively on EU-based sub-processors, all bound by Data Processing Agreements (DPA) pursuant to Art. 28 GDPR:
| Processor | Role | Country |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting & server infrastructure | Germany (EU) |
| Mistral AI SAS | AI language model processing of tax documents | France (EU) |
| Mollie B.V. | Payment processing (PCI-DSS certified) | Netherlands (EU) |
| Plausible Analytics OÜ | Privacy-preserving website analytics (no personal data) | Estonia (EU) |
We do not sell, rent, or share your personal data with third parties for marketing, advertising, or commercial profiling purposes.
7. International Data Transfers
All data processing and storage takes place within the European Economic Area (EEA). We do not transfer personal data to countries outside the EEA. All sub-processors are EU-based and fully subject to the GDPR.
8. Your Rights Under the GDPR
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure — "Right to be Forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction of Processing (Art. 18): Request that we limit how we use your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on our legitimate interests.
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time without affecting prior lawful processing.
- Right not to be subject to automated decision-making (Art. 22): TaxBE does not make legally binding automated decisions about you.
To exercise any right, email privacy@taxbe.ai. We will respond within 30 days as required by Art. 12 GDPR.
Right to lodge a complaint
You have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de Protection des Données):
Website: www.gegevensbeschermingsautoriteit.be •
Email: contact@apd-gba.be
Address: Drukpersstraat 35, 1000 Brussels, Belgium
9. Cookies & Tracking Technologies
| Technology | Purpose | Duration |
|---|---|---|
| Session cookie | Maintain login / session state (strictly necessary) | Session end |
| localStorage (consent) | Remember cookie consent preference | Persistent (until cleared) |
| Plausible Analytics | Anonymised page-view counting | No cookies used |
We do not use advertising cookies, cross-site tracking, social media pixels, or third-party marketing trackers. The session cookie is strictly necessary and exempt from consent requirements under Art. 5(3) of the e-Privacy Directive.
10. Data Security
- All data transmission encrypted via TLS/HTTPS.
- Uploaded files stored on encrypted Hetzner (Germany) infrastructure and auto-deleted after processing.
- Access to production systems restricted to authorised personnel only.
- Passwords salted and hashed with bcrypt — we never store plain-text passwords.
- Payment processing handled entirely by Mollie B.V. — we never store card numbers or sensitive payment data.
In the event of a personal data breach presenting a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours and affected data subjects without undue delay, as required by Art. 33–34 GDPR.
11. Children's Privacy
TaxBE is intended exclusively for individuals aged 18 years and older. We do not knowingly collect personal data from minors under 18. Contact privacy@taxbe.ai immediately if you believe a minor has provided us with personal data.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our services, legal requirements, or data processing practices. Material changes will be announced via a prominent notice on the website. Your continued use of TaxBE after changes are posted constitutes acceptance of the revised policy.