Privacy Policy
Your privacy matters. Learn how we protect and handle your personal data in compliance with GDPR.
Last Updated: 12 February 2026
Beta Product Notice
This product is currently in beta. Because it is under active development, you may encounter breaking changes, incomplete features, or unexpected behaviour. We appreciate your patience and feedback.
TaxHILFE, operated by NAO Technologies UG (haftungsbeschränkt), takes your privacy seriously. This Privacy Policy describes how we collect, use, and protect your personal data when you use our website and services. It applies to all users, including visitors, registered clients, and tax advisors (Steuerberater).
1. Data Controller
TaxHILFE — operated by NAO Technologies UG (haftungsbeschränkt)
Bleichertstraße 25, 12277 Berlin, Germany — HRB 283898 B, Amtsgericht Charlottenburg
Privacy contact: [email protected]
2. Personal Data We Process
Depending on how you use our platform, we process the following categories of personal data:
Visitors (website only)
- IP address and anonymised device identifiers
- Browser type, operating system, and language
- Pages visited, time on site, and referral source
Registered Users (clients and advisors)
- Full name, email address, and phone number
- Account credentials (passwords stored hashed — never in plain text)
- Profile information, service listings, availability, and uploaded documents
3. Purposes and Legal Basis for Processing
We process personal data for the following purposes and legal grounds (Art. 6 GDPR):
- Operating and providing the platform (Art. 6(1)(b) — contract performance)
- Processing payments and managing subscriptions (Art. 6(1)(b) — contract performance)
- Sending transactional notifications and service communications (Art. 6(1)(b) — contract performance)
- Platform security, fraud prevention, and service improvement (Art. 6(1)(f) — legitimate interest)
- Analytics using anonymised data only (Art. 6(1)(f) — legitimate interest; analytics cookies require separate consent under §25 TTDSG)
4. Legitimate Interests Specified
Where we rely on legitimate interests (Art. 6(1)(f) GDPR), those interests are:
- Security and fraud prevention: Protecting our platform and users from unauthorised access, abuse, and fraudulent activity.
- Service improvement: Understanding how users interact with the platform using only anonymised or aggregated data to fix issues and improve functionality.
- Support communications: Responding to support requests and maintaining our platform relationship with users.
5. Data Sharing and Processors
We do not sell personal data. We share data only with the following service providers, each under a Data Processing Agreement (Art. 28 GDPR):
- Amazon Web Services S3 (EU Frankfurt region) — file and document storage
- Stripe, Inc. — payment processing (EU + US; certified under EU-US Data Privacy Framework)
- PostHog (EU Frankfurt) — product analytics; GDPR-compliant, EU-hosted
- Google Analytics 4 (Google LLC) — web traffic analysis (IP anonymisation enabled; EU-US DPF certified)
- SendGrid / Twilio — transactional email delivery
We may also disclose data to public authorities or law enforcement when required by law.
6. Data Retention
We retain personal data only as long as necessary for the stated purpose or as required by law. Specific retention periods:
- Account data: duration of account + 30 days post-deletion (for recovery), then deleted.
- Transaction and invoice records: 10 years (§147 AO).
- Uploaded tax documents: per data owner instruction; max 10 years where fiscal law applies.
- Security and access logs: 90 days.
- Support communications: 3 years.
- Analytics data: PostHog 12 months; Google Analytics 14 months.
- Marketing consent records: until withdrawal + 3 years (proof of consent).
7. Your Rights Under GDPR
You have the following rights regarding your personal data (Arts. 15–21 GDPR):
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to Portability (Art. 20): Receive a copy of your data in a machine-readable format where technically feasible.
- Right to Object (Art. 21): Object to processing based on legitimate interests. We will stop unless we demonstrate compelling legitimate grounds.
To exercise any of these rights, contact us at [email protected]
Right to Lodge a Complaint
You have the right to lodge a complaint with the competent data protection supervisory authority in your country of residence within the EEA (Art. 13(2)(d) GDPR).
8. Cookies and Analytics
We use essential cookies required for the platform to function (session management, security, authentication). These are strictly necessary and do not require consent under §25(2) TTDSG.
We also use the following analytics services, which use cookies and require your consent under §25 TTDSG:
- PostHog: Product analytics platform, EU-hosted (Frankfurt). Tracks page views, feature usage, and user flows. Data retained for 12 months.
- Google Analytics: Google Analytics 4 — Web traffic analytics by Google LLC. IP anonymisation is enabled. Data may be processed in the US under EU-US Data Privacy Framework (DPF) safeguards. Data retained for 14 months.
Your consent for analytics cookies is recorded when you click "Accept All Cookies" in our cookie banner. You may withdraw consent at any time by contacting [email protected]. Withdrawal does not affect the lawfulness of prior processing. We do not use advertising cookies or share your data with advertisers.
9. Data Security
We implement appropriate technical and organisational measures (TOMs) in accordance with Art. 32 GDPR, including TLS/HTTPS encryption in transit, encrypted storage at rest, access controls and role-based permissions, secure password hashing, and regular security assessments. In the event of a personal data breach, we will notify the supervisory authority within 72 hours and affected users without undue delay where required by Arts. 33–34 GDPR.
10. Automated Decision-Making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Art. 22 GDPR). Where algorithmic tools assist with advisor matching or recommendations, these serve as support tools only — a human review or user choice is always part of the outcome.
11. Changes to This Policy
We may update this Privacy Policy as our services evolve or legal requirements change. Material changes will be communicated via email (for registered users) or a prominent notice on the website at least 14 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.
12. Contact
For all privacy-related enquiries, contact us at [email protected]