Last updated: February 2026. This policy is subject to review by legal counsel.
1. Data Controller
Taxation.ai is operated by Vaionex Corporation, a company incorporated in the State of Delaware, United States. For all matters relating to data protection, you may contact us at:
Vaionex Corporation
Email: one@vaionex.com
Vaionex Corporation acts as the data controller for personal data processed through the Taxation.ai platform, as defined under the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US privacy laws.
2. Data We Collect and Legal Basis
We collect and process the following categories of personal data, each with a specific legal basis under GDPR Article 6(1):
2.1 Account Information
- Data: Name, email address, password (hashed)
- Legal basis: Performance of contract (Art. 6(1)(b)) — necessary to create and maintain your account
2.2 Financial and Tax Data
- Data: Income information, tax identification numbers, employment details, deductions, financial statements, tax return data
- Legal basis: Performance of contract (Art. 6(1)(b)) — necessary to provide the tax preparation service; and explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) where data constitutes special category data
2.3 Payment Information
- Data: Billing address, payment method details (processed by Stripe; we do not store full card numbers)
- Legal basis: Performance of contract (Art. 6(1)(b)) — necessary to process payments
2.4 Usage Data
- Data: Page views and general usage patterns (collected via Plausible Analytics)
- Legal basis: Legitimate interest (Art. 6(1)(f)) — to improve our services. Plausible is cookieless and does not collect personal data or IP addresses. Data is hosted in the EU.
2.5 Session Data
- Data: Authentication session tokens (via Supabase Auth)
- Legal basis: Performance of contract (Art. 6(1)(b)) — necessary to maintain your authenticated session. We use only essential session cookies; no tracking or advertising cookies are employed.
3. Tax Data Processing
Given the sensitive nature of tax and financial data, we apply enhanced protections:
- All tax data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Tax data is stored on EU-based servers (Hetzner, Germany) with strict access controls
- Access to raw tax data is limited to automated systems; human access requires explicit authorization and is logged
- Tax data is processed solely for the purpose of preparing your tax returns and providing related AI-assisted insights
- We do not sell, rent, or share your tax data with third parties for marketing purposes
4. AI Processing Disclosure
Taxation.ai uses artificial intelligence, powered by OpenAI, to assist with tax preparation. When you use AI features:
- Relevant portions of your tax and financial data are transmitted to OpenAI's API for processing
- Data sent to OpenAI is used solely for generating responses to your queries and is not used by OpenAI to train their models (per our Data Processing Agreement with OpenAI)
- This transfer involves an international data transfer from the EU to the United States, governed by Standard Contractual Clauses (SCCs) — see Section 9
- AI-generated outputs are informational and do not constitute professional tax advice
5. Sub-Processors
We engage the following sub-processors to deliver our services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU |
| Stripe | Payment processing | US (SCCs) |
| OpenAI | AI-powered tax assistance features | US (SCCs) |
| Plausible Analytics | Privacy-friendly, cookieless website analytics | EU |
| Hetzner | Cloud infrastructure and hosting | EU (Germany) |
6. Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
- Tax and financial data: Retained for the duration of your account or as required by applicable tax law (whichever is longer). In most jurisdictions, tax records must be retained for 3-7 years.
- Payment records: Retained as required by financial regulations and for legitimate business purposes (up to 7 years).
- Usage analytics: Plausible retains aggregated, non-personal statistics indefinitely. No personal data is collected.
- Session data: Authentication tokens expire automatically and are not retained beyond the session.
7. Your Rights
Under the GDPR, UK GDPR, and other applicable data protection laws, you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data. You can delete your account and all associated data directly from your account settings.
- Right to Data Portability (Art. 20): Request an export of your data in a structured, machine-readable format. You can export all your data directly from your account settings.
- Right to Restrict Processing (Art. 18): Request that we limit how we use your data.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.
8. How to Exercise Your Rights
You may exercise your rights in the following ways:
- Self-service: Use the data export and account deletion features available in your account settings.
- Email: Send a request to one@vaionex.com. We will respond within 30 days as required by the GDPR.
We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.
9. International Data Transfers
Your data is primarily stored within the European Union (Hetzner servers in Germany). However, certain sub-processors are located in the United States:
- OpenAI: Tax data is transmitted to OpenAI's US-based API for AI processing.
- Stripe: Payment data is processed by Stripe in the United States.
These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organizational safeguards including encryption in transit and at rest.
10. Cookies
Taxation.ai does not use cookies for tracking, advertising, or analytics purposes. We use only essential session cookies set by Supabase Auth, which are strictly necessary for the platform to function (maintaining your authenticated session). These cookies do not require consent under the ePrivacy Directive as they are technically necessary.
11. Children's Privacy
Taxation.ai is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at one@vaionex.com and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (using the address associated with your account) or by placing a prominent notice on our platform at least 30 days before the changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.
13. Contact
For any questions or concerns regarding this Privacy Policy or our data practices, please contact:
Vaionex Corporation
Email: one@vaionex.com
If you are located in the EU or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.