Privacy Policy
Effective Date: 10 April 2026
1. Introduction
This Privacy Policy explains how TaxWize ("we," "us," "our," or the "Service") collects, uses, discloses, and safeguards your information when you visit and use our website, web application, and related services.
TaxWize is a Swiss-based tax preparation assistant designed to help individuals and families organize financial documents and prepare tax declarations. We are committed to protecting your privacy and ensuring transparency in how we process your data.
This policy is governed by the Swiss Federal Act on Data Protection (DSG). For users in the EU, EEA, or Switzerland, GDPR and DSG principles apply to the extent applicable.
2. Controller
The data controller is Szilárd Szakács, operating under the trade name Szakács Solutions, a registered sole proprietorship (Swiss UID: CHE-289.567.114) domiciled in Eggenwil, Canton Aargau, Switzerland.
Contact: privacy@taxwize.ch
Website: taxwize.ch
No Data Protection Officer (DPO) has been appointed. Under DSG, a DPO is not mandatory for sole proprietorships. Persons with questions regarding data protection may contact the controller directly at the email address above.
3. Scope
This policy applies to all individuals who access or use TaxWize (the "Service"), including users of our website and web application. Personal data is collected in connection with account creation, tax declaration preparation, document uploads, and payment processing.
This policy does not apply to third-party websites or services linked from TaxWize. We are not responsible for the privacy practices of external sites.
4. Data We Collect
We collect data in the following categories:
4.1 Account Data
When you create an account, we collect: email address, first and last name, phone number (optional), password (hashed and salted), account creation date, and language preference.
4.2 Tax and Financial Data
Tax declarations require you to upload sensitive financial documents, including but not limited to: salary statements, bank statements, savings account information, investment holdings, Pillar 3a account details, insurance premiums (health, building, etc.), childcare costs, commuting expenses, charitable donations, property values, mortgages, rental income, and other deductions relevant to Swiss tax filing.
We also collect structured data extracted or manually entered regarding your household composition, employment status, family situation, and other facts relevant to tax computation.
Tax and financial data is treated as sensitive data under DSG and GDPR and is subject to enhanced protection.
4.3 Usage Data
We collect information about your interaction with TaxWize: pages or sections visited, documents uploaded, time spent on each screen, actions taken (e.g., form submissions, declaration creation), errors encountered, and aggregate feature usage patterns. This data is collected to improve the Service and understand user behavior.
4.4 Payment Data
Payment processing is handled by Stripe. TaxWize does not directly collect or store full credit card numbers or bank account details. Stripe processes and stores payment card information in accordance with PCI DSS standards.
We receive and store: transaction ID, amount, currency, billing address, payment method type (e.g., "Visa"), transaction date, and tax year/declaration purchased.
4.5 Device and Technical Data
We collect technical information to maintain and improve our Service: IP address, browser type and version, operating system, device type, access times, referrer URL, and pages visited. This data is used for security, abuse prevention, and service diagnostics.
5. Purposes and Legal Bases for Processing
Service Delivery and Sensitive Data Processing: The core Service involves processing your financial and tax data, which constitutes sensitive personal data (besonders schützenswerte Personendaten) under Art. 5 lit. c DSG. We process this data on the following legal bases:
- (a) Performance of contract (Art. 31 para. 2 lit. a DSG, GDPR Article 6(1)(b)): Processing is necessary to provide the Service you have contracted for, including document extraction, tax computation, and report generation.
- (b) Explicit consent (Art. 6 para. 7 DSG): By creating an Account and uploading financial documents, you explicitly consent to the processing of your sensitive financial and tax data for the purposes described in this Privacy Policy. You may withdraw consent at any time by deleting your Account, which will result in the deletion of your data as described in Section 9.
We rely on both legal bases concurrently. The contractual basis ensures the Service can function; your explicit consent provides additional legal certainty for the processing of sensitive data categories.
Payment Processing: Legal basis is performance of contract. We share payment information with Stripe to process your subscription or per-declaration payments.
Legal and Regulatory Compliance: Legal basis is legal obligation (DSG Article 31(a), GDPR Article 6(1)(c)). We may retain and disclose tax and financial data in response to lawful requests from Swiss or EU tax authorities, law enforcement, or as required by applicable law.
Service Improvement and Analytics: Legal basis is legitimate interest (DSG Article 31(b), GDPR Article 6(1)(f)). We analyze usage patterns, error logs, and feature engagement to improve the Service, fix bugs, and prioritize development.
Security and Fraud Prevention: Legal basis is legitimate interest. We monitor for unauthorized access, malicious activity, and fraud. This includes reviewing login patterns, device fingerprints, and transaction anomalies.
Communication: Legal basis is legitimate interest or consent. We may contact you via email about your account, service updates, changes to this policy, or support matters. You may opt out of non-essential communications.
Data Protection Impact Assessment: TaxWize has conducted a Data Protection Impact Assessment (Datenschutz-Folgenabschätzung) in accordance with Art. 22 DSG for its processing of sensitive financial and tax data using AI-assisted extraction. The assessment evaluates the risks to your personality and fundamental rights and identifies the technical and organisational measures implemented to mitigate those risks. A summary of the DPIA is available upon request to privacy@taxwize.ch.
6. AI-Assisted Document Processing
TaxWize uses Google Cloud (Gemini models) to extract structured data from financial and tax documents you upload. This processing happens on EU-resident endpoints within the European Union.
Processing Method
Your uploaded documents are transmitted to Google Cloud and processed on EU-resident endpoints within the European Union, where AI models analyze them to extract fields such as income, deductions, family status, and financial holdings. The extracted data is structured and returned to TaxWize.
Nature of AI Processing and Automated Decision-Making
The AI-assisted extraction is a data structuring tool, not an automated decision-making system. Specifically:
- Document extraction uses AI models to identify and extract data fields (names, amounts, dates) from uploaded documents; this is a recognition task, not a decision.
- Tax computation is performed by deterministic, rules-based algorithms (not AI models) that apply published cantonal tax rules to the extracted data.
- Insights and suggestions are generated by rules-based logic and are presented as informational only, with explicit qualifiers ("worth checking", "may be relevant").
No automated decision with legal or significant financial effect (within the meaning of Art. 21 DSG) is made by the Service. All AI-extracted data and computed outputs are presented to you for review, correction, and approval before any use. You have the right to: review and correct all AI-extracted data before computation; override any extracted value with your own input; disregard any suggestion or insight; and request human review of any specific extraction result by contacting support@taxwize.ch.
Data Retention by Google
Google processes your documents in accordance with Google Cloud's Data Processing Terms (Data Processing Addendum incorporating Standard Contractual Clauses). Document content is not used to train Google's AI models (per Google Cloud AI/ML Additional Terms of Service). Google retains processing logs and may retain aggregated metadata for service improvement, but does not store the content of your documents beyond the processing window required to complete the extraction.
Your Choices Regarding AI Processing
You have the following options:
- (a) Use AI-assisted extraction: Upload your documents and allow AI to extract structured data. You retain the right to review, correct, and approve all extracted data before it is used.
- (b) Manual data entry: You may use the Service without uploading documents by entering your financial data manually. All Service features (tax computation, insights, report generation) remain available with manually entered data.
- (c) Withdraw consent: If you have previously uploaded documents and wish to withdraw consent to AI processing, you may delete the uploaded documents through the Service. Previously extracted data that you have approved and incorporated into your Declaration will be treated as user-provided data.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
7. Data Sharing and Subprocessors
We do not sell your data to third parties. We share your data only with the following subprocessors, each of whom processes data on our behalf under a Data Processing Agreement (DPA) or equivalent terms.
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, file storage, serverless functions | Zürich, Switzerland (eu-central-2) | DPA signed; encryption at rest and in transit; access controls |
| Google Cloud Platform | Application hosting, compute infrastructure, OCR, and AI-powered document extraction and tax insights (Gemini models) | Application hosting in Switzerland (Zürich, europe-west6); AI processing on EU-resident endpoints within the EU | Data Processing Addendum (signed/accepted), incorporating Standard Contractual Clauses; ISO 27001/27017/27018 certified; SOC 2 Type II audited; no use of customer data for model training (per Google Cloud AI/ML Additional Terms of Service); encryption at rest (AES-256) and in transit (TLS 1.3); DPA available upon request to privacy@taxwize.ch |
| Stripe | Payment processing and invoicing | EU + Global | PCI DSS Level 1; DPA available; payment data per Stripe's Data Processing Terms |
| Plausible Analytics | Privacy-friendly website analytics (pageviews, referrers, device types). No personal data collected, no cookies used. | EU (Germany) | No personal data processed; no cookies; no cross-site tracking; fully GDPR and DSG compliant without consent; data policy at plausible.io/data-policy |
| Resend (Plus Five Five, Inc.) | Transactional emails (support-ticket replies, notifications). Authentication emails such as magic links are sent separately by Supabase Auth and are not passed to Resend. | EU (Ireland, AWS eu-west-1) sending infrastructure; legal counterparty Plus Five Five, Inc. (USA) | DPA signed (incl. EU Standard Contractual Clauses, Module Two); EU sending region configured; TLS encryption in transit; current sub-processor list at resend.com/legal/subprocessors |
We remain responsible for subprocessors' compliance with data protection law. If you have concerns about any subprocessor, please contact us at privacy@taxwize.ch.
8. International Data Transfers
Primary Data Location: Your tax documents, extracted data, and Declaration content are stored exclusively in Switzerland (Supabase, Zürich region, eu-central-2).
AI Processing: Document extraction and tax-insight generation use Google Cloud (Gemini models) on EU-resident endpoints within the European Union. Google Cloud's Data Processing Addendum and Standard Contractual Clauses (SCCs) apply.
Payment Processing: Stripe, Inc. processes payment data in the European Economic Area and the United States. The transfer of payment data to the United States is covered by: (i) the Swiss-U.S. Data Privacy Framework, to the extent Stripe is certified thereunder; and (ii) Standard Contractual Clauses (SCCs) approved by the European Commission and recognised by the FDPIC as providing adequate safeguards under Art. 16 para. 2 lit. d DSG.
Analytics: Plausible Analytics processes aggregated, non-personal data in Germany (EU). No personal data is transferred.
Transactional Email: Resend (Plus Five Five, Inc.) is a US entity that operates the EU sending infrastructure (Ireland, AWS eu-west-1) configured for TaxWize. Transfer to the US parent is covered by the EU Standard Contractual Clauses (Module Two) incorporated in the signed DPA, recognised by the FDPIC as providing adequate safeguards under Art. 16 para. 2 lit. d DSG.
Adequacy: Switzerland, EEA member states, and countries recognised as adequate by the Swiss Federal Council do not require additional safeguards. For all other jurisdictions, we rely on SCCs or equivalent safeguards recognised under Art. 16 DSG.
You may request a copy of the applicable SCCs or other transfer safeguards by contacting privacy@taxwize.ch.
9. Data Retention
We retain your data for as long as necessary to provide the Service and fulfill the purposes outlined in this policy.
Active Account Data: Data associated with an active TaxWize account is retained as long as the account is active and for a reasonable period thereafter for security and support purposes.
Tax Declarations: You may delete individual tax declarations at any time through the Service. Once deleted, the declaration data is marked for deletion and removed from production systems within 30 days.
Backups and Redundancy: Data removed from active systems may persist in automated backups for an additional period of up to 30 days before being purged during regular backup maintenance cycles.
Account Deletion: You may delete your Account and all associated data at any time through the Account settings in the Service, or by submitting a request to privacy@taxwize.ch. Upon receiving a valid deletion request, all Personal Data and Content will be deleted from production systems within thirty (30) calendar days. Data in automated backup systems will be purged within an additional thirty (30) calendar days. We recommend downloading your tax reports and any data you wish to retain before initiating Account deletion, as this action is irreversible.
Legal Holds: If we receive a legal request from tax authorities or law enforcement, we may retain data beyond the standard retention period as required by law.
10. Your Rights
Under DSG and GDPR, you have the following rights:
Right of Access: You have the right to request confirmation of whether we process your data and to receive a copy of your personal data in a structured, machine-readable format.
Right to Rectification: You may request correction of inaccurate or incomplete data. Within the Service, you can edit most of your account information and tax data directly.
Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data, subject to legal obligations we may have to retain it. This right is not absolute and may be limited by law (e.g., tax record retention requirements).
Right to Restrict Processing: You may request that we limit processing of your data while you dispute its accuracy or validity.
Right to Data Portability: You have the right to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object: You may object to processing of your data for legitimate interest or direct marketing purposes.
Right to Lodge a Complaint: You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, if you are an EU/EEA resident, with your local supervisory authority.
To exercise any of these rights, please contact us at privacy@taxwize.ch. We will respond to requests within 30 days or as otherwise required by law.
11. Children
TaxWize is not intended for children under the age of 16. We do not knowingly collect personal data from individuals under 16. If we become aware that we have collected data from a child under 16, we will delete such data promptly.
Persons aged 16 and older may use the Service. If you are between 16 and 18, you should review this policy with your legal guardian.
12. Cookies and Similar Technologies
This section explains which cookies and similar technologies TaxWize uses, their purpose, and the legal basis under the Swiss Federal Act on Data Protection (DSG/FADP) and the EU General Data Protection Regulation (GDPR).
TaxWize uses only strictly necessary (essential) cookies. These cookies are required for the Service to function and do not require your consent under Art. 6(1)(b) GDPR and Art. 31(1) DSG.
Essential cookies used by TaxWize:
- Authentication session cookie (set by Supabase Auth): Maintains your authenticated session so you remain logged in while using the Service. This cookie is created when you sign in and is deleted when you sign out or when the session expires. Without this cookie, the Service cannot authenticate you.
- Language preference cookie (taxwize-locale): Stores your selected language (English or Deutsch). This cookie persists across sessions so you do not need to re-select your language each time you visit. It contains only the locale code (e.g. "en" or "de-CH") and no personal data.
- Payment session cookies (set by Stripe): When you proceed to payment, Stripe may set temporary cookies required for fraud prevention and payment processing. These cookies are governed by Stripe's own privacy policy and are strictly necessary for the payment transaction.
Website analytics:
TaxWize uses Plausible Analytics, a privacy-focused analytics service, to understand how visitors use the website (e.g. which pages are visited, referral sources, country of origin, device type). Plausible does not use cookies, does not collect personal data, and does not track individual visitors across sessions or websites. All data is aggregated and cannot be used to identify you. Because Plausible does not process personal data or use cookies, no consent is required under DSG or GDPR. For details, see the Plausible Data Policy at https://plausible.io/data-policy.
Technologies not used by TaxWize:
TaxWize does not use advertising cookies, social media tracking pixels, fingerprinting techniques, or any third-party marketing cookies. We do not participate in cross-site tracking or real-time bidding.
You can manage or delete cookies through your browser settings at any time. Disabling essential cookies will prevent you from logging in and using the Service. Deleting the language preference cookie will reset your language to the default.
13. Security
We implement commercially reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
Safeguards include: encryption of data in transit (HTTPS/TLS 1.2 or higher) and at rest in the database; hashing and salting of passwords; access controls limiting data access to authorized personnel only; regular monitoring for suspicious activity and intrusion detection; and secure deletion procedures for data no longer needed.
Despite these measures, no security system is completely secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your login credentials.
14. Data Breach Notification
In the event of a personal data breach (Verletzung der Datensicherheit) as defined in Art. 5 lit. h DSG, TaxWize will:
- (i) Notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as possible, in accordance with Art. 24 para. 1 DSG, if the breach is likely to result in a high risk to your personality or fundamental rights;
- (ii) Inform you without undue delay if the breach is likely to result in a high risk to your personality or fundamental rights and notification is necessary for your protection, or if the FDPIC so requires, in accordance with Art. 24 para. 4 DSG;
- (iii) Document the breach, its effects, and the remedial measures taken, in accordance with Art. 24 para. 2 DSG.
Notification to you will include: a description of the nature of the breach; the categories of data affected; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects.
TaxWize maintains an incident response plan and will use commercially reasonable efforts to contain, investigate, and remediate any data breach promptly.
15. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by updating the "Effective Date" at the top of this policy and, where required, by sending a notification to your registered email address.
Your continued use of TaxWize following notification of changes constitutes your acceptance of the updated policy.
16. Contact
For data protection requests (access, rectification, erasure, objection, portability): privacy@taxwize.ch. For general inquiries and support: support@taxwize.ch. For security vulnerabilities: security@taxwize.ch.
Data protection requests submitted to privacy@taxwize.ch will be acknowledged within five (5) business days and processed within thirty (30) calendar days, as required by applicable law.
Controller: Szilárd Szakács, Szakács Solutions (UID: CHE-289.567.114)
Address: Eggenwil, Canton Aargau, Switzerland
Data Protection Authority (Switzerland): Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch
If you are an EU/EEA resident, you may also lodge a complaint with your local supervisory authority.
TaxWize maintains a register of processing activities (Verzeichnis der Bearbeitungstätigkeiten) in accordance with Art. 12 DSG. A summary is available upon request to privacy@taxwize.ch.