Privacy Policy

1. Controller and scope TaxRouter GmbH, Holzdamm 47, 20099 Hamburg, Germany, email: info@taxrouter.com, is the controller for personal data processed through the TaxRouter website, account administration, security, and service operations unless this notice expressly states that we act only as a processor for a customer. 2. When TaxRouter acts as controller and when we act as processor For account creation, login, invitations, organization administration, customer communication, security, and contractual administration, TaxRouter acts as the controller. For Amazon source data, raw imports, DATEV export data, and other workspace content that a customer processes through the service, the customer is generally the controller and TaxRouter acts as the processor under the applicable contract and Data Processing Addendum. 3. Categories of personal data Depending on how you use TaxRouter, we may process: - account and profile data such as name, email address, profile image, authentication credentials, and two-factor authentication status; - organization and workspace data such as company name, address, roles, invitations, consultant and client relationships, DPA acceptance, and DATEV settings; - technical and security data such as session identifiers, IP address, user agent, timestamps, browser or device information, locale preference, and audit or error logs; - integration and operational data such as Amazon refresh tokens, marketplace settings, VAT transaction data, settlement events, raw import files, export metadata, and related bookkeeping context; - communication data when you contact us or receive transactional emails such as password reset messages. 4. Purposes and legal bases We process personal data to provide and secure the service, authenticate users, manage workspaces and permissions, connect Amazon Seller Central, sync source data, generate exports, respond to requests, and operate the business relationship. The main legal bases are Article 6(1)(b) GDPR where processing is necessary to perform a contract, Article 6(1)(c) GDPR where processing is necessary to comply with legal obligations, and Article 6(1)(f) GDPR for legitimate interests such as service security, fraud prevention, abuse detection, product reliability, and the establishment, exercise, or defense of legal claims. Where consent is legally required, we rely on Article 6(1)(a) GDPR. 5. Cookies and similar technologies TaxRouter currently uses cookies and similar technologies that are technically necessary to run the service and remember core preferences. These include authentication and session cookies, language preference cookies, the last selected organization cookie, and a short-lived cookie used during the Amazon authorization flow. This notice does not describe advertising cookies because they are not required for the current core service. 6. Recipients and subprocessors We may disclose personal data to: - Amazon and related marketplace infrastructure when you connect Amazon Seller Central and request sync operations; - hosting, database, infrastructure, security, and email delivery providers that help us operate TaxRouter; - consultants, clients, and other authorized users inside the relevant workspace structure; - professional advisors, auditors, courts, and public authorities where disclosure is necessary to comply with law or protect our rights. Where we use service providers to process personal data on our behalf, we require appropriate contractual and data protection safeguards. 7. International data transfers Depending on your setup and the providers involved, personal data may be processed in countries outside the European Economic Area. If we transfer personal data to a country that is not subject to an adequacy decision, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses or another lawful transfer mechanism. 8. Retention We keep controller-side data for as long as necessary to provide the service, maintain the account relationship, meet legal retention obligations, resolve disputes, and enforce agreements. Customer workspace content that we process as a processor is generally retained for the duration of the customer relationship and then returned or deleted in line with the contract, the Data Processing Addendum, and applicable law unless further retention is legally required. 9. Security We use appropriate technical and organizational measures designed to protect confidentiality, integrity, and availability. These measures may include role-based access restrictions, encryption in transit, authentication controls, session management, logging, and two-factor authentication features. No system can be guaranteed to be completely secure, so you should also protect your credentials and authorized user access. 10. Your rights and contact If TaxRouter is the controller for your personal data, you may have the right to request access, rectification, erasure, restriction of processing, data portability, and to object to certain processing. Where processing is based on consent, you may withdraw consent at any time with effect for the future. You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. Privacy requests can be sent to info@taxrouter.com.