These terms are published in English as standard for Dutch tech startups. They apply to all users of Taxly, regardless of location or nationality.
Last updated: April 2026
Taxly AI respects your privacy. This policy describes how we collect, use, and protect personal data when you use our website and services, in compliance with the EU General Data Protection Regulation (GDPR) and applicable Dutch law.
1. Who We Are
The data controller for personal data processed through Taxly AI is Andrei Vandalac (eenmanszaak / sole proprietorship), operating under the trade name Taxly AI.
Company details:
Trading name: Taxly AI
Operator: Andrei Vandalac (eenmanszaak)
KvK: 42001653
BTW (VAT): NL005424759B58
Location: Rotterdam, Netherlands
Contact: support@taxlyai.nl
2. What Data We Collect
When you use Taxly AI, we collect the following types of data:
- Account information: Email address (used for account creation, authentication, and communication)
- Payment information: Processed securely by Stripe. We do not store your credit card details on our servers.
- Uploaded documents: Payslips, contracts, tax documents, and other files you upload for analysis
- Analysis results: AI-generated insights and scan results from your documents
- Usage data: Number of scans, chat messages, subscription status, and feature usage
- Technical data: IP address, browser type, device information (for security and analytics)
3. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: To provide document analysis, AI assistance, and other features
- Communication: To send transactional emails (scan results, magic links, account notifications)
- Payment processing: To process subscriptions and one-time payments via Stripe
- Service improvement: To improve our AI analysis accuracy and develop new features
- Security: To detect fraud, prevent abuse, and maintain platform security
- Legal compliance: To comply with legal obligations and respond to lawful requests
4. Document Processing & AI Analysis
When you upload documents or use the AI assistant, your content is processed via the OpenAI API (and related infrastructure) to generate analysis and insights. All transmissions use industry-standard encryption (HTTPS/TLS).
Important: We do not use your data to train public AI models. OpenAI processes data according to their API terms, which prohibit using customer data for model training. For details on OpenAI's data handling, see OpenAI Enterprise Privacy.
5. Data Retention
We retain your data as follows:
- Uploaded documents: Analyzed immediately and NOT stored permanently on our servers. Document content is temporarily processed and then deleted after analysis completes.
- Scan results: Stored for a maximum of 30 days, then automatically deleted (unless part of an active subscription or conversation history)
- Account data: Retained while your account is active. You can delete your account at any time from account settings.
- Invoices and payment records: Retained for 7 years as required by Dutch tax law
6. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right to access: Request a copy of all personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing of your data for specific purposes
- Right to restrict processing: Limit how we use your data
- Right to withdraw consent: Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, contact us at support@taxlyai.nl. We will respond within 30 days as required by law.
7. Third-Party Processors
We use trusted third-party services to operate Taxly AI. These processors have access to your data only to perform specific tasks on our behalf and are obligated to protect your data:
- OpenAI (US) — AI-powered document analysis and chat assistance. Data processed according to OpenAI's API terms (not used for model training).
- Stripe (US/EU) — Payment processing. PCI-DSS compliant. We do not store card details.
- Supabase (EU) — Database and authentication. Data stored on EU servers.
- Resend (EU) — Transactional email delivery (scan results, magic links).
- Vercel (EU) — Website hosting and edge network. EU infrastructure.
- Microsoft Clarity (US) — Website analytics. Anonymized session recordings and heatmaps. No personal data collected.
Data transfers: Some processors (OpenAI, Microsoft Clarity) are based in the US. Data transfers are protected by Standard Contractual Clauses (SCCs) and other GDPR-compliant safeguards.
8. Cookies
We use minimal cookies to operate Taxly AI. See our full Cookie Policy for details:
- Essential cookies: Authentication session (Supabase), language preference. Required for the service to work.
- Analytics cookies: Microsoft Clarity (anonymized, no personal data). Used to improve user experience.
- No advertising cookies: We do not use advertising or third-party tracking cookies.
9. Data Security
We implement industry-standard security measures to protect your data:
- HTTPS/TLS encryption for all data in transit
- Encrypted database storage
- Secure authentication (Supabase Auth)
- Regular security audits and monitoring
- Access controls and logging
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Children's Privacy
Taxly AI is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Significant changes will be communicated via email or in-app notification.
12. Contact & Complaints
For privacy questions, data requests, or to exercise your rights:
Email: support@taxlyai.nl
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
autoriteitpersoonsgegevens.nl
Available in Romanian on request