Privacy Policy

1. Controller of personal data and roles in processing

1.1 Two roles in the processing of personal data

In the processing of personal data, Taxorio acts in two distinct roles, which must be strictly distinguished:

• Controller of personal data — towards its own registered users (self-employed persons, entrepreneurs). Taxorio itself determines the purpose and means of processing their registration, identification and operational data (name, email, Company ID, billing address for the subscription, technical logs).
• Processor of personal data — towards the personal data of third parties (the user's clients and suppliers) that the user enters into the application as part of their invoicing agenda. In this relationship, the user is the sole controller, deciding whom, what and on what grounds to invoice. Taxorio provides only a technical tool.

The contractual framework of the controller–processor relationship is governed by the Data Processing Agreement (DPA) in Art. 9 of the Terms and Conditions, which the user agrees to upon registration. The user, as controller, has the obligation to ensure a lawful basis for entering the personal data of their clients into the application.

1.2 Data Protection Officer

The operator has not appointed a Data Protection Officer (DPO), as it does not meet the conditions under Art. 37 GDPR — its core activity is neither large-scale regular and systematic monitoring of data subjects nor large-scale processing of special categories of data. All inquiries regarding the processing of personal data are handled directly by the operator at info@taxorio.cz.

2. What personal data we process

2.1 Data upon registration and sign-in

You can register and sign in in two ways:

• Sign-in via Google (OAuth): Name, email and profile picture from your Google account
• Sign-in with email and password: Email address and password. We do not store the password in readable form — we store only its one-way cryptographic hash (the bcrypt algorithm). We also temporarily retain one-time tokens for email verification and for recovery of a forgotten password.
• User identification: A unique user ID generated by the system; preferred interface language

2.2 Business data (self-employed persons)

• Company ID (IČO), VAT ID (DIČ) (if a VAT payer)
• Business name or first and last name
• Address of the registered office or place of business
• Bank details (account number, bank code) for generating invoices
• Email and phone contact for invoices

2.3 Invoicing and accounting data

• Issued invoices (invoice number, line items, amounts, VAT)
• Expense records (suppliers, amounts, categories, document attachments)
• Uploaded PDF files and scanned documents (receipts, invoices)
• Document metadata (date of creation, AI-recognized data)

2.4 Technical data

• IP address: For the purposes of traffic analytics, it is processed in anonymized form. For the purposes of security (sign-in records, protection against account misuse), the IP address and browser type are stored alongside the sign-in (refresh) tokens and with MCP integration connections in non-anonymized form for the validity period of the token (typically 30 days) on the basis of legitimate interest.
• Browser and device type (user-agent)
• Date and time of access, last sign-in
• Operational logs and error logs (for technical support and security)

2.5 Payment data (Pro plan only)

• Subscription data (plan, activation date, billing period)
• Payment cards: We do not process or store complete payment card numbers - all payment data is securely processed by the payment gateway provider Stripe (PCI DSS Level 1 certified). In our database we keep only the customer and subscription identifiers from Stripe (stripeCustomerId, stripeSubscriptionId).

2.6 Personal data of third parties (the user's clients and suppliers)

• Name / business name, Company ID, VAT ID, VAT payer status
• Address, email, phone, notes
• Bank account details and invoicing data (invoice numbers, amounts)
• Scanned documents on which this data appears

You, as controller, are responsible for the lawful basis for entering this data and for informing the persons concerned (see Art. 7 and Art. 13).

2.7 Data from the AI assistant (chat)

If you use the AI assistant, we process:

• The conversation history (both your queries and the assistant's responses), which we store in your account until you end the conversation or delete the account
• The context for answering the query, which is passed to the language model: your name, Company ID, VAT ID, tax status and aggregate financial data (income, expenses, tax base, VAT for the period) and — if needed for the query — a list of your invoices, expenses and clients. For details on processing by the model, see Art. 9.

2.8 Data from automatic payment matching (optional)

If you activate the matching of payments from email banking notifications, we process the content of these forwarded emails and machine-extract (AI) the payment data from them:

• Amount, currency, variable symbol, date and description of the payment
• Name, account number and IBAN of the payer (personal data of a third party — the payer, towards whom you are the controller)
• Notification attachments (bank statements) and the sender's email address

3. Purpose of personal data processing

Purpose	Legal basis
Operation of the account and user authentication	Performance of a contract (Art. 6(1)(b) GDPR)
Issuing invoices and recording expenses	Performance of a contract
AI document recognition (OCR)	Performance of a contract
AI assistant (chat) and its history	Performance of a contract
Automatic matching of payments from email notifications	Performance of a contract, legitimate interest
Tracking delivery and opening of sent invoices	Legitimate interest (Art. 6(1)(f)) — the controller is the user, see Art. 4.4
XML export for EPO (the tax office)	Compliance with a legal obligation (Art. 6(1)(c))
Processing of subscription payments	Performance of a contract
Account security and protection against misuse (IP, logs)	Legitimate interest (Art. 6(1)(f))
Technical support and troubleshooting	Legitimate interest (Art. 6(1)(f))
Analytics and service improvement	Consent (analytics cookies) — see Art. 8
Marketing communication (newsletter)	User consent (Art. 6(1)(a))

4. To whom we disclose your data

We DO NOT SELL your personal data to third parties. We share it only with trusted partners essential for the operation of the service:

4.1 Sub-processors (technology partners)

To operate the service we use the sub-processors listed below. For each we state the purpose, the location of processing and the safeguard for any transfer outside the EU (for details on transfers to the USA, see Art. 10):

• Railway (Railway Corp., USA) — application hosting, the database (PostgreSQL) and file storage of scanned documents and invoices. The data is stored and processed in the European Union data region (edge in Amsterdam, EU).
• Google — Gemini API (Google Ireland Limited / Google LLC) — AI document recognition (OCR), AI assistant and machine extraction of payment notifications. We use exclusively the paid interface ("Paid Services"), for which, according to its terms and Data Processing Addendum, Google does not use inputs or outputs to train its models. See Art. 9.
• Resend (Resend, Inc., USA) — sending system emails, verification emails, invoices to recipients and the newsletter, and receiving email banking notifications for payment matching.
• Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.) — processing subscription payments; PCI DSS Level 1 certification. Does not apply to your clients' invoicing data.

We DO NOT SELL your personal data or your clients' data and we do not disclose it to third parties for their own marketing purposes. Sub-processors process it solely according to our instructions and for the purposes set out above.

4.2 Analytics tools

• Google Analytics 4 (Google) — anonymized website traffic statistics (IP anonymization enabled). It is activated only with your consent via the cookie banner (Google Consent Mode v2 — analytics storage is disabled by default).

4.3 Official communication

We may provide personal data to:

• The tax office on the basis of a legal requirement
• Courts and law enforcement authorities (where required by law)

4.4 Tracking the delivery of sent invoices

If you send an invoice to a recipient by email through the application, we record whether the email was delivered, opened, or whether delivery failed (and the reason for non-delivery). This feature helps you find out that the invoice arrived. In relation to your recipients, you are the controller and you use this feature on the basis of your legitimate interest; we provide only the technical execution through the sub-processor Resend.

5. How we protect your data

5.1 Technical security measures

• Encrypted transmission (TLS/HTTPS): All communication between the browser and the server is encrypted
• Encryption of data at rest: The database and the file storage are encrypted at the infrastructure provider level (Railway)
• Passwords: When signing in with email, passwords are stored exclusively as one-way cryptographic hashes (bcrypt), never in readable form. Alternatively, sign-in via Google (OAuth 2.0) can be used
• Session management: Short-lived access tokens (JWT) and rotated sign-in (refresh) tokens stored as hashes; secure cookies (HttpOnly, Secure)
• Rate-limiting: Protection of the API against excessive and automated load
• Regular backups: Automatic daily database backups (retained for 30 days; serving for service recovery after a disaster, not for restoring individually deleted data)

5.2 Organizational measures

• Only the operator, as the sole authorized person bound by confidentiality, has access to the production database and infrastructure
• Multi-factor authentication (MFA) on the administrative accounts through which the service is managed (infrastructure provider, Google, payment gateway)
• Regular security reviews of the source code
• Continuous monitoring of the application's operation and error states

No technical measure provides an absolute guarantee of security; the measures adopted correspond to the nature of the processing, the scope of the service and the current state of the art within the meaning of Art. 32 GDPR.

6. How long we retain your data

Type of data	Maximum retention period in the Taxorio system
Accounting documents (invoices, expenses)	Max. 10 years, if the account is active — statutory archiving is ensured by the user themselves
Tax documents (XML exports)	Max. 10 years, if the account is active — statutory archiving is ensured by the user themselves
User account (active)	For the duration of the contract
User account (inactive)	An inactive account may be cancelled no earlier than 3 years after the last sign-in; erasure can also be requested earlier
AI assistant history (chat)	Until the conversation is ended by the user or until the account is deleted
Payment matching records	For the duration of the account or until deleted by the user
Operational AI usage records (token counts, latency — without document content)	For statistics and cost control; they do not contain personal data from documents
Sign-in (refresh) tokens incl. IP and browser type	Until the token expires, typically 30 days
Technical and security logs	90 days
Database backups	30 days (disaster recovery of the service)
Uploaded files (PDF, scanned documents)	For the duration of the account or until deleted by the user

7. Your rights under the GDPR

You have the following rights concerning your personal data:

7.1 Right of access

You can request a copy of all personal data we process about you. You can export your data directly in the application (Settings → My data → Prepare export).

7.2 Right to rectification

You can correct inaccurate or incomplete personal data directly in the account settings or contact us by email.

7.3 Right to erasure ("right to be forgotten")

You can request the deletion of your account and all related data by sending a request to info@taxorio.cz from the email with which you are registered. After erasure, all invoices, expenses, clients, documents and uploaded files are deleted. Please note that the statutory obligation to archive accounting documents for 5–10 years rests exclusively with the user — after the account is deleted, the data is not recoverable (see section 6).

7.4 Right to restriction of processing

Under certain circumstances, you can request the suspension of the processing of your data.

7.5 Right to data portability

You have the right to obtain your data in a structured, commonly used and machine-readable format (JSON, CSV, XML). The export is available in the account settings.

7.6 Right to object

You can object to the processing of data based on legitimate interest (e.g. marketing communication).

7.7 Right to withdraw consent

If you have given consent to marketing communication (newsletter), you can withdraw it at any time by clicking the "Unsubscribe" link in the email or in the account settings.

8. Cookies and tracking technologies

8.1 Essential cookies

We use only essential cookies for the functioning of the application:

• Session cookie: Keeps you signed in (deleted after closing the browser)
• Auth token: A security token for authentication (HttpOnly, Secure)

8.2 Analytics cookies (optional)

With your consent we use:

• Google Analytics 4: Anonymized traffic statistics (IP anonymization enabled)

You can refuse analytics cookies at any time in your browser settings or via the cookie banner on the website.

9. AI features (document recognition and assistant)

How we process data in the AI features:

• Scanned documents (photographs, PDF), queries in the AI assistant and the content of email payment notifications are sent for machine processing to the Google Gemini API service
• We use exclusively the paid Gemini interface ("Paid Services"). According to Google's terms and the Data Processing Addendum, Google does not use inputs or outputs to train its models; it processes the data only for the time necessary to fulfill the request. (For completeness: the free Gemini interface would allow Google to use the data to improve its models — which is why we do not use it.)
• After recognition, the document image is stored in your account in the file storage in the EU (Railway); you can delete it at any time in the application
• With the AI assistant, the model is provided with context from your account as described in Art. 2.7
• We recommend: Always verify the recognized and generated data by comparing it with the original document or source

9.1 Transparency of AI outputs under the EU AI Act

In compliance with Art. 50 of Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (EU AI Act), which requires operators of AI systems to transparently label outputs generated or processed by artificial intelligence, Taxorio ensures that the user is clearly informed in the user interface that the results of the AI document recognition feature are probabilistic in nature — they are not a guaranteed machine transcription, but a statistical estimate by the model.

This information is communicated to the user upon the first interaction with the AI recognition feature. AI outputs are neither binding nor accurate — the user is obliged to always verify and manually confirm them before saving them to the records.

9.2 Special categories of personal data

10. Transfer of data outside the EU

Your data is stored at rest on servers in the European Union.

• Database and file storage: Railway — European Union data region (edge Amsterdam)

However, some of our sub-processors are companies based in the United States (Google / Gemini API and Google Analytics, Resend, Stripe), and part of the processing (especially machine processing in AI and the sending of emails) may take place on their infrastructure outside the EU. For these transfers, appropriate safeguards under Chapter V of the GDPR are applied:

• EU-US Data Privacy Framework (DPF) — for sub-processors that are certified under this mechanism
• Standard Contractual Clauses (SCC) of the European Commission as a supplementary or alternative safeguard

These safeguards are part of the Data Processing Agreements (DPA) concluded with the individual sub-processors.

11. Changes to the privacy policy

We may update this policy from time to time. We will inform you of significant changes:

• By email (if you have an active account)
• By a notification in the application
• By updating the "Last updated" date in the header of this document

12. Contact and complaints

12.1 Right to lodge a complaint

If you believe that we process your personal data in violation of the GDPR, you have the right to lodge a complaint with the supervisory authority:

13. Security incidents

In the event of a personal data security breach, Taxorio, as a processor, proceeds as follows:

• It informs the user (controller) without undue delay after becoming aware of the security breach (Art. 33(2) GDPR), so that the user can meet their own 72-hour notification deadline towards the ÚOOÚ
• It provides the user with available information needed to assess the nature and scope of the incident
• It takes immediate technical measures to secure the system and prevent further leakage

14. Limitation of liability

← Back to homepage