Privacy Policy
Last updated: June 9, 2026 · Effective from this date
This Privacy Policy explains how SpanishTax AI ("we", "us") collects, uses, and protects your personal data when you use spanishtaxai.com (the "Service"). We comply with the EU General Data Protection Regulation (GDPR, Regulation EU 2016/679) and the Spanish Data Protection Act (Ley Orgánica 3/2018, LOPDGDD).
1. Data Controller
- Controller: Oscar Gonzalez Febles (operating as autónomo)
- NIF: [NIF TO BE COMPLETED BEFORE FIRST SALE]
- Address: [TAX ADDRESS TO BE COMPLETED — Madrid, Spain]
- Email: privacy@spanishtaxai.com
We have not appointed a Data Protection Officer (DPO) because the scale of processing does not require it under Article 37 GDPR. For all privacy matters, contact privacy@spanishtaxai.com.
2. What personal data we collect
Data you provide directly
- Account data: name, email address, country of residence (when you create an account)
- Profile data: nationality, income type (1099/W-2/freelance/etc.), tax residency status, family situation — only data you choose to provide for personalized advice
- Billing data: billing name, address, VAT number (processed by Stripe; we receive metadata only — not full card numbers)
- Documents you upload: CPA letters, bank statements, tax returns, and other DNV-related documents (Premium Concierge / Pro Audit subscribers only)
- Communications: emails, chatbot conversations, support tickets
Data collected automatically
- Technical data: IP address, browser type, operating system, device type
- Usage data: pages visited, time on page, chatbot interactions, click patterns
- Cookies: see Cookie Policy for details
Data we do NOT collect
- Special category data (health, religion, political views, biometric data) — we do not request it; do not include it in your messages
- Data about minors under 18
- Full payment card numbers (handled exclusively by Stripe)
3. Why we collect data (purposes & legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service (chatbot, dashboard, document review) | Contract performance (Art. 6.1.b) |
| Process payments via Stripe | Contract performance (Art. 6.1.b) |
| Customer support | Contract performance + legitimate interest (Art. 6.1.b, 6.1.f) |
| Send transactional emails (welcome, password reset, refund confirmation) | Contract performance (Art. 6.1.b) |
| Send marketing newsletter | Consent (Art. 6.1.a) — opt-in only |
| Comply with Spanish tax and accounting law (invoice retention) | Legal obligation (Art. 6.1.c) |
| Improve the Service (quality assurance, debugging, prompt iteration) | Legitimate interest (Art. 6.1.f) |
| Detect fraud and abuse | Legitimate interest (Art. 6.1.f) |
| Comply with legal requests from authorities | Legal obligation (Art. 6.1.c) |
4. Who has access to your data (third parties / sub-processors)
We use the following trusted third parties to operate the Service. Each is bound by a Data Processing Agreement (DPA) compatible with GDPR:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Web hosting (Pages, Workers, KV storage) | USA (with EU edge nodes) |
| Supabase Inc. | Database (Postgres) and authentication | EU (Frankfurt) for our project |
| Anthropic PBC | AI chatbot (Claude API) | USA |
| Voyage AI | Text embeddings for chatbot retrieval | USA |
| Stripe, Inc. | Payment processing | USA / Ireland (EU operations) |
| Resend | Transactional email delivery | USA |
International data transfers
Some sub-processors are located outside the European Economic Area (EEA), primarily in the USA. These transfers are safeguarded by Standard Contractual Clauses (SCCs) adopted by the European Commission (Article 46.2.c GDPR), and where applicable, the EU-US Data Privacy Framework. Copies of relevant SCCs are available on request: privacy@spanishtaxai.com.
5. How long we keep your data (retention)
| Data category | Retention period |
|---|---|
| Account data (active accounts) | While account exists + 6 months after deletion |
| Profile data and uploaded documents | While account exists; can be deleted on request |
| Chatbot conversation logs | 24 months (for service improvement and QA) |
| Billing records and invoices | 6 years (Spanish accounting law — Código de Comercio Art. 30) |
| Marketing email subscribers | Until unsubscribed |
| Cookies (analytics) | 13 months max (Spanish AEPD recommendation) |
6. Your rights (GDPR Articles 15-22)
As a data subject, you have the following rights:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): request deletion of your data (subject to legal retention obligations)
- Restriction: ask us to limit processing in certain circumstances
- Data portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests or for direct marketing
- Withdraw consent: withdraw consent at any time (for processing based on consent — does not affect prior processing)
- Lodge a complaint: with the Spanish supervisory authority (Agencia Española de Protección de Datos, AEPD) at aepd.es
How to exercise your rights
Email privacy@spanishtaxai.com with your request. We will respond within 30 days (extendable by 60 days for complex cases per Article 12.3 GDPR). We may need to verify your identity before processing the request.
7. Security measures
We implement technical and organizational measures to protect your data:
- Encryption in transit (TLS/HTTPS everywhere)
- Encryption at rest (Supabase managed encryption)
- Row-Level Security (RLS) policies on database tables
- Secrets stored in Cloudflare Worker secrets (not in code or version control)
- Access controls: only Oscar Gonzalez Febles has administrative access
- Regular review of sub-processor security practices
No method of transmission or storage is 100% secure. In the event of a personal data breach with risk to data subjects, we will notify the AEPD within 72 hours per Article 33 GDPR and affected users without undue delay (Article 34 GDPR).
8. Children's privacy
The Service is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has provided data, contact us at privacy@spanishtaxai.com and we will delete it.
9. Automated decision-making
Our chatbot uses AI to generate responses, but we do not make legal, financial, or immigration decisions about you based solely on automated processing. Any human review (e.g., Pro Audit) is performed by Oscar Gonzalez Febles personally. You always retain the right to seek human review of any output that affects you significantly.
10. Updates to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified by email (if you have an account) and via the website. Always check the "Last updated" date at the top.
11. Contact
For all privacy-related questions:
- Email: privacy@spanishtaxai.com
- Postal: [TAX ADDRESS TO BE COMPLETED], Madrid, Spain
- Supervisory authority: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid · aepd.es