The entity responsible for the processing of personal data within the meaning of the General Data Protection Regulation ("GDPR") is:
AnyTax GmbH
Rudower Chaussee 17, 12489 Berlin, Germany
Email: info@anytax.io
If you have any questions about data protection, you can contact us at any time at the email address above.
Our website and Services may contain links to external websites or third-party services. We accept no responsibility for the privacy policies applicable there or for the handling of your data by these providers. We advise you to review their respective privacy notices before submitting personal information to such sites.
By "personal data" we mean all information that is capable of identifying you as a natural person directly or indirectly. The processing of your personal data is always carried out in accordance with the GDPR, the Federal Data Protection Act (BDSG) and — with respect to tax-relevant data — in compliance with the German tax secrecy obligation (§ 30 AO). We rely on the following legal bases:
Contractual and pre-contractual measures. Where data processing is necessary for the performance of a contract concluded with you or for the implementation of pre-contractual measures at your request, this is based on Art. 6(1)(b) GDPR. This includes in particular the processing of transactions, responding to support requests, needs analysis, and the processing of tax-relevant information for the preparation of your tax return.
Consent. Where you have consented to the processing of your data for specific purposes, processing is carried out on the basis of Art. 6(1)(a) or Art. 9(2)(a) GDPR. Consent given may be withdrawn by you at any time with effect for the future. After withdrawal, the relevant processing on the basis of your consent will cease.
Legitimate interests. In certain cases, we process your data on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR, provided that your interests or fundamental rights do not override ours. This concerns, among other things, measures to ensure IT security, the further development and optimisation of our products, the conduct of market analyses, the improvement of your user experience, and the assertion or defence of legal claims.
Legal obligations. We also process your data where this is necessary to fulfil legal requirements (Art. 6(1)(c) GDPR). This includes, for example, verifying your identity, fraud prevention measures, and compliance with tax and commercial documentation and retention obligations.
Data processing agreements. To provide our Services, we engage external service providers in selected areas who process data on our behalf (Art. 28 GDPR). We have entered into a separate agreement with each processor that ensures the protection of your personal data in accordance with GDPR requirements.
We process your personal data in order to provide you with the best possible service. Data is collected either through your voluntary input or automatically when you use our Services. Details on the cookies used can be found in the Cookies and Similar Technologies section below.
Each time you access our website or embedded Services, certain technical information is automatically collected and transmitted to our servers. This includes: browser type and version, operating system used, your IP address, time and duration of access, the previously visited page (referrer URL), device information, session data, as well as transferred data volumes and status codes. This data is logged in server log files and is used for ensuring the functionality of our website, generating aggregated server statistics, ensuring IT security, error analysis, and product improvement. The legal basis is Art. 6(1)(b) GDPR (provision of the website) and Art. 6(1)(f) GDPR (our legitimate interest in the security and further development of our offerings).
As part of account creation, we collect your email address (which we verify), your name, assign you an AnyTax user ID, and record the time of registration and your IP address. We also obtain your consent to our Terms and Conditions. Legal basis: Art. 6(1)(b) GDPR (contract initiation and performance). Your registration data will be stored for as long as your user account with AnyTax is active.
AnyTax offers the option to pre-populate your tax return with data electronically stored with the tax authorities ("pre-fill data"). At your request, we retrieve this data via the ELSTER interface (SSL-encrypted) and store it in your AnyTax account so it can be transferred into your return. If you access our Services via a partner platform (e.g. a banking app) and have given your express consent, we may also use partner-provided data for pre-filling.
Legal basis: Art. 6(1)(b) GDPR (contract performance); for partner data and any special categories included (e.g. religious affiliation) Art. 6(1)(a), Art. 9(2)(a) GDPR (consent).
After registration, you will be asked a series of questions through our Services to capture the information needed for your tax return. This may include, among other things: salutation, first and last name, marital status, occupation and employment status, address, religious affiliation, employer, data from wage tax certificates or payslips, information about a potential second residence, responsible tax office, tax identification number, bank details (IBAN) for receiving your tax refund, information on education and training, expenditure on work equipment and job applications, memberships in professional associations and trade unions, income from capital assets and other income, insurance contributions, medical costs, information about disabilities or care expenses, data on children living in the household (including their costs and any disabilities), information on maintenance obligations, donations, church tax, household-related services, and tax loss carryforwards.
Retention. After submission to the tax office, we retain your pre-fill data in fully encrypted form in our European database for four (4) years, corresponding to the standard assessment limitation period (§ 169(2) No. 2 AO). This allows you to amend prior-year filings, file objections (Einspruch), and benefit from automatic pre-filling in subsequent years. AnyTax provides this retention as a service and is not subject to the statutory record-keeping obligations of tax advisors (§ 66 StBerG, § 147 AO). The only statutory retention obligation imposed on AnyTax concerns identification data (see D.6). You may request earlier deletion at any time (G.1). Extended retention beyond 4 years may be offered as part of a paid Service tier; the terms will be presented before purchase.
Tax-relevant information may also include special categories of personal data ("sensitive data"), such as information about health, care expenses, denomination, or trade union membership. We obtain your separate consent for the processing of this data. You may withdraw this consent at any time with effect for the future; in this case, some Services may no longer be available to you. Your tax data will also be retained to simplify the preparation of your tax return for the following year.
For quality assurance, error resolution, and assisted filing purposes, your tax data may also be manually reviewed and processed by authorised AnyTax personnel or approved sub-processors. All such persons are bound by strict confidentiality obligations and act only on documented instructions.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and for sensitive data Art. 6(1)(a), Art. 9(2)(a) GDPR (consent); for the processing of religious affiliation additionally § 51a EStG (calculation and withholding of church tax as part of income tax assessment). As a service to enable amendments, objections (Einspruch), and pre-filling of subsequent returns within the standard assessment limitation period (Section 169(2) No. 2 AO), your tax data will be stored for four (4) years after submission to the tax office in fully encrypted form in our European database and subsequently anonymised. AnyTax is not a tax advisor (Steuerberater) within the meaning of the StBerG and is not subject to the record-keeping obligations of § 66 StBerG or § 147 AO. You may request earlier deletion at any time (see Section G.1); extended retention beyond 4 years may be offered as part of a paid Service tier.
The AnyTax Services are typically provided to End Users via partner applications under a B2B agreement between AnyTax and the partner. AnyTax does not directly receive payment from End Users for the Services and therefore does not process End User payment data (e.g. credit card details, bank account information used for fee payment). Where the partner application charges End Users for tax filing or related services, this is governed exclusively by the partner's terms and privacy notice.
For the avoidance of doubt: the IBAN you provide within your tax return for receipt of your tax refund is processed as part of your tax data pursuant to Section D.4 and is not used by AnyTax for billing purposes.
The submission of a tax return requires your clear identification for legal reasons. AnyTax enables you to confirm your identity digitally by submitting an identity document and, where applicable, by performing a biometric face match (liveness check) against the document photo. For this purpose, we engage Sumsub Operator Cyprus Ltd., Cyprus (EU), as a sub-processor under Art. 28 GDPR. Processing takes place within the European Union; no third-country transfer occurs. The verification process — including the document scan, face match, and any video or audio recording — is performed entirely within Sumsub’s systems. AnyTax does not access or store the document images, biometric data, or video or audio recordings; these are retained by Sumsub under their own data retention policy and privacy notice. AnyTax only receives and stores the verification result (e.g. “verified” / “not verified”) together with the minimum identification data required to comply with statutory retention obligations under § 87d(2) AO (e.g. name, document type, document number, date of verification). We are legally required to keep this information for at least five (5) years after the end of the year of submission. Legal basis: Art. 6(1)(c) GDPR (fulfilment of legal obligations); for biometric data Art. 9(2)(a) GDPR (your explicit consent, obtained before the verification is performed).
By submitting your tax return via AnyTax, you authorise us to transmit it electronically to the responsible tax office via the ELSTER software. Legal basis: Art. 6(1)(b), Art. 6(1)(a), and Art. 9(2)(a) GDPR. ELSTER is the software provided by the tax authorities for processing electronic tax data. We draw your attention to the fact that in the context of transmission via ELSTER, personal data within the meaning of Art. 4 No. 1 and Art. 9(1) GDPR is collected for the purpose of tax assessment. In addition to the actual tax data, information about the operating system used is also collected and transmitted to the tax authorities in order to ensure proper processing and avoid errors.
After successful submission and confirmation of receipt by the tax office, the PDF version of your submitted tax return ("ELSTER PDF") is available within the partner application for viewing and download for as long as you are logged into your user account. If you do not wish the ELSTER PDF to be stored, you may contact us and we will delete this data. Legal basis: Art. 6(1)(b), Art. 6(1)(a), and Art. 9(2)(a) GDPR.
We retrieve your electronic tax assessment via the ELSTER portal in order to display the final refund amount to you and to show any deviations from the calculated refund. In addition, we may use the retrieved information in aggregated or anonymized form for statistical purposes and to improve our Services. The retrieved tax assessment may contain special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. information on religious affiliation through church tax line items, health-related data through medical expenses or disability allowances, or trade union membership through deductible union dues), in so far as you have included such information in your tax return. Processing of these data is based on your explicit consent pursuant to Art. 9(2)(a) GDPR. All data from the retrieval of the electronic tax assessment is not passed on to third parties, stored in fully encrypted form in our European database, and retained in accordance with the periods set out in Sections D.3 and D.4. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in an improved and more precise service), Art. 6(1)(b) GDPR (contract performance), and Art. 9(2)(a) GDPR (consent).
Our customer support is available for questions about our Services. Please note that we do not offer tax advice – for this, please consult a tax advisor. We are happy to answer questions about the use of our Services, registration, technical issues, and similar matters.
Technical errors in our Services may give rise to error logs containing technical information and possibly also entered tax data. If you send us such a log for troubleshooting purposes, you consent to the processing of this information for that purpose by submitting it. Error logs will be deleted or fully anonymised no later than twelve months after submission. For the technical collection and storage of error logs, we use Functional Software, Inc. (Sentry) as a sub-processor under a data processing agreement pursuant to Art. 28 GDPR (see Section F.1). Legal basis for error logs: Art. 6(1)(a), Art. 9(2)(a) GDPR (consent); for other support requests: Art. 6(1)(b) GDPR (contract performance).
We use a ticketing system of an external customer support service provider to handle customer enquiries. We have concluded a data processing agreement with this provider pursuant to Art. 28 GDPR. We may also use your contact details (email address, telephone number) to contact you in connection with your tax return, in particular when missing documents are needed to complete it. Transactional emails (e.g. account confirmations, status notifications) are delivered via Mailgun Technologies, Inc., engaged as a sub-processor under Art. 28 GDPR (see Section F.1). Legal basis: Art. 6(1)(b) GDPR (contract performance).
If you have consented to receiving marketing communications, we may send you marketing emails or postal information – for example, newsletters, satisfaction surveys, invitations to submit reviews, or information about news and offers. The legal basis is Art. 6(1)(a) GDPR (consent). If you no longer wish to receive marketing communications, you may unsubscribe at any time – either via the unsubscribe link in the respective email or by sending a message to info@anytax.io.
To increase the security and delivery speed of our website, we use a Content Delivery Network (CDN) of an external service provider (Cloudflare, Inc.). Personal data may be processed in server log files in this context. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in a secure and high-performance website). We have concluded a data processing agreement with Cloudflare pursuant to Art. 28 GDPR. Cloudflare operates edge servers globally; where personal data is transferred outside the EU/EEA, transfers are safeguarded by EU Standard Contractual Clauses in accordance with Section F.2. Cloudflare is used solely for our marketing website www.anytax.io and does not have access to tax-relevant user data, which is processed on EU-based infrastructure (see Section F.1). You have the right to object to this processing, although the full functionality of the website may not be guaranteed without it.
In order to continuously improve our Services, we test new or modified features with selected user groups first. This may result in different users temporarily seeing different versions of our Services or website. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in the continuous improvement of our products and user experience).
AnyTax also provides its tax services as an embedded solution ("White-Label") within applications of selected partner companies ("partner applications"). If you use the AnyTax Services via such a partner application, the following additional information applies.
Data transfer between partner and AnyTax. To provide the embedded tax solution, it may be necessary for the operator of the partner application ("partner") to transmit certain data to AnyTax in order to identify you and provide you with seamless access to the Services. This may include in particular: a pseudonymised user ID, authentication information (e.g. token for session verification), name and email address, and any further data required to provide the tax services. The exact scope of transmitted data is determined in the respective agreement between AnyTax and the partner. Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) GDPR (consent).
Data protection responsibilities. Where AnyTax provides its tax services within a partner application, AnyTax acts as a data processor on behalf of the partner within the meaning of Art. 28 GDPR. The partner is the controller and determines the purposes and means of processing; AnyTax processes personal data only on the partner's documented instructions and on the basis of a data processing agreement concluded pursuant to Art. 28(3) GDPR. The partner's privacy notice governs the processing within the partner application, and data subject rights (access, rectification, erasure, etc.) are to be exercised vis-à-vis the partner.
Consent and transparency. Before your data is transferred between the partner and AnyTax, you will be informed about the nature and scope of the data transfer and – where legally required – asked for your express consent. You may withdraw this consent at any time with effect for the future. Legal basis: Art. 6(1)(a) GDPR (consent).
Privacy notice of the partner. Please note that the partner's privacy notice applies to data processing within the partner application itself (e.g. banking app).
Security measures during integration. Data transmission between the partner application and AnyTax systems is always encrypted (TLS/SSL). All data collected in this context is subject to the same security standards and retention periods described in this Privacy Notice.
Additional use by the partner. The partner may, with your separate prior consent, use data from your tax filing for additional purposes. Any such additional use is governed by the partner’s own privacy notice, is always subject to your explicit and withdrawable consent, and is not performed by AnyTax.
AnyTax does not use AI services to make automated decisions about your tax return that would have legal effect on you or similarly significantly affect you (see also Section G.4), to electronically submit your tax return to the tax authorities on your behalf, or to provide tax advice. AnyTax does not enter your personal data into consumer-facing AI chatbot interfaces or any AI service that is not bound by a data processing agreement with AnyTax.
For internal quality assurance and product improvement, AnyTax may use AI-assisted tools only with datasets that have been anonymised before use. Where anonymisation cannot be reliably ensured, such data is not processed with external AI tools unless a valid data processing agreement, an appropriate legal basis, documented transfer safeguards, and internal access controls are in place.
Where AnyTax offers AI-supported product features (such as an in-product tax assistant or planning copilot) that process your personal data, this is done on the applicable legal basis for the underlying processing purpose — in particular Art. 6(1)(b) GDPR for features integral to the provision of the tax filing service, and, where sensitive personal data within the meaning of Art. 9(1) GDPR is involved, the consent already provided under Art. 9(2)(a) GDPR in the context of your registration — only with AI providers that have entered into a data processing agreement with AnyTax pursuant to Art. 28 GDPR, and only under the same security and retention standards described in this Privacy Notice. You may withdraw your consent at any time with effect for the future. The AI providers currently engaged in this context are listed in the sub-processor table in Section F.1; AnyTax does not transfer customer personal data to AI providers outside this framework.
Our Services are designed according to the principle of Privacy by Design and are operated on cloud infrastructure within the European Union. We implement technical security measures at the state of the art to protect your personal data against loss, unauthorised access, misuse, alteration or disclosure. All data transmissions are encrypted using SSL/TLS technology. The information you provide is fundamentally encrypted (AES-256) and stored in a certified data centre in Europe in compliance with the highest security standards. All servers on which your tax data and identification data are stored or processed are located within the EU. Where sub-processors located outside the EU/EEA are engaged for ancillary purposes (e.g. internal team communication or AI-supported product features), transfers are safeguarded in accordance with Section F.2. We carefully select our service providers, monitor them regularly, and ensure that all data processing – including any transfers to third countries – is subject to strict technical security requirements.
To provide our Services, we transmit data at your instigation to the responsible tax authorities and work with selected service providers, particularly in the areas of hosting, payment processing, IT maintenance, identity verification, and software development. Your personal data is only passed on to third parties where this is necessary for contract performance, where we have a legitimate interest in doing so, where you have given your consent, or where we are legally required to do so. Our service providers receive personal data solely within the scope of the services commissioned by us and are contractually obliged not to use it for other purposes.
Current sub-processors. We engage the following sub-processors under data processing agreements pursuant to Art. 28 GDPR:
Processing by sub-processors based within the EU/EEA takes place exclusively in the European Union / European Economic Area. Where sub-processors are based outside the EU/EEA (Slack Technologies, LLC and Anthropic, PBC, both USA), transfers are safeguarded through EU Standard Contractual Clauses and additional protective measures in accordance with Section F.2 below. We will inform you of any changes to this list in good time and in accordance with our partner agreements. Cloudflare and Webflow are used solely in connection with our marketing website www.anytax.io and do not have access to tax-relevant user data; see Section H.
Where processing of your data takes place outside the European Economic Area (EEA), this is done in accordance with Art. 44 GDPR on the basis of appropriate safeguards. Where no adequacy decision of the European Commission exists, we conclude the Standard Contractual Clauses (SCCs) approved by the EU Commission with the data recipient and take additional protective measures where necessary to ensure an equivalent level of data protection. A copy of the SCCs can be provided upon request.
As a data subject, you have the following rights: the right of access to your stored data (Art. 15 GDPR), the right to rectification of inaccurate data (Art. 16 GDPR), the right to erasure of your data (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), and the right to data portability (Art. 20 GDPR). Please note that the restrictions of Sections 34 and 35 BDSG may apply to the right of access and erasure. In addition, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement.
If you have given us your consent to the processing of your data, you may withdraw it at any time pursuant to Art. 7(3) GDPR. The lawfulness of processing carried out prior to withdrawal remains unaffected. You may address your withdrawal to info@anytax.io or to our postal address above.
Where the processing of your personal data is based on the safeguarding of legitimate interests pursuant to Art. 6(1)(f) GDPR, you may object to such processing. This applies in particular where the processing is neither necessary for contract performance nor for compliance with legal obligations. Please explain your reasons when raising an objection so that we can review the situation and, where appropriate, cease or adjust the processing. You may object to processing for advertising or direct marketing purposes at any time without giving reasons. Please send your objection to info@anytax.io.
AnyTax does not make any automated individual decisions including profiling pursuant to Art. 22 GDPR that have a legal effect on you or similarly significantly affect you.
Cookies are small text files that are stored on your device when you visit our website. They allow certain information to be saved in order to facilitate the use of our website and to provide essential functionalities. In addition to cookies, similar technologies such as local storage may also be used. The following information applies to all such technologies accordingly.
Our website only uses technically necessary (essential) cookies. We do not use cookies for analytics, tracking, or advertising purposes, and we do not build user profiles. Therefore, we do not require a cookie consent banner. The use of these strictly necessary technologies is based on our legitimate interest in providing a secure and functional website pursuant to Art. 6(1)(f) GDPR in conjunction with Section 25(2) No. 2 TDDDG.
These cookies are strictly necessary for the operation of our website. They enable basic functions such as page navigation, form security (spam prevention), and session management. Without these cookies, the website cannot function properly.
Since our website only uses strictly necessary cookies, there is no cookie consent banner to manage. However, you can manage or delete cookies at any time through your internet browser settings. Please note that disabling these essential cookies may limit the security and functionality of our website.
Some of the essential cookies listed above are set by third-party providers (e.g., Cloudflare) that may be based outside the EU/EEA (e.g., USA). In such cases, we ensure that your data is adequately protected through appropriate safeguards (e.g., EU Standard Contractual Clauses, adequacy decisions). For further details, see Section F.2 of this Privacy Notice.
We review this Privacy Notice at regular intervals and reserve the right to update it as necessary. Changes will be published on this page. In the case of material changes, we will additionally notify you by email or – if you use our Services via a partner platform – through the respective partner upon your next access to our Services. You may be asked to confirm the changes in order to continue using our Services. You can always view the current version of this Privacy Notice in the settings of your user account.
Please inform us if your personal data changes during our business relationship so that we can always maintain accurate and up-to-date records.
Last updated: May 2026
