
Privacy Notice



I. General data protection information on our website

The first part contains general information.



What is the issue of data protection about?

We take the protection of personal data very seriously. This concerns the protection of all data relating to you personally (e.g. name, address, email address, user behaviour). When we refer to data in this privacy policy, we mean such personal data.

We want you to know when we store which data, how we use it, and what your rights are. We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Below, we explain how we do this.



Who is responsible for your data and whom can you contact?

The responsible party within the meaning of the GDPR and other data protection regulations is:

forium GmbH (Lohnsteuer kompakt)
Kantstraße 13
10623 Berlin

Telephone: (030) 4202-46-30
Fax: (030) 4202-4655
Email: [email protected]

Website: https://www.lohnsteuer-kompakt.de/

We have appointed a Data Protection Officer. You can reach them at the above address (attn. Data Protection Officer) and at the following email address:

[email protected]

for all questions regarding the protection of your data, as well as for information, corrections, blocking or deletion of data and the revocation of consents granted.



What rights do you have?

As an affected person, you have the following rights, which you can assert against us (e.g.: [email protected]):

Right of access (Art. 15 GDPR)

You can request information about the data we process about you. Please inform us by email if you wish to receive information under Art. 15 GDPR. We will then make the data stored with us available for you to view in a protected area within the legal deadline.

Right to rectification and completion (Art. 16 GDPR)

If any information we process is incorrect, you can request that we correct or complete it without delay. In the login area, you can also change or complete your data at any time. Until you submit your tax return, you can also correct or complete the information contained in it yourself. After submitting the return, it is no longer possible for us or via our website to change the data contained in it. In such cases, please contact the relevant tax office.

Right to erasure (Art. 17 GDPR)

You can request the deletion of your data stored with us. You can delete the data in your tax return yourself until it is submitted. In the login area, you can also delete information from your user account. Under "My user account" you can also delete your entire user account. Deletion by us requires that further processing is not necessary for other reasons (e.g. to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims). More about the deletion of your data can be found in the section "When do we delete your data?".

Restriction of processing (Art. 18 GDPR)

You can request the restriction of the processing of your data if the accuracy of the data is disputed by you or the processing is unlawful. If you have already submitted your tax return, please contact the relevant tax office to restrict the processing of the data contained therein.

Right to data portability (Art. 20 GDPR)

You can request that we provide your data in a structured, commonly used and machine-readable format or transfer it to another controller.

Right to object (Art. 21 GDPR)

You can object to the processing for reasons arising from your particular situation if the processing is based on Art. 6 para. 1 sentence 1 lit. e or lit. f GDPR. The relevant legal bases are listed for each data processing operation. In the event of a justified objection, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, or the processing is for the assertion, exercise or defence of legal claims.

Right to withdraw your consent (Art. 7 para. 3 GDPR)

You can withdraw any consent you have given to us at any time. In this case, we will not carry out any further data processing that requires your consent.

Right to complain (Art. 77 GDPR)

You can lodge a complaint with a data protection supervisory authority about the processing of your data by our company, for example with the data protection supervisory authority responsible for us:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstrasse 219
10969 Berlin

Telephone: 030/138 89-0
Email: [email protected]
Homepage: https://www.datenschutz-berlin.de



How do we protect your data?

We store the data you submit for the tax return in encrypted databases on specially protected servers exclusively in Germany.

Our websites are encrypted with 256-bit encryption and certified by international institutions (HTTPS / SSL). The padlock symbol near your browser's address bar confirms that the data entered is sent in encrypted form only to a certified and authorised web server.

We also secure our applications and other systems through technical and organisational measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties. We update the security measures in line with the state of the art, taking into account the nature, scope, context, and purpose of the processing, as well as the risks associated with a data breach (including their likelihood and impact).

However, we would like to point out that data transmission over the Internet (e.g. when communicating by email) can have security vulnerabilities. Complete protection outside our area of access is therefore not possible.



On what legal basis are your data processed?

We may only process your data if we are legally permitted to do so. Below, we specify the legal bases for the individual processing operations. The legal basis is:

  • Art. 6 para. 1 sentence 1 lit. a GDPR: if you have consented to the processing;
  • Art. 6 para. 1 sentence 1 lit. b GDPR: if the processing is necessary for the performance of a contract with you or for pre-contractual measures taken at your request;
  • Art. 6 para. 1 sentence 1 lit. c GDPR: if the processing is necessary for compliance with a legal obligation to which we are subject (e.g. statutory retention obligations);
  • Art. 6 para. 1 sentence 1 lit. f GDPR: if the processing is necessary to protect our legitimate (in particular legal or economic) interests or the legitimate interests of a third party and your interests or rights do not override these;
  • Art. 6 para. 1 sentence 1 lit. a in conjunction with Art. 9 para. 2 lit. a GDPR: if you have consented to the processing of special categories of personal data (e.g. data on religious or philosophical beliefs, health data or data on sexual orientation).

For the storage of information (e.g. cookies) on your devices (e.g. computer or mobile device) and access to information on your devices, the legal basis is:

  • Section 25 para. 1 TDDDG: if you have consented to this;
  • Section 25 para. 2 no. 1 TDDDG: if this is solely for the transmission of a message over a public telecommunications network;
  • Section 25 para. 2 no. 2 TDDDG: if this is absolutely necessary for the provider of a digital service to provide a digital service expressly requested by you

The specific data processing operations and their legal basis can be found in the second part of this privacy policy under the individual applications and processing operations. 



When do we delete your data?

We process your data only for as long as is permitted and necessary to achieve the relevant purpose. We then delete your data. You can find out when we specifically delete your data in the second part of the privacy policy under the individual applications and processing operations.

We will also delete your data as soon as you initiate this via the corresponding button in your user account, and we no longer need the data for the execution of the contract and any possible warranty and limitation periods from the contractual relationship have expired. This is usually at the beginning of the fourth year following our last service. If we are obliged to store the data for a longer period due to statutory retention periods, we will delete the data after these periods have expired (e.g. § 257 HGB, § 147 AO).

You can delete unpaid tax returns on the overview page (after logging in). All entered data will then be completely deleted. Only the fact that a tax return was created and deleted, and when, remains in our database. Paid tax returns are automatically deleted later after the statutory retention periods have expired.

In exceptional cases, we may process data beyond the originally intended time if the data is required for a legal dispute, including a pending one (Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 17 para. 3 lit. e GDPR), or other legal proceedings, or if storage is required by legal regulations to which we as the data controller are subject (Art. 6 para. 1 sentence 1 lit. c GDPR, Art. 17 para. 3 lit. b GDPR).



What applies to data transfers to third countries?

We also transfer data to service providers outside the EU or the EEA (so-called third countries). We have selected these service providers on the basis of our legitimate interests in a proper and economical internal organisation.

These service providers or their processors have the infrastructure necessary for processing in the third countries named below in order to fulfil the purposes of the data processing there. You can find the purposes of the respective data processing, sorted by service, here.

Your rights are protected by the fact that the data transfer to the following countries, carried out in cooperation with the following service providers, is based on an adequacy decision of the EU Commission within the meaning of Art. 45 para. 1, 3 GDPR:

Service provider | Service | Country
OpenStreetMap Foundation | OpenStreetMap | United Kingdom
Trusted Shops AG | Trusted Shops | Israel
Trusted Shops AG | Trusted Shops Trustbadge | Israel
Atlassian | Jira Service Desk | United States of America
Automattic Inc. | WordPress.org | United States of America
Cloudflare Inc. | Cloudflare | United States of America
Google Ireland Ltd. | Google Analytics | United States of America
Google Ireland Ltd. | Google Analytics 4 | United States of America
Google Ireland Ltd. | Google Optimize | United States of America
Google Ireland Ltd. | Google Ads Remarketing | United States of America
Google Ireland Ltd. | Conversion Linker | United States of America
Google Ireland Ltd. | Google Ads Conversion Tracking | United States of America
Google Ireland Ltd. | Google Tag Manager | United States of America
Google Ireland Ltd. | Google Maps | United States of America
Google Ireland Ltd. | reCAPTCHA | United States of America
Google Ireland Ltd. | YouTube Video | United States of America
Google Ireland Ltd. | Google Firebase | United States of America
Meta Platforms Ireland Ltd. | Facebook Pixel | United States of America
Microsoft Ireland Operations Ltd. | Microsoft Clarity | United States of America
Microsoft Ireland Operations Ltd. | Microsoft Advertising | United States of America
New Relic Inc. | New Relic | United States of America
Zapier Inc. | Zapier | United States of America

Since either no adequacy decisions exist for the data transfers to the following service providers or the service providers are based in the USA, we or our service providers have agreed the Commission's standard contractual clauses in accordance with Art. 46 para. 2 lit. c GDPR with these service providers to protect your data (in the case of the USA: in addition to the adequacy decision) and, as far as this is technically possible for us, have taken additional technical measures such as the anonymisation or pseudonymisation of data:

Service provider | Service | Country
Atlassian | Jira Service Desk | United States of America, Australia
Automattic Inc. | WordPress.org | United States of America
Cloudflare Inc. | Cloudflare | United States of America
Functional Software, Inc. dba Sentry | Sentry | United States of America
Google Ireland Ltd. | Google Analytics | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Google Analytics 4 | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Google Optimize | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Google Ads Remarketing | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Conversion Linker | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Google Ads Conversion Tracking | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Google Tag Manager | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Google Maps | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | reCAPTCHA | United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | YouTube Video | worldwide, in particular United States of America, Singapore, Taiwan, Chile
Google Ireland Ltd. | Google Firebase | worldwide, in particular United States of America, Singapore, Taiwan, Chile
Meta Platforms Ireland Ltd. | Facebook Pixel | worldwide, in particular United States of America, Singapore
Microsoft Ireland Operations Ltd. | Microsoft Clarity | United States of America
Microsoft Ireland Operations Ltd. | Microsoft Advertising | worldwide, in particular United States of America, Singapore
New Relic Inc. | New Relic | worldwide, in particular United States of America
OpenAI Ireland Ltd. | OpenAI | United States of America
Trusted Shops AG | Trusted Shops | United States of America
Trusted Shops AG | Trusted Shops Trustbadge | United States of America
Zapier Inc. | Zapier | United States of America

Purely as a precaution, we point out that, despite the agreement of the Commission's standard contractual clauses, it cannot be conclusively ruled out that

  • the (US) state authorities direct requests for information at our service provider and could thereby access your personal data. In principle, this also corresponds to European legal provisions, e.g. for the purpose of averting danger. However, the threshold of permissibility for such data processing is higher in the EU than in the USA;
  • you are unable, or able only to a lesser extent, to enforce your rights under the GDPR against the (US) authorities in the event of access to your personal data.


To whom do we pass on your data?

Like almost every company, we also use external domestic and international service providers to conduct our business (e.g. for IT, logistics, telecommunications, sales and marketing). Data processing by these processors is based on our legitimate interest in our internal organisation and resource management (Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR). They only act on our instructions and have been contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR.

Depending on how you use our services, the following recipients or categories of recipients may have access to some of your personal data:

  • Service providers for the operation of our applications (i.e. our website and our mobile application) and the processing of data stored or transmitted by the systems (e.g. for data centre services, IT security). The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.
  • The payment service provider you have selected. The legal basis for data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
  • The tax office for the submission of your tax return. The legal basis for data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and Art. 6 para. 1 sentence 1 lit. a in conjunction with Art. 9 para. 2 lit. a GDPR regarding sensitive data.
  • Other government bodies/authorities, insofar as this is necessary to fulfil a legal obligation. The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. c GDPR.
  • Google Workspace (Google Ireland Limited Gordon House, 4 Barrow St, Dublin 4, Ireland) in the case of correspondence via email. The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.
  • Persons commissioned or employed in the course of our business operations (e.g. employees, auditors, banks, insurance companies, legal advisors, supervisory authorities, etc.). The legal basis for disclosure is Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.

For the services integrated into our applications, you will find the recipients and the corresponding legal bases under the heading “Other integrated services”.

Persons under 18 should not submit personal data without the consent of their parents or guardians.



What are cookies?

Cookies are small files that are stored on your hard drive and have a specific lifespan. Most cookies are only active as long as the browser is open (session cookies). Other cookies are stored permanently as a file in a "cookie directory" when the browser is closed (persistent cookies). These cookies enable us to recognise your computer on your next visit. By means of these cookies, the use of website functions, the frequency of page views, search terms and a session ID are stored and transmitted.

We use cookies to ensure the security and functionality of our website and to provide you with the functions and services you request (legal basis: Section 25 para. 2 no. 2 TDDDG). With your consent, cookies are also used for other purposes. More details on this (e.g. the respective duration of data processing) and on further data processing by means of cookies can be found under the heading "Other integrated services".

When you visit our website, you are informed about the use of cookies and referred to the privacy policy. You can restrict the use of cookies via your browser, although this may mean that our service no longer works for you or works only to a limited extent.

The following cookies are set directly by us. These cookies are used primarily for session tracking, user experience, security and source analysis. They support seamless use of the tax application and protect against security risks (e.g. through 2-factor authentication and session monitoring).

Cookie | Duration | Function | Legal basis
forium_tax | End of session | Stores session data to safeguard entries during use. Enables seamless navigation and data retention across multiple pages. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG
RouteID | End of session | Links the session to a server ("sticky session") for consistent performance. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG
jr_eingaben | End of session | Stores the progress of the guided tour ("Joyride") for user guidance. Helps to save the current step and continue seamlessly after interruptions. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG
lastpage-lohnsteuer | End of session | Stores the last page visited so that you can continue at the same point. Supports seamless navigation after interruptions or a new login. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG
viewedOuibounceModal | End of session | Stores whether the exit pop-up has already been seen. Prevents repeated display during the same session and thus improves the user experience. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG
elster_xml_vorsatz_belegt | 30 days | Ensures that the XML header is correctly populated in order to guarantee error-free data processing. Increases process reliability by detecting input errors before transmission to ELSTER. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG
session_check_cookie | 30 days | Monitors concurrent sessions to prevent parallel use in multiple browsers or tabs. Protects against data conflicts by limiting use to one active session. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG
fo_source | 60 days | Analyses the user's origin (e.g. marketing campaign, search engine) if analytics ("Google Analytics 4") has been consented to. Supports the evaluation of the effectiveness of advertising measures. | Art. 6 para. 1 sentence 1 lit. a GDPR, Section 25 para. 1 sentence 1 TDDDG
uuid_# | 180 days | Stores a unique user ID for 2-factor authentication. Increases security through recognition and protection against unauthorised access. | Art. 6 para. 1 sentence 1 lit. f GDPR, Section 25 para. 2 no. 2 TDDDG

You can also delete cookies yourself via your browser settings. For example:

  • Microsoft Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data > See all cookies and site data > Remove all
  • Mozilla Firefox: History > Clear Recent History
  • Google Chrome: Settings > Privacy and security > Clear browsing data > Cookies and other site data > Clear data

After withdrawing your consent to the data processing of certain cookies, please also delete the corresponding cookies in your browser in this way, in order to prevent the automatic transmission of your data to the service provider.



Is it possible for the privacy policy to change?

Yes. We continuously develop our services and internal processes to deliver a great product to you. Changes in data processing also require changes to the privacy policy. Furthermore, we regularly revise it to make it clearer and more accessible. You can always find the current version of the privacy policy on our website and in the app.



II. Specific Data Processing

The second part deals with the individual applications and services.



External hosting

This website is hosted by an external service provider (host) on servers located in Germany. The personal data collected on this website is stored on the host's servers. This data includes, in particular:

  • IP addresses,
  • Contact enquiries,
  • Meta and communication data,
  • Contract data,
  • Contact details,
  • Names,
  • Website access,
  • Tax data,
  • and other data generated during the use of our website.

The host is used for the purpose of fulfilling contracts with our potential and existing customers in accordance with Art. 6 para. 1 lit. b GDPR and in the interest of a secure, fast, and efficient provision of our online offer in accordance with Art. 6 para. 1 lit. f GDPR.

Encryption and data transfer security: IP addresses are used unencrypted to enable the display and provision of the website. All other personal data (e.g. contact enquiries, contract data) is secured during transmission over the Internet using SSL encryption. Sensitive data such as tax data is generally stored encrypted on our servers to protect it from unauthorised access even when at rest.

Our host processes your data only to the extent necessary to fulfil its service obligations and follows our instructions regarding this data. To ensure the protection of your data, we have concluded a data processing agreement (DPA) with the host in accordance with Art. 28 GDPR. This contract ensures that the host processes the data in compliance with data protection regulations and that your rights are safeguarded.

We use the following host for our web servers:

Herbst Datentechnik GmbH
Philippistr. 10
14059 Berlin
Germany



Visit the website

If you visit our website as an unregistered customer, we do not know who you are. We only learn

  • your IP address,
  • date and time of the request,
  • time zone difference to Greenwich Mean Time (GMT),
  • access status/HTTP status code,
  • browser, language and version of your browser software,
  • operating system,
  • the name of your internet service provider,
  • if applicable, the website from which you visit us, and
  • the web pages you visit on our site.

These data are not stored together with other personal data. We use these data solely to improve our services and ensure the security of our IT systems. The legal basis for the temporary storage of the data is Art. 6 para. 1 sentence 1 lit. f GDPR.

We delete these data as soon as we no longer need them for these purposes. This is usually no later than seven days. If we exceptionally store the data for a longer period, we delete or anonymise the users' IP addresses so that they can no longer be assigned. The data thus anonymised are no longer personal data and are not subject to data protection law.

The collection of these data for the provision of the website and the storage of the data in so-called log files is essential for the operation of the website.



Linked websites

Our online services contain links to other websites. We have no influence over whether their operators comply with legal data protection regulations.



Registration (user account) and creation of the tax return

You can visit our website without registering.

However, some of our services are only accessible to registered customers. Registration is free of charge. When registering, you choose a personal username (email address) and a password. We will then create a user account for you. Your password is not stored in plain text and is therefore only known to you. Please always keep your login information confidential and close the browser window when you finish communicating with us. This is especially important if you share the computer with others.

By registering, you agree to our General Terms and Conditions. Apart from that, your registration does not entail any obligations.

When you register with us, we collect and store, in addition to the data mentioned above, the data you provide during registration and later enter into the online tax form. This initially includes your name, contact details, and account information (legal basis: your consent according to Art. 6 para. 1 sentence 1 lit. a GDPR) and, in the context of the tax return – and we expressly point this out – possibly also information about your racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, marital status, and sexual orientation (legal basis: your consent according to Art. 6 para. 1 sentence 1 lit. a in conjunction with Art. 9 para. 2 lit. a GDPR).

If you use the pre-filled tax return (VaSt), we electronically retrieve certain data stored about you at the tax authorities (so-called data retrieval) (e.g. wage tax certificates submitted by the employer) and make them available to you on our website for inclusion in your tax return. These documents may also contain the information mentioned in the previous paragraph. The processing of this data is based on the legal basis stated there.

You must expressly authorise the data retrieval and storage by us in advance. The data retrieval then takes place via a secure internet connection from the tax authorities' servers. The storage is encrypted on our servers under your user account. You can revoke your consent to data retrieval at any time with effect for the future. From the revocation of your consent, we will no longer retrieve any new data from the tax authorities. If you wish to delete the data already stored on our servers, you can do so at any time via your user account.

If you use the AI functions to create your tax return, the data you provide will be transmitted to the service provider and processed by them. For more information, see "Artificial intelligence" and "What applies to data transfers to third countries?".

In some areas of our service, we ask you to provide a rating of the service offered. You can give a rating on a scale from "0" (very poor) to "10" (very good) and add a comment to the rating. By providing a rating, you help us to continuously improve our service and adapt it to the needs of our customers. If you provide a comment as part of the survey, our customer service may contact you if you have any questions. Participation in the surveys is voluntary. The legal basis for the associated data processing is your consent according to Art. 6 para. 1 sentence 1 lit. a GDPR.



Telephone communication

We use Sipgate to handle telephone calls with customers and prospects. Connection data (e.g. telephone number, time, duration) is processed to respond to enquiries and ensure communication.

This data is processed on the basis of Art. 6 (1) (b) GDPR to fulfil contractual obligations or pre-contractual measures, as well as on the basis of Art. 6 (1) (f) GDPR due to our legitimate interest in effective customer communication.

More information on data processing can be found under “Other integrated services”.



Customer support

All customer enquiries are managed centrally via Jira Service Desk. The process is as follows:

  • Email enquiries: Customers send their enquiries to our Google Workspace email address. These emails are automatically imported into Jira Service Desk and processed further as tickets.
  • Enquiries by letter and telephone: Enquiries received by post or telephone are also manually recorded in Jira Service Desk to ensure complete documentation and tracking.

The processing of the data collected in this context is based on Art. 6 (1) (b) GDPR for the fulfilment of contractual obligations or pre-contractual measures, as well as on Art. 6 (1) (f) GDPR, supported by our legitimate interest in a structured and efficient handling of customer enquiries.

For more information on data processing, please see “Other integrated services”.



Artificial intelligence

We use services from OpenAI Ireland Limited (1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland) in two key areas of our application to provide you with an enhanced service:

Customer service: Our customer service is supported by an OpenAI application that accesses our manual and tax knowledge to answer your questions quickly and reliably. To ensure quality and efficiency, the necessary data to process your request is shared with OpenAI. You can also contact a member of our customer service team directly at any time. The legal basis for the associated data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR if you submit special categories of personal data.

Summary of income tax assessment: This feature helps you better understand the differences between our calculation and the tax office's assessment. You will learn what changes the tax office has made and how these affect your calculation. The explanations from the tax office in the assessment as well as discrepancies between our application's calculations and the tax office's figures are taken into account. Here too, the necessary data for processing is shared with OpenAI. The legal basis for the associated data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and Art. 9 para. 2 lit. a GDPR.

IntelliScan: With IntelliScan, we use artificial intelligence to make your tax return even more convenient. The system processes your uploaded files, identifies relevant information, and automatically inserts it in the appropriate place in your tax return. To provide this function, the necessary data from your documents is transmitted to OpenAI. Processing is carried out solely to support the IntelliScan function and in compliance with all applicable data protection regulations. The legal basis for the associated data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and Art. 9 para. 2 lit. a GDPR.

OpenAI Ireland Limited may process your data at other locations outside the EU due to internal resource management and other business reasons (Art. 6 para. 1 sentence 1 lit. f GDPR). Depending on the location (third country), the data transfer is based on a corresponding EU adequacy decision or on the Commission's standard contractual clauses. For more information, see "What applies to data transfers to third countries?".

We have concluded a data processing agreement with OpenAI. For more information, see "What applies to data transfers to third countries?", "To whom do we pass on your data?" and Google Workspace under "Other integrated services".



E-mails

If you contact us by email, the personal data you provide will be automatically stored for the purpose of contacting you and processing your request (legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR; if this occurs in connection with a (pending) contract: Art. 6 para. 1 sentence 1 lit. b GDPR and Art. 6 para. 1 sentence 1 lit. f GDPR, as we have an interest in processing your request and in the internal management of our activities for you). All incoming emails are managed via the Google Workspace platform (Google Ireland Limited, located at Gordon House, Barrow Street, Dublin 4, Ireland). Therefore, access to your transmitted personal data by Google Workspace cannot be ruled out. You can find more information about the Google Workspace platform here. We have concluded a data processing agreement with this service provider.

For more information, see "What applies to data transfers to third countries?", "To whom do we pass on your data?" and Google Workspace under "Other integrated services".

By registering, you also agree to receive emails that support you in processing your tax return (legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR). If you agreed during registration, we will also use your email address for (exclusively) our own information and advertising purposes (§ 7 para. 3 UWG) (legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR).

These emails are managed via the Inxmail Commerce platform (Inxmail GmbH, Wentzingerstrasse 17, D-79106 Freiburg, Germany). We have concluded a data processing agreement with this service provider. For more information, see "To whom do we pass on your data?" and Inxmail under "Other integrated services".



Newsletter

When you subscribe to our newsletter, we process the following data for the delivery of the newsletter (legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR) and to prevent misuse (legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR):

  • Your email address;
  • Your name;
  • The date and time the newsletter is accessed;
  • A description of the type of web browser used;
  • The IP address of the requesting computer, which is shortened so that it can no longer be linked to a person;
  • The date and time of your subscription and confirmation.

By subscribing to our newsletter, you agree (legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR):

  • to be informed by email about news, offers and advertising from us,
  • that the personal data collected during your subscription (see above) will be processed for this purpose, and
  • that cookies are used for this data processing (§ 25 para. 1 TDDDG).

We use the double opt-in procedure for subscribing to our newsletter. This means that after you register, we send an email to the specified email address in which we ask you to confirm that you are the owner of the specified email address and wish to receive the notifications.

Your data will be stored for the duration of your subscription.

We work with the Inxmail platform (Inxmail GmbH, Wentzingerstrasse 17, D-79106 Freiburg, Germany) to provide you with the newsletter. We have concluded a data processing agreement with this service provider. For more information, see "To whom do we pass on your data?" and Inxmail under "Other integrated services".

You can revoke your consent for the newsletter at any time for the future by using the link at the end of each newsletter and thus unsubscribe from the newsletter.



Cancellation of emails and newsletters

You cannot unsubscribe from e-mails that are essential for processing your tax return, such as those for dispatch confirmation or password reset.

If you subscribe to our newsletter, we will send it to the e-mail address you provided during registration. You can unsubscribe from the newsletter at any time, either via the unsubscribe link found at the end of each newsletter and in the login area, or by sending an e-mail from your registered e-mail address to [email protected].

There are no fees for unsubscribing from e-mails and newsletters.



Your evaluation of the tax offices

Reviews of tax offices that you submit on our website are permanently publicly accessible on the Internet. You should carefully check your contributions before publication to ensure they do not contain any personal data or information not intended for the public. To ensure the security of the review system, prevent incorrect or fake reviews, and ensure the proper operation of the review system, we also collect and store your email address when you submit a review (legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR). Your email address will not be publicly displayed. You can change or delete the reviews you have submitted at any time in your user account. By submitting the review, you consent to the necessary data processing (Art. 6 para. 1 sentence 1 lit. a GDPR).



Mobile application (app)

When downloading and installing the mobile application, the necessary information is transferred to the App Store or Google Play Store, such as username, email address, and customer number of your account, time of download, payment information, and the individual device identifier. The App Store also independently collects various data and provides you with analysis results. We have no influence over this data processing and are not responsible for it. We process the data only to the extent necessary for downloading the mobile application to your mobile device. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. b GDPR, as this processing is necessary for the execution of this pre-contractual measure, or if a contract already exists between us, for the fulfilment of this contract.

When using the mobile application, we process the personal data described below to enable the convenient use of the functions: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (page visited), access status/HTTP status code, error data, amount of data transferred in each case, previously visited page, browser, operating system, language, version of the browser software, and the device used.

When you use our mobile application, we process this data, which is technically required to offer you the functions of our mobile application and to ensure stability and security. The legal basis is Art. 6 para. 1 sentence 1 lit. b and lit. f GDPR.

Some data is collected on your device and processed via mobile SDKs, particularly Google Firebase and Singular.

Firebase

We use Firebase, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google Firebase"), to improve the performance and stability of our app and to conduct usage analyses. Firebase processes the following data:

  • Device information (e.g. device type, operating system, app version)
  • Technical identifiers (e.g. IP address, Google advertising ID)
  • Usage data (e.g. app interactions, error reports, in-app purchases)

This data helps us identify errors in the app, improve the user experience, and ensure technical functionality.

Data transfer & storage: The collected data may be transferred to and stored in the USA. Google uses EU Commission standard contractual clauses to ensure an adequate level of data protection.

The use of Firebase is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

To permanently disable Firebase on your device, you can make the appropriate adjustments in your smartphone settings at any time (iOS: Privacy / Advertising / No Ad Tracking; Android: Account / Google / Ads).

Further information on data processing by Firebase can be found in the Google Privacy Policy.

More information on data processing can be found under "Other integrated services".

Singular

We use the analysis service Singular of Singular Labs, Inc., 25 Stillman Street, San Francisco, CA 94107, USA (hereinafter "Singular"), to analyse the effectiveness of our marketing campaigns and measure the success of app installations and in-app activities. When using Singular, the following data may be processed:

  • Device information (e.g. device type, operating system, app version, language settings)
  • Technical identifiers (e.g. IP address, Google advertising ID, IDFA)
  • Usage data (e.g. user behaviour, click rates, visited websites, in-app purchases)

Singular allows us to analyse which marketing measures led to the app installation or to certain user actions within the app. The data is partially aggregated and stored anonymously.

Data transfer & storage: The collected data may be transferred to the USA. Singular relies on EU Commission standard contractual clauses to ensure an adequate level of data protection.

The use of the service is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

To permanently disable Singular on your device, you can make the appropriate adjustments in your smartphone settings at any time (iOS: Privacy / Advertising / No Ad Tracking; Android: Account / Google / Ads).

Further information on data processing by Singular can be found in the Singular Privacy Policy.

More information on data processing can be found under "Other integrated services".



Payments in our applications

On our website and mobile application, you can initiate payment transactions. To enable a payment using the payment service providers you have selected, we transmit the necessary data to the relevant payment service provider and also receive data from them. These payment data include all information required for payment processing. This also includes details used by external payment service providers for identification purposes, such as your PayPal ID if you pay with PayPal.

The exchange of your data with the payment service providers, their further processing, and the processing of data generated by this process are carried out for the performance of the contract concluded with you and the payment method you have selected (Art. 6 para. 1 sentence 1 lit. b GDPR). In addition, we process this data to combat misuse and fraud (Art. 6 para. 1 sentence 1 lit. f GDPR).



Identification for signed online submission

If you wish to submit your tax return to the tax office in signed form (i.e. fully digitally, with the certificate from forium GmbH; in short: "online submission"), prior identification is legally required (§ 87d Fiscal Code). Before the data is transmitted, we must verify your identity and address. For this purpose, we use various methods to identify you as a user when submitting online with identification. Without this data processing, we cannot transmit your signed tax return to the tax office.

(1) If you use the pre-filled tax return (VaSt) in your user account, your master data (including name, address, date of birth, tax identification number) stored by the tax authorities will be used for identification.

(2) If you use PayPal for payment, we can carry out the identification by comparing the payment data received from PayPal with the data from your tax return.

(3) Customer service conducts an identity check after copies of the German identity card, residence permit or passport have been uploaded. The copies must show the front and back of the document as well as the current address. If the address is missing, a registration certificate or a copy of a utility bill showing the current address is required. In addition, the customer must upload a selfie that shows them together with the ID card.

By selecting the relevant identification measure ("VaSt", "PayPal", "Customer service"), the submission of your tax return using this identification measure becomes part of the contract between you and us. The necessary processing of your personal data is therefore carried out for the performance of the contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

These automated processes ("VaSt", "PayPal") or the manual check ("Customer service") determine whether a signed online submission can take place. They are required in accordance with § 22 para. 2 lit. a GDPR for the fulfilment of our contract with you.



Data protection at the tax office

Should we electronically transmit your data to the tax authorities on your behalf, they will further process your data. Naturally, the tax authorities are also bound by the relevant data protection laws. We therefore inform you below about the data protection notice of the tax authorities:

"This software collects personal data within the meaning of Art. 4 No. 1 of the General Data Protection Regulation (GDPR) and Art. 9 para. 1 GDPR for processing purposes. In addition to the pure data required for tax assessment, the software collects data about the user's operating system and transmits this to the tax authorities.

This data is needed to ensure the proper processing of the data and to prevent errors in the processing procedure. The data is used in accordance with Art. 6 para. 1 subpara. 1 lit. e in conjunction with para. 3 subpara. 1 lit. b GDPR in conjunction with federal or state tax laws by the tax authorities and only for the stated purpose."

General information on the implementation of the data protection requirements of Articles 12 to 14 of the General Data Protection Regulation in tax administration can be found here.



Integration of social networks

The standard buttons (so-called plugins) of social networks (e.g. Facebook or X) transfer user data to these social networks unnoticed every time a page is accessed. This allows social networks to receive information about your browsing behaviour. You do not need to be logged in or a member of the network for this to happen.

Our website replaces the standard social network plugins with the so-called Shariff button, thus protecting your data. A single click on the logo of the respective network is still sufficient to share information with others. However, the Shariff button only establishes contact between you and the social network when you click on the logo. This prevents the unwanted transfer of your usage data.

If you click on the respective logo, the social networks may collect usage and user data. We have no influence on the extent to which such data is collected and evaluated.

Please refer to the privacy notices of these services for the purpose and scope of data collection and use by the social networks, as well as your rights and settings options to protect your privacy:



Applications

We collect and process applicants' personal data for the purpose of handling the application process (Art. 6 para. 1 sentence 1 lit. b GDPR in conjunction with § 26 para. 1 BDSG). Processing may also be carried out electronically. This is particularly the case if an applicant submits application documents electronically, for example by e-mail or via a web form on the website.

If we subsequently conclude an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship (Art. 6 para. 1 sentence 1 lit. b GDPR in conjunction with § 26 para. 1 BDSG) in compliance with legal requirements (in particular tax and social security law; Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with § 26 para. 1 BDSG).

If no employment contract is concluded with the applicant, we delete the application documents two months after the rejection decision is announced, unless there are legitimate interests on our part that prevent deletion (Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 17 para. 3 lit. e GDPR) or the data is required for legal proceedings or storage is provided for by legal regulations to which we as the data controller are subject (Art. 6 para. 1 sentence 1 lit. c GDPR, Art. 17 para. 3 lit. b GDPR). A legitimate interest in this sense is, for example, evidence in a procedure under the General Equal Treatment Act (AGG).



Additional integrated services (cookies, plugins, etc.)

In our applications, we use services from other providers and enable you to use services from other providers. We do this to simplify, improve, and analyse the use of the website and to place advertising on other websites. The individual services and plugins we use are listed below. You can activate or deactivate each service individually by clicking on the checkbox. This is also possible for entire categories and all services in the settings window. Please delete the relevant cookies in your browser after withdrawing your consent to prevent your data from being automatically sent to the service provider.

 
