Privacy Policy
Effective Date: 1 June 2026 · Last Updated: 1 June 2026
tAIxable LLC ("tAIxable", the "Company", "we", "us", or "our"), registered at 2785 Paradise Ridge Road, Spearfish, South Dakota 57785, USA, is committed to protecting your privacy and to handling your personal information transparently and responsibly.
This Privacy Policy explains how we collect, use, process, store, disclose, and safeguard personal information when you visit our website, create an account, use our platform, interact with our planning tools, or otherwise engage with our services (collectively, the "Services").
By using our Services, you acknowledge this Privacy Policy.
1. Scope of This Privacy Policy
This Privacy Policy applies to:
- visitors to our website;
- registered platform users;
- prospective and current customers;
- business users and authorised collaborators;
- individuals who communicate with us or subscribe to marketing communications.
It does not apply to third-party services or websites that may be linked from our Services, which have their own privacy policies.
2. Identity of the Controller, EU/UK Representative, and Data Protection Officer
Controller
tAIxable LLC
2785 Paradise Ridge Road
Spearfish, South Dakota 57785, USA
General privacy contact: privacy@taixable.com
EU Representative (Article 27 GDPR)
Our EU representative will be designated and contact details published here prior to active marketing in the European Union. In the interim, EU users may contact us directly at privacy@taixable.com.
UK Representative (Article 27 UK GDPR)
Our UK representative will be designated and contact details published here prior to active marketing in the United Kingdom. In the interim, UK users may contact us directly at privacy@taixable.com.
Data Protection Officer
You may contact our DPO at dpo@taixable.com.
3. Information We Collect
We collect information you provide directly, information generated through your use of our Services, and information collected automatically through the operation of our platform.
| Category | Examples | Source |
|---|---|---|
| Identity & Account | Name, email address, telephone number, account credentials, language/timezone, profile settings | Direct from you at sign-up |
| Planning & Platform | Relocation planning inputs, country selections, employment arrangements, compensation assumptions, equity/stock planning scenarios, tax-related planning assumptions, filing preferences, fiscal year selections, modelling inputs, scenario configurations | Direct from you while using the Services |
| Collaboration | Names, contact details, role permissions of team members, authorised users, or collaborators added by you or by an advisor | Direct from the user adding the collaborator; sometimes from a third-party advisor |
| Communications | Correspondence with us, support requests, form submissions, privacy-related requests, marketing-subscription state | Direct from you when you contact us |
| Technical & Usage | IP address, browser and device information, operating system, approximate location derived from IP, usage activity, referral URLs, session data, cookie identifiers, analytics/tracking information | Automatically collected when you use our Services |
| Payment (when paid Services launch) | Billing name and address, last 4 digits of payment instrument, transaction history. Full card data is processed by our payment processor (see Section 8) and we do not store it. | Direct from you at checkout |
Unless expressly stated otherwise, planning information is treated as planning / scenario data for informational purposes rather than as official tax filing records or regulated financial documentation.
We do not intentionally collect any "special categories" of personal data under GDPR Art. 9 (data revealing race, ethnic origin, political opinions, religion, trade-union membership, health, sex life, biometric or genetic data). Where the information you enter for planning purposes could indirectly reveal such categories (for example, charitable-giving categories or medical-expense deductions), we ask you not to enter free-text content that identifies the underlying source, and we treat any such inferred data with the highest protective standards available in our systems.
4. How We Use Your Information
We use personal information to:
- provide, operate, and maintain our Services;
- create and manage user accounts;
- generate planning outputs and scenario modelling;
- personalise platform functionality and user experiences;
- support collaboration features;
- respond to enquiries and provide customer support;
- communicate with users regarding services, updates, and support matters;
- improve our platform, products, and user experience;
- monitor usage, performance, and platform effectiveness;
- send newsletters, marketing communications, and product updates only with your prior opt-in consent where required by law (e.g., for EU/UK residents);
- maintain security and system integrity;
- detect, investigate, and prevent fraud, abuse, or misuse;
- comply with legal obligations (including tax-record retention obligations in jurisdictions where they apply);
- protect our contractual and legal rights.
5. Legal Basis for Processing (EU / UK Users)
Where GDPR, UK GDPR, or similar privacy laws apply, we process personal information under one or more of the following legal bases:
| Purpose | Legal basis |
|---|---|
| Account creation, login, planning tool delivery, paid-tier billing | Contractual necessity — Art. 6(1)(b) |
| Platform analytics, security monitoring, fraud prevention, product improvement | Legitimate interests — Art. 6(1)(f) |
| Non-essential cookies, marketing emails, browser notifications, optional integrations | Consent — Art. 6(1)(a) |
| Tax-record retention, accounting obligations, responses to law-enforcement requests | Legal obligation — Art. 6(1)(c) |
| Any incidental processing of Art. 9 special-category data | Explicit consent — Art. 9(2)(a) |
You may withdraw consent at any time for processing that relies on consent, without affecting the lawfulness of processing carried out before withdrawal.
6. Cookies, Analytics, and Tracking Technologies
We use cookies and similar technologies to operate our platform, improve functionality, analyse performance, understand user behaviour, personalise experiences, and support communications and marketing activities.
These technologies fall into the following categories:
- Strictly necessary — required for the platform to function (e.g., session, CSRF tokens). No consent required.
- Analytics & performance — Google Analytics (GA4) and similar tools that help us understand usage patterns. Consent required for EU/UK users.
- Functionality — remembers your preferences (e.g., language, timezone). Consent required for EU/UK users.
- Marketing & advertising — used to deliver and measure marketing communications. Consent required for EU/UK users.
EU/UK users will see a consent banner on first visit; preferences can be changed at any time via the cookie settings link in the page footer. A current inventory of cookies (name, provider, purpose, retention) is available on request to privacy@taixable.com.
We use Google Consent Mode v2 to ensure that analytics and advertising scripts respect user consent choices.
7. Marketing Communications
For EU/UK residents, we send marketing communications only with your prior opt-in consent, or to existing customers under the "soft opt-in" exception where permitted by local law (e.g., UK PECR), in each case with a clear unsubscribe link.
For users in other jurisdictions, we send marketing communications subject to applicable local law, and you may unsubscribe at any time using the link included in each communication or via account settings.
We do not sell personal information to third parties for the purpose of marketing.
8. Sharing of Personal Information & Sub-processors
We do not sell personal information.
We share personal information with the following categories of trusted sub-processors as reasonably necessary to operate the Services. A current list with the name, role, and processing location of each sub-processor is available on request to privacy@taixable.com and updated when material changes occur.
| Category | Examples |
|---|---|
| Cloud hosting & infrastructure | Google Cloud Platform — production in the United States, staging in the European Union (Belgium) |
| Database hosting | Google Cloud SQL — same regions as above |
| Analytics & product telemetry | Google Analytics 4 (Google LLC) |
| Email delivery (transactional & marketing) | Our email service provider, contracted under data-processing terms |
| Customer support | Handled by our internal team via email |
| Payment processing (once paid tier launches) | Stripe Inc. (USA) |
| Professional advisers (legal, accounting) | Engaged on a confidential basis |
Where you explicitly choose to connect with an advisor or collaborator through the platform, relevant information will be shared as necessary to facilitate that interaction and only to the extent you direct.
We may also disclose information where required by law, court order, or where necessary to protect the security, legal rights, business operations, or users of the Services.
9. International Data Transfers
Because tAIxable operates internationally, personal information may be processed, stored, or transferred outside your country of residence, including between the European Union and the United States.
We rely on the following transfer mechanisms:
- EU–US Data Privacy Framework (DPF): for transfers to US-based sub-processors (including Google LLC) that maintain a valid DPF certification, we rely on that certification together with the UK Extension.
- Standard Contractual Clauses (SCCs): for any transfer where DPF is not available, we use the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and the UK International Data Transfer Agreement (IDTA) / UK Addendum, with supplementary technical and organisational measures consistent with EDPB Recommendations 01/2020.
- Adequacy decisions: for transfers to countries the European Commission has recognised as providing adequate protection (e.g., UK, Switzerland, Japan, South Korea), we rely on the relevant adequacy decision.
A copy of the safeguards in place for any specific transfer is available on request to privacy@taixable.com.
10. Data Retention
We retain personal information only for as long as reasonably necessary for the purposes for which it was collected, subject to legal and operational obligations. The table below sets out our default retention periods:
| Data category | Default retention | Reason |
|---|---|---|
| Account information (name, email, credentials) | Lifetime of the account + 3 years after closure | Account recovery, fraud prevention, dispute resolution |
| Planning & scenario data | Lifetime of the account + 1 year | User access and modification |
| Tax-relevant records (where classified as such by local law, e.g., DE: 10 yrs, FR: 6 yrs, ES: 4–10 yrs, UK: 5–6 yrs, US: 7 yrs) | Local statutory tax retention period | Compliance with tax law |
| Marketing consent records | 3 years from last interaction | Proof of consent (GDPR Art. 7(1)) |
| Support correspondence | 3 years from closure of the ticket | Quality assurance and dispute handling |
| Server logs and security event records | 12 months | Security investigation |
| Backups | 30 days | Disaster recovery |
| Payment / transactional records (when paid tier launches) | 7 years | Accounting and tax law |
After expiry of the applicable retention period, data is either deleted, anonymised, or retained in a securely archived state if required to defend legal claims.
11. Security
We implement technical, organisational, and administrative safeguards designed to protect personal information against unauthorised access, misuse, loss, disclosure, or alteration. These include:
- encryption of personal data at rest (managed encryption keys) and in transit (TLS 1.2+);
- role-based access control and the principle of least privilege;
- centralised audit logging of administrative access;
- regular vulnerability scanning and dependency updates;
- secrets management via a dedicated secret store (no plaintext credentials in source code);
- CSRF protection on all state-changing endpoints;
- segregated production and staging environments.
No online platform or storage environment can be guaranteed completely secure. We continuously work to strengthen our security posture.
12. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and within 72 hours where feasible (GDPR Art. 33).
Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly and without undue delay (GDPR Art. 34), via the contact details on your account.
13. Your Privacy Rights
Depending on the privacy law applicable to you, you have the right to:
- access personal information we hold about you;
- rectification of inaccurate or incomplete information;
- erasure of personal information ("right to be forgotten");
- restriction of certain processing;
- objection to certain processing activities, including direct marketing;
- portability of data in a structured, commonly used, machine-readable format;
- withdraw consent where processing relies on consent, at any time;
- opt out of marketing communications;
- not be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you (GDPR Art. 22);
- lodge a complaint with a supervisory authority in your country of residence (EU list: edpb.europa.eu/about-edpb/about-edpb/members_en; UK: ico.org.uk).
To exercise privacy rights, please email privacy@taixable.com. We respond within 30 days for GDPR requests and 45 days for CCPA requests. We may request identity verification before processing certain requests.
14. Automated Decision-Making and AI Transparency
Our Services use automated logic, computational models, and (in some features) artificial-intelligence / machine-learning systems to generate planning outputs, comparisons, and scenario analyses based on the inputs you provide.
Nature of the processing. These tools are decision-support tools, not decision-makers. They generate indicative outputs that you, your advisor, or an authorised collaborator interpret and act upon.
Logic and significance. Calculations are based on (i) your inputs (jurisdiction, compensation, equity holdings, fiscal year, etc.), (ii) jurisdiction-specific tax rate tables and rules we maintain, and (iii) algorithmic models we have developed. The outputs are illustrative, may not reflect actual legal, tax, or financial outcomes, and may change with law, facts, or timing. They should not be relied upon as definitive professional advice.
No solely automated decisions with legal or similarly significant effect. We do not make decisions about you that are solely based on automated processing and produce legal or similarly significant effects within the meaning of GDPR Art. 22. Any meaningful decisions (e.g., account suspensions, eligibility decisions) involve a human reviewer.
Your rights. You have the right to obtain human intervention regarding any automated output, to express your point of view, and to contest any decision influenced by automated processing. Email privacy@taixable.com to exercise this right.
EU AI Act transparency (Regulation 2024/1689). Where our Services use AI systems to interact with you or to generate content, we will clearly indicate that fact at the point of use, as required by Art. 50 of the EU AI Act.
15. Account Deletion
You may request deletion of your account and associated personal information at any time via account settings or by emailing privacy@taixable.com. Deletion may involve account deactivation, anonymisation, or removal, subject to applicable legal, security, operational, fraud-prevention, and statutory tax-retention obligations. We will tell you what (if anything) is retained, why, and for how long.
16. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact privacy@taixable.com.
17. Third-Party Services and Links
Our Services may include links to or integrations with third-party websites, services, or tools (for example, your accountant's portal, social-login providers, or payment processors). We are not responsible for the privacy practices, content, or security of third-party services and recommend you review their privacy policies separately.
18. California / US State Privacy Notice
This section provides additional disclosures for residents of California, Virginia, Colorado, Connecticut, Utah, Texas, and other US states with privacy laws.
Categories of Personal Information Collected (CCPA Format)
In the past 12 months, we have collected the following CCPA categories of personal information: identifiers (name, email, account ID); commercial information (subscription history when paid tier launches); internet/network activity (browsing, usage); geolocation (IP-derived approximate location); inferences (planning-tool inferences drawn from your inputs).
We have not sold personal information within the meaning of CCPA/CPRA, nor have we shared personal information for cross-context behavioural advertising.
California Rights
California residents have the right to: know, delete, correct, request a list of categories shared, opt out of sale/sharing (where applicable), limit use of sensitive personal information (where applicable), and not be discriminated against for exercising these rights ("Shine the Light" disclosure).
To exercise California rights, email privacy@taixable.com. For authorised-agent requests, we will request authorisation.
Other US State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws have similar rights and may exercise them using the same channels.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, regulatory, operational, or technological changes. Updated versions will be posted on our website with a revised effective date. Where the changes are material and adversely affect you, we will notify registered users by email at least 30 days before the new version takes effect.
20. Contact
- General privacy questions: privacy@taixable.com
- Data Protection Officer: dpo@taixable.com
- EU Representative: to be designated (see Section 2)
- UK Representative: to be designated (see Section 2)
- Postal: tAIxable LLC, 2785 Paradise Ridge Road, Spearfish, South Dakota 57785, USA