Privacy Policy & GDPR
Last updated: May 9, 2026
TaxForm Pro is operated by Ariva Group. This policy explains how we collect,
use, and protect your personal data in accordance with the EU General Data Protection
Regulation (GDPR) and applicable EU data protection law.
1. Data Controller
The data controller responsible for your personal data is:
2. What Data We Collect
We collect only what is necessary to provide the Service:
- Account data: Name, email address, and password (stored as a bcrypt hash).
- Billing data: Company name, VAT number, and billing address — only if you choose to provide these for invoice purposes.
- Payment data: Payment transactions are handled entirely by Stripe. We store only the number of credits purchased — no card details ever reach our servers.
- Usage data: The number of credits consumed per account. We do not log individual report contents.
- Session data: A standard Laravel session cookie used to keep you logged in. It contains no personal data beyond a session identifier.
3. What We Do NOT Collect
- Your uploaded Interactive Brokers files are processed entirely in memory and are never written to disk or stored on our servers.
- The financial data extracted from your statements (dividends, trades, positions) is returned to your browser and exists only in your session. It is not stored in our database.
- We do not use tracking cookies, advertising pixels, or third-party analytics.
4. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): Processing your account data and credits is necessary to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): Basic security logging to protect the Service against abuse.
- Legal obligation (Art. 6(1)(c) GDPR): Retaining payment records as required by applicable EU accounting and tax law.
5. How We Use Your Data
- To authenticate you and maintain your account.
- To track your credit balance and process purchases.
- To generate invoices if you have provided company billing details.
- To send transactional emails (password resets, payment confirmations). We do not send marketing emails.
- To respond to support requests.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share data only with:
- Stripe, Inc. — payment processing. Stripe is a certified PCI DSS Level 1 provider. See Stripe's Privacy Policy.
- Frankfurter.app / European Central Bank — EUR exchange rate lookups. No personal data is sent in these requests.
We may disclose data if required by law or to protect the rights and safety of users.
7. Data Retention
- Account data: Retained for as long as your account is active. You may delete your account at any time from your profile settings.
- Payment records: Retained for 5 years to comply with applicable EU accounting legislation.
- Uploaded files: Not retained — processed in memory only.
- Session data: Expires after 120 minutes of inactivity.
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights. To exercise any of them, contact us and we will respond within 30 days.
Right of Access (Art. 15)
Request a copy of the personal data we hold about you.
Right to Rectification (Art. 16)
Ask us to correct inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request deletion of your account and personal data ("right to be forgotten").
Right to Restriction (Art. 18)
Ask us to restrict processing of your data in certain circumstances.
Right to Portability (Art. 20)
Receive your personal data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.
You also have the right to lodge a complaint with the data protection supervisory authority
in your EU member state. A full list of EU supervisory authorities is available at
edpb.europa.eu.
9. Cookies
We use only technically necessary cookies:
- Session cookie — keeps you logged in during your browser session. Deleted when you log out or the session expires.
- CSRF token cookie — protects form submissions from cross-site request forgery attacks.
We do not use advertising, tracking, or analytics cookies.
10. Security
We implement appropriate technical measures to protect your data, including HTTPS encryption
in transit, bcrypt password hashing, and CSRF protection on all forms. Uploaded files never
leave PHP's temporary file system and are deleted automatically after each request.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The date at the top of this page reflects
the most recent revision. Continued use of the Service after changes are posted constitutes
acceptance of the updated policy.
12. Contact
For any privacy-related questions or to exercise your GDPR rights, please use our
support form or email
[email protected].
We aim to respond within 5 business days.