Data Protection & Privacy Policy

Last updated: March 2026

1. Data Controller

TaxPilot is operated under Luxembourg law and acts as data controller for all personal data processed through this service. We process your data in compliance with Regulation (EU) 2016/679 (GDPR) and Luxembourg's Loi du 1er août 2018 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel. For data protection enquiries, contact us at: [email protected]

2. Lawful Basis for Processing

We process your personal data under the following legal bases:

  • Contractual necessity (Art. 6(1)(b) GDPR): processing is necessary to provide the tax preparation services you have requested.
  • Legal obligation (Art. 6(1)(c) GDPR): compliance with Luxembourg tax law, including the Loi générale des impôts (LGR) and the Loi concernant l'impôt sur le revenu (LIR).
  • Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention and service security.

3. Data Categories Collected

We collect the following categories of personal data:

  • Personal identifiers: full name, email address, date of birth, and national identification number (matricule — 13-digit YYYYMMDDNNNCC format).
  • Financial data: income details, employment information, uploaded tax documents, and deduction records.
  • Technical data: usage logs with anonymised IP address and session timestamps; authentication cookies.

4. Processing Purposes

Your data is used exclusively for the following purposes:

  • Preparation and calculation of Luxembourg income tax returns (Form 100 / Form 163).
  • Compliance with ACD (Administration des contributions directes) filing obligations.
  • Fraud prevention and service security.
  • Service improvement through aggregated, anonymised analytics only — no individual profiling.

5. Data Retention Periods

We retain your data only as long as legally required or necessary for the purposes described above:

  • Tax records, returns, and supporting documents: 7 years from the end of the relevant tax year, as required by Luxembourg tax law (Art. 1 LGR, Art. 16 LIR).
  • Commercial accounting records: 10 years where applicable.
  • Account data: deleted upon account closure, subject to the retention obligations above.

Once retention periods expire, data is permanently deleted from all systems.

6. Your Rights (GDPR Arts. 15–22)

As a data subject you have the following rights:

  • Right of Access (Art. 15): request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17): request deletion of your data, subject to legal retention obligations.
  • Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to Restriction (Art. 18): restrict processing in certain circumstances.
  • Right to Object (Art. 21): object to processing based on legitimate interests.

To exercise any of these rights, email: [email protected]

7. Security Measures

We implement the following technical and organisational security measures:

  • Application-layer AES-256-GCM encryption for sensitive identifiers (matricule, document storage paths).
  • Documents stored in Microsoft Azure Blob Storage with customer-managed encryption keys.
  • Document access via time-limited secure tokens (5-minute expiry) — never via public URLs.
  • Sensitive data (matricule, tax amounts) is never written to logs.
  • HTTPS-only data transmission; no sensitive data in URL parameters.

8. Data Protection Authority

If you believe your personal data is being processed unlawfully, you have the right to lodge a complaint with the Luxembourg supervisory authority:

CNPD — Commission nationale pour la protection des données
15, Boulevard du Jazz — L-4370 Belvaux, Luxembourg
Tel: +352 26 10 60-1
Web: cnpd.public.lu