Privacy Policy

1. Introduction

CryptoTax.be is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Belgian crypto tax reporting service.

This policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 and Belgian data protection laws.

2. Data Controller Information

3. Information We Collect

3.1 Personal Information

• Account Information: Name, email address, password (encrypted)
• Contact Details: Phone number (optional), mailing address (for invoicing)
• Tax Information: Tax identification number, residency status, and (if you record it) the registration status of your foreign accounts with the National Bank of Belgium (CAP)
• Business Information (accountants): firm name, VAT number, billing address and team membership within an accountant workspace

3.2 Financial and Cryptocurrency Data

• Exchange API Credentials: Encrypted API keys for connected exchanges (e.g., Kraken)
• Wallet Addresses: Ethereum and other blockchain wallet addresses you provide
• Transaction History: Trades, transfers, deposits, withdrawals, staking rewards
• Portfolio Data: Asset holdings, historical balances, cost basis information

3.3 Technical Information

• Device Information: IP address, browser type, operating system
• Usage Data: Pages visited, features used, interaction patterns
• Cookies: Session cookies, preference cookies

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

• Contract Performance: To provide our tax reporting services
• Legal Compliance: To comply with Belgian tax laws and anti-money laundering regulations
• Legitimate Interests: To improve our services, ensure security, and prevent fraud
• Consent: For marketing communications and optional features

5. How We Use Your Information

5.1 Provide Services

• Generate accurate tax reports for Belgian tax authorities
• Calculate capital gains, losses, and taxable income
• Track portfolio performance and tax obligations
• Synchronize data from exchanges and blockchains

5.2 Legal and Compliance

• Comply with Belgian tax reporting requirements
• Meet anti-money laundering (AML) obligations
• Respond to legal requests from authorities
• Maintain records as required by Belgian tax law (7 years)

6. Data Sharing and Disclosure

6.1 Service Providers

• Hosting Infrastructure: Hetzner (EU data centers) for application hosting and Cloudflare for content delivery and encrypted file storage
• Identity Provider: Auth0 for secure login and authentication
• Payment Processors: Stripe for subscription billing
• Email Services: Mailgun (EU region) for transactional emails
• Blockchain and Market Data Providers: To build your reports we query blockchain indexers and price data providers (such as Moralis, Alchemy and Etherscan) with the wallet addresses you provide, and the APIs of exchanges you connect

6.2 Toegang door accountant

U kunt leestoegang tot uw CryptoTax.be-account verlenen aan een derde partij, zoals uw accountant of belastingadviseur, door vanuit uw accountinstellingen een uitnodiging te versturen. Met deze toegang kan de derde partij uw belastinggegevens inzien maar niet wijzigen. De rechtsgrondslag voor deze gegevensdeling is uw toestemming (AVG artikel 6, lid 1, onder a). U kunt deze toegang op elk moment intrekken via uw accountinstellingen, waarna de derde partij onmiddellijk alle toegang tot uw gegevens verliest.

Daarnaast kan een accountant die met uw mandaat uw fiscaal dossier beheert, op CryptoTax.be een beheerd cliëntdossier voor u aanmaken. In een beheerd dossier kan de accountant namens u databronnen toevoegen (walletadressen, exchange-koppelingen, CSV-bestanden), correcties aanbrengen op uw belastingdata en uw belastingrapport vastleggen. Heeft u al een CryptoTax.be-account met hetzelfde e-mailadres, dan wordt het beheerde dossier aan dat account gekoppeld. De rechtsgrondslag voor deze verwerking is de overeenkomst tussen u en uw accountant (AVG artikel 6, lid 1, onder b); de accountant bevestigt aan ons dat hij over uw mandaat beschikt. Accountants en hun teamleden zijn contractueel gebonden aan onze gebruiksvoorwaarden voor accountants, met strikte vertrouwelijkheids- en beveiligingsverplichtingen.

Vragen over een beheerd dossier, of wilt u een samenwerking beëindigen? Neem contact op met uw accountant of bereik ons via [email protected].

6.3 Wettelijke vereisten

We may disclose information when required by:

• Belgian tax authorities (SPF Finances/FOD Financiën)
• Court orders or legal proceedings
• Law enforcement agencies

7. Data Security

We implement industry-standard security measures:

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• API Keys: Encrypted storage using Spring Security Crypto
• Access Controls: Role-based access, multi-factor authentication
• Security Audits: Regular penetration testing and vulnerability assessments
• Infrastructure: Secure cloud hosting with SOC 2 compliance

8. Data Retention

We retain your data according to Belgian legal requirements:

• Tax Data: 7 years from the tax year, as required by Belgian tax law
• Account Information: Duration of account plus 7 years
• Transaction History: 7 years from transaction date
• Support Communications: 2 years from last interaction

Deleted data is securely erased from our systems and backups within 90 days.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Access Right

Request a copy of your personal data we process

9.2 Rectification Right

Correct inaccurate or incomplete personal data

9.3 Recht op verwijdering ("Recht om vergeten te worden")

U kunt op elk moment verzoeken om uw account en bijhorende gegevens te verwijderen. Dit kan rechtstreeks via de optie "Verwijder mijn account" in de instellingen van uw profiel. Na bevestiging wordt uw data onherroepelijk verwijderd, behoudens gegevens die wij wettelijk verplicht zijn te bewaren (zoals facturen). Uw loginaccount bij onze identiteitsprovider (Auth0) wordt handmatig verwijderd binnen 14 dagen.

9.4 Restriction Right

Limit processing of your data in certain circumstances

9.5 Portability Right

Receive your data in a structured, machine-readable format

9.6 Objection Right

Object to processing based on legitimate interests or direct marketing

10. Contact Information

10.1 Klachten

If you're unsatisfied with our handling of your personal data, you have the right to lodge a complaint with the Belgian Data Protection Authority or your local supervisory authority.

Questions? Contact us at [email protected]