Privacy Policy
Last updated: 4 May 2026. This policy applies to the Clairtax website and service at clairtax.com.
1. Who we are (data controller)
Clairtax (“we”, “us”, “our”) is the data controller for personal data processed through this service.
Contact: hello@clairtax.com
Clairtax provides an online tool that parses broker transaction exports (currently DEGIRO and Revolut) and produces Finland-ready capital gains and dividend summaries. For the scope and limitations of the service, see our Terms of Service.
2. What data we process
When you use Clairtax we may process the following categories of personal data:
- Uploaded broker files — CSV or XLSX exports from your broker (currently DEGIRO and Revolut) containing transaction details (dates, ISINs, quantities, prices, fees, order IDs).
- Interest form submissions — if you complete the interest form on our site (via Tally), we collect your email address, country, broker name, tax platform, and optionally a transaction file upload. This data is used solely to notify you when your broker or country is supported and to prioritise development.
- Generated tax results — FIFO lot matches, gain/loss calculations, and audit data derived from your upload.
- Technical data — IP address, user-agent string, and HTTP request metadata automatically received by our hosting infrastructure when you visit the site or call our API.
- Usage analytics data — page views, referrer information, browser/OS type, and country-level geolocation collected via Vercel Web Analytics and Umami in aggregated form.
- Payment data — when you pay, Stripe collects and processes card and billing details directly. We receive only limited payment-status information (e.g. session ID, payment confirmation, amount). We never receive or store your full card number.
- Rate-limiting identifiers — a hashed representation of your IP address stored temporarily in our rate-limiting service to prevent abuse.
3. How and why we use your data
- Provide the service — parse your uploaded file, run FIFO lot matching, calculate tax results, and return them in your browser.
- Process payments — create a Stripe Checkout session, verify payment status, and unlock paid features.
- Secure the service and prevent abuse — enforce rate limits, detect anomalous traffic, and maintain operational stability.
- Measure product usage and performance — understand traffic patterns and page performance to improve reliability and user experience.
- Improve the service (with your consent) — if you opt in via the consent checkbox at upload, we retain your broker file for up to 60 days in Cloudflare R2 to test and harden our parsing algorithms against real-world exports. You may withdraw this consent at any time by contacting us and we will delete your file.
- Comply with legal obligations — respond to lawful requests and maintain accounting records as required by Finnish and EU law.
We do not sell your personal data. We do not use uploaded broker files or derived tax results to train general-purpose AI or machine-learning models.
4. Is providing your data required?
To use the service you must upload a broker export file and, for paid features, complete payment via Stripe. If you do not provide this data we cannot perform the calculations or unlock paid access. Technical data (IP address, request metadata) is collected automatically by the hosting infrastructure whenever you visit the site.
5. Legal bases (GDPR)
Where the GDPR applies, we rely on:
- Performance of a contract (Art. 6(1)(b)) — to process your file, deliver tax results, and handle payment for the service you request.
- Legitimate interests (Art. 6(1)(f)) — to secure the service, enforce rate limits, prevent abuse, and maintain operational reliability. You have the right to object to processing based on legitimate interests (see section 10).
- Legal obligation (Art. 6(1)(c)) — where we must comply with applicable law, for example retaining accounting records.
- Consent (Art. 6(1)(a)) — where you have explicitly opted in, for example by checking the file retention checkbox at upload. You may withdraw consent at any time by contacting us at hello@clairtax.com.
6. Storage and retention
We do not maintain a persistent customer document store of uploaded broker files. Files are processed transiently to generate results and are deleted after processing, subject to temporary technical logging, caching, and security records as described below.
- Uploaded files (default) — written to temporary server storage for the duration of the request, then deleted immediately when processing completes (typically within seconds).
- Uploaded files (with consent) — if you check the optional retention checkbox at upload, your file is additionally stored in Cloudflare R2 (EU jurisdiction) and automatically deleted after 60 days by a lifecycle rule. You may request earlier deletion by contacting us.
- Generated tax results — returned to your browser and held in your browser’s session storage. We do not persist results on our servers after the response is sent.
- Server / application logs — Vercel retains function logs for up to 30 days. These may contain request metadata, error messages, and file names but not the contents of uploaded files.
- Rate-limiting records — Upstash Redis stores hashed IP identifiers with a sliding window of 1 minute; keys expire automatically after that window.
- Payment and accounting records — Stripe retains transaction records in accordance with its own privacy policy and legal obligations. We retain Stripe session/payment IDs as needed for accounting and legal compliance, for up to 6 years in line with Finnish bookkeeping requirements (Kirjanpitolaki 2:10 §).
7. Recipients and subprocessors
We share personal data only with the service providers listed below, each acting as a data processor on our behalf (or, in Stripe’s case for payment data, as an independent controller). We do not share data with advertisers or data brokers.
- Vercel Inc. — hosting, request routing, serverless function execution, temporary file processing, server logs, and Vercel Web Analytics. Our deployment is configured to run in the EU.
- Umami — privacy-focused website analytics (page views, referrer, browser/OS, and country-level traffic trends) to help us understand product usage and improve reliability.
- Stripe — checkout session creation, payment processing, and payment-status verification. Stripe collects card and billing details directly under its own privacy policy and PCI DSS compliance. When you are redirected to Stripe Checkout, Stripe’s privacy policy and cookies on stripe.com apply to that experience.
- Upstash Inc. — Redis-based rate limiting. Receives hashed IP identifiers and request counts; keys expire within 1 minute. Our Upstash database is hosted in the EU.
- Cloudflare, Inc. — object storage (R2) for broker files retained with your explicit consent. Our R2 bucket is configured in the EU jurisdiction. Files are automatically deleted after 60 days by a lifecycle rule.
- Tally — interest and waitlist form submissions. When you complete a form on our site, your responses (email, country, broker, and any uploaded file) are stored by Tally in accordance with their privacy policy.
If we add or replace a subprocessor, we will update this section before the change takes effect.
8. International transfers
We have configured our hosting (Vercel) and rate-limiting (Upstash) infrastructure to process data within the EU/EEA. Stripe, as an independent controller for payment data, may process data in the US or other regions in accordance with its own privacy policy. Additionally, our other subprocessors are US-headquartered companies, and limited transfers outside the EEA may occur for operational purposes (e.g. support, security incident response). Where such transfers take place, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, the EU–US Data Privacy Framework.
You may contact us at hello@clairtax.com to request more information about the safeguards used for any international transfers or to obtain a copy of those safeguards where available.
9. Cookies and similar technologies
We do not use advertising, session-replay, or marketing cookies or tracking pixels on clairtax.com. We use Vercel Web Analytics and Umami for aggregated traffic and performance measurement.
Essential technical cookies or browser storage may be set by the platform for security or checkout flows (e.g. Stripe session tokens). These are strictly necessary for the service to function and do not require consent under Finnish and EU cookie rules.
Our analytics setup is privacy-focused and does not rely on cross-site advertising cookies for profiling.
If we introduce additional non-essential analytics or marketing trackers in the future, we will update this policy and obtain your consent before enabling them where required by law.
10. Your rights
Under the GDPR and applicable Finnish law, you have the right to:
- Access — request confirmation of whether we process your personal data and, if so, a copy of that data.
- Rectification — have inaccurate personal data corrected.
- Erasure — request deletion of your personal data where it is no longer necessary or where processing is unlawful.
- Restriction — request that processing be limited in certain circumstances.
- Data portability — receive your personal data in a structured, commonly used, machine-readable format.
- Object — object to processing based on our legitimate interests. Where you object, we will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
- Withdraw consent — if we ever rely on consent as a legal basis (e.g. for future analytics), you may withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint — you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu): tietosuoja.fi, or with another EEA supervisory authority in your country of residence.
To exercise any of these rights, contact hello@clairtax.com. We will respond within one month, or notify you if an extension is needed, as required by the GDPR.
11. Automated decision-making
Clairtax performs automated calculations (FIFO lot matching, gain/loss computation) on the data you upload. These calculations are deterministic and rules-based — they do not involve profiling or automated decision-making that produces legal effects or similarly significant effects concerning you. The results are informational and intended for you to review and verify before use.
12. Security
We use measures appropriate to the nature of the data processed, including: HTTPS encryption in transit, access controls on hosting infrastructure, minimal data retention, immediate deletion of temporary upload files, and rate limiting to prevent abuse. No online service can guarantee absolute security. If you become aware of a potential vulnerability, please contact us at hello@clairtax.com.
13. Children
Clairtax is not directed at children under 16. If you believe we have processed a child’s data in error, contact us and we will delete it promptly.
14. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will change when we do. Material changes will be highlighted on the site. We encourage you to review this page periodically.
15. Contact
For any questions about this Privacy Policy or to exercise your rights: hello@clairtax.com