Privacy policy
1. Data controller
QuadroTax (quadrotax.it) is the controller of the personal data collected through this site and the application. For any data request: [email protected].
2. Data we process
| Data | Purpose | Legal basis |
|---|---|---|
| Email and password (bcrypt-hashed) | Account creation and sign-in | Contract performance (art. 6.1.b) |
| Crypto transactions you upload or sync | The tax computation you request | Contract performance (art. 6.1.b) |
| Read-only exchange API keys (AES-256-GCM encrypted) | Transaction sync | Contract performance (art. 6.1.b) |
| Payment data (handled by Stripe: we only receive outcome, plan and amount) | Plan purchases | Contract and legal obligations (art. 6.1.b, 6.1.c) |
| Email left in the reminder form | Tax-deadline notices | Consent (art. 6.1.a), withdrawable at any time |
We process no special categories of data, do no profiling or automated decision-making, and never sell or share data with third parties for marketing.
3. Cookies and local storage
The site uses no profiling cookies and no third-party trackers. Your sign-in session is handled with a strictly-necessary technical HttpOnly cookie (not readable by JavaScript, sent only to our server), which requires no consent. Your browser's localStorage holds only non-sensitive information — a flag that a session exists and your language choice — which stays on your device.
4. Recipients and processors
- Hosting in the European Union.
- Stripe for payments (card data never touches our servers).
- Resend for transactional email (password reset, reminders).
- CoinGecko for market prices: requests are made from our server and contain no personal data of yours.
5. Retention
Account data and transactions are kept for as long as the account exists. If you delete the account, the account, transactions, API keys and saved prices are erased immediately and irreversibly. Only payment accounting records are retained for legal obligations (10 years, art. 2220 Italian Civil Code), unlinked from the deleted account.
6. Your rights
You have the rights of access, rectification, erasure, restriction, portability and objection (arts. 15–22 GDPR). Full deletion is self-service in the app (Account → Delete account & data). For anything else write to [email protected]: we reply within 30 days. You may also lodge a complaint with the Italian supervisory authority (Garante, gpdp.it).
7. Security
bcrypt-hashed passwords, AES-256-GCM-encrypted API credentials, TLS transport, security headers and rate limiting. We only ever ask for read-only API keys, never keys with fund-transfer permissions.
8. Changes
Material changes to this policy will be published on this page with a new update date.