Privacy policy

Last updated: 6 July 2026 · under Regulation (EU) 2016/679 (GDPR)

1. Data controller

QuadroTax (quadrotax.it) is the controller of the personal data collected through this site and the application. For any data request: [email protected].

2. Data we process

DataPurposeLegal basis
Email and password (bcrypt-hashed)Account creation and sign-inContract performance (art. 6.1.b)
Crypto transactions you upload or syncThe tax computation you requestContract performance (art. 6.1.b)
Read-only exchange API keys (AES-256-GCM encrypted)Transaction syncContract performance (art. 6.1.b)
Payment data (handled by Stripe: we only receive outcome, plan and amount)Plan purchasesContract and legal obligations (art. 6.1.b, 6.1.c)
Email left in the reminder formTax-deadline noticesConsent (art. 6.1.a), withdrawable at any time

We process no special categories of data, do no profiling or automated decision-making, and never sell or share data with third parties for marketing.

3. Cookies and local storage

The site uses no profiling cookies and no third-party trackers. Your sign-in session is handled with a strictly-necessary technical HttpOnly cookie (not readable by JavaScript, sent only to our server), which requires no consent. Your browser's localStorage holds only non-sensitive information — a flag that a session exists and your language choice — which stays on your device.

4. Recipients and processors

5. Retention

Account data and transactions are kept for as long as the account exists. If you delete the account, the account, transactions, API keys and saved prices are erased immediately and irreversibly. Only payment accounting records are retained for legal obligations (10 years, art. 2220 Italian Civil Code), unlinked from the deleted account.

6. Your rights

You have the rights of access, rectification, erasure, restriction, portability and objection (arts. 15–22 GDPR). Full deletion is self-service in the app (Account → Delete account & data). For anything else write to [email protected]: we reply within 30 days. You may also lodge a complaint with the Italian supervisory authority (Garante, gpdp.it).

7. Security

bcrypt-hashed passwords, AES-256-GCM-encrypted API credentials, TLS transport, security headers and rate limiting. We only ever ask for read-only API keys, never keys with fund-transfer permissions.

8. Changes

Material changes to this policy will be published on this page with a new update date.