Privacy Statement - Loctax Platform
This is the privacy statement of:
Loctax NV, a limited company registered in Belgium under company number 0754.858.750, having its registered address at Gebroeders Vandeveldestraat 68, 9000 Ghent, Belgium.
Also referred to as "we" or "us".
We run and manage the Loctax software as a service (SaaS) platform accessible at https://app.loctax.com/ (the "Platform").
This Platform-specific privacy statement focuses on how we collect, use, and process personal data in the context of the Platform, specifically personal data of customers and users, as well as any personal data of customer-affiliated individuals they provide or input into the Platform.
This Platform-specific privacy statement complements the general privacy statement on our website. For a complete overview of how we manage your personal data, we encourage you to review both privacy policies.
1. Why this privacy statement?
We believe that true transparency is essential when it comes to your personal data. This privacy statement is designed to explain how we handle your personal data in the context of the Platform in a clear and easy-to-understand way. To help you fully understand the information in this privacy statement, it's important that we first explain some key concepts. Understanding these concepts will provide the context you need to make informed decisions and feel confident in how we manage your personal data.
We are committed to following privacy laws that protect your personal data, particularly the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable Belgian laws that implement and/or specify the EU legislation regarding personal data protection.
2. Key concepts
Here are some important terms related to data protection that will be used in this privacy statement:
Personal data: this refers to any information that can identify you, either directly (like your name or email address) or indirectly (like an online identifier such as an IP address).
Data processing: this term refers to any action taken with your personal data, such as collecting, storing, using, or sharing it.
Data controller and data processor: the GDPR distinguishes between two roles when it comes to handling personal data:
- A data controller is the entity that decides what personal data is collected and for what purposes it will be used (deciding).
- A data processor handles the personal data on behalf of the data controller and follows their instructions (facilitating).
At Loctax, we act as a data controller for the personal data of customers and users we collect and use for our own purposes. This means we determine why and how this personal data is used, and it is our responsibility to ensure that it is handled lawfully, fairly, and transparently.
For other personal data—such as data users input into the Platform or certain user data processed on behalf of our customers—we act on the customer's instructions. In this case, we are a data processor and the customer is the data controller.
As the data controller, it is the customer's responsibility to inform data subjects—such as employees, contractors or affiliated individuals whose personal data is processed—about how and why their personal data is used. This should be clearly outlined in the customer's privacy statement in line with their transparency obligations under the data protection laws. This privacy statement is designed to support our customers in meeting these obligations by providing an overview of how we process personal data within the Platform. However, it does not replace or fulfill the customer's duty to ensure data subjects are fully informed.
We make it a priority to provide you with access to this privacy statement before you share your personal data with us. This allows you to understand how your personal data will be handled and make an informed decision. Please take the time to read this privacy statement carefully and make sure you fully understand it.
If you have any feedback or suggestions for improving our privacy practices, please contact us at [email protected].
3. Loctax as data controller
3.1 What personal data do we collect from you and why?
As a data controller, we collect and use certain personal data of customers (account holders) and, in some cases, personal data of users for purposes directly related to the relationship they have with us and their use of the Platform. The types of personal data we collect and their purposes are detailed in the tables below.
In line with data protection laws, we ensure that all processing of your personal data is based on a lawful basis, such as fulfilling the contract we have with you, complying with legal obligations, obtaining your consent or pursuing our legitimate interests.
We will only use your personal data for the specific purposes for which it was collected, unless a new purpose arises that is compatible with the original intent. If we need to process your personal data for a new or unrelated purpose, we will notify you and, where required, seek your consent.
Please note that we do not intentionally collect or process 'special category' or 'sensitive' personal data, such as information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or details about sex life or sexual orientation, in the context of our role as a data controller on the Platform.
Customers (account owners)
In this context, 'customer' refers to the legal representative of the customer organization responsible for managing or upholding the SaaS agreement with us. This individual may or may not have a user account on the platform.
Processing activity | Category of personal data | Specific personal data | Lawful basis |
---|---|---|---|
Account creation and management | Personal identification data, contact details | First name, last name, professional email, phone number | Contract performance |
Managing legal processes and documentation (e.g. compliance, contract management) | Communication data | Internal/external professional emails, chats | Legitimate interest |
Billing and financial transactions | Financial data | Bank account details, transaction history | Contract performance, Legal obligation |
Sending service communications (e.g. onboarding emails) | Personal identification data, communication data | First name, last name, professional email | Contract performance |
Sending marketing communications (e.g. product updates) | Personal identification data, communication data | First name, last name, professional email | Legitimate interest |
Customer satisfaction surveys | Communication data | Survey responses, feedback | Legitimate interest |
Dispute resolution | Identification data, transaction data, communication data | Name, contact details, transaction history, payment records, invoices, emails, and communication records related to disputes | Contract performance, Legitimate interest |
Users
A 'user' refers to any individual, other than the account owner, who has a user account on the Loctax platform. These users are generally employees or contractors of the customer and interact with the platform to perform tax-related or compliance tasks on the customer's behalf.
As a data controller, we process personal data of users for our operational purposes, such as feedback collection, usage tracking, personalization, security, and legal compliance.
Processing activity | Category of personal data | Specific personal data | Lawful basis |
---|---|---|---|
Account management and authentication | Personal identification data, contact details | Username, professional email, authentication data | Contract performance |
Tracking user behavior and product usage | Behavioral data, online identifiers | User activity logs, IP address, device ID, session cookies | Legitimate interest |
Collecting user feedback | Behavioral data, communication data | Feedback data, responses to surveys or feedback forms | Legitimate interest |
Personalization and user experience | Behavioral data, preferences | User activity, language preferences, UI settings | Legitimate interest |
Sending marketing communications (e.g. product updates) | Contact details, preferences | Professional email address, marketing preferences | Consent, Legitimate interest |
Security and fraud prevention | Behavioral data, online identifiers | IP address, login attempts, device data | Legitimate interest |
Dispute resolution | Identification data, activity data, communication data | Name, email address, usage data, transaction history, support inquiries, chat logs | Contract performance, Legitimate interest |
When you use our Platform, we may collect certain technical information about your device and browser, including your IP address, browser type, and operating system. This information is considered personal data and helps us improve your user experience.
3.2 How long do we keep your personal data?
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, regulatory, or contractual obligations. In some cases, this may require retaining personal data even after our relationship with you has ended.
For customers and users, we distinguish between:
- Existing: customers or users with whom we currently maintain a relationship.
- Former: customers or users with whom the relationship has ended.
We take all reasonable steps to delete personal data once it is no longer needed. Specific retention periods for both customers and users are detailed in the retention tables below.
To understand whom we refer to under 'customers' and 'users', please refer to the definitions provided earlier in this policy.
Customers
We retain personal data of customers during the active business relationship and for up to 7 years after, for legal, regulatory, or contractual purposes.
Status | Type of personal data | Retention period | Lawful basis |
---|---|---|---|
Existing (ongoing customer relationship) | Contact details, contractual information | Retained for the duration of the commercial relationship | Contract performance |
Former (customer relationship has ended) | Contact details, contractual information | Any personal customer information directly related to the customer account on the Platform: deleted within 180 days after the customer contract ends. Other personal data (e.g. included in invoices): up to 7 years post termination of the customer relationship. | Contract performance (deletion of personal customer information in the Platform); Legitimate interest (dispute resolution); Legal obligation (requirement to retain invoices for 7 years under Belgian tax and accounting laws) |
Following the end of our business relationship, we will no longer use your contact details for marketing purposes if our communications were based on our legitimate interest as a lawful basis. If you previously provided valid consent for marketing communications, we will continue to send you updates and information for which you opted in until you choose to withdraw your consent. You may withdraw your consent at any time.
Users
We retain personal user information for the duration of their access to the platform and, if applicable, for up to 2 years after they stop being a user, e.g. to do usage analytics.
Status | Type of personal data | Retention period | Lawful basis |
---|---|---|---|
Existing (active user account) | Contact details, login credentials, usage data | Retained as long as the customer relationship is active | Contract performance |
Former (inactive user account) | Contact details, login credentials, usage data | Any personal user information in support tickets, feedback forms, etc.: up to 2 years after they stop being a user | Legitimate interest (customer support, usage feedback and analytics) |
Following the end of your access to the Platform, we will no longer use your contact details for marketing purposes if these communications were based on our legitimate interest as the lawful basis. If you previously provided valid consent for marketing communications, we will continue to send you updates and information for which you opted in until you choose to withdraw your consent. You may withdraw your consent at any time.
3.3 Do we share your personal data with third parties?
We rely on trusted third-party providers who assist us for a variety of purposes. In doing so, they process personal data on our behalf. These providers are known as "data processors". We have made the necessary contractual arrangements with them to ensure that they handle your personal data securely and process it solely for our purposes, not for their own.
Below is a list of the types of data processors we work with and the purposes they serve:
- Platform analytics providers: companies that help analyze user behavior and engagement specifically related to the usage of our Platform, including tracking interactions, feature usage, and overall activity within the Platform.
- Payment processors: providers that securely handle online payments from paying customers, ensuring the safe processing of payment transactions for our services.
- Survey and feedback tools: providers of platforms used to collect and analyze user feedback.
- Communication tools: providers that facilitate customer (user) support communication through our Platform, enabling interactions such as chat support, ticket management, and other customer service functions.
- Customer relationship management (CRM) systems: systems used to manage information about the customer entity and its representatives for purposes such as communication, support, and account management.
If any of your personal data is shared with a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party's obligations under the law.
If any personal data is transferred outside of the European Economic Area (EEA), we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the GDPR, as explained below in Part 5.
If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to a third party. Any new owner of our business may continue to use your personal data in the same way(s) that we have used it, as specified in this privacy statement.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
3.4 What privacy rights do you have?
Under the GDPR, you have the following rights:
- The right to be informed about our collection and use of your personal data. This privacy statement should tell you everything you need to know, but you can always contact us to find out more.
- The right to access the personal data we hold about you. Part 3.5 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
- The right to erasure, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold. Do note, however, that this is not an absolute right and that we can deny a request for erasure if retaining the data is necessary for compliance with a legal obligation, the performance of a contract, or for the establishment, exercise, or defense of legal claims.
- The right to restrict (i.e. prevent) the processing of your personal data. You can request that we limit how we use your personal data in certain circumstances (e.g., while accuracy is being verified).
- The right to object to us using your personal data for a particular purpose or purposes, such as marketing.
- The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time.
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 7.
It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.
3.5 How can you access your personal data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 7.
There is normally no charge for a subject access request. If your request is 'manifestly unfounded or excessive' (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs.
We will respond to your subject access request within one month. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
3.6 Complaints?
If you have any concerns about how we use your personal data as a data controller, you have the right to file a complaint with the Data Protection Authority (DPA) in the EU country where you reside, work, or where the issue occurred.
We are regulated by the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de Protection des Données), so it is most logical to contact them for assistance. You can visit their website for more information here.
We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first by reaching out to [email protected].
4. Loctax as data processor
4.1 What personal data do we process from you and why?
As a data processor, we process certain types of personal data strictly on behalf of and under the instructions of our customers, who act as data controllers. The personal data we process, the purposes for which it is processed, and the sub-processors engaged for these activities are detailed in the tables below.
Our role as a processor means that we handle this personal data solely to provide the agreed-upon services to our customers, ensuring compliance with their instructions and applicable data protection laws. We do not determine the purposes or means of processing this data, and any decisions regarding its collection, use, or disclosure are made by the customer.
The Platform is a tax compliance tool and is not designed or intended to collect or process 'special category' or 'sensitive' personal data, as defined under the GDPR. This includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or details about sex life or sexual orientation.
As the data controller, it is the customer's responsibility to ensure that the Platform is used appropriately and in compliance with applicable data protection laws. Customers and their users should avoid inputting special category or sensitive personal data into the Platform unless absolutely necessary and supported by a valid legal basis under the GDPR.
Users
A "user" refers to any individual, other than the account owner, who has a user account on the Loctax platform. These users are generally employees or contractors of the customer and interact with the platform to perform tax-related or compliance tasks on the customer's behalf.
As a data processor, we process personal data of users explicitly tied to customer activity or expectations.
Processing activity | Category of personal data | Specific personal data | Sub-processor |
---|---|---|---|
Live monitoring of application errors and performance | Behavioral data, online identifiers | User activity logs, IP address, device information, browser and OS details, session data | Sentry |
Delivering transactional emails (e.g., password resets, user invites) | Contact details, communication data | Email addresses, email content | ActiveCampaign Postmark |
Streamline user authentication and access control | Personal identification data, contact details | First name, last name, email address | WorkOS |
Customer-affiliated individuals
"Customer-affiliated individuals" refers to individuals directly or indirectly associated with the customer's business organization whose personal data is entered into the platform by users for the customer's tax management and compliance purposes. These may include shareholders, directors, beneficiaries, employees of entities managed by the customer, or other stakeholders.
As a data processor, we process personal data of customer-affiliated individuals because the customer expects us to. We securely store any personal data they input into the platform ("customer-provided personal data"), both in a structured and unstructured way.
Structured customer-provided personal data refers to personal data provided by the customer or its users in a structured format, typically through specific data fields, templates or "data entries" within the platform. This data is organized and searchable, making it readily usable for automated processing or reporting.
Examples: first name, last name and country of residence (e.g. of governance board members or shareholders) entered into designated fields.
Unstructured customer-provided personal data refers to personal data included in free-form or unstructured content uploaded to the platform by users. This data may be embedded in documents, text, or other media and requires additional processing to extract or utilize.
Examples: personal data included in free text fields in the platform (e.g. user notes and user comments in workflows); personal data included in tax documents uploaded to the platform (e.g. full name, contact information, tax identification number, address, income details, ownership percentages, bank account details, job title, etc.).
The table below outlines how we process the personal data of customer-affiliated individuals:
Processing activity | Personal data (category and specific) | Sub-processor |
---|---|---|
Hosting data and managing server infrastructure | Customer-provided personal data: Structured: First and last name. Unstructured: Full names, contact information, tax identification numbers, addresses, income details, ownership percentages, bank account details, job titles, intercompany transaction details, and payment amounts embedded in uploaded tax documents or free-text fields (e.g., comments). | Amazon Web Services (AWS) |
Enhance website performance, security, and reliability | Customer-provided personal data: Structured: Names, addresses, tax identification numbers, and other metadata that may pass through content delivery processes. Unstructured: Any personal data contained in uploaded documents or free-text fields that might be transmitted during platform interactions, such as when documents are accessed, edited, or viewed. | Cloudflare |
Facilitate effective communication and support services | Customer-provided personal data: Unstructured: Any personal data shared in support tickets or conversations, e.g. uploaded screenshots of platform activity. | Intercom |
Converting customer documents to text via OCR | Customer-provided personal data: Structured: Extracted structured personal data (e.g., names, addresses, tax identification numbers) that becomes part of the organized platform records. Unstructured: Full names, contact information, tax identification numbers, addresses, income details, ownership percentages, bank account details, job titles, intercompany transaction details, and payment amounts contained in tax documents. Note: These third-party AI providers support our optional Intelligent Document Processing (IDP) feature for automating tax data collection. No data is shared with these sub-processors unless you opt in to use the IDP feature, and they are strictly prohibited from using your data for any AI model training. | Microsoft Azure OpenAI, Instabase |
4.2 How long do we keep your personal data?
Retention during the customer relationship
As a data processor, we retain personal data of users and customer-affiliated individuals for as long as necessary to fulfill our contractual obligations to the customer. This includes personal data directly associated with the customer's users, as well as any personal data of customer-affiliated individuals stored within user accounts. When a user account is deactivated within a customer account, neither the associated personal data nor the data stored within the user account is automatically deleted. Both are retained as long as the customer relationship with us remains active, unless otherwise requested.
If the customer determines that the personal data of a deactivated user or the data stored within their user account is no longer necessary for its purposes, the customer may request its deletion. The customer is responsible for ensuring that such a request does not conflict with any applicable legal or regulatory retention obligations, such as those related to tax compliance or record-keeping requirements.
Retention after the end of the customer relationship
Upon termination of the customer relationship, we will delete all operational data, including any personal data, stored within the customer account (covering both data related to users and to customer-affiliated individuals), within 180 days. This process includes the deletion of any back-up data and ensures that personal data shared with our sub-processors is also promptly deleted within the same timeframe, in accordance with our Data Processing Agreement (DPA) and in compliance with GDPR and other applicable regulations.
4.3 What are sub-processors and why do we share your personal data with them?
A sub-processor is a third-party vendor which we engage in our role as a data processor, to assist us in fulfilling our contractual obligations to our customers, who act as data controllers. While the GDPR does not explicitly define "sub-processor," we identify sub-processors as third parties that process personal data on our behalf under our instructions, which are, in turn, strictly based on the instructions of our customers.
This includes vendors involved in hosting, providing essential built-in functionalities, and customer support. Sub-processors are carefully selected to ensure compliance with GDPR standards, and we only share personal data with them when necessary to deliver our services. You can view the current list of sub-processors here.
4.4 What privacy rights do you have?
As a data processor, we process personal data on behalf of our customers, who are the data controllers. If you wish to exercise your privacy rights under the GDPR (such as access, rectification, erasure, or objection), you should contact the customer directly, as they are responsible for handling these requests. We will support our customers in responding to your requests as needed, in accordance with our contractual obligations.
4.5 Complaints?
If you have any concerns or complaints about how your personal data is being processed, you should direct your complaint to the customer, who is the data controller. You have the right to file a complaint with the Data Protection Authority (DPA) in the EU country where you reside, work, or where the issue occurred.
While we, as a data processor, are not the primary party responsible for addressing such complaints, we will assist our customers in coordinating with the relevant DPA if necessary.
5. How and where do we store or transfer your personal data?
We will mainly store your personal data within the European Economic Area (the "EEA"). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the GDPR and/or to equivalent standards by law. Transfers of personal data to the UK are permitted under the 'Decision on the adequate protection of personal data by the United Kingdom'.
Furthermore, we may store some of your personal data in countries outside of the EEA. These are known as "third countries". We will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA as follows:
- According to the European Commission, the country of destination offers an adequate level of protection (e.g. transfers of personal data to the UK are permitted under the 'Decision on the adequate protection of personal data by the United Kingdom');
- The country of destination does not in itself provide an adequate level of protection, but we have entered into the necessary contractual arrangements with the party in question, taking into account the standard contractual clauses published by the European Commission.
6. How do we keep your personal data safe?
The security of your personal data is essential to us. To protect it, we implement a range of measures tailored to our responsibilities as both a data controller and a data processor, including:
- Limiting access to personal data to employees, agents, contractors, and other third parties with a legitimate need to know, and ensuring they are subject to strict confidentiality obligations.
- Implementing technical safeguards such as encryption, firewalls, and secure data storage systems to protect personal data against unauthorized access, loss, or alteration.
- Regularly testing, assessing, and evaluating the effectiveness of our technical and organizational measures to ensure the ongoing security of personal data.
- Keeping systems and software up-to-date to prevent vulnerabilities and enhance data protection.
- Providing regular training to employees and contractors to maintain awareness and compliance with data protection obligations.
- Establishing procedures for managing data breaches, including identification, reporting, and mitigation.
- Minimizing data collection and retention, ensuring we only process personal data necessary for the purposes outlined in this privacy statement or as instructed by the customer (the data controller).
- Requiring all (sub-)processors who process personal data to implement robust security measures and adhere to strict contractual obligations.
7. Questions?
To contact us about anything regarding your personal data and data protection, please use the following details for the attention of our Data Protection Officer (DPO):
Email address: [email protected]
Postal Address: Loctax NV, Gebroeders Vandeveldestraat 68, 9000 Gent (Belgium)
8. Changes to this privacy statement
We may update this privacy statement from time to time to ensure compliance with new legislation or to reflect changes in our business that impact how we handle personal data.
We encourage you to check this page regularly to stay informed about how we protect your personal data.
This privacy statement was last updated on 22 May 2025.