Legal
Privacy Policy
Last updated · 8 July 2026
Recovering withholding tax inherently means processing sensitive-by-nature data: identity, financial statements, tax documents. This page describes what we process, why, for how long, who receives it — and how to exercise your rights. No unnecessary jargon.
Art. 01
Data controller
The data controller is [DATA CONTROLLER ENTITY TO BE COMPLETED — COMPANY NAME], fully identified in the legal notice. Contact point for any data question: contact@fiscalplace.com.
Art. 02
Data we process
- Identity and contact — surname, first name, email address, phone, postal address, country of tax residence.
- Verification data (KYC) — identity document, evidence required by regulation, results of compliance checks.
- Financial data — brokerage statements, dividend lines and tax withheld, bank details for paying out recovered amounts.
- Tax documents — residence certificates, treaty forms, signed mandates, administrations' decisions and correspondence.
- Site usage data — technical security logs and the four browser-storage entries described in the cookie policy — no advertising trackers.
We only collect what serves the claim: no “just in case” data.
Art. 03
Purposes and legal bases
Each processing operation rests on a legal basis under article 6 GDPR:
| Purpose | Legal basis | In practice |
|---|---|---|
| Processing your recovery claim: diagnostic, preparation, filing, follow-up, payout | Performance of the contract (art. 6.1.b) | Without this data, no claim can be filed. |
| Verifying your identity and preventing money laundering (KYC / AML) | Legal obligation (art. 6.1.c) | Checks imposed by applicable regulation. |
| Invoicing and bookkeeping | Legal obligation (art. 6.1.c) | Mandatory invoices and accounting records. |
| Improving the service: internal statistics, hardening user journeys | Legitimate interest (art. 6.1.f) | Aggregated data; never advertising profiling. |
| Sending you communications not required for your claim | Consent (art. 6.1.a) | Only where applicable — withdrawable at any time. |
Art. 04
Recipients
The tax administrations of the countries covered by your claims: that is the very purpose of the mandate you give us. They receive only the data their refund procedure requires.
Technical providers acting on our behalf under contract: identity verification, electronic signature, payment, hosting. [KYC / SIGNATURE / PAYMENT PROVIDERS TO BE CONFIRMED — the named list will be published on this page.]
Where relevant, our advisers bound by professional secrecy (lawyers, accountants) and the authorities where the law requires it.
Your data is never sold, rented, or passed to third parties for advertising purposes.
Art. 05
Transfers outside the European Union
They are inherent to the service: filing a claim with an administration established outside the EU — United States, Switzerland, United Kingdom, Canada, Japan, Australia in our current panel — means transmitting to it the data its procedure requires. This transfer relies on the derogations of article 49 GDPR: it is necessary for the performance of the contract concluded in your interest.
Where technical providers are established outside the EU, the transfer is framed by the safeguards of article 46 GDPR (standard contractual clauses, adequacy decision where available). We favour EU-based providers whenever possible.
Art. 06
Security
Security measures — encryption, access segregation, logging — are described on the security and privacy page. In the event of a data breach likely to create a high risk to your rights, you are informed as required by article 34 GDPR.
Art. 07
Retention periods
Each category of data has its own clock:
| Category | Duration | Grounds |
|---|---|---|
| Tax file: claims, forms, decisions, supporting evidence | 10 years | Statutory accounting and tax record-keeping period. |
| KYC / AML data | 5 years after the relationship ends | Statutory anti-money-laundering obligation. |
| Client account and contractual documents | Duration of the relationship, then 5 years | Statutory limitation period for contractual actions. |
| Prospects with no ensuing contract | 3 years after last contact | Legitimate interest, aligned with CNIL guidance. |
| Browser storage | See the cookie policy | Four technical entries, zero trackers. |
Once these periods expire, data is deleted or irreversibly anonymised.
Art. 08
Your rights and how to exercise them
Under the GDPR you have, over your data:
- a right of access (obtain a copy of what we hold);
- a right to rectification of inaccurate or incomplete data;
- a right to erasure, within the limits of the statutory retention periods above;
- a right to restriction of processing;
- a right to object, notably to processing based on legitimate interest and, at any time, to direct marketing;
- a right to portability of the data you provided to us;
- the right to withdraw consent at any time, without retroactive effect;
- the right to set directives on what happens to your data after your death (French law).
To exercise them: an email with the subject “Personal data” is enough. We answer within one month, extendable by two months for complex requests (article 12 GDPR); proof of identity is only requested where there is reasonable doubt about the requester's identity.
Art. 09
Data protection officer
The formal appointment of a data protection officer is under assessment: [DPO OR DATA-PROTECTION CONTACT TO BE APPOINTED WHERE REQUIRED]. In the meantime, all data requests are handled through the contact point in article 1, with the same rigour and the same deadlines.
Art. 10
Complaint to the CNIL
If, after contacting us, you consider that your rights are not respected, you may lodge a complaint with the French data protection authority (CNIL): www.cnil.fr. If you reside in another EU member state, your local data protection authority is also competent.
Art. 11
Contact and updates
This policy evolves with the service; the update date appears at the top of the page. Any substantial change is notified to clients with an active claim before it takes effect.
For any question about your data: