Privacy Policy – Fiscaro

Last updated: March 2026

At Fiscaro.tax, operated by Blue Pepper S.L., we take the protection of your personal data very seriously. This Privacy Policy provides detailed information on how we collect, process and protect your personal data.

1. Controller

Blue Pepper S.L. (in formation) Carrer dels molins 6 07159 S'Arracó (Andratx) Spain Email: rgpd@fiscaro.tax Represented by: Hanns-Christopher Deppe Note: Until Blue Pepper S.L. is registered, Hanns-Christopher Deppe is to be considered the controller within the meaning of the GDPR.

2. What data do we process?

a) User account & tax service – Name, email address, billing address – NIE/NIF (Spanish tax identification number) – Property data (cadastral reference, purchase price, type of use) – Payment data (Stripe only — we do not store card data) – Communication history (enquiries, support) b) Technical data – IP address (anonymised by Plausible) – Browser type, operating system, device type (anonymised) – Pages visited, time spent (aggregated, without personal reference) c) Transactional emails – Email address for confirmations, status updates, tax assessments

No data sharing with third parties – No hidden data processing – No secret profiling.

3. Legal bases for processing

Processing purpose | Legal basis Contract performance (tax return) | Art. 6(1)(b) GDPR Payment processing | Art. 6(1)(b) GDPR Legal retention obligations (tax, commercial law) | Art. 6(1)(c) GDPR Website operation, security, fraud prevention | Art. 6(1)(f) GDPR Anonymised usage statistics (Plausible) | Art. 6(1)(f) GDPR Newsletter / marketing (with consent) | Art. 6(1)(a) GDPR

4. Processors & third-party providers

We use the following external services acting as processors: Hosting & infrastructure: – Vercel Inc., San Francisco (USA): Website hosting & edge delivery. Data transfer to the USA based on Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR. DPA in place. – Supabase Inc., San Francisco (USA): Database & authentication. EU region configured (eu-central-1). DPA in place. SCC as fallback safeguard. – Cloudflare Inc. (R2 Storage): Storage of documents and uploads. EU region configurable. DPA in place. SCC as legal basis for USA transfer. Payment processing: – Stripe Payments Europe Ltd., Dublin (IE): EU entity, no third-country transfer for EU transactions. DPA automatically via ToS. Stripe stores card data in its own PCI-DSS-certified system. Email (transactional): – Resend Inc., USA: Sending transactional emails (confirmations, tax assessments). Data transfer to USA based on SCC. DPA to be concluded manually at resend.com/dpa. Email marketing: – Inxmail GmbH, Freiburg (DE): Newsletter and marketing emails. Hosting exclusively in Germany. ISO 27001-certified (TÜV Rheinland). CSA-certified. No third-country transfer. DPA to be concluded. Analytics: – Plausible Insights OÜ, Tallinn (EU): Privacy-friendly website analytics. No cookies, no personal data, no IP storage. EU-hosted. No third-country transfer.

5. Transfers to third countries

The following providers are based in the USA or process data there: Vercel, Supabase, Cloudflare, Resend. Transfers are made on the basis of Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR. Inxmail and Plausible process data exclusively within the EU — no third-country transfer.

6. Retention periods

Data category | Retention period User account (active) | Duration of contractual relationship + 4 years (Spanish tax retention obligation) Tax returns & assessments | 10 years (statutory obligation, Spain) Payment data (Stripe) | Per Stripe policies; no card data stored by us Marketing emails (consent) | Until withdrawal of consent Analytics data (Plausible) | Aggregated, no personal reference; no deletion obligation Support communication | 3 years after last contact

7. Your rights

You have the following rights under the GDPR in relation to us as controller: – Right of access (Art. 15 GDPR) – Right to rectification (Art. 16 GDPR) – Right to erasure (Art. 17 GDPR) – Right to restriction of processing (Art. 18 GDPR) – Right to data portability (Art. 20 GDPR) – Right to object (Art. 21 GDPR) – Right to withdraw consent (Art. 7(3) GDPR) To exercise your rights, contact: rgpd@fiscaro.tax You also have the right to lodge a complaint with the Spanish data protection authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es

8. Data security

We implement technical and organisational measures to protect your data: – Encryption of all data transfers via TLS/HTTPS – Database access only via authenticated API calls (Supabase RLS) – Documents in isolated cloud storage (Cloudflare R2, not publicly accessible) – Stripe PCI-DSS certification for payment data – Regular security reviews

9. Modelo 210 — specificities of tax data processing

Fiscaro transmits tax data to the Spanish tax authority (Agencia Tributaria / AEAT) on behalf of the user. This transmission: – Is made exclusively on the user's explicit instruction – Is based on Art. 6(1)(b) GDPR (contractual performance) – Is subject to the statutory retention periods of Spanish tax law – Is strictly necessary for the provision of the service The AEAT is a Spanish authority — no third-country transfer. Data transmission takes place via encrypted connections.

10. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy when changes to our service or legal requirements make this necessary. The current version is always available at modelo210online.com/privacy. We will notify you of material changes by email.

11. Contact & data protection enquiries

Blue Pepper S.L. (in formation) Responsible person: Hanns-Christopher Deppe Carrer dels molins 6 07159 S'Arracó (Andratx) Spain Email: rgpd@fiscaro.tax Response time: We respond to data protection enquiries within 30 days.

12. Changes to this Privacy Policy

We may update this Privacy Policy to reflect legal changes or service improvements. Last updated: March 2026