Privacy Policy

Last updated: 22 April 2026

This privacy policy applies to the website harriet.tax as well as the Harriet application (Closed Beta), which is provided under a separate subdomain. It informs you in accordance with Art. 13 and Art. 14 GDPR about the processing of personal data.

1. Controller

The controller within the meaning of the GDPR is:

Mario Deubler
Schödlbergergasse 16/53
1220 Vienna, Austria
Email: hello@harriet.tax

For questions about data protection, the exercise of your rights or processing on instruction, you can reach us at any time at hello@harriet.tax.

2. Overview of processing activities

We process personal data in the following contexts:

  • When visiting this website (server log files, optional web analytics)
  • When signing up for the waitlist or the Closed Beta (email address, optional survey responses)
  • When using the Harriet application (uploaded receipts, bank exports, OCR extraction, AI-supported classification, tax forecast)
  • For internal notifications about new pipeline requests (email to administrator)

3. Legal bases

We rely on the following legal bases under the GDPR:

  • Art. 6(1)(a) GDPR (consent): web analytics with PostHog, waitlist sign-up, optional pain-point survey, acceptance of the Beta Terms and the Data Processing Agreement (DPA).
  • Art. 6(1)(b) GDPR (performance of a contract): provision of the Harriet application, processing of uploaded receipts and bank data, generation of the tax forecast, sending of operationally necessary emails.
  • Art. 6(1)(c) GDPR (legal obligation): retention obligations under the Austrian BAO and UGB for tax-relevant documents, where applicable.
  • Art. 6(1)(f) GDPR (legitimate interest): server log files for ensuring operation, protection against abuse, technical security, internal pipeline notifications.

4. Data processing when visiting the website

When you visit our website, the server automatically captures information (server log files). These include:

  • Browser type and version
  • Operating system used
  • Referrer URL (previously visited page)
  • Hostname of the requesting computer
  • Time of the server request
  • IP address

This data is not merged with other data sources. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in error-free presentation and optimisation of our website).

5. Waitlist and Beta sign-up

When you register for the waitlist or the Closed Beta, we process your email address to confirm your registration, to grant Beta access and to communicate around your Beta status.

Optionally, you may take part in a short survey on your biggest pain points around taxes. The responses are evaluated in pseudonymous form. Legal basis: Art. 6(1)(a) GDPR (consent), revocable at any time by email to hello@harriet.tax.

6. Data processing in the Harriet application

When you use the Harriet application, we process the following categories of data:

  • Master data (email, chosen name, business form, optional company and contact data)
  • Uploaded receipts and invoices (PDF, image files)
  • Data extracted from receipts (OCR text, amounts, dates, vendor, suggested tax category)
  • Bank exports (CSV, parsed transaction data)
  • Calculated tax values (E/A bookkeeping, income tax forecast, SVS estimate, profit allowance)
  • Optional: token-based shares for your tax advisory firm

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Retention: for the duration of your Beta participation plus statutory retention periods under BAO/UGB, where applicable. You may request earlier deletion at any time by email (see Data subject rights).

7. AI-supported processing and automated decisions

Harriet uses AI-supported procedures to extract content from receipts (OCR) and to assign receipts to tax categories (classification). Classification runs in a multi-stage pipeline that produces suggestions with confidence scores:

  1. MCC code recognition (for card transactions with a Merchant Category Code)
  2. Vendor match (known providers)
  3. EKR mapping (Austrian unified chart of accounts)
  4. Keyword match
  5. LLM fallback (AI model, where rule-based steps do not apply)
  6. Generic fallback with low confidence

Notice under Art. 22 GDPR and Art. 50 EU AI Act: The results of this classification are suggestions for your own review and for review by an authorised tax advisory firm. There is no solely automated decision-making with legal effect within the meaning of Art. 22 GDPR: human review is required and intended before any further use — in particular before submission to the Finanzamt (Austrian tax authority).

AI-generated classifications are marked as such in the application. Beta users receive a detailed description of how the system works in the Beta Terms.

8. Processors used

For the operation of the website and the application, we use the following processors. Data processing in each case takes place on the basis of an agreement under Art. 28 GDPR.

8.1 Vercel (hosting)

Our website and the application are hosted with Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel operates a global CDN and preferentially serves content via European edge locations. Data processed: IP address, date/time of access, transferred data volume, browser type, referrer URL. Legal basis: Art. 6(1)(f) GDPR. Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF) and additionally on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. More information: vercel.com/legal/privacy-policy.

8.2 Supabase (database, authentication, storage)

We use Supabase as the backend platform for database, authentication and file storage. Provider: Supabase Inc., 970 Reserve Drive #201, Roseville, CA 95678, USA. Our instance runs in the EU region (Frankfurt); data is processed on European servers. Data processed: login data, uploaded receipts, extracted OCR data, bank data, tax values, session and metadata. Legal basis: Art. 6(1)(b) GDPR. Where administrative access or support by Supabase is required, any transfer to the USA is based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. More information: supabase.com/privacy.

8.3 Mistral AI (OCR and classification)

For text recognition (OCR) on receipts and for AI-supported classification and optimisation suggestions, we use the API of Mistral AI, operated by Mistral AI SAS, 15 rue des Halles, 75001 Paris, France. Only the content required for the respective task (e.g. image or text of a receipt) is transmitted. Mistral processes data in the EU; no transfer to a third country takes place. Mistral does not contractually use API content for training purposes. Legal basis: Art. 6(1)(b) GDPR. More information: mistral.ai/terms.

8.4 Proton Mail (email)

Operationally necessary emails (e.g. Beta invitations, confirmations, internal pipeline notifications) are sent via Proton Mail. Provider: Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland. Switzerland has an adequacy decision from the European Commission pursuant to Art. 45 GDPR; an additional transfer mechanism is not required. Data processed: email addresses of sender and recipient, content of the email, technical metadata. Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR. More information: proton.me/legal/privacy.

8.5 PostHog (web analytics, optional)

On the marketing website we use PostHog (PostHog Inc., EU hosting via PostHog Cloud EU) for pseudonymous analysis of website usage — page views, click behaviour, scroll depth, form interactions, device information. Data is processed on servers in the EU.

PostHog is loaded only after your explicit consent via the cookie banner. Without consent, no analytics data is collected. Legal basis: Art. 6(1)(a) GDPR.

Data transfer to PostHog runs through a managed proxy by Cloudflare (Cloudflare Inc., USA). Cloudflare is certified under the EU-US Data Privacy Framework and acts here exclusively as an infrastructure service provider in transit. More information: posthog.com/privacy and cloudflare.com/privacypolicy.

9. Processing via the pipeline (harriet-orchestrator)

For the final preparation of the E/A bookkeeping and the E1a annex, your receipt data and bank exports are exported from the application and processed by a separate pipeline (harriet-orchestrator). The pipeline runs as a command-line tool and does not persist data in a database: input and output occur exclusively as files that are returned to the application and stored in your workspace there. The pipeline may invoke AI-supported classification via the Mistral API described in section 8.3.

10. Data storage, security and retention

Transmission is encrypted (TLS). Data in the database and in file storage resides on European servers of our processor Supabase. We implement technical and organisational measures pursuant to Art. 32 GDPR (access controls, encryption in transit, pseudonymisation in analytics data, regular backups, restriction of access to authorised persons).

Retention period: for the duration of your Beta participation; after termination of the Beta we delete your content within 90 days at the latest, unless statutory retention obligations require otherwise. Server log files are typically deleted after 30 days.

11. Your rights as a data subject

You have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7(3) GDPR)

To exercise your rights, please write to hello@harriet.tax. The lawfulness of processing carried out before withdrawal remains unaffected.

12. Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority:

Austrian Data Protection Authority (Österreichische Datenschutzbehörde)
Barichgasse 40–42
1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: dsb.gv.at

13. Cookies

This website uses one cookie to store your cookie preference (consent or rejection of web analytics). This cookie is technically necessary (Art. 6(1)(f) GDPR in conjunction with § 165 TKG 2021). Analytics cookies from PostHog are only set with explicit consent. In the application itself, we use only session cookies required for operation (authentication).

14. Changes to this privacy policy

We update this privacy policy when processing activities, processors or legal requirements change. The current version with date applies to your visit.
