Your privacy matters to us.
This policy explains how we collect, use and protect your personal data in accordance with GDPR.
1. Data Controller
Fiscal.ia SAS
17 Chemin du Prieuré, 79260 La Crèche
Email: contact@ifg.tax
2. Data Collected
2.1 Identification Data
- Email (required to create an account)
- First and last name (optional)
2.2 Usage Data
- Tax questions asked (processed to provide the service and improve it; direct identifiers are minimized where possible)
- Connection logs (IP address, dates, times)
- Conversation history
2.3 IFG France Workspace and Gmail Connector Data
- Client dossier metadata that you enter in IFG France, such as dossier name, status, tax period and working notes
- Documents or excerpts that you upload or paste for fiscal analysis, such as a tax reassessment proposal, request for information or client letter
- When you explicitly connect Gmail, Gmail account authorization data and the Gmail messages that you ask IFG France to pre-process
For IFG France, confidentiality mode is active by default. Personal data in questions, dossier notes, document excerpts, meeting notes and Gmail content is minimized or redacted before model synthesis or external source-search prompts whenever technically possible.
2.4 Payment Data
- Payment information (processed by Stripe, not stored on our servers)
- Transaction history
3. Purposes of Processing
Your data is used to:
- Provide and improve the IFG service
- Manage your user account
- Process your payments
- Provide IFG France tax research, document analysis, dossier memory and client-mail pre-analysis features
- Send service-related communications
- Ensure security and prevent fraud
- Comply with legal obligations
4. Legal Basis
We process your data based on:
- Contract performance: providing the requested service
- Consent: marketing communications (revocable at any time)
- Legitimate interest: service improvement, security
- Legal obligation: accounting, taxation
5. Data Sharing
Your data may be shared with:
- Supabase (Frankfurt, Germany): database and storage hosting (EU)
- Hetzner (Nuremberg, Germany): application hosting (EU)
- Stripe (Ireland): payment processing (PCI-DSS certified)
- OpenAI (USA): AI processing via API with minimized data and, where possible, pseudonymized inputs
- Groq (USA): AI inference for IFG France where enabled, with minimized or redacted inputs
- Google (USA / global): OAuth authentication and Gmail API access only when you connect your Google account
AI retention: contractual no-training / reduced-retention settings are used where available, and only the minimum data required for the feature is sent to AI APIs.
EU hosting: except AI inference, the platform (application, database, logs) is hosted in the European Union.
We never sell your data to third parties.
6. IFG France Gmail Connector
The Gmail connector is optional and requires your explicit Google OAuth consent. It is designed to help professionals pre-process client requests before manual review.
- IFG France requests read-only Gmail access for the connected user account.
- IFG France does not send emails automatically, mark emails as read, archive emails, delete emails or mutate Gmail labels.
- Gmail message bodies are used only to generate the requested pre-analysis and are minimized before analysis where technically possible.
- The IFG France intake queue stores limited metadata and analysis output; it does not store full Gmail message bodies as dossier memory.
- You can disconnect the connector in IFG France and can also revoke access from your Google Account security settings.
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure: delete your data (“right to be forgotten”)
- Right to restriction: restrict processing of your data
- Right to data portability: receive your data in a structured format
- Right to object: object to processing
- Right to withdraw consent: at any time
To exercise these rights: contact@ifg.tax
8. Data Retention
- Account data: for the duration of your subscription + 3 years
- IFG France dossier data, conversation history, document analysis outputs and Gmail intake outputs: retained while your account is active, unless you delete them or request deletion, subject to legal and security requirements
- Full Gmail message bodies: not stored as IFG France dossier memory or intake records
- Payment data: 10 years (accounting obligation)
- Connection logs: 12 months (security)
9. Security
We implement appropriate security measures:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest
- Secure authentication
- User-owned access controls and row-level security where applicable
- Encrypted storage of OAuth tokens where connector access is enabled
- Always-on privacy minimization for IFG France sensitive client inputs
- Restricted access to personal data
- Monitoring and incident detection
- Processor selection based on recognized controls (e.g., ISO/IEC 27001, SOC 2, PCI-DSS where applicable)
10. Cookies
We use essential cookies required for website operation (session, authentication). Audience measurement cookies are optional and only activated after explicit consent.
11. Complaints
If you believe your rights are not respected, you may lodge a complaint with the CNIL (French Data Protection Authority):
CNIL
3 Place de Fontenoy - TSA 80715
75334 PARIS CEDEX 07
www.cnil.fr
12. AI Assistant Connector (Model Context Protocol)
IFG can be connected to third-party AI assistants (for example ChatGPT or Claude) through the Model Context Protocol (MCP) at https://ifg.tax/v1/mcp. When you use IFG this way, the following applies, and it differs from the web application described above:
- What we receive. Only the specific tool inputs your assistant sends to perform a search (for example a legal reference, a jurisdiction code, a citation to verify, or search keywords). We do not receive — and never request — your full conversation or chat history.
- What we do with it. Each input is processed in real time by our routing engine — a fiscal and jurisdictional coverage graph — which determines the relevant access paths, retrieves the corresponding official text, and returns it to your assistant. Neither the request nor the result is retained.
- What we store. We do not store your queries, the inputs sent by the assistant, or the results returned. The only personal data retained for the connector is your OAuth credential (access and refresh tokens, stored hashed) so the connection stays authorized, plus minimal connection logs (IP address, date and time) for security.
- Recipients. Parameters pass through IFG servers (European Union). The engine queries official public sources according to jurisdiction and document type; we do not publicly disclose the detailed routing map. The AI assistant you connect is operated by its own provider (for example OpenAI or Anthropic) under that provider's own privacy policy. We never sell your data and do not send your parameters to commercial databases or model training.
- Retention. Queries and results are not retained (processed in memory for the duration of the request only). OAuth tokens are retained until you disconnect IFG or revoke access. Connection logs are kept for 12 months.
- Your controls. You can disconnect IFG from your assistant at any time, which revokes the connection, and you can exercise your GDPR rights at contact@ifg.tax.
13. Changes
This policy may be updated. We will inform you of any material changes by email.