Privacy – plain English

Privacy – explained.

What we do with your IBKR data, what we don't, and why no cookie banner pops up on this site.

This page is for everyone who rightly thinks "we encrypt your data" is not a real answer. Here are the honest answers to the questions we get most often when someone is hesitating in front of the upload button.

The essentials in 60 seconds

Data stays in Germany

Processing on German Hetzner servers, database in Frankfurt. Nothing leaves the EU.

Zero-cookie policy

No Google Analytics. No Facebook pixel. No trackers. No cookie banner because there is nothing you would have to consent to. We are the only tax software for IBKR customers that takes this so seriously.

No AI sees your data

No ChatGPT, no Claude, no Gemini. The tax calculation is a classic deterministic program, running entirely on our infrastructure.

We filter before we read

From your IBKR export we only process the fields we need for the tax report. Everything else is discarded before the calculation even starts.

Delete your account in one click

If you never bought a report, clicking "Delete account" removes everything. If you have an invoice, we process the request manually because of § 147 AO.

Encrypted, always

SSL in transit. Encrypted storage at rest.

Who we are

Behind BubbleTax is a German GmbH based in Bavaria. German law, German court of jurisdiction, German data-protection authority.

BubbleTax GmbH

An den Klostergründen 15, 93073 Neutraubling, Germany

support@bubbletax.de · +49 9401 5399011

1. What data do we actually look at in your IBKR export?

You upload an XML file from Interactive Brokers. There is quite a lot in there. We only read what we need for the tax calculation:

  • Your buys and sells (date, security, quantity, price, fees)
  • Dividends, interest, withholding tax and similar cash movements
  • Corporate actions like stock splits or spin-offs
  • Deposits, withdrawals and transfers to or from other brokers
  • Your holdings at the cut-off date

That's all we need.

What we deliberately do NOT read, even though it might be in the file:

  • Your master data stored at IBKR (name, address, date of birth)
  • Performance evaluations, margin details, risk metrics
  • All other sections of the IBKR export that are irrelevant for taxes

This is not a promise you have to take on faith. The filtering happens before the calculation starts. The algorithm itself never even sees the unused data.

2. Do we keep the file or only the calculation?

Both. For one practical reason:

If we keep the original XML, you can regenerate reports later at any time without triggering a fresh export at IBKR. Likewise we keep the finished result ZIP so you can download it again whenever you want.

Both are stored encrypted on our servers. Transfer is only over SSL (the lock icon in your browser). And you can delete both at any time without talking to us — see point 6.

3. Do we hand your data to anyone?

No. Nobody but us gets to see your tax and trading data. Concretely that means:

  • No AI providers (ChatGPT, Claude, Gemini, none of them)
  • No advertising or marketing platforms
  • No data brokers
  • No authorities, except by court order in Germany (that's the law)

We do work with a handful of service providers, but they do not see your tax data:

| Provider | What for? | What does it see? |
| --- | --- | --- |
| Hetzner (German company, Gunzenhausen) | Provides our servers in Germany on which the calculation runs | Encrypted data in a data center in Germany |
| Neon (database provider) | Stores our database in Frankfurt | Encrypted data in a data center in Germany |
| PDFBolt (European SaaS, Poland) | Renders our finished reports as PDFs. We need this because we generate massive amounts of PDFs | Sees fragments of your report during PDF rendering, but no name and not the full context |
| Stripe | Payment | Only payment data (name, billing address, amount) |
| Freshdesk | Support tickets, if you write to us | Only what you put into your message yourself |
| Plausible (Estonian company) | Anonymous visitor statistics | Anonymous page views without cookies, no identification possible |

What our servers send out during the calculation:

We query Yahoo Finance for the official master data of securities (e.g. whether a stock counts as a stock fund or a mixed fund). Only the ISIN goes there. Not your name. Not your quantities. Not your amounts.

That's it. Nothing else leaves our servers during the calculation.

4. Where are the servers?

In Germany.

The actual calculation of your tax data runs on servers of the German company Hetzner Online GmbH (based in Gunzenhausen, Bavaria). Hetzner is one of Germany's largest hosting providers, operates its own data centers in Germany and is fully subject to German law.

Our database, which stores your account, your uploaded XML and your finished report, sits in a data center in Frankfurt am Main. Again: data physically in Germany.

Honest assessment

Our database provider is called Neon and is registered as a US company (even though the servers are in Frankfurt). In theory this means US authorities could request the data (so-called US CLOUD Act). We have signed the GDPR-required data processing agreement with Neon, which restricts this as far as legally possible.

Why Neon then? Because it gives us an exceptionally stable and high-performance database environment with strong availability and automatic backups. Exactly what we need to run reliably during the tax peak from January to May. For a tool that has to deliver your tax return on time, that is non-negotiable. There is currently no German provider with the same combination of stability, speed and database features. We re-evaluate the market regularly.

For context: Anyone using Interactive Brokers has already entrusted their entire trading history to a US group of companies (IBKR Inc., USA). IBKR also reports this data regularly to US tax authorities (FATCA). The additional risk through our database provider is smaller than what comes with the broker itself anyway.

We are nevertheless looking into moving the database to a purely German provider (e.g. Hetzner Managed Postgres) over the medium term.

5. How long do we keep what?

| What | How long | Why |
| --- | --- | --- |
| Your last successful report per tax year | As long as your account exists | So you can always re-download the latest version for your tax office |
| Older reports and failed processing attempts | 30 days, then automatically deleted | Data minimisation: you usually don't need old versions anymore |
| The associated XML files | Deleted together with the report | So report and source data disappear consistently |
| Your account | Until you delete it | So you don't have to create a new account every year |
| Invoices, if you bought something | 10 years | Statutory obligation under § 147 AO. No choice. |
| Newsletter subscription | Until you unsubscribe | Active consent applies until revoked |

Database backups are kept for 7 days in case something goes wrong. After that they are gone for good as well.

6. Account deletion: what really happens?

In the settings you'll find a button "Delete account and data". What happens next depends on whether you have ever bought something from us.

Case A: You never purchased anything

Immediate, automatic deletion. One click and all your data is removed from our system right away:

  • Your account
  • All uploaded XML files
  • All generated reports
  • Newsletter subscription, if active

Within the next 7 days the data also disappears from our backups.

Case B: You already bought a report

Processed as a manual request in the background. We have to check which invoice data we are required to keep due to the 10-year statutory retention period and which we may delete. This cannot be done fully automatically because each case has to be assessed individually.

What we delete:

  • Your account and login
  • All uploaded XML files
  • All generated reports
  • Your data at Stripe, Brevo (if newsletter), Freshdesk (if support request)

What we are required to keep (statutory obligation, no choice):

The invoices with name, billing address, line items, amount and date. These are automatically and permanently deleted once the 10-year period has expired.

You will receive a confirmation e-mail once the deletion is done, with a clear list of what was deleted and what we had to keep by law.

7. Zero-cookie policy: why we decided against cookies

We decided early and deliberately: BubbleTax does not track you. Period.

Concretely that means:

  • No cookies other than the technically necessary login cookie once you sign in. That's why no cookie banner.
  • Anonymous visitor statistics via Plausible, a European, privacy-friendly alternative to Google Analytics. Plausible sets no cookies and does not identify individual visitors.
  • No advertising trackers. No Google Analytics, no Facebook pixel, no Google Ads tracking, no LinkedIn Insight Tag, no TikTok pixel, no Hotjar, no Microsoft Clarity. None of it.
  • Newsletter only if you actively subscribe. Unsubscribe at any time via the link in every e-mail.

What to watch out for in any online tool

It's worth taking a look at the cookie banner before signing up. The list of third parties you're asked to consent to is surprisingly long in the tax and finance space. Typically you'll find a mix of:

  • Web analytics services like Google Analytics
  • Ad platforms like Google Ads, Meta, LinkedIn or TikTok that pixel-track who was on which page
  • Session-recording tools like Hotjar or Microsoft Clarity that record mouse movements and clicks

If you then click "Accept all" (which most people do because it's the fastest option), the information that someone is currently using a tool for their capital gains tax flows into the advertising profiles at Google, Meta and co. That influences which ads they see afterwards, often for weeks.

For a tool that handles your entire trading year, we don't think that's the right approach.

That's why we forgo all trackers. It makes our marketing harder (we don't know which ad brought you to us, and we can't follow up via re-targeting). Conscious decision. Conscious trade-off.

Test it yourself

Open BubbleTax in your browser, hit F12, go to the "Application" (or "Storage") tab and look at the cookies. Apart from the login cookie after signing in, you'll find nothing there.

8. Your rights under GDPR

You can at any time:

  • Request access to the data we have stored about you (Art. 15 GDPR)
  • Request correction of incorrect data (Art. 16)
  • Request deletion, see point 6 (Art. 17)
  • Request restriction of processing (Art. 18)
  • Take your data with you in a machine-readable format (Art. 20)
  • Object to processing (Art. 21)
  • File a complaint with the data-protection authority (in Bavaria: Bayerisches Landesamt für Datenschutzaufsicht, BayLDA)

Just write to us: support@bubbletax.de. We usually answer within 1–2 working days.

Trusted. Encrypted. In Germany.

Upload your IBKR data and check the free preview. You only pay when you download the report.

Contact for privacy matters

BubbleTax GmbH

An den Klostergründen 15, 93073 Neutraubling

support@bubbletax.de

+49 9401 5399011


Last updated: April 2026