XRechnungs

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

A data protection officer has not been appointed, as there is no legal obligation to do so.

We process personal data exclusively in accordance with the GDPR and the applicable national data protection regulations (in particular the BDSG).

Processing is carried out for:

• Provision of our SaaS services
• Contract performance
• Ensuring IT security
• Improvement of our offering

3.1 Registration and Account Data

• Name
• Email address
• Password (stored as a hash)
• Company data (e.g. company name, address, VAT ID)

Purpose: Account management and use of the application

Legal basis: Art. 6(1)(b) GDPR

3.2 Invoice and Business Data

• Names and addresses of customers, suppliers, and business partners
• Email addresses and phone numbers
• VAT identification numbers
• Invoice and payment data (amounts, bank details, payment status)
• Service descriptions and invoice numbers
• Employee data (where indicated on invoices or documents)

Purpose: Creation, validation, and provision of electronic invoices (XRechnung, ZUGFeRD)

Legal basis:

• Art. 6(1)(b) GDPR (contract performance with the user)
• Art. 6(1)(f) GDPR (legitimate interest in providing the SaaS platform)

3.3 Technical Usage Data

• IP address
• Date and time of access
• Browser and device information
• Login times and activity logs
• Log files

Purpose: Operational security, error analysis, abuse detection

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

Personal data is generally processed on servers within the European Union (EU) or the European Economic Area (EEA). For technical provision, we use the following processors pursuant to Art. 28 GDPR:

Written data processing agreements exist with all service providers. Where providers are located outside the EU/EEA, data transfers are made exclusively on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular EU Standard Contractual Clauses (SCCs).

When using the PDF-to-XRechnung/ZUGFeRD conversion feature, uploaded invoice documents (PDF or image files) are transmitted to the API of OpenAI, Inc., USA for automated extraction of invoice data.

This may involve the transfer of personal data contained in the document (e.g. names, addresses, VAT IDs, payment data).

OpenAI does not use API inputs to improve or train models. According to OpenAI's own statements, data is deleted after a maximum of 30 days.

The transfer to the USA is based on EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

More information: openai.com/policies/privacy-policy

For technical validation of invoice documents (XRechnung, ZUGFeRD), we use the KoSIT Validator and the Mustang Validator. Validation is performed server-side. The data contained in the invoice documents is technically verified.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

For processing subscriptions and payments, we use Stripe Payments Europe Ltd., Ireland.

Payment data (e.g. name, billing address, payment information) is processed directly by Stripe. XRechnungs does not store complete payment data.

Legal basis: Art. 6(1)(b) GDPR.

More information: stripe.com/en/privacy

If you have consented, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies that enable analysis of how our website is used. We have activated IP anonymization, so your IP address is truncated within the EU.

Legal basis: Art. 6(1)(a) GDPR and § 25(1) TTDSG (consent).

Data transfer to Google servers in the USA cannot be excluded. This is based on SCCs pursuant to Art. 46 GDPR. You can revoke your consent at any time via the cookie settings.

More information: policies.google.com/privacy

We use:

• Technically necessary cookies (login, session, security)
• Analytics or statistics cookies (only with consent)

Technically necessary cookies: § 25(2) TTDSG; Art. 6(1)(f) GDPR (legitimate interest)

Analytics/statistics cookies: § 25(1) TTDSG; Art. 6(1)(a) GDPR (consent)

Personal data is only stored for as long as necessary for contract performance or as required by statutory retention obligations.

Invoice and account data remains stored as long as an active account exists.

Data deletion upon termination

Upon cancellation of the user account or termination of the usage agreement, we make your stored documents and data available for download for a period of 30 calendar days.

• We will notify you by email at least 7 days before expiry of this period about the upcoming data deletion.
• After the 30-day period, all stored data and documents will be irrevocably deleted. Recovery is technically not possible.
• The deletion is logged internally.

Please note: XRechnungs stores your documents for the duration of active account use. As a user, you are solely responsible for complying with your tax and commercial law retention obligations (§§ 147 AO, 257 HGB). We recommend regularly creating your own backup copies outside the platform.

Insofar as statutory retention obligations on our part prevent immediate deletion, the relevant data will be stored until the expiry of such obligation and then deleted without delay.

In the context of using XRechnungs, we process personal data on behalf of our customers (Art. 28 GDPR). The corresponding Data Processing Agreement (DPA) is part of the usage agreement.

By registering and using the platform, you electronically agree to the DPA. The DPA (XRechnungs – Data Processing Agreement (DPA)) is available after registration in the user area of the platform.

The DPA governs in particular the nature, scope, and purpose of processing, the sub-processors used, and the technical and organizational measures (TOMs) pursuant to Art. 32 GDPR.

You have the following rights:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR)

To exercise your rights, please contact: info@xrechnungs.de

You have the right to lodge a complaint with the competent data protection supervisory authority:

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg

www.baden-wuerttemberg.datenschutz.de

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR, in particular:

• TLS/HTTPS encryption of all data transmissions
• Two-factor authentication (2FA) for system access
• Role-based access control
• Logical tenant separation of user data
• Encrypted data backups
• Monitoring and logging of security-relevant events
• Regular security updates

The complete description of our technical and organizational measures (TOMs) is available in Annex 3 of the DPA.

Despite all technical and organizational measures, absolute protection of data against access by third parties cannot be fully guaranteed.

Automated decision-making including profiling pursuant to Art. 22 GDPR does not take place.

This privacy policy may be updated as needed. The current version is always available on this page. We will notify you by email of any significant changes.