Privacy Policy
This statement informs you about the nature, scope, and purpose of the processing of personal data when using XRechnungs.
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Geury Roustand
Sole trader
trading under the name "XRechnungs"
Bahnhofstraße 24
73033 Göppingen
Germany
Email: info@xrechnungs.de
A data protection officer has not been appointed, as there is no legal obligation to do so.
We process personal data exclusively in accordance with the GDPR and the applicable national data protection regulations (in particular the BDSG).
Processing is carried out for:
3.1 Registration and Account Data
Purpose: Account management and use of the application
Legal basis: Art. 6(1)(b) GDPR
3.2 Invoice and Business Data
Purpose: Creation, validation, and provision of electronic invoices (XRechnung, ZUGFeRD)
Legal basis:
3.3 Technical Usage Data
Purpose: Operational security, error analysis, abuse detection
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
3.4 Error Analysis and Stability Monitoring
We use Sentry, a service provided by Functional Software, Inc., San Francisco, USA (“Sentry”), to improve the technical stability of our application by monitoring system stability and identifying code errors.
Sentry is used exclusively for these purposes and not for advertising. Data collection is minimized.
We do not knowingly transmit personal data such as names, email addresses, payment data, invoice documents, XML files, PDF files or attachments to Sentry. Where possible, personal data is removed or truncated before transmission.
The transmitted error data is stored only for as long as necessary to analyze and resolve technical errors.
Processing is based on our legitimate interest in the security, stability and troubleshooting of our application pursuant to Art. 6(1)(f) GDPR.
The core processing of production data, in particular the production database, invoice data, customer data, invoice documents, XML files, PDF files, and attachments, takes place exclusively on servers within the European Union (EU) or the European Economic Area (EEA). The backend, production database, and document storage are currently operated within the EU on Hetzner infrastructure. For technical provision, we use the following service providers:
| Service Provider | Location / Execution | Purpose | Legal Basis / Transfer Mechanism | Evidence / Certification |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Server infrastructure hosting, backend operations, and production database | Agreement pursuant to Art. 28 GDPR | DPA / provider's data protection documentation |
| Hetzner Online GmbH / Object Storage | Germany (EU) | Storage of invoice documents, XML files, PDF files, and attachments | Agreement pursuant to Art. 28 GDPR | DPA / provider's data protection documentation |
| Vercel Inc. | USA, technical execution in EU regions where configured | Provision of the web frontend, CDN, deployment, and technical access and log data; no storage of the production database, invoice documents, XML files, PDF files, or attachments. Configured EU regions: cdg1 (Paris), arn1 (Stockholm), dub1 (Dublin), and fra1 (Frankfurt) | EU-US Data Privacy Framework, where currently certified; supplemented by SCCs pursuant to Art. 46(2)(c) GDPR | DPF list entry / provider's privacy notices |
| Stripe Payments Europe, Limited | Ireland (EU) | Payment processing and subscription management; processing of payment data as part of the checkout and subscription process | Agreement pursuant to Art. 28 GDPR; insofar as third-country transfers occur, in accordance with the provider's data protection documentation | DPA / provider's data protection documentation |
| Resend Inc. | USA, server location Ireland (EU) where configured | Sending transactional system emails | EU-US Data Privacy Framework, where currently certified; supplemented by SCCs pursuant to Art. 46(2)(c) GDPR | DPF list entry / provider's DPA |
| Sentry / Functional Software, Inc. | USA | Error analysis, technical stability monitoring and identification of code errors; no knowing transmission of invoice documents, XML files, PDF files or attachments | EU-US Data Privacy Framework, where currently certified; supplemented by SCCs pursuant to Art. 46(2)(c) GDPR | DPA / provider's data protection documentation |
| OpenAI, Inc. | USA | AI-powered text recognition/OCR only when actively using the PDF-to-XRechnung/ZUGFeRD conversion feature | SCCs pursuant to Art. 46(2)(c) GDPR or an adequacy decision pursuant to Art. 45 GDPR, where applicable | DPA / provider's data protection documentation |
For providers within the EU/EEA, an agreement pursuant to Art. 28 GDPR is in place. Where providers based in the USA are used, personal data is transferred primarily on the basis of an adequacy decision pursuant to Art. 45 GDPR, in particular the EU-US Data Privacy Framework, provided the respective recipient is currently certified. Additionally, or where required, EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are agreed. The current certification status of each affected provider is regularly reviewed and documented.
When using the PDF-to-XRechnung/ZUGFeRD conversion feature, uploaded invoice documents (PDF or image files) are transmitted to the API of OpenAI, Inc., USA for automated extraction of invoice data.
This may involve the transfer of personal data contained in the document (e.g. names, addresses, VAT IDs, bank details, or payment terms).
By default, OpenAI does not use API inputs to improve or train models. According to OpenAI, API inputs and outputs may generally be retained for up to 30 days to provide the services and detect abuse, unless a different retention setting or legal obligation applies.
The transfer to the USA is based on EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR or an adequacy decision pursuant to Art. 45 GDPR, where applicable.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
More information: openai.com/policies/privacy-policy
For technical validation of invoice documents (XRechnung, ZUGFeRD), we use the KoSIT Validator and the Mustang Validator. Validation is performed server-side. The data contained in the invoice documents is technically verified.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
For processing subscriptions and payments, we use Stripe Payments Europe, Limited, Ireland.
Payment data within the checkout and subscription process, in particular complete credit card or SEPA payment data, is processed directly by Stripe. XRechnungs does not store complete payment instrument data, but only the subscription and payment status data required for contract and account management.
Legal basis: Art. 6(1)(b) GDPR.
More information: stripe.com/en/privacy
If you have consented, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics uses cookies that enable analysis of how our website is used. We have activated IP anonymization, so your IP address is truncated within the EU.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent).
Data transfer to Google servers in the USA cannot be excluded. This is based on SCCs pursuant to Art. 46 GDPR. You can revoke your consent at any time via the cookie settings.
More information: policies.google.com/privacy
We use:
Technically necessary cookies: § 25(2) TDDDG; Art. 6(1)(f) GDPR (legitimate interest)
Analytics/statistics cookies: § 25(1) TDDDG; Art. 6(1)(a) GDPR (consent)
Personal data is only stored for as long as necessary for contract performance or as required by statutory retention obligations.
Invoice and account data remains stored as long as an active account exists.
Data deletion upon termination
Upon termination of the usage agreement or cancellation of the user account, you may, at your choice, request the return or deletion of the personal data processed on your behalf.
Please note: XRechnungs stores your documents for the duration of active account use. You remain responsible for fulfilling your own tax and commercial law retention obligations (§§ 147 AO, 257 HGB). We recommend regularly creating your own backup copies outside the platform.
Insofar as statutory retention obligations on our part prevent immediate deletion, the relevant data will be stored until the expiry of such obligation and then deleted without delay.
In the context of using XRechnungs, we process personal data on behalf of our customers (Art. 28 GDPR). The corresponding Data Processing Agreement (DPA) is part of the usage agreement.
By registering and using the platform, you electronically agree to the DPA. The DPA (XRechnungs – Data Processing Agreement (DPA)) is available after registration in the user area of the platform.
The DPA governs in particular the nature, scope, and purpose of processing, the sub-processors used, and the technical and organizational measures (TOMs) pursuant to Art. 32 GDPR.
You have the following rights:
To exercise your rights, please contact: info@xrechnungs.de
You have the right to lodge a complaint with the competent data protection supervisory authority:
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR, in particular:
The complete description of our technical and organizational measures (TOMs) is available in Annex 3 of the DPA.
Despite all technical and organizational measures, absolute protection of data against access by third parties cannot be fully guaranteed.
Automated decision-making including profiling pursuant to Art. 22 GDPR does not take place.
This privacy policy may be updated as needed. The current version is always available on this page. We will notify you by email of any significant changes.
Last updated: July 2026 | Version 1.2 | XRechnungs – Geury Roustand, Bahnhofstraße 24, 73033 Göppingen