XRechnungs
FeaturesComplianceBenefitsPricing
Log inStart for free
Back to home

Privacy Policy

XRechnungs

This statement informs you about the nature, scope, and purpose of the processing of personal data when using XRechnungs.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Geury Roustand

Sole trader

trading under the name "XRechnungs"

Bahnhofstraße 24

73033 Göppingen

Germany

Email: info@xrechnungs.de

A data protection officer has not been appointed, as there is no legal obligation to do so.

2. General Information on Data Processing

We process personal data exclusively in accordance with the GDPR and the applicable national data protection regulations (in particular the BDSG).

Processing is carried out for:

  • Provision of our SaaS services
  • Contract performance
  • Ensuring IT security
  • Improvement of our offering

3. Types of Data Processed

3.1 Registration and Account Data

  • Name
  • Email address
  • Password (stored as a hash)
  • Company data (e.g. company name, address, VAT ID)

Purpose: Account management and use of the application

Legal basis: Art. 6(1)(b) GDPR

3.2 Invoice and Business Data

  • Names and addresses of customers, suppliers, and business partners
  • Email addresses and phone numbers
  • VAT identification numbers
  • Invoice data, in particular amounts, invoice line items, bank details, payment terms, and payment status, insofar as these are stored in the application or indicated on invoices
  • Subscription and payment status data; complete credit card or SEPA payment data for subscriptions is processed by Stripe and not stored by XRechnungs
  • Service descriptions and invoice numbers
  • Employee data (where indicated on invoices or documents)

Purpose: Creation, validation, and provision of electronic invoices (XRechnung, ZUGFeRD)

Legal basis:

  • Art. 6(1)(b) GDPR (contract performance with the user)
  • Art. 6(1)(f) GDPR (legitimate interest in providing the SaaS platform)

3.3 Technical Usage Data

  • IP address
  • Date and time of access
  • Browser and device information
  • Login times and activity logs
  • Log files

Purpose: Operational security, error analysis, abuse detection

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

3.4 Error Analysis and Stability Monitoring

We use Sentry, a service provided by Functional Software, Inc., San Francisco, USA (“Sentry”), to improve the technical stability of our application by monitoring system stability and identifying code errors.

Sentry is used exclusively for these purposes and not for advertising. Data collection is minimized.

We do not knowingly transmit personal data such as names, email addresses, payment data, invoice documents, XML files, PDF files or attachments to Sentry. Where possible, personal data is removed or truncated before transmission.

The transmitted error data is stored only for as long as necessary to analyze and resolve technical errors.

Processing is based on our legitimate interest in the security, stability and troubleshooting of our application pursuant to Art. 6(1)(f) GDPR.

4. Hosting and Processors

The core processing of production data, in particular the production database, invoice data, customer data, invoice documents, XML files, PDF files, and attachments, takes place exclusively on servers within the European Union (EU) or the European Economic Area (EEA). The backend, production database, and document storage are currently operated within the EU on Hetzner infrastructure. For technical provision, we use the following service providers:

Service ProviderLocation / ExecutionPurposeLegal Basis / Transfer MechanismEvidence / Certification
Hetzner Online GmbHGermany (EU)Server infrastructure hosting, backend operations, and production databaseAgreement pursuant to Art. 28 GDPRDPA / provider's data protection documentation
Hetzner Online GmbH / Object StorageGermany (EU)Storage of invoice documents, XML files, PDF files, and attachmentsAgreement pursuant to Art. 28 GDPRDPA / provider's data protection documentation
Vercel Inc.USA, technical execution in EU regions where configuredProvision of the web frontend, CDN, deployment, and technical access and log data; no storage of the production database, invoice documents, XML files, PDF files, or attachments. Configured EU regions: cdg1 (Paris), arn1 (Stockholm), dub1 (Dublin), and fra1 (Frankfurt)EU-US Data Privacy Framework, where currently certified; supplemented by SCCs pursuant to Art. 46(2)(c) GDPRDPF list entry / provider's privacy notices
Stripe Payments Europe, LimitedIreland (EU)Payment processing and subscription management; processing of payment data as part of the checkout and subscription processAgreement pursuant to Art. 28 GDPR; insofar as third-country transfers occur, in accordance with the provider's data protection documentationDPA / provider's data protection documentation
Resend Inc.USA, server location Ireland (EU) where configuredSending transactional system emailsEU-US Data Privacy Framework, where currently certified; supplemented by SCCs pursuant to Art. 46(2)(c) GDPRDPF list entry / provider's DPA
Sentry / Functional Software, Inc.USAError analysis, technical stability monitoring and identification of code errors; no knowing transmission of invoice documents, XML files, PDF files or attachmentsEU-US Data Privacy Framework, where currently certified; supplemented by SCCs pursuant to Art. 46(2)(c) GDPRDPA / provider's data protection documentation
OpenAI, Inc.USAAI-powered text recognition/OCR only when actively using the PDF-to-XRechnung/ZUGFeRD conversion featureSCCs pursuant to Art. 46(2)(c) GDPR or an adequacy decision pursuant to Art. 45 GDPR, where applicableDPA / provider's data protection documentation

For providers within the EU/EEA, an agreement pursuant to Art. 28 GDPR is in place. Where providers based in the USA are used, personal data is transferred primarily on the basis of an adequacy decision pursuant to Art. 45 GDPR, in particular the EU-US Data Privacy Framework, provided the respective recipient is currently certified. Additionally, or where required, EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are agreed. The current certification status of each affected provider is regularly reviewed and documented.

5. AI-Powered Text Recognition (OCR)

When using the PDF-to-XRechnung/ZUGFeRD conversion feature, uploaded invoice documents (PDF or image files) are transmitted to the API of OpenAI, Inc., USA for automated extraction of invoice data.

This may involve the transfer of personal data contained in the document (e.g. names, addresses, VAT IDs, bank details, or payment terms).

By default, OpenAI does not use API inputs to improve or train models. According to OpenAI, API inputs and outputs may generally be retained for up to 30 days to provide the services and detect abuse, unless a different retention setting or legal obligation applies.

The transfer to the USA is based on EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR or an adequacy decision pursuant to Art. 45 GDPR, where applicable.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

More information: openai.com/policies/privacy-policy

6. Invoice Validation

For technical validation of invoice documents (XRechnung, ZUGFeRD), we use the KoSIT Validator and the Mustang Validator. Validation is performed server-side. The data contained in the invoice documents is technically verified.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

7. Payment Processing

For processing subscriptions and payments, we use Stripe Payments Europe, Limited, Ireland.

Payment data within the checkout and subscription process, in particular complete credit card or SEPA payment data, is processed directly by Stripe. XRechnungs does not store complete payment instrument data, but only the subscription and payment status data required for contract and account management.

Legal basis: Art. 6(1)(b) GDPR.

More information: stripe.com/en/privacy

8. Web Analytics – Google Analytics

If you have consented, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies that enable analysis of how our website is used. We have activated IP anonymization, so your IP address is truncated within the EU.

Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent).

Data transfer to Google servers in the USA cannot be excluded. This is based on SCCs pursuant to Art. 46 GDPR. You can revoke your consent at any time via the cookie settings.

More information: policies.google.com/privacy

9. Cookies

We use:

  • Technically necessary cookies (login, session, security)
  • Analytics or statistics cookies (only with consent)

Technically necessary cookies: § 25(2) TDDDG; Art. 6(1)(f) GDPR (legitimate interest)

Analytics/statistics cookies: § 25(1) TDDDG; Art. 6(1)(a) GDPR (consent)

10. Storage Period and Data Deletion

Personal data is only stored for as long as necessary for contract performance or as required by statutory retention obligations.

Invoice and account data remains stored as long as an active account exists.

Data deletion upon termination

Upon termination of the usage agreement or cancellation of the user account, you may, at your choice, request the return or deletion of the personal data processed on your behalf.

  • For the return of data, we make the stored documents and data available for download in a common electronic format for a period of 30 calendar days.
  • If you request deletion, or if no return request or download takes place within the 30-day period, the stored data and documents will be deleted after the period expires, unless statutory retention obligations prevent this.
  • The deletion is appropriately documented internally. Recovery of the data after deletion is technically not possible.

Please note: XRechnungs stores your documents for the duration of active account use. You remain responsible for fulfilling your own tax and commercial law retention obligations (§§ 147 AO, 257 HGB). We recommend regularly creating your own backup copies outside the platform.

Insofar as statutory retention obligations on our part prevent immediate deletion, the relevant data will be stored until the expiry of such obligation and then deleted without delay.

11. Data Processing Agreement (DPA)

In the context of using XRechnungs, we process personal data on behalf of our customers (Art. 28 GDPR). The corresponding Data Processing Agreement (DPA) is part of the usage agreement.

By registering and using the platform, you electronically agree to the DPA. The DPA (XRechnungs – Data Processing Agreement (DPA)) is available after registration in the user area of the platform.

The DPA governs in particular the nature, scope, and purpose of processing, the sub-processors used, and the technical and organizational measures (TOMs) pursuant to Art. 32 GDPR.

12. Your Rights under the GDPR

You have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

To exercise your rights, please contact: info@xrechnungs.de

13. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent data protection supervisory authority:

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg

www.baden-wuerttemberg.datenschutz.de

14. Security

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR, in particular:

  • TLS/HTTPS encryption of all data transmissions
  • Role-based access control
  • Logical tenant separation of user data
  • Encrypted data backups
  • Monitoring and logging of security-relevant events
  • Regular security updates

The complete description of our technical and organizational measures (TOMs) is available in Annex 3 of the DPA.

Despite all technical and organizational measures, absolute protection of data against access by third parties cannot be fully guaranteed.

15. Automated Decision-Making

Automated decision-making including profiling pursuant to Art. 22 GDPR does not take place.

16. Changes to this Privacy Policy

This privacy policy may be updated as needed. The current version is always available on this page. We will notify you by email of any significant changes.

Last updated: July 2026 | Version 1.2 | XRechnungs – Geury Roustand, Bahnhofstraße 24, 73033 Göppingen