Privacy Policy
Last updated: February 24, 2026
This Privacy Policy explains how Business Automatica GmbH (“we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you use the eInvoice Converter service (“Service”). This policy applies to all users of our website and Service, whether on a free or paid plan.
We are committed to protecting your privacy and processing your data in accordance with the EU General Data Protection Regulation (GDPR/DSGVO), the German Federal Data Protection Act (BDSG), and the Telecommunications Digital Services Data Protection Act (TDDDG).
1. Data Controller
The data controller responsible for the processing of your personal data is:
Business Automatica GmbH
Eisenbahnstraße 28
67725 Borrstadt, Germany
Email: info@businessautomatica.com
Phone: +49 176 3208 3776
Website: www.businessautomatica.com
Data Protection Contact: info@businessautomatica.com
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Email address
- Full name (optional)
- Password (stored as a cryptographic hash, never in plain text)
- Email verification status
- Account creation date
2.2 Profile and Onboarding Data
- Company name and information
- Language preference
- Document type preferences
- Field mappings and extraction rules
- Delivery email address for converted invoices
2.3 Invoice Data (Uploaded Content)
- Original invoice files (PDF, DOCX, XLSX, CSV, PNG, JPEG)
- Extracted invoice data (names, addresses, tax IDs, bank details, amounts, line items)
- Converted eInvoice files (XRechnung, ZUGFeRD)
- Processing metadata (status, timestamps, confidence scores, validation results)
Important: Invoices typically contain personal data of third parties (e.g., names, addresses, tax identification numbers, bank account details). As the uploader, you are the data controller for this third-party data, and you are responsible for having a lawful basis to process it. We process this data solely on your behalf for the purpose of invoice conversion.
2.4 Payment and Billing Data
- Subscription plan and billing cycle
- Transaction history and invoices
Payment processing is handled by third-party payment processors (Stripe and/or Mollie). We do not store your full credit card number or bank account details on our servers.
2.5 Usage and Technical Data
- IP address
- Browser type and version
- Operating system
- Pages visited and features used
- Timestamps of access and actions
- Referrer URL
2.6 Communication Data
- Email inbox alias (for email-based invoice submissions)
- Support correspondence
- Email notifications sent by us
2.7 Cookies and Similar Technologies
Please refer to our separate Cookie Policy for detailed information about the cookies and tracking technologies we use.
3. Purposes and Legal Basis of Processing
We process your personal data for the following purposes, each with a corresponding legal basis under GDPR Article 6(1):
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account creation and management | Account data, profile data | Art. 6(1)(b) — Contract |
| Providing the invoice conversion service | Invoice data, account data | Art. 6(1)(b) — Contract |
| AI-powered data extraction and conversion | Invoice data | Art. 6(1)(b) — Contract |
| Payment processing and billing | Payment data, account data | Art. 6(1)(b) — Contract |
| Compliance with legal obligations (e.g., tax, accounting) | Account data, payment data, invoice metadata | Art. 6(1)(c) — Legal obligation |
| Service improvement, error resolution, and security | Usage data, technical data | Art. 6(1)(f) — Legitimate interest |
| Communication (service notifications, support) | Account data, communication data | Art. 6(1)(b) / Art. 6(1)(f) |
| Cookie-based analytics (if applicable) | Usage data, cookies | Art. 6(1)(a) — Consent |
Where we rely on legitimate interests (Art. 6(1)(f)), our interests are: ensuring the security and stability of our Service, preventing fraud, improving our Service, and providing customer support.
4. AI Processing Disclosure
Our Service uses artificial intelligence (AI) to extract data from your uploaded invoices and convert them into structured eInvoice formats (XRechnung, ZUGFeRD).
4.1 How AI Processing Works
When you upload an invoice, the content of the document is sent to an AI model (provided by Anthropic, Inc.) via their commercial API. The AI analyzes the document to identify and extract structured invoice data (e.g., seller/buyer information, line items, tax details). This extracted data is then used to generate the compliant eInvoice output.
4.2 Data Sent to AI Provider
The text content and/or images of your uploaded invoices are transmitted to Anthropic's API servers for processing. This may include personal data contained within the invoices (names, addresses, tax IDs, etc.).
4.3 No AI Training
Your invoice data is NOT used to train AI models. Under Anthropic's commercial API terms, customer data submitted through the API is not used for model training purposes.
4.4 AI Provider Data Retention
Anthropic retains API input and output data for a limited period (currently up to 30 days) for safety and abuse monitoring purposes, after which it is automatically deleted. This retention is governed by Anthropic's data processing terms and applicable Standard Contractual Clauses.
4.5 No Automated Decision-Making with Legal Effects
The AI processing in our Service is used solely for data extraction and format conversion. It does not make automated decisions that produce legal effects or similarly significantly affect you within the meaning of GDPR Article 22.
5. Data Sharing and Recipients
We share your personal data with the following categories of recipients only to the extent necessary:
5.1 Sub-Processors and Service Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic, Inc. | AI-powered invoice data extraction | Invoice content | United States |
| Supabase, Inc. | Authentication, database hosting | Account data, profile data | EU (Frankfurt) / US |
| Amazon Web Services (AWS) | File storage (S3), email processing | Invoice files, email data | EU (eu-central-1, Frankfurt) |
| Stripe, Inc. | Payment processing | Payment data | United States / EU |
| Mollie B.V. | Payment processing | Payment data | Netherlands (EU) |
| Resend, Inc. | Transactional email delivery | Email addresses, notification content | United States |
A current list of our sub-processors is available upon request at info@businessautomatica.com.
5.2 Legal and Regulatory Disclosures
We may disclose your data if required by law, court order, or regulatory request, or to protect our rights, property, or safety.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer.
We do NOT sell your personal data to third parties. We do NOT share your data for advertising or marketing purposes with third parties.
6. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA), specifically in the United States. For these transfers, we rely on the following legal safeguards:
- EU-U.S. Data Privacy Framework (where the recipient is certified)
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission
- Additional technical and organizational measures (encryption in transit and at rest)
You may request a copy of the applicable safeguards by contacting us at info@businessautomatica.com.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of your account + 30 days after deletion request |
| Uploaded invoice files and converted eInvoice files | Depends on your subscription plan: Free plan — 30 days; Standard plan — up to 1 year; Premium/Custom plans — up to 7 years or indefinite. Files are automatically deleted upon expiry. You may also delete files manually at any time. |
| Payment and billing records | 10 years (as required by German commercial and tax law, HGB § 257, AO § 147) |
| Usage and technical logs | 90 days |
| Communication records | Duration of account + 3 years (statute of limitations) |
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., financial records).
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+)
- Encryption of data at rest (AES-256 for stored files)
- Secure authentication via Supabase Auth with hashed passwords
- Role-based access controls
- Tenant isolation (your data is never accessible to other users)
- Regular security assessments
- Presigned URLs with limited validity for file access (default: 1 hour)
- Secure key management for API credentials and secrets
9. Your Rights (GDPR Articles 15–22)
As a data subject, you have the following rights:
9.1 Right of Access (Art. 15)
You may request confirmation of whether we process your personal data and obtain a copy of that data.
9.2 Right to Rectification (Art. 16)
You may request correction of inaccurate personal data or completion of incomplete data.
9.3 Right to Erasure (“Right to Be Forgotten”) (Art. 17)
You may request deletion of your personal data, subject to legal retention obligations.
9.4 Right to Restriction of Processing (Art. 18)
You may request that we restrict the processing of your data under certain conditions.
9.5 Right to Data Portability (Art. 20)
You may request to receive your personal data in a structured, commonly used, machine-readable format, or to have it transmitted to another controller.
9.6 Right to Object (Art. 21)
You may object to the processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
9.7 Right to Withdraw Consent (Art. 7(3))
Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI RLP)
Hintere Bleiche 34
55116 Mainz, Germany
Website: www.datenschutz.rlp.de
To exercise any of these rights, please contact us at: info@businessautomatica.com. We will respond to your request within one month of receipt.
10. Data Processing Agreement (DPA)
If you use our Service in a business capacity and process personal data of third parties through our Service (e.g., personal data contained in invoices), we act as your data processor under GDPR Article 28. A Data Processing Agreement (Auftragsverarbeitungsvertrag/AVV) is available upon request at info@businessautomatica.com.
11. Children's Data
Our Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
12. Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a new “Last Updated” date
- Sending an email notification to the address associated with your account (for material changes)
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Business Automatica GmbH
Eisenbahnstraße 28
67725 Borrstadt, Germany
Email: info@businessautomatica.com
Phone: +49 176 3208 3776
Website: www.businessautomatica.com