Privacy Policy

1. Identity of Data Controller (Imprint)

Data Controller: Felix Gräber (operating as a registered Gewerbe in Germany).

Business Address: CAYA Postbox 652326, 96035 Bamberg, Germany
Contact Email: contact@invoice-converter.com

(Note: Invoice-Converter.com is not a limited liability company. It is operated by an individual sole proprietor. As such, Felix Gräber is personally responsible for the business. Liability is not limited by corporate status.)

2. Web Hosting and Service Providers

Hosting (Render): Our backend servers and database are hosted via Render, located in Frankfurt, Germany (EU). Your data is initially processed and stored on servers within Germany, ensuring GDPR-level protection.

Cloudflare (Domain Management & Security): We use Cloudflare for domain, DNS, and security services. Traffic passes through Cloudflare's global network, which may temporarily process your IP address and request data. Cloudflare employs Standard Contractual Clauses (SCCs) for international data transfers.

OpenAI API: We use the OpenAI API (provided by OpenAI in the U.S.) to convert invoice content. Invoice data is sent securely to the API for processing and returned to fulfill your request. We rely on OpenAI's Data Processing Addendum and SCCs to protect your data under GDPR standards.

Google Tag Manager & Google Analytics: We use Google Tag Manager to load Google Analytics, which helps us understand site usage. Google Analytics may place cookies and transfer data to Google servers in the U.S. Google uses SCCs and IP anonymization to safeguard EU data.

Mistral AI: We leverage large‑language‑model APIs from Mistral AI (Paris, France) to improve invoice data extraction. Processing is performed within the EU.

Google AI Platform (planned): We plan to integrate Google AI services in the future. If activated, invoice data may be processed by Google Ireland Ltd./Google LLC under Standard Contractual Clauses (SCCs). We will update this Policy before activation.

Stripe: Payments are processed via Stripe Technology Europe (Dublin, Ireland) and Stripe, Inc. (USA). Your billing details (e‑mail, payment method, address) are shared with Stripe under SCCs.

Supabase: We use Supabase (hosted in Frankfurt, Germany) for authentication and the user database. Supabase may access data from the USA for support under SCCs.

3. Personal Data We Collect and Use

a. Visiting Our Website: We collect technical data (IP address, time of access, referrer URL, etc.) in server logs for security and performance analysis. This processing is based on our legitimate interests (Art. 6(1)(f) GDPR).

b. Creating an Account: We collect necessary registration data (email address, hashed password, optionally your name/company). The legal basis is contract performance (Art. 6(1)(b) GDPR).

c. Converting Invoices: When you upload a PDF for conversion, its content may include personal data (names, addresses, line items). We transmit it securely to the OpenAI API, receive the converted output, then delete both the source file and result from our servers. We do not store invoice data permanently.

d. Cookies and Tracking: We use essential cookies for site functionality and analytics cookies (with your consent) to measure performance. You can opt out of analytics by rejecting cookies in our banner or by installing the Google Analytics Opt-out Browser Add-on.

e. Marketing Communications: When you create an account, we use your email address to send service updates, promotional content, newsletters, and marketing communications about our services and industry-related information. The legal basis for this processing is our legitimate business interest (Art. 6(1)(f) GDPR) in keeping customers informed about relevant services and updates, or your consent where required by applicable law. You can opt out at any time using the unsubscribe link in our emails or by contacting us directly.

4. Data Processing for Invoice Conversion (Processing on Behalf)

When you upload invoices for conversion, we act as a data processor on your behalf. The data within these invoices may contain personal data of third parties (e.g., your customers or suppliers). Your use of the Service for this purpose is governed by our Data Processing Agreement (DPA), which complies with Article 28 GDPR. You can find the DPA here.

We process this invoice data solely for the purpose of providing the conversion service to you. We do not share this data with third parties, except as necessary to fulfill the contract (e.g., payment service providers) or as required by law.

5. Data Retention and Deletion

- Invoices: We do not retain uploaded files after conversion; they are deleted once processed.

- Account Data: We keep registration info as long as you have an account. You may delete your account anytime, and we will remove your data unless legally required to keep it longer.

- Analytics: Google Analytics data is typically kept for 2 months. We use aggregated data to understand traffic patterns.

- Marketing Communications: We retain your email address for marketing communications as long as you have an account and have not opted out. When you opt out or delete your account, we immediately stop sending marketing emails and remove your data from marketing lists. We may retain opt-out records to respect your preferences and for compliance purposes.

- Server Logs: Automatically deleted after a short period unless needed for security investigations.

6. Your Rights

You have the right to:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of Processing (Art. 18 GDPR)
• Data Portability (Art. 20 GDPR)
• Object (Art. 21 GDPR), especially to direct marketing or certain legitimate-interest processing
• Withdraw Consent at any time, without affecting prior lawful processing

To exercise these rights, email us at contact@invoice-converter.com. We may ask for identity verification. We typically respond within one month.

7. Right to Lodge a Complaint

If you believe your data protection rights are violated, you can lodge a complaint with your local supervisory authority or the relevant German authority:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Website: www.lda.bayern.de
E-Mail: poststelle@lda.bayern.de

8. Data Security Measures

We use HTTPS encryption, secure hosting, and strict access controls. Passwords are hashed. Invoice files are deleted immediately after processing. Though no method is 100% secure, we strive to protect your data against unauthorized access or breach. If a breach occurs, we will notify you and authorities as required by law.

9. Disclaimer and Limitation of Liability

Accuracy of Conversion: We do not guarantee the completeness or accuracy of converted invoices. The output is provided "as is." Users must verify compliance with legal or customer requirements. We are not liable for losses arising from inaccuracies.

Service Availability: We do not guarantee uninterrupted availability; outages can occur. We are not liable for damages from service downtime or third-party failures (OpenAI, Cloudflare, hosting, etc.).

Data Transmission: We employ encryption and best practices, but transmission over the Internet has inherent risks. We are not liable for unauthorized interceptions or hacking beyond our reasonable control.

10. Changes to this Privacy Policy

We may update or modify this Policy to reflect changes in our practices or legal requirements. When we do, we will revise the "Last Updated" date and, for significant changes, notify users via email or prominent notice on our site. Your continued use of Invoice-Converter.com constitutes acceptance of the revised Policy.

11. Contact Information

For questions or requests related to this Privacy Policy, please contact:

Felix Gräber (Owner)
Email: contact@invoice-converter.com
Address: CAYA Postbox 652326, 96035 Bamberg, Germany