Introduction
Data protection has a particularly high priority for techreach GmbH (hereinafter: "we", "us"). We consider it our primary responsibility to maintain the confidentiality of the personal data you provide to us and to protect it from unauthorized access. Therefore, we use the utmost care and state-of-the-art security standards to ensure maximum protection of your personal data.
With the information presented below, we provide you with an overview of the processing of your personal data that arises in connection with the use of "anybill" (hereinafter "app") after download via an App Store.
We also want to inform you about your rights under data protection laws. We always process your personal data in accordance with the General Data Protection Regulation (hereinafter "GDPR"), the Telecommunications and Telemedia Data Protection Act (hereinafter "TTDSG") and all applicable country-specific data protection regulations.
1 Responsibility
The responsible person in the sense of the GDPR is:
techreach GmbH
Franz-Mayer-Strasse 1
93053 Regensburg
Germany
Tel.: +49 941 46297731
E-mail: hello@anybill.dehello@anybill.de
Website: www.anybill.de
2 Data Protection Officer
You can reach our data protection officer as follows:
Niklas Hanitsch, SECJUR GmbH
Steinhöft 9
20459 Hamburg
Germany
Phone number : +49 228 599 520
E-mail: dsb@secjur.com
You can contact our data protection officer directly with all questions and suggestions regarding data protection and the exercise of your rights.
3 Definition
This privacy policy is based on the terms of the GDPR. For your convenience, we would like to explain some important terms in this context:
4 No obligation to provide your personal data
We do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data.
5 Origin of the personal data
We may obtain personal information in the following ways:
5.1 Information provided by you
You have the possibility to enter information about yourself in the app.
5.2 Automatically collected and generated data
When you use our app, we collect personal data about you.
5.3 Data collected by third parties
Furthermore, data may be collected by third parties, for example when the app is downloaded by the app store operator.
6 Scope, purpose, storage period and, if applicable, recipients and third country transfer of the respective processing of personal data
6.1 General information
In the following, we will give you an overview of which personal data we process. For this purpose, we explain to what extent and for what purposes. In addition, we indicate - if available - which third-party providers we use that receive your data. Finally, we inform you whether a third country transfer takes place in the respective processing by the third party provider.
The provision of your personal data is always voluntary. However, it may be that the respective functionality only works with your information.
We will not disclose your personal data to third parties without your consent, unless this is permitted by law (e.g. because it is necessary for the performance of the contract).
6.2 Data transfer to third countries
If we transfer personal data to a third country for processing, we ensure compliance with Art. 44 et seq. GDPR, i.e., before any transfer of personal data to third parties in a country outside the European Union ("EU") or the European Economic Area ("EEA"), we check whether an adequate level of protection is ensured.
An adequate level of protection can be ensured, among other things, by the fact that an adequacy decision of the EU Commission is available, that we have concluded standard data protection clauses with the recipient and taken other additional measures, or that the third-country transfer is permitted under other guarantees regulated in Art. 46 et seq. GDPR is permissible. Where the data transfer is based on Art. 46, 47 or 49 (1) GDPR, you may obtain from us a copy of the safeguards for the existence of an adequate level of data protection in relation to the data transfer or an indication of the availability of a copy of the safeguards. Copies of these guarantees can be requested from us.
6.3 Data deletion
The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or you are not required for the purpose). If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
6.4 Security measures
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to data as well as access to, input of, disclosure of, assurance of availability of, and segregation of data relating to you. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data compromise.
Furthermore, we take into account the protection of personal data already during the development or selection of hardware, software as well as processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
The communication of the anybill app with the system (cloud servers) of techreach GmbH takes place in encrypted form throughout. The data is stored in an ISO 27001 certified data center in the EU.
6.5 Transfer of personal data
In the course of our processing of personal data, it may happen that the data is transferred to other bodies, companies, legally independent organizational units or persons or that it is disclosed to you. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into an app. In such cases, we comply with the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of the data that serve to protect your data.
6.6 The processing of personal data concerning you in the app
6.6.1 Download the app from the App Store
When you download the app, certain personal data required for this purpose is transmitted to the corresponding app store (e.g. Apple App Store or Google Play Store). We do not act as a transmitter of the data here, rather the data is processed directly by the respective app store.
We have no influence on the collection and processing of this data, which is carried out exclusively by the app store you have selected. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the respective app store. You can find more information in the privacy policy of the respective app store.
Google Play Store: https://policies.google.com/privacy
Apple App Store: https://www.apple.com/legal/privacy/de-ww/
6.6.2 Registration in the app/creation of a user account
6.6.2.1 Scope of processing
In order to use our app anybill, you must first register. The data requested is used to create your account for the anybill app. When you register, we process your name, your e-mail address and assign you a user ID.
6.6.2.2 Purpose of processing
The purpose of the processing is to perform the authentication and to manage your user account.
6.6.2.3 Legal basis
The legal basis for the data processing is the fulfillment of the contract concluded with you within the meaning of Art. 6 (1) (b) GDPR.
6.6.2.4 Storage period
We delete your personal data that we collect in connection with the registration of the app as soon as it is no longer necessary to achieve the purpose for which it was collected. We store your basic data and voluntary information as long as you actively use the anybill app. Upon inactivity of 3 years, your data will be deleted, with the option to download relevant receipt slips or delete all data. When you uninstall the app, all personal data in the app is deleted locally. However, you can of course download the app again at any time and log in to your anybill account using your login details.
6.6.3 Use of the app
6.6.3.1 Scope of processing
We can provide you with the benefits of our app if certain personal data about you that is required for app operation is collected when you use it. This includes the following personal data:
6.6.3.2 Purpose of processing
The purposes we pursue include, in particular:
6.6.3.3 Legal basis
The legal basis for data processing is, on the one hand, our legitimate interest within the meaning of Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to offer our service in a technically flawless manner.
6.6.3.4 Storage period
We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected. Automatically collected technical communication data will be deleted after 15 days at the latest .
6.6.3.5 Recipients of personal data
We use Datadog Inc, 620 8th Ave, 45th Fl, New York, NY 10018 USA to process technical logs. You can find more information about data protection at Datadog here: https://www.datadoghq.com/legal/privacy/
As a data base and for backend services, we use Microsoft Azure, a service of Microsoft Ireland Operations Limited,70 Sir John Rogerson's Quay, Dublin 2, Ireland. You can find more information about data protection at Microsoft here: https://privacy.microsoft.com/en-us/privacystatement
For the provision of texts we use Prismic.io Inc., 185 Alewife Brook Parkway, Suite 210 Cambridge Massachusetts 02138, USA. You can find more information about data protection at Microsoft here: https://prismic.io/legal/privacy
6.6.4 Permissions of the app
6.6.4.1 Scope of processing
The provision as well as use of functions of our app requires access to certain data or functions of your used device.
Our app requires the following permissions:
This gives us access to the personal data covered by the permissions that is located on your terminal device.
6.6.4.2 Purpose of processing
We need these permissions to provide app functionality.
6.6.4.3 Legal basis
The legal basis for data processing is your consent according to Art. 6 (1) (a) GDPR.
6.6.4.4 Storage period
We delete your personal data that we process on the basis of the authorizations granted as soon as they are no longer required to achieve the purpose for which they were collected.
You can change the settings on your device and revoke the permissions at any time. Granting permissions is optional. However, please note that you may not be able to use all the features of the app if you do not grant permissions or revoke them at a later time.
6.6.4.5 Recipients of personal data
For the management of permissions, we use Firebase Cloud Messaging a service provided by Google Cloud Platform, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. . Google | Privacy Policy
6.6.5 Google Analytics
6.6.5.1 Scope of processing
The app uses functions of the web analytics service Google Analytics. Here, we use non-essential cookies or similar technologies (e.g. analysis and marketing cookies). These are technologies that are not technically necessary. We use them to understand your behavior in our Application and to improve our offer. Through Google Analytics, we process the following personal data, among others:
6.6.5.2 Purpose of processing
With the help of Google Analytics, we analyze your user behavior in order to make decisions regarding product and marketing optimization based on the results.
6.6.5.3 Legal basis
The legal basis for the use of Google Analytics is your voluntary and revocable consent pursuant to Art. 6 (1) (a) GDPR.
You can consent to the processing of your data by Google Analytics using our Consent Manager , prevent the collection of your data, or revoke consent once given. To revoke, simply call up the Consent Manager in the app again.
6.6.5.4 Storage period
Personal data will be anonymized by Google 14 months after your last activity unless there is a legal obligation to retain it.
6.6.5.5 Recipients of personal data
Your data will be passed on to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to the extent necessary. Google | Privacy Policy
6.6.6 Digital receipt display
6.6.6.1 Scope of processing
The main function of the anybill app is the digital storage of receipts directly from the point-of-sale, i.e. the cash register, in the anybill app. For this purpose, all information that the merchants (our partner companies) have to provide to you in order to fulfill your receipt issuance obligation is recorded.
Instead of a paper receipt, these data categories are stored in our app in the form of a digital receipt:
If you have paid for your purchase electronically, the following information is also processed:
6.6.6.2 Purpose of processing
The purpose of the processing is to provide you with digital display of receipts.
6.6.6.3 Legal basis
The legal basis for the data processing is the fulfillment of the contract concluded with you within the meaning of Art. 6 (1) (b) GDPR.
6.6.6.4 Storage period
We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We store your basic data and voluntary information as long as you actively use the anybill app. If you decide to delete your account, your personal data from the app will be anonymized, which is equivalent to deletion.
Please note that personal data of you in the context of merchant payment receipts, which are created by the payment service provider of the merchant at the checkout in case of a card payment, must be stored for 10 years due to legal requirements of the German Commercial Code and the German Fiscal Code.
6.6.6.5 Recipients of personal data
If you have a customer card or the QR code from an app application scanned by the POS system when issuing a receipt, your user ID is transmitted to the POS system so that the receipts can be assigned accordingly in our systems.
If you scan the QR code yourself from the display of the POS system when issuing receipts, the POS system does not receive any user data at any time.
In order to send you emails, this data is transmitted to our mail service provider . These can be general letters, automated mails (e.g. password reset) and product results. For this we use MailJet by Sinch, a service of Sinch Holding AB, Lindhagensgatan 74, 112 18 Stockholm (Sweden). Information about privacy can be found here: Privacy Policy Sinch
6.6.7 Spending Manager
6.6.7.1 Scope of processing
Another feature of the anybill app is the expense manager, where your monthly expenses are listed.
6.6.7.2 Purpose of processing
The purpose of the processing is to provide you with a monthly overview of your expenses and to classify them into predefined categories for this purpose.
6.6.7.3 Legal basis
The legal basis for the data processing is the fulfillment of the contract concluded with you within the meaning of Art. 6 (1) (b) GDPR.
6.6.7.4 Storage period
We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We store your basic data and voluntary information as long as you actively use the anybill app. If you decide to delete your account, your personal data will be anonymized.
6.6.8 Link to a bank account
6.6.8.1 Scope of processing
As a further function, anybill gives you the option of linking the app to your own bank account so that you can view receipts and payments in one central location. For this purpose, the digital receipts are linked to the respective bank transaction. In doing so, we receive the following data about the transaction from the bank. The data is captured together with the receipt and attached to it:
- Amount
- Date
- Name of the payment partner
- IBAN of the payment partner
- BIC of the payment partner
- Intended use
- Bank transaction ID
- Eref the transaction
- Mref of the transaction
Furthermore, the following information about the account is processed in the app:
- Type of account
- Account holder
- Account number
- IBAN of the account
- General ID of the account
- Account balance
6.6.8.2 Purpose of processing
The purpose of the processing is to clearly bundle transactions and receipts.
6.6.8.3 Legal basis
The legal basis for the data processing is the fulfillment of the contract concluded with you within the meaning of Art. 6 (1) (b) GDPR.
6.6.8.4 Storage period
We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We store your basic data and voluntary information as long as you actively use the anybill app. If you decide to delete your account, your personal data will be anonymized.
6.6.8.5 Recipients of personal data
For loading bank transactions, we use the service of fino run GmbH , Universitätsplatz 12, 34127 Kassel, Germany. You can find more information on data protection here: https://fino.group/datenschutzerklaerung/
6.6.9 Store display
6.6.9.1 Scope of processing
The app displays the stores of retailers in your area that support our service. To display relevant stores in your vicinity, we recommend activating the location query. The smartphone and the anybill app determine this location using GPS data, identifiers of nearby Wi-Fi networks, or the mobile cell in which the device is currently logged in. At least one of these technologies must be active and the anybill app must be granted access to it so that the anybill app can determine the location. Whether a location is currently being determined by our app or not can be seen by the location icon of the respective operating system in the status bar of your smartphone. Sharing the location is optional and is therefore not mandatory for using the app. You can cancel the access granted once at any time in the settings of your smartphone.
6.6.9.2 Purpose of processing
The purpose of the processing is to display our cooperation partners.
6.6.9.3 Legal basis
The legal basis for data processing with regard to the authorization to access your location is your consent pursuant to Art. 6 (1) (a) GDPR. Otherwise, the legal basis for data processing is the fulfillment of the contract concluded with you within the meaning of Art. 6 (1) (b) GDPR.
6.6.9.4 Storage period
We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected.
6.6.9.5 Recipients of personal data
We use the Leaflet API, a map service that allows OpenStreetMap to be integrated into the app. Personal data is not exchanged with the Leaflet service. Due to the execution of the Leaflet JavaScript library directly in your browser, no data about the accessed map sections or displayed values is stored on the server side. The Leaflet library is temporarily stored in your browser's memory (cache). More information can be found here: https://leafletjs.com/
6.6.10 Help and feedback
6.6.10.1 Scope of processing
You have the possibility to contact us by e-mail. In the course of contacting you and responding to your inquiry, we process the following personal data, among others:
6.6.10.2 Purpose of processing
The purpose of the processing is to help you with your requests and to provide us with your feedback.
6.6.10.3 Legal basis
If your request is based on pre-contractual measures or an existing contract with us, the legal basis is the performance of the contract and the implementation of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR.
If your request is made independently of contractual or pre-contractual measures, the legal basis for responding to your request pursuant to Art. 6 (1) (f) GDPR is our overriding legitimate interest in answering your request and responding to the contact initiated by you.
6.6.10.4 Storage period
We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected.
6.6.10.5 Recipients of personal data
To process customer inquiries, we use the email ticketing system of Freshworks, Inc, 2950 S. Delaware Street, Suite 201, San Mateo, California 94403, USA. Privacy information can be found here: https://www.freshworks.com/privacy/
6.6.11 Technical data / Troubleshooting data
6.6.11.1 Scope of processing
To establish and maintain the connection and for troubleshooting purposes in the app, the data that your smartphone automatically transmits to us and that are required for communication with the smartphone are collected and stored in so-called log files. They are only used in the event of the occurrence of faults. These include:
- the device name
- the operating system and app version
- the mobile phone provider
- User ID
- the time of occurrence of app malfunctions
- Error message
We only process the IP address for the duration of the connection.
6.6.11.2 Purpose of processing
The purpose of the processing is to provide you with an error-free app experience.
6.6.11.3 Legal basis
The legal basis for data processing is, on the one hand, our legitimate interest within the meaning of Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to offer our service in a technically flawless manner.
6.6.11.4 Storage period
We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected. We only process the IP address for the duration of the connection. Automatically collected technical communication data is deleted after 15 days at the latest.
6.6.11.5 Recipients of personal data
We use Datadog Inc, 620 8th Ave, 45th Fl, New York, NY 10018 USA to process technical logs. You can find more information about data protection at Datadog here: https://www.datadoghq.com/legal/privacy/
6.6.12 Synchronization with third-party services
6.6.12.1 Scope of processing
The app offers you the possibility to link various external applications with your anybill account. With the help of this link, you can transfer receipts to the external application. This is done via the "Apps & Services" screen. There you can add receipts to an application, which will then be synchronized.
This is a transfer of your personal data on your instruction. The selected third party services are independently responsible for your personal data once they receive it. Please note that the service providers have their own privacy policies, which you must agree to in order to register and use the respective service.
6.6.12.2 Purpose of processing
The purpose of the processing is to link the app to additional services in order to fulfill your linking request.
6.6.12.3 Legal basis
We process your data for the fulfillment of your export request and thus for the fulfillment of the contract between you and us according to Art. 6 (1) (b) GDPR.
6.6.12.4 Storage period
We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected. With regard to the personal data that remains with us, we refer to the above collection periods.
7 Your rights
In this section, we inform you about the rights you have with regard to the processing of your data. The exact scope of the right mentioned in each case can be found in the corresponding article of the General Data Protection Regulation (GDPR). Data subject inquiries should generally be addressed to us or our data protection officer via e-mail to dsb@secjur.com.
7.1 Right to confirmation
You have the right to request confirmation from us as to whether personal data concerning you is being processed.
7.2 Information (Art. 15 GDPR)
You have the right to receive from us at any time free of charge information about the personal data stored about you, as well as a copy of this data in accordance with the statutory provisions.
7.3 Rectification (Art. 16 GDPR)
You have the right to request the correction of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, taking into account the purposes of the processing.
7.4 Erasure (Art. 17 GDPR)
You have the right to demand that personal data concerning you be deleted without delay if one of the reasons provided for by law applies and insofar as the processing or storage is not necessary.
7.5 Restriction of processing (Art. 18 GDPR)
You have the right to request that we restrict processing if one of the legal requirements is met.
7.6 Data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. Furthermore, you have the right to transfer this data to another controller without hindrance by us, to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR. Art. 6 (1) (b) GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
In addition, when exercising your right to data portability pursuant to Article 20 (1) GDPR, you have the right to have the personal data transferred directly from one controller to another controller, to the extent that this is technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.
7.7 Objection (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of data processing in the public interest pursuant to Art. 6 (1) (e) GDPR or on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.
7.8 Revocation of consent under data protection law
You have the right to revoke your consent to the processing of personal data at any time with effect for the future.
7.9 Complaint to a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a supervisory authority responsible for data protection.
8 Up-to-dateness and changes of the privacy policy
This privacy notice is currently valid and has the following status: July 2023.
If we continue to develop our app or if legal or regulatory requirements change, it may be necessary to amend this privacy notice. You can access the current privacy policy at any time here.