Version 1.4 – effective 03 March 2026 · KontoCSV – https://kontocsv.de
This notice informs you pursuant to Art. 12 – 14 GDPR and § 25 TDDDG about the type, scope and purpose of processing personal data when using KontoCSV.
1 Controller
Tom Abraham
Riemekestraße 118 · 33102 Paderborn · Germany
Email support@kontocsv.de
(Fewer than 20 people regularly process personal data – no data protection officer is required under Sec. 38 BDSG. Please contact the controller directly if you have questions.)
2 Definitions
The definitions of Art. 4 GDPR apply (e.g. "processing", "personal data").
3 Hosting & Infrastructure
| Service | Location | Purpose | Legal basis | Agreement / Safeguard |
|---|---|---|---|---|
| Google Cloud Run (Google Ireland Ltd.) | Region europe-west3 (Frankfurt) | Serving website / API | Art. 6 (1) f | Cloud DPA incl. SCC, accepted 10 · 06 · 2025 |
| Supabase (Supabase Inc.) | eu-central-1 | Authentication, database, object storage | Art. 6 (1) b | DPA + SCC |
| Supabase | eu-west3 / eu-west1 | Realtime DB, storage, auth, push | Art. 6 (1) b / Art. 6 (1) f | Supabase Data Processing Terms + SCC, accepted 10 · 06 · 2025 |
| Google Vertex AI / Gemini (Google Ireland Ltd.) | Region europe-west3 (Frankfurt, Germany) | AI-assisted analysis of PDF documents | Art. 6 (1) b | Cloud Data Processing Addendum (CDPA) incl. SCC |
| Render (Render Inc.) | Frankfurt (FRA) | Operation of Python backend and document processing | Art. 6 (1) f | Data Processing Agreement (DPA) + SCC |
| Stripe (Stripe Payments Europe Ltd.) | Ireland | Payment processing | Art. 6 (1) b | Independent controller |
| Vercel Inc. | Frankfurt, eu-central-1 / fra1 | Frontend hosting, CDN, serverless functions | Art. 6 (1) f | DPA + SCC + EU-US DPF |
| Resend Inc. | Ireland (eu-west-1) | Transactional emails (registration, password reset) | Art. 6 (1) b | DPA + SCC |
| PostHog Inc. | EU (Frankfurt, AWS eu-central-1) | Web analytics, page views, clicks | Art. 6 (1) f | DPA + SCC |
| Sentry (Functional Software Inc.) | EU (Frankfurt) | Error logging and technical stability analysis of the platform | Art. 6 (1) f | Data Processing Agreement (DPA) + SCC |
Web analytics is cookieless, without cookies or local storage (PostHog cookieless_mode). No analytics cookies are set, so no consent banner is required.
4 Purposes of Processing & Legal Bases
| Processing | Data | Purpose | Legal basis |
|---|---|---|---|
| Website visit | IP address, user agent, timestamp, referrer | Technical delivery & security logs | Art. 6 (1) f |
| Registration / login | Email, password hash, session token | Performance of the contract | Art. 6 (1) b |
| PDF upload & AI analysis | PDF content, metadata | Conversion to CSV | Art. 6 (1) b |
| Payment | Name, email, card data | Performance of the contract | Art. 6 (1) b |
| Realtime sync / auth (Supabase) | Device token, app ID, event data | Live status & push notifications | Art. 6 (1) f |
| Support contact | Email, message | Handling your request | Art. 6 (1) f |
| Web analytics (PostHog, cookieless) | Anonymized user hash, page views, clicks | Product improvement & conversion optimization | Art. 6 (1) f |
| Error logs (Sentry) | technical error metadata, browser type, anonymized IP | Stability, error analysis and technical improvement of the platform | Art. 6 (1) f |
| Cookies / local storage | Session & CSRF tokens | Login persistence | § 25 (2) No. 2 TDDDG in conjunction with Art. 6 (1) f |
Sentry is used exclusively for technical error analysis. Personal data is not actively transmitted.
Error monitoring does not store uploaded document contents. Financial data, PDF content, and transaction data are never transmitted to error monitoring services. Only technical error metadata is processed.
No analytics or marketing cookies are set. Web analytics runs cookieless (PostHog cookieless_mode) without cookies or local storage, so a consent banner is not required.
5 AI Processing & Third-Country Transfers
Uploaded PDF pages are transmitted in encrypted form to AI services to automatically extract text and document structure. We primarily use Google Gemini via Vertex AI in the europe-west3 region (Frankfurt, Germany) within Google Cloud infrastructure.
- Google Gemini / Vertex AI (primary): Processing in region europe-west3 (Frankfurt, Germany) within Google Cloud infrastructure, based on the Google Cloud Data Processing Addendum (CDPA) incl. Standard Contractual Clauses (SCC).
- OpenAI (optional fallback): Used only in technical exception cases; processing in Ireland/USA with DPA 07 · 06 · 2025 incl. SCC & EU-US DPF.
The following applies to all AI services:
- Storage period: max. 30 days (API retention).
- Training: API data is not used for model training.
- Automated decisions: no decisions within the meaning of Art. 22 GDPR, only rule-based extraction.
Supabase runs in EU data centers. Processing is fully GDPR-compliant with additional technical safeguards (TLS 1.3, access controls).
6 Retention Periods
| Data type | Deletion / retention |
|---|---|
| Server logs | 30 days |
| PDF files & intermediate results | Automatic hard delete ≤ 7 days |
| Contract & invoice data | 10 years (HGB, AO) |
| Support emails | ≤ 1 year after completion |
| Session tokens | Deleted when the account is removed or user opts out |
7 Technical & Organisational Measures (TOM)
•TLS 1.3 end-to-end · AES-256 at rest
•Optional CMEK encryption in Cloud Run & Supabase
•Role & rights concept, MFA for admin accounts
•In-memory processing + 7-day deletion routine
•Pen tests & vulnerability scans at least annually
•Subprocessor monitoring (15 days prior notice)
8 Your Rights (Art. 15 – 22 GDPR)
You may request access, rectification, erasure, restriction, data portability or object at any time.
Self-service in Dashboard:
- Export data (Art. 20): Under Settings → "Export my data" you can download all your data as a JSON file.
- Delete account (Art. 17): Under Settings → "Delete account" you can permanently delete your account and all associated data.
Alternatively, contact us via email: support@kontocsv.de
You also have the right to lodge a complaint with a supervisory authority (e.g. BayLDA, Promenade 27, 91522 Ansbach).
9 Withdrawal of Consent
Processing activities based on your consent can be withdrawn at any time without formal requirements. The lawfulness of processing carried out before the withdrawal remains unaffected.
10 Obligation to Provide Data
Email, password and payment details are required for registration, PDF upload and payment. Without this data, the paid services cannot be provided.
11 Changes to this Notice
We update this privacy notice whenever processes, service providers or legal requirements change. Current version: https://kontocsv.de/en/privacy · Version 1.4 – effective 03 March 2026.