Confidentialité
This privacy policy explains the processing of personal data under the GDPR and the Austrian Data Protection Act (DSG). Version: July 2026. The German version prevails.
1. Controller
Michael Fellinger, Neuwiesenstraße 20, 8502 Lannach, Austria.
E-mail: office@eunormia.com.
No data protection officer has been appointed; there is no obligation to do so under Art 37 GDPR.
2. Core principle: invoice data is not stored
The invoice data and PDF files you submit are processed exclusively in memory (RAM) and are never stored permanently. Temporary conversion files reside solely in volatile memory (RAM/tmpfs) and are deleted immediately after the response is delivered. Invoice content is not logged. Legal basis: Art 6(1)(b) GDPR (performance of a contract).
Where your invoice data contains personal data of third parties (e.g. your customers), we process it on your behalf as a processor (Art 28 GDPR). The data processing agreement, which forms part of the terms of use, applies.
3. Processing activities in detail
| Processing | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| User account | e-mail, password (hash only) | account, sign-in | Art 6(1)(b) | until account deletion |
| API tokens | token (hash only), label, timestamps | API authentication | Art 6(1)(b) | until revocation |
| Quota counters | usage counters | usage limits | Art 6(1)(b),(f) | current period |
| Sign-in events | shortened IP address, timestamp | IT security | Art 6(1)(f) | max. 2 months |
| Reach measurement | path, per-day salted IP hash, coarse origin (country/region), coarse client class, referrer host | anonymous statistics, operation | Art 6(1)(f) | aggregated/anonymous |
| Contact/feedback | e-mail, free text, optional rating | handling your request | Art 6(1)(b),(f) | until resolved |
| Two-factor auth | TOTP secret, recovery codes (hashed) | account security (optional) | Art 6(1)(b),(f) | until disabled |
For reach measurement, the IP address is processed exclusively as a per-day salted hash and never stored in clear text; we cannot trace it back to an individual.
4. Coarse origin lookup (GeoIP)
For coarse, anonymous analysis (country/region) we resolve the IP address using a local database (data source: IP Geolocation by DB-IP, CC-BY-4.0). The IP address is used only transiently in memory and is not transmitted to any third party; only the coarse result (country code/region name) is stored. Legal basis: Art 6(1)(f) GDPR.
5. Sign in with Google (optional)
If you use “Sign in with Google”, you are redirected to Google and the data required for sign-in (including your e-mail address) is transmitted to Google. The provider is Google Ireland Limited; this may involve a transfer to the USA (safeguarded via the EU-U.S. Data Privacy Framework and/or EU standard contractual clauses). Legal basis: Art 6(1)(b) GDPR. Using Google is voluntary; sign-in by e-mail/password is available as an alternative.
6. Cookies and reach measurement
We use only strictly necessary cookies (sign-in/session cookie and a CSRF security token). These are required for operation and are exempt from consent under § 165(3) TKG 2021. Our reach measurement is cookie-free and server-side (path and per-day salted IP hash only; no clear-text user agent, no clear-text referrer, no storage on your device). In our assessment, no cookie consent (no cookie banner) is therefore required. Should we introduce consent-requiring technologies in future, we will obtain your consent beforehand.
7. Recipients / processors
- netcup GmbH, Karlsruhe (Germany) — hosting/data centre (servers in Germany/EU) and e-mail delivery. Processor under Art 28 GDPR; a data processing agreement has been concluded.
- Google Ireland Limited — only when using “Sign in with Google” (see section 5).
Beyond this, we disclose personal data only where legally required to do so.
8. Transfers to third countries
A transfer to a third country occurs only when using Google (see section 5), safeguarded via the EU-U.S. Data Privacy Framework or standard contractual clauses. Otherwise, processing takes place within the EU/EEA.
9. Your rights
You have the right of access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), data portability (Art 20) and to object to processing based on legitimate interests (Art 21 GDPR). You can delete your account yourself at any time in the dashboard (Art 17 GDPR); this anonymises the account and revokes all tokens.
Right to complain: you may lodge a complaint with the Austrian Data Protection Authority (Barichgasse 40–42, 1030 Vienna, www.dsb.gv.at).
10. No automated decision-making
There is no automated decision-making or profiling with legal effect (Art 22 GDPR). Invoice validation is a purely technical check with no assessment of individuals.