Confidentialité

This privacy policy explains the processing of personal data under the GDPR and the Austrian Data Protection Act (DSG). Version: July 2026. The German version prevails.

1. Controller

Michael Fellinger, Neuwiesenstraße 20, 8502 Lannach, Austria.
E-mail: office@eunormia.com.
No data protection officer has been appointed; there is no obligation to do so under Art 37 GDPR.

2. Core principle: invoice data is not stored

The invoice data and PDF files you submit are processed exclusively in memory (RAM) and are never stored permanently. Temporary conversion files reside solely in volatile memory (RAM/tmpfs) and are deleted immediately after the response is delivered. Invoice content is not logged. Legal basis: Art 6(1)(b) GDPR (performance of a contract).

Where your invoice data contains personal data of third parties (e.g. your customers), we process it on your behalf as a processor (Art 28 GDPR). The data processing agreement, which forms part of the terms of use, applies.

3. Processing activities in detail

ProcessingDataPurposeLegal basisRetention
User accounte-mail, password (hash only)account, sign-inArt 6(1)(b)until account deletion
API tokenstoken (hash only), label, timestampsAPI authenticationArt 6(1)(b)until revocation
Quota countersusage countersusage limitsArt 6(1)(b),(f)current period
Sign-in eventsshortened IP address, timestampIT securityArt 6(1)(f)max. 2 months
Reach measurementpath, per-day salted IP hash, coarse origin (country/region), coarse client class, referrer hostanonymous statistics, operationArt 6(1)(f)aggregated/anonymous
Contact/feedbacke-mail, free text, optional ratinghandling your requestArt 6(1)(b),(f)until resolved
Two-factor authTOTP secret, recovery codes (hashed)account security (optional)Art 6(1)(b),(f)until disabled

For reach measurement, the IP address is processed exclusively as a per-day salted hash and never stored in clear text; we cannot trace it back to an individual.

4. Coarse origin lookup (GeoIP)

For coarse, anonymous analysis (country/region) we resolve the IP address using a local database (data source: IP Geolocation by DB-IP, CC-BY-4.0). The IP address is used only transiently in memory and is not transmitted to any third party; only the coarse result (country code/region name) is stored. Legal basis: Art 6(1)(f) GDPR.

5. Sign in with Google (optional)

If you use “Sign in with Google”, you are redirected to Google and the data required for sign-in (including your e-mail address) is transmitted to Google. The provider is Google Ireland Limited; this may involve a transfer to the USA (safeguarded via the EU-U.S. Data Privacy Framework and/or EU standard contractual clauses). Legal basis: Art 6(1)(b) GDPR. Using Google is voluntary; sign-in by e-mail/password is available as an alternative.

6. Cookies and reach measurement

We use only strictly necessary cookies (sign-in/session cookie and a CSRF security token). These are required for operation and are exempt from consent under § 165(3) TKG 2021. Our reach measurement is cookie-free and server-side (path and per-day salted IP hash only; no clear-text user agent, no clear-text referrer, no storage on your device). In our assessment, no cookie consent (no cookie banner) is therefore required. Should we introduce consent-requiring technologies in future, we will obtain your consent beforehand.

7. Recipients / processors

Beyond this, we disclose personal data only where legally required to do so.

8. Transfers to third countries

A transfer to a third country occurs only when using Google (see section 5), safeguarded via the EU-U.S. Data Privacy Framework or standard contractual clauses. Otherwise, processing takes place within the EU/EEA.

9. Your rights

You have the right of access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), data portability (Art 20) and to object to processing based on legitimate interests (Art 21 GDPR). You can delete your account yourself at any time in the dashboard (Art 17 GDPR); this anonymises the account and revokes all tokens.

Right to complain: you may lodge a complaint with the Austrian Data Protection Authority (Barichgasse 40–42, 1030 Vienna, www.dsb.gv.at).

10. No automated decision-making

There is no automated decision-making or profiling with legal effect (Art 22 GDPR). Invoice validation is a purely technical check with no assessment of individuals.