Privacy Policy

1. Data Controller

NextGen IT Solutions GmbH
Stockholmer Platz 1, 70173 Stuttgart, Germany
E-Mail: [E-Mail]
Managing Director: Sage Michael Speer

2. Overview of Data Processing

We process personal data only to the extent necessary to provide our SaaS platform for AI-powered invoice processing. This privacy policy informs you pursuant to Art. 13 and 14 GDPR about the processing of your data.

3. Types of Data Processed

  • Account Data: Name, email address, password (hashed)
  • Invoice Data: Uploaded PDF invoices, extracted data (supplier names, amounts, tax rates, invoice numbers)
  • Usage Data: IP address, browser type, access times, page views
  • Integration Data: SevDesk API tokens (AES-256 encrypted), tenant information

4. Purpose and Legal Basis

Contract Performance (Art. 6(1)(b) GDPR):

Processing of your account data to provide the service, processing of invoice data for extraction and validation, SevDesk API integration.

Legitimate Interest (Art. 6(1)(f) GDPR):

Security logging, error analysis, service improvement, fraud prevention.

Legal Obligations (Art. 6(1)(c) GDPR):

GoBD-compliant retention of audit logs (10 years pursuant to §147 AO).

5. Data Processors (Third Parties)

To provide our service, we use the following data processors:

Provider                    Purpose                           Location
Microsoft Azure (OpenAI)    AI invoice extraction (GPT-4o)    Germany West Central (EU)
Hetzner Online GmbH         Server hosting                    Germany
SevDesk GmbH                Accounting API integration        Germany

6. AI-Powered Processing

Our platform uses Azure OpenAI (GPT-4o) for automatic extraction of data from uploaded invoices. Processing takes place in the Azure Germany West Central (EU) region. Your invoice data is used exclusively for extraction and is not used to train AI models. All extraction results are presented to the user for review (human-in-the-loop).

7. Data Retention

  • Account data: Until account deletion by the user
  • Invoice data: 10 years (GoBD retention requirement per §147 AO)
  • Audit logs: 10 years (GoBD retention requirement)
  • Usage data: 90 days

8. Your Rights (Art. 15–21 GDPR)

You have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request a copy of your stored data. This feature is available in your account settings under "Privacy & GDPR".
  • Right to rectification (Art. 16): You can have incorrect data corrected.
  • Right to erasure (Art. 17): You can request deletion of your data, provided no legal retention obligations apply. Account deletion is available in settings.
  • Right to data portability (Art. 20): You can export your data in a machine-readable format (JSON/CSV).
  • Right to object (Art. 21): You can object to processing based on legitimate interests.

To exercise your rights, contact us at: [E-Mail]

9. Data Security

We protect your data through comprehensive technical and organizational measures: AES-256 encryption for stored data and API tokens, TLS encryption for all data transfers, role-based access control (RBAC), audit logging of all access, and regular security reviews.

10. Cookies

We use only technically necessary cookies for session management and authentication. These cookies are required for the operation of the service and cannot be disabled. We do not use tracking or analytics cookies.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent data protection supervisory authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart
Phone: +49 711 615541-0
E-Mail: poststelle@lfdi.bwl.de

12. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or modifications to the service. The current version is always available on this page.

Last updated: February 2026