Version 1.3 – effective 10 June 2025 · KontoCSV – https://kontocsv.de
This notice informs you pursuant to Art. 12 – 14 GDPR and § 25 TTDSG about the type, scope and purpose of processing personal data when using KontoCSV.
1 Controller
Hermann Hampel
Kreuzäckerstr. 7 · 85055 Ingolstadt · Germany
Email support@kontocsv.de
(Fewer than 20 people regularly process personal data – no data protection officer is required under Sec. 38 BDSG. Please contact the controller directly if you have questions.)
2 Definitions
The definitions of Art. 4 GDPR apply (e.g. "processing", "personal data").
3 Hosting & Infrastructure
| Service | Location | Purpose | Legal basis | Agreement / Safeguard |
|---|---|---|---|---|
| Google Cloud Run (Google Ireland Ltd.) | Region europe-west3 (Frankfurt) | Serving website / API | Art. 6 (1) f | Cloud DPA incl. SCC, accepted 10 · 06 · 2025 |
| Supabase (Supabase Inc.) | eu-central-1 | Authentication, database, object storage | Art. 6 (1) b | DPA + SCC |
| Supabase | eu-west3 / eu-west1 | Realtime DB, storage, auth, push | Art. 6 (1) b / Art. 6 (1) f | Supabase Data Processing Terms + SCC, accepted 10 · 06 · 2025 |
| OpenAI (OpenAI Ireland Ltd. / OpenAI LLC) | Ireland · USA | AI-powered PDF analysis | Art. 6 (1) b | DPA 07 · 06 · 2025 incl. SCC & EU-US DPF |
| Stripe (Stripe Payments Europe Ltd.) | Ireland | Payment processing | Art. 6 (1) b | Independent controller |
| Vercel Inc. | USA (Edge: Frankfurt) | Frontend hosting, CDN, serverless functions | Art. 6 (1) f | DPA + SCC + EU-US DPF |
| Resend Inc. | USA | Transactional emails (registration, password reset) | Art. 6 (1) b | DPA + SCC |
4 Purposes of Processing & Legal Bases
| Processing | Data | Purpose | Legal basis |
|---|---|---|---|
| Website visit | IP address, user agent, timestamp, referrer | Technical delivery & security logs | Art. 6 (1) f |
| Registration / login | Email, password hash, session token | Performance of the contract | Art. 6 (1) b |
| PDF upload & AI analysis | PDF content, metadata | Conversion to CSV / XLSX | Art. 6 (1) b |
| Payment | Name, email, card data | Performance of the contract | Art. 6 (1) b |
| Realtime sync / auth (Supabase) | Device token, app ID, event data | Live status & push notifications | Art. 6 (1) f |
| Support contact | Email, message | Handling your request | Art. 6 (1) f |
| Cookies / local storage | Session & CSRF tokens | Login persistence | § 25 (2) No. 2 TTDSG in conjunction with Art. 6 (1) f |
No analytics or marketing cookies are set – a consent banner is therefore not required. If analytics or similar tools are added in the future, a consent banner will appear.
5 AI Processing & Third-Country Transfers
Uploaded PDF pages are transmitted to AI services in encrypted form so the Vision model can extract text and structure. We use the following providers:
- Google Gemini / Vertex AI (primary): Processing in region europe-west4 (Netherlands). Google Cloud DPA incl. SCC.
- OpenAI (alternative): Ireland/USA with DPA 07 · 06 · 2025 incl. SCC & EU-US DPF.
The following applies to all AI services:
- Storage period: max. 30 days (API retention).
- Training: API data is not used for model training.
- Automated decisions: no decisions within the meaning of Art. 22 GDPR, only rule-based extraction.
Supabase runs in EU data centers. Processing is fully GDPR-compliant with additional technical safeguards (TLS 1.3, access controls).
6 Retention Periods
| Data type | Deletion / retention |
|---|---|
| Server logs | 30 days |
| PDF files & intermediate results | Automatic hard delete ≤ 7 days |
| Contract & invoice data | 10 years (HGB, AO) |
| Support emails | ≤ 1 year after completion |
| Session tokens | Deleted when the account is removed or user opts out |
7 Technical & Organisational Measures (TOM)
• TLS 1.3 end-to-end · AES-256 at rest
• Optional CMEK encryption in Cloud Run & Supabase
• Role & rights concept, MFA for admin accounts
• In-memory processing + 7-day deletion routine
• Pen tests & vulnerability scans at least annually
• Subprocessor monitoring (15 days prior notice)
8 Your Rights (Art. 15 – 22 GDPR)
You may request access, rectification, erasure, restriction, data portability or object at any time.
Self-service in Dashboard:
- Export data (Art. 20): Under Settings → "Export my data" you can download all your data as a JSON file.
- Delete account (Art. 17): Under Settings → "Delete account" you can permanently delete your account and all associated data.
Alternatively, contact us via email: support@kontocsv.de
You also have the right to lodge a complaint with a supervisory authority (e.g. BayLDA, Promenade 27, 91522 Ansbach).
9 Withdrawal of Consent
Processing activities based on your consent can be withdrawn at any time without formal requirements. The lawfulness of processing carried out before the withdrawal remains unaffected.
10 Obligation to Provide Data
Email, password and payment details are required for registration, PDF upload and payment. Without this data, the paid services cannot be provided.
11 Changes to this Notice
We update this privacy notice whenever processes, service providers or legal requirements change. Current version: https://kontocsv.de/en/privacy · Effective 13 · 01 · 2026.