Data protection

The security of your data is important to us. We assure you that we comply with high security standards and will never share your personal data with third parties.

Introduction

Data protection is particularly important to techreach GmbH (hereinafter: “we”, “us”). We consider it our primary task to maintain the confidentiality of the personal information you provide and to protect it from unauthorized access. That is why we apply the utmost care and the latest security standards to ensure maximum protection of your personal data.

With the information presented below, we give you an overview of the processing of your personal data that takes place in connection with the use of “anybill” (hereinafter “app”) after download from an app store.

We also want to inform you about your rights under data protection laws. We always process your personal data in accordance with the General Data Protection Regulation (hereinafter “GDPR”), the Act on Data Protection and Privacy in Telecommunications and Telemedia (hereinafter “TTDSG”) and all applicable country-specific data protection regulations.

1 Responsibility

Responsible person within the meaning of the GDPR is:

techreach GmbH

Franz-Mayer-Strasse 1

93053 Regensburg

Germany

Phone: +49 941 46297731

Email: hello@anybill.de

Site: www.anybill.de

2 Data Protection Officer

You can contact our data protection officer as follows:

Niklas Hanitsch, secjur GmbH

Steinhoeft 9

20459 Hamburg

Germany

Telephone number: +49 228 599 520

Email: dsb@secjur.com

If you have any questions or suggestions regarding data protection and to exercise your rights, you can contact our data protection officer directly.

3 Definition

This privacy policy is based on the terms of the GDPR. To make things easier, we would like to explain some important terms in this context in more detail:

• Personal data: Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more particular characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

• Data subject: Data subject is any identified or identifiable natural person whose personal data is processed by the controller.

• Processing: Processing is any operation or series of operations carried out with or without the aid of automated processes in connection with personal data, such as collection, recording, organization, ordering, storage, adjustment or modification, reading, querying, using, disclosing through transmission, dissemination or any other form of provision, reconciliation or linking, restriction, deletion or destruction.

• Recipient: Recipient is a natural or legal person, authority, agency or other body to which personal data is disclosed, regardless of whether it is a third party or not. However, public authorities that may receive personal data as part of a specific investigation mandate under Union or Member State law are not considered recipients.

• Third party: Third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process personal data.

• Consent: Consent is any expression of will given voluntarily by the data subject in an informed and unequivocal manner in the form of a statement or other unequivocal affirmative action by which the data subject indicates that they consent to the processing of personal data concerning them.

4 No obligation to provide your personal data

We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, there is generally no legal or contractual obligation for you to provide us with your personal data; however, we may only be able to provide certain offers to a limited extent or not at all if you do not provide the necessary data.

5 Source of personal data

We may obtain personal information in the following ways:

5.1 Information provided by you

You have the option to provide information about yourself in the app.

5.2 Automatically collected and generated data

When you use our app, we collect personal data about you.

5.3 Data collected by third parties

Furthermore, data may be collected by third parties, for example when the app is downloaded by the app store operator.

6 Scope, purpose, storage period and, if applicable, recipient and third country transfer of the respective processing of personal data

6.1 General information

In the following, we give you an overview of which personal data we process. We explain to what extent and for what purposes we do so. We also indicate, if applicable, which third-party providers receive your data. Finally, we will let you know whether the respective processing by the third-party provider involves a transfer to a third country.

Providing your personal data is always voluntary. However, the respective functionality may only work if you provide your information.

We will not share your personal data with third parties without your consent, unless this is permitted by law (e.g. because this is necessary to perform the contract).

6.2 Data transfer to third countries

Insofar as we transfer personal data to a third country for processing, we ensure compliance with Art. 44 ff. GDPR, i.e. that we check whether an adequate level of protection is ensured before any transfer of personal data to third parties in a country outside the European Union (“EU”) or the European Economic Area (“EEA”).

An adequate level of protection can be ensured, among other things, by the EU Commission having adopted an adequacy decision, by our having concluded standard data protection clauses with the recipient and taken further additional measures, or by the transfer to third countries being permitted under other guarantees regulated in Art. 46 et seq. GDPR. Insofar as the data transfer is based on Art. 46, 47 or 49 (1) GDPR, you can obtain from us a copy of the guarantees of an adequate level of data protection with regard to the data transfer or an indication of the availability of a copy of the guarantees. Copies of these guarantees can be obtained from us.

6.3 Deletion of data

The data processed by us will be deleted in accordance with legal requirements as soon as the consent given for processing is withdrawn or other permissions no longer apply (e.g. if the purpose of processing this data has ceased to apply or the data is not required for the purpose). If the data is not deleted because it is required for other, legally permitted purposes, its processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

6.4 Security measures

In accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

The measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, safeguarding of availability and separation relating to it. We have also set up procedures that ensure the exercise of data subject rights, the deletion of data and responses to the data being compromised.

In addition, we take the protection of personal data into account when developing or selecting hardware, software and processes, in accordance with the principle of data protection through technology design and through privacy-friendly default settings.

Communication between the anybill app and the techreach GmbH system (cloud servers) is always encrypted. The data is stored in an ISO 27001 certified data center in the EU.

6.5 Transfer of personal data

As part of our processing of personal data, the data may be transferred to other bodies, companies, legally independent organizational units or persons, or it may be disclosed to them. Recipients of this data may include, for example, service providers tasked with IT tasks or providers of services and content that are integrated into an app. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of the data that serve to protect your data.

6.6 The processing of personal data concerning you in the app

6.6.1 Downloading the app from the App Store

When you download the app, certain necessary data about you is transmitted to the corresponding app store (e.g. Apple App Store or Google Play Store). We do not act as a transmitter of the data here; rather, the data is processed directly by the respective app store.

The following personal data about you may be processed here:

• Email address

• Username

• Customer number of the downloading account

• Time of download

• Payment information

• Individual device code

We have no influence on the collection and processing of this data; rather, it is carried out exclusively by the app store you have selected. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the respective app store. You can find more information in the privacy policies of the respective app store.

Google Play Store: https://policies.google.com/privacy

Apple App Store: https://www.apple.com/legal/privacy/de-ww/

6.6.2 Registration in the app/creation of a user account

6.6.2.1 Scope of processing

In order to use our anybill app, you must first register. The data requested is needed to create your account for the anybill app.

When you register, we process your name and email address and assign you a user ID.

6.6.2.2 Purpose of processing

The purpose of processing is to perform authentication and manage your user account.

6.6.2.3 Legal basis

The legal basis for data processing is the fulfilment of the contract concluded with you within the meaning of Article 6 (1) (b) GDPR.

6.6.2.4 Storage period

We delete your personal data that we collect in connection with registering in the app as soon as it is no longer required to achieve the purpose of the collection. We store your basic data and voluntary information as long as you actively use the anybill app. After 3 years of inactivity, your data will be deleted, with the option to download the relevant receipts or delete the entire data. When you uninstall the app, all personal data in the app is deleted locally. Of course, you can download the app again at any time and log in to your anybill account with your login details.

6.6.3 Using the app

6.6.3.1 Scope of processing

We can make the benefits of our app available to you if certain personal data required to operate the app is collected during use. This includes the following personal data:

• IP address

• Device ID

• Device type and device-specific settings and app settings as well as app properties

• The date and time of the retrieval and the amount of data transferred and the message as to whether the data exchange was complete

• Time zone

• App crash information

• Browser type and operating system

6.6.3.2 Purpose of processing

The purposes we pursue include in particular:

• Technical operation of the app

• Ensuring a smooth connection to the app

• Clarifying acts of abuse or fraud

• Problem analyses in the network

• Evaluation of system security and stability

6.6.3.3 Legal basis

The legal basis for data processing is our legitimate interest within the meaning of Article 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to provide our offering in a technically flawless manner.

6.6.3.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. Automatically collected technical communication data will be deleted after 15 days at the latest.

6.6.3.5 Recipients of personal data

We use Datadog Inc., 620 8th Ave, 45th Fl, New York, NY 10018 USA to process technical logs. You can find more information about data protection at Datadog here: https://www.datadoghq.com/legal/privacy/

As a database and for backend services, we use Microsoft Azure, a service from Microsoft Ireland Operations Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. You can find more information about data protection at Microsoft here: https://privacy.microsoft.com/en-us/privacystatement

To provide texts, we use Prismic.io Inc., 185 Alewife Brook Parkway, Suite 210, Cambridge, Massachusetts 02138, USA. You can find more information about data protection at Prismic here: https://prismic.io/legal/privacy

6.6.4 App Permissions

6.6.4.1 Scope of processing

The provision and use of functions of our app requires access to certain data or functions of the device you are using.

Our app requires the following permissions:

• Push notifications

• Location

• Camera

• Photos/saved recordings

• Device storage

• File manager to save PDF files

This gives us access to the personal data included in the permissions that is on your device.

6.6.4.2 Purpose of processing

We need these permissions to provide app functionalities.

6.6.4.3 Legal basis

The legal basis for data processing is your consent in accordance with Art. 6 (1) (a) GDPR.

6.6.4.4 Storage period

We delete your personal data, which we process on the basis of the granted authorizations, as soon as it is no longer required to achieve the purpose of collection.

You can change settings and revoke permissions on your device at any time. Granting permissions is optional. Please note, however, that you won't necessarily be able to use all features of the app if you don't grant the permissions or withdraw them later.

6.6.4.5 Recipients of personal data

To manage permissions, we use Firebase Cloud Messaging, a service provided by the Google Cloud Platform, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google | Privacy Policy

6.6.5 Google Analytics

6.6.5.1 Scope of processing

The app uses features of the web analysis service Google Analytics. We use non-essential cookies or similar technologies (e.g. analysis and marketing cookies) for this purpose. These are technologies that are not technically required. We use them to understand your behavior in our app and to improve our offerings. Through Google Analytics, we process the following personal data, among others:

• Time of request

• IP addresses

• Online identifiers (including cookie identifiers)

• Device identifiers

• Technical characteristics of users (e.g. browser type and version, device type, operating system)

• Measurement of usage behavior (e.g. views of individual pages/content, views of content in various areas, session duration/length of stay, bounce rate)

• Use of individual app functionalities (e.g. registration, adding documents and page view)

• Referral URL (the previously visited page)

6.6.5.2 Purpose of processing

With the help of Google Analytics, we analyze your user behavior in order to make decisions about product and marketing optimization based on the results.

6.6.5.3 Legal basis

In accordance with Article 6 (1) (a) GDPR, the legal basis for using Google Analytics is the voluntary and revocable consent you have given.

You can use our Consent Manager to consent to the processing of your data by Google Analytics, to prevent the collection of your data, or to withdraw consent you have already given. To withdraw, simply call up the Consent Manager in the app again.

6.6.5.4 Storage period

Google anonymizes personal data 14 months after your last activity, unless there is a legal obligation to store it.

6.6.5.5 Recipients of personal data

Your data will be passed on to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to the extent required. Google | Privacy Policy

6.6.6 Digital document delivery

6.6.6.1 Scope of processing

The main function of the AnyBill app is the digital storage of receipts directly from the point of sale, i.e. the cash register, in the AnyBill app. For this purpose, all information is collected that retailers (our partner companies) must provide to you in order to fulfill their receipt issuance obligation.

Instead of a paper receipt, these data categories are stored in our app in the form of a digital receipt:

• Shopping lists

• Retailer's company name

• Dealer address

• Purchased items

• Number of items

• Item price

• Tax rates per item

• Discount on one item

• Total shopping cart

• Tax rates with amount

• Discount on the total purchase

• Redeemed coupons

• Coupons issued

If you have paid for your purchase electronically, the following information will also be collected:

• The “Primary Account Number” (PAN) of your credit card or debit card in masked form

• Card expiration date

• Card sequence number

• Payment date

6.6.6.2 Purpose of processing

The purpose of processing is to enable documents to be delivered to you digitally.

6.6.6.3 Legal basis

The legal basis for data processing is the fulfilment of the contract concluded with you within the meaning of Article 6 (1) (b) GDPR.

6.6.6.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We store your basic data and voluntary information as long as you actively use the anybill app. If you decide to delete your account, your personal data will be anonymized by the app, which amounts to deletion.

Please note that personal data about you as part of merchant payment documents, which are created by the merchant's payment service provider at the cash register when making a card payment, must be stored for 10 years due to legal requirements of the Commercial Code and the Tax Code.

6.6.6.5 Recipients of personal data

If you have the cash register system scan a customer card or the QR code from an app when the receipt is issued, your user ID will be transmitted to the cash register system so that the receipts can be assigned accordingly in our systems.

If you scan the QR code from the POS system display yourself when issuing the receipt, the cash register system will never receive user data.

In order to send you emails, this data is transmitted to our mail delivery service provider. This can include general letters, automated emails (e.g. password reset) and product results. For this purpose, we use MailJet by Sinch, a service provided by Sinch Holding AB, Lindhagensgatan 74, 112 18 Stockholm (Sweden). Information about data protection can be found here: Privacy Policy Sinch

6.6.7 Expense manager

6.6.7.1 Scope of processing

Another function of the AnyBill app is the expense manager, which lists your monthly expenses.

6.6.7.2 Purpose of processing

The purpose of processing is to give you a monthly overview of your spending and to classify it into predefined categories for this purpose.

6.6.7.3 Legal basis

The legal basis for data processing is the fulfilment of the contract concluded with you within the meaning of Article 6 (1) (b) GDPR.

6.6.7.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We store your basic data and voluntary information as long as you actively use the anybill app. If you decide to delete your account, your personal data will be anonymized.

6.6.8 Linking to a bank account

6.6.8.1 Scope of processing

As an additional feature, anybill gives you the option to connect the app to your own bank account so that you can view receipts and payments at a central location. For this purpose, the digital documents are linked to the respective bank transaction. In doing so, we receive the following transaction data from the bank. The data is entered together with the document and attached to it:

• Amount

• Date

• Payment partner name

• Payment partner's IBAN

• Payment partner's BIC

• Intended use

• Bank transaction ID

• Transaction

• Mref of the transaction

In addition, the following information about the account is generally processed in the app:

• Type of account

• Account owner

• Account number

• Account IBAN

• General account ID

• Account balance

6.6.8.2 Purpose of processing

The purpose of processing is the clear bundling of transactions and documents.

6.6.8.3 Legal basis

The legal basis for data processing is the fulfilment of the contract concluded with you within the meaning of Article 6 (1) (b) GDPR.

6.6.8.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We store your basic data and voluntary information as long as you actively use the anybill app. If you decide to delete your account, your personal data will be anonymized.

6.6.8.5 Recipients of personal data

To load bank transactions, we use the service of fino run GmbH, Universitätsplatz 12, 34127 Kassel, Germany. You can find more information about data protection here: https://fino.group/datenschutzerklaerung/

6.6.9 Branch display

6.6.9.1 Scope of processing

The app shows the branches of retailers in your area that support our service. To display branches near you that are relevant to you, we recommend activating the location query. The smartphone and the anybill app determine this based on GPS data, identifiers of nearby WiFi networks or the mobile cell in which the device is currently logged in. At least one of these techniques must be active and the anybill app must be granted access to it so that the anybill app can determine the location. Whether or not our app is currently being located can be identified by the location icon of the respective operating system in the status bar of your smartphone. Approving the location is optional and is therefore not absolutely necessary to use the app. Once you have granted access, you can cancel it at any time in your smartphone settings.

6.6.9.2 Purpose of processing

The purpose of processing is to display our cooperation partners.

6.6.9.3 Legal basis

The legal basis for data processing with regard to permission to access your location is your consent in accordance with Art. 6 (1) (a) GDPR. Otherwise, the legal basis for data processing is the fulfilment of the contract concluded with you within the meaning of Article 6 (1) (b) GDPR.

6.6.9.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected.

6.6.9.5 Recipients of personal data

We use the Leaflet API, a map service that makes it possible to integrate OpenStreetMap into the app. Personal data is not exchanged with the Leaflet service. Because the Leaflet JavaScript library is executed directly in your browser, no data about the retrieved map sections or displayed values is stored on the server side. The Leaflet library is temporarily stored in your browser's memory (cache). You can find more information here: https://leafletjs.com/

6.6.10 Help and feedback

6.6.10.1 Scope of processing

You have the option to contact us via email. As part of contacting and responding to your request, we process the following personal data, among others:

• Name

• Email

• Date and time of request

• Other personal data that you provide to us when you contact us

6.6.10.2 Purpose of processing

The purpose of processing is to help you with your concerns and to provide us with your feedback.

6.6.10.3 Legal basis

If your request relates to pre-contractual measures or to an existing contract with us, the legal basis is the performance of the contract and implementation of pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR.

If your request is made independently of contractual or pre-contractual measures, the legal basis for responding to your request in accordance with Article 6 (1) (f) GDPR is our overriding legitimate interest in answering your request and responding to the contact you have initiated.

6.6.10.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected.

6.6.10.5 Recipients of personal data

To process customer inquiries, we use the email ticketing system from Freshworks, Inc., 2950 S. Delaware Street, Suite 201, San Mateo, California 94403, USA. Information about data protection can be found here: https://www.freshworks.com/privacy/

6.6.11 Technical data/troubleshooting data

6.6.11.1 Scope of processing

To establish and maintain the connection and for troubleshooting purposes in the app, the data that your smartphone automatically transmits to us and that is required to communicate with the smartphone is collected and stored in so-called log files. They are used only in case of malfunctions. This includes:

• Device name

• Operating system and app version

• Mobile phone provider

• User ID

• The time when app malfunctions occurred

• Error message

We only process the IP address for the duration of the connection.

6.6.11.2 Purpose of processing

The purpose of processing is to provide you with an error-free app experience.

6.6.11.3 Legal basis

The legal basis for data processing is our legitimate interest within the meaning of Article 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to provide our offering in a technically flawless manner.

6.6.11.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. We only process the IP address for the duration of the connection. Automatically collected technical communication data will be deleted after 15 days at the latest.

6.6.11.5 Recipients of personal data

We use Datadog Inc., 620 8th Ave, 45th Fl, New York, NY 10018 USA to process technical logs. You can find more information about data protection at Datadog here: https://www.datadoghq.com/legal/privacy/

6.6.12 Synchronization with third-party services

6.6.12.1 Scope of processing

Through the app, we offer you the option to connect various external applications with your anybill account. With this link, you can transfer documents to the external application. This is done via the “Apps & Services” screen. There you can add documents to an application, which are then synchronized.

This is a transfer of your personal data on your instructions. The selected third-party services are independently responsible for your personal data from the moment they receive it. Please note that the service providers have their own privacy policies, which you must agree to in order to register and use the respective service.

6.6.12.2 Purpose of processing

The purpose of processing is to connect the app with other services in order to fulfill your connection request.

6.6.12.3 Legal basis

We process your data to fulfill your export request and thus to fulfill the contract between you and us in accordance with Art. 6 para. 1 lit. b GDPR.

6.6.12.4 Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. With regard to the personal data remaining with us, we refer to the tax obligations mentioned above.

7 Your rights

In this section, we will tell you what rights you have with regard to the processing of your data. The exact scope of the respective right can be found in the corresponding article of the General Data Protection Regulation (GDPR). Data subject inquiries should always be addressed to us or our data protection officer via email to dsb@secjur.com.

7.1 Right to confirmation

You have the right to request confirmation from us as to whether personal data concerning you is being processed.

7.2 Information (Art. 15 GDPR)

You have the right to receive information from us at any time, free of charge, about the personal data stored about you and a copy of this data in accordance with legal provisions.

7.3 Correction (Article 16 GDPR)

You have the right to request that incorrect personal data concerning you be corrected. You also have the right to request the completion of incomplete personal data, taking into account the purposes of processing.

7.4 Deletion (Article 17 GDPR)

You have the right to request that we delete personal data relating to you immediately if one of the reasons provided for by law applies and insofar as processing or storage is not necessary.

7.5 Restriction of processing (Art. 18 GDPR)

You have the right to ask us to restrict processing if one of the legal requirements is met.

7.6 Data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another person responsible without hindrance from us, to whom the personal data has been provided, provided that the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR and the processing is carried out using automated procedures, and provided that the processing is not necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority vested in us.

In addition, when exercising your right to data portability in accordance with Article 20 (1) GDPR, you have the right to have the personal data transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible and provided that this does not affect the rights and freedoms of other persons.

7.7 Objection (Article 21 GDPR)

For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you based on data processing in the public interest in accordance with Article 6 (1) (e) GDPR or on the basis of our legitimate interest in accordance with Article 6 (1) (f) GDPR.

If you file an objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

7.8 Withdrawal of consent under data protection law

You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.

7.9 Complaint to a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

8 Up-to-dateness and changes to the privacy policy

This privacy policy is currently valid and is as of July 2023.

If we continue to develop our app or legal or regulatory requirements change, it may be necessary to change this privacy policy. You can retrieve the latest data protection information at any time here.
