Privacy Policy & Terms of Service

1. Introduction

Welcome to DonnaTax, a service of Business Automatica GmbH (registered in Germany). DonnaTax supports users in managing their tax and financial accounting tasks, including the complete preparation of VAT reports. Your trust is our priority. This policy explains what data we collect, how we process and protect it, and with whom we share it. By creating an account, you agree to these terms and enter into a service contract with us for AI-powered financial document processing. We are committed to protecting your privacy and providing a secure, transparent, and powerful AI-driven service.

2. Data Collection

To provide our service, we collect the following data: • Financial Documents: Invoices, bank statements, receipts, and other financial documents you upload. • OAuth Connections: When you authorize a connection, we receive access tokens for your Gmail, Google Drive, Outlook, and OneDrive accounts to retrieve financial documents. We do not store your passwords for these services. • Account Information: Your username, first name, last name, and email address. Your password is not stored in plaintext; it is securely hashed using the bcrypt algorithm. • Usage Data: Anonymized or pseudonymized information about your interaction with our service (e.g., features used, session duration) to help us improve functionality and user experience.

3. Data Processing for Service Provision

Your data is processed for the sole purpose of providing and improving your digital accounting assistant. This includes: • Using AI to automatically extract structured information (e.g., amounts, dates, vendor names) from your financial documents. • Classifying and organizing your documents. • Matching invoices with bank transactions. • Securely storing your documents and extracted data for your access.

4. Our Sub-processors (Third-Party Services)

⚠️ IMPORTANT NOTICE FOR EU/EEA USERS: US DATA PROCESSING DonnaTax's AI-powered document processing requires the use of OpenAI's technology, which operates in the United States. This means your financial documents will be transferred to and processed in the USA as an essential part of our service. Legal Basis: This processing is necessary to perform our contract with you (Art. 6(1)(b) GDPR). Without this processing, we cannot provide the AI-powered features that are the core of our service. Safeguards in Place: • OpenAI is certified under the EU-U.S. Data Privacy Framework • Standard Contractual Clauses (SCCs) are in effect • End-to-end encryption (TLS 1.3, AES-256) • Data Processing Agreement (DPA) with OpenAI • Regular security audits and compliance reviews Important: If you do not accept data transfer to the United States, you should not create an account. By registering, you acknowledge and accept this processing as part of our service agreement. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Your financial documents are shared with the following sub-processors: OpenAI (ChatGPT API) - https://openai.com/policies/dpa • Purpose: AI-driven data extraction, document classification, OCR text analysis, invoice-transaction matching • Location: United States • Safeguards: Data transfers protected under EU-U.S. Data Privacy Framework. OpenAI is certified under the EU-U.S. DPF. Amazon Web Services (AWS) - https://aws.amazon.com/compliance/gdpr-center/ • Purpose: Cloud infrastructure (S3 storage, Lambda compute, SQS queues, CloudWatch monitoring) • Location: European Union (Frankfurt, Germany) • Safeguards: AWS GDPR-compliant processing. Data Processing Addendum in place. Supabase - https://supabase.com/docs/guides/platform/dpa • Purpose: Database storage for extracted data, user accounts, and metadata • Location: European Union (Frankfurt, Germany) • Safeguards: GDPR-compliant hosted PostgreSQL. DocParser (optional) - https://docparser.com/security/ • Purpose: OCR (Optical Character Recognition) for extracting text from scanned documents • Location: European Union / United States • Safeguards: Used only for OCR processing.

5. Cloud Infrastructure & Data Storage

Your data is stored and processed using a secure cloud infrastructure: • Cloud Provider: We use Amazon Web Services (AWS) for our hosting infrastructure. • Storage Location: All original files and primary databases are located in secure data centers in Frankfurt, Germany (AWS eu-central-1 region). • Encryption: Your data is protected using strong, industry-standard encryption: - AES-256 encryption for data at rest (stored documents and database entries) - TLS 1.3 for data in transit (between your device and our servers)

6. Email & Cloud Drive Integrations

When you connect your Google or Microsoft accounts: • Permission-Based Access: We only access your accounts with your explicit permission via the secure OAuth 2.0 protocol. • Scoped Access: Our system is designed to identify and sync only documents that appear to be financial in nature (e.g., based on keywords like "invoice," "receipt," "statement," or sender). We do not intentionally access or store non-financial or personal documents. • Sync Frequency: Connected accounts are synchronized every 5 minutes to retrieve new financial documents. • Secure Tokens: Connection tokens are encrypted using AES-256 and stored securely to maintain the connection. • Revocation: You can revoke our access at any time from your account settings. Upon revocation, the connection token is permanently deleted within 24 hours.

6.1. Google Services Integration - Data Access, Usage, Sharing, Storage, and Retention

This section provides detailed information about how we access, use, store, and protect Google user data in compliance with Google API Services User Data Policy and Google APIs Terms of Service. 6.1.1. Data Accessed When you connect your Google accounts (Gmail and Google Drive), we access the following types of Google user data: Google Drive: • Folder and file metadata: Folder names, file names, file IDs, modification dates, creation dates, file sizes, MIME types, folder structure and hierarchy, file checksums (MD5), file permissions, and parent folder relationships. • File content: Complete file content from selected folders, including documents, images, PDFs, and other file types. For Google Workspace files (Google Docs, Sheets, Slides), we access exported versions (typically as PDF or Office formats). • Folder structure: Information about folder organization, parent-child relationships, and shared drive access. Gmail: • Email labels: System labels (e.g., INBOX, SENT, DRAFT) and user-created labels that you have selected for synchronization. • Message metadata: Email subjects, sender information, recipient information (To, CC), message dates, label assignments, and message IDs. • Email attachments: Attachment metadata (filenames, sizes, MIME types, attachment IDs) and attachment content (downloaded files from email attachments). • Email content: Email body text and HTML content associated with messages containing attachments. User Account Information: • Email address: Your Google account email address (via userinfo.email scope). • Basic profile: Basic profile information via OpenID Connect (for Gmail connections). Authentication Data: • OAuth tokens: Access tokens and refresh tokens required to maintain the connection to your Google accounts. 6.1.2. Data Usage We use the Google user data we access exclusively for the following purposes: Primary Service Functions: • Folder and Label Selection: We list available Google Drive folders and Gmail labels to enable you to select which resources you want to monitor for financial documents. • Document Monitoring: We monitor your selected Google Drive folders and Gmail labels on a frequent basis to detect new or updated files and email attachments. • Document Retrieval: We download files from selected Google Drive folders and email attachments from selected Gmail labels that appear to be financial documents (e.g., invoices, receipts, bank statements). • Document Processing: Downloaded files and attachments are analyzed using our AI-powered system to identify financial documents. Files that do not appear to be financial in nature are filtered out after download but may be temporarily stored during the filtering process. • Service Delivery: Processed financial documents are made available to you through your DonnaTax account for AI-powered extraction, classification, and invoice-transaction matching. Processing Activities: • Authentication: We use OAuth 2.0 access tokens to authenticate API requests to Google services. • Synchronization: We periodically query Google APIs to check for changes in your selected folders and labels. • Content Download: We download file content and email attachments from Google services when they are detected in your selected resources. • Content Filtering: We analyze downloaded content to identify financial documents based on keywords, file names, sender information, and document structure. • Data Storage: We store downloaded files and attachments in our secure cloud storage for processing and to make them accessible to you through our service. 6.1.3. Data Sharing We share Google user data with the following third parties for the purposes specified: OpenAI (ChatGPT API): • Data Shared: Raw Google Drive files and Gmail email attachments that are downloaded from your selected folders and labels are shared with OpenAI for AI-powered document processing. • Purpose: OpenAI processes these files to perform AI-driven data extraction, document classification, OCR text analysis, and invoice-transaction matching. This processing is essential to provide the core AI-powered features of our service. • Location: United States • Legal Basis: This processing is necessary to perform our contract with you (Art. 6(1)(b) GDPR). • Safeguards: OpenAI is certified under the EU-U.S. Data Privacy Framework. Data transfers are protected by Standard Contractual Clauses (SCCs), end-to-end encryption (TLS 1.3, AES-256), and a Data Processing Agreement (DPA) with OpenAI. Regular security audits and compliance reviews are conducted. Amazon Web Services (AWS): • Data Shared: Google user data (downloaded files, attachments, metadata) is stored in AWS S3 buckets. • Purpose: Secure cloud storage infrastructure for Google user data. • Location: European Union (Frankfurt, Germany - AWS eu-central-1 region) • Safeguards: AWS GDPR-compliant processing. Data Processing Addendum in place. Data is encrypted at rest using AES-256. Supabase: • Data Shared: OAuth connection details, sync history, and metadata extracted from Google user data. • Purpose: Database storage for connection management and extracted data. • Location: European Union (Frankfurt, Germany) • Safeguards: GDPR-compliant hosted PostgreSQL. DocParser (when used): • Data Shared: PDF documents from Google Drive or Gmail attachments may be shared with DocParser for OCR processing. • Purpose: Optical Character Recognition for extracting text from scanned documents. • Location: European Union / United States • Safeguards: Used only for OCR processing. No Other Third-Party Sharing: We do not share Google user data with any other third parties beyond those listed above. We do not sell, rent, or trade Google user data. 6.1.4. Data Storage & Protection Storage Location: • Primary Storage: All Google user data (downloaded files, email attachments, metadata) is stored in Amazon Web Services (AWS) S3 buckets located in Frankfurt, Germany (AWS eu-central-1 region). • Database Storage: OAuth connection details, sync history, and extracted metadata are stored in Supabase PostgreSQL databases located in Frankfurt, Germany. • OAuth Tokens: Connection tokens (access tokens and refresh tokens) are stored in our Supabase database, encrypted using AES-256 encryption. Security Measures: • Encryption at Rest: All Google user data stored in AWS S3 is encrypted using AES-256 encryption. Database entries are also encrypted at rest. • Encryption in Transit: All data transfers between our systems and Google APIs, as well as between our systems and third-party processors, are protected using TLS 1.3 encryption. • Access Controls: We follow the Principle of Least Privilege. Our employees and systems can only access Google user data that is strictly necessary for their role. Access is logged and monitored. • Token Security: OAuth tokens are encrypted using AES-256 before storage. Tokens are only used for the specific purpose of accessing your selected Google resources. • Infrastructure Security: Our AWS infrastructure follows the AWS Well-Architected Framework for security best practices. AWS Lambda functions run in isolated execution environments with IAM role-based permissions. • Security Monitoring: We maintain security monitoring via AWS CloudWatch to detect and respond to potential security incidents. • Regular Audits: We conduct regular security audits and code reviews to ensure the ongoing security of Google user data. 6.1.5. Data Retention & Deletion Retention Policy: • Active Connections: Google user data (downloaded files, attachments, metadata) is retained for as long as your account is active and the Google connection remains active, or as needed to provide you with our services. • After Disconnection: If you disconnect your Google account, the OAuth connection tokens are permanently deleted within 24 hours. However, Google user data (files and attachments) that were previously downloaded and stored will remain in our systems until you manually delete them through the app interface. • Manual Deletion: You can delete individual files or attachments at any time through your account dashboard. Deleted items are scheduled for permanent removal from our active systems within 30 days. • Account Deletion: If you delete your entire account, all associated Google user data is scheduled for permanent removal from our active systems within 30 days. • Backup Retention: Deleted Google user data may remain in secure, isolated backups for disaster recovery purposes for up to 60 days before being permanently erased. User Deletion Rights: • Individual File Deletion: You can delete individual Google Drive files or Gmail attachments at any time through your account dashboard. Deleted items are removed from active systems within 30 days. • Account Disconnection: You can revoke our access to your Google accounts at any time from your account settings. Upon revocation, OAuth tokens are deleted within 24 hours. Previously downloaded files and attachments will remain stored until you manually delete them. • Complete Account Deletion: You can request complete account deletion by contacting support@businessautomatica.com or using the account deletion option in settings. Upon account deletion, all Google user data is scheduled for permanent removal within 30 days (60 days from backups). • Data Export: Before deletion, you can export your data in a machine-readable format (JSON) through your account dashboard. Process for Deletion Requests: To request deletion of your Google user data, you can: 1. Delete individual files/attachments through your account dashboard, or 2. Disconnect your Google account connection in account settings (removes access but files remain until manually deleted), or 3. Contact us at support@businessautomatica.com to request account deletion or specific data deletion. We will process deletion requests and confirm completion within 30 days for active systems and 60 days for backup systems.

7. Database Storage

We store the following data, extracted from your documents, in our database: • Document metadata (filenames, upload dates, checksums, file sizes) • Extracted invoice and receipt data (amounts, dates, vendor information, line items, invoice numbers) • Bank transaction records (date, amount, company, transaction type, additional information) • The results of invoice-transaction matching (correlation status, confidence scores) • OAuth connection details and sync history

8. Data Retention

We retain your data only for as long as your account is active or as needed to provide you with our services. • Account Deletion: You can delete individual documents or your entire account at any time. Upon account deletion, all associated data is scheduled for permanent removal from our active systems within 30 days. • Backup Policy: Deleted data may remain in secure, isolated backups for disaster recovery purposes for up to 60 days before being permanently erased.

9. Your Rights under GDPR

As an EU user, you have the following rights regarding your personal data: • Right to Access: Access your data anytime through your account dashboard. • Right to Rectification: Request the correction of inaccurate data. • Right to Erasure ('Right to be Forgotten'): Delete individual documents or your entire account. • Right to Data Portability: Export your data in a machine-readable format (JSON). • Right to Withdraw Consent: You can revoke connections to third-party services (Gmail, Google Drive, Outlook, OneDrive) at any time in your account settings. Note: Core service processing (document analysis, US transfers) is based on contract performance, not consent. To stop this processing, you must close your account by contacting support@businessautomatica.com or using the account deletion option in settings. • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your data infringes on GDPR. The competent authority in Germany is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Graurheindorfer Str. 153, 53117 Bonn, Germany.

10. Data Security

We implement robust technical and organizational measures to protect your data: • End-to-End Encryption: Using TLS 1.3 for data in transit and AES-256 for data at rest. • Secure Password Hashing: Using the bcrypt algorithm with a cost factor of 12. • Access Controls: We follow the Principle of Least Privilege, meaning our employees and systems can only access data that is strictly necessary for their role. • Infrastructure Security: AWS Lambda functions run in isolated execution environments with IAM role-based permissions. • Security Audits: We conduct regular security audits and code reviews. Our AWS infrastructure follows the AWS Well-Architected Framework for security best practices.

11. International Data Transfers

Our primary data storage and processing occurs within the European Union (Frankfurt, Germany). However, as detailed in Section 4, some specialized sub-processors may be located in other countries, such as the United States. • Legal Safeguards: We ensure that any such transfer is lawful and secure. Transfers to the U.S. are protected by adequacy decisions such as the EU-U.S. Data Privacy Framework or are governed by Standard Contractual Clauses (SCCs), supplemented by a Transfer Impact Assessment (TIA), to guarantee a level of data protection equivalent to that within the EU. • OpenAI Transfers: OpenAI is certified under the EU-U.S. Data Privacy Framework and has implemented appropriate safeguards for GDPR compliance.

12. Changes to This Policy

We may update this policy to reflect changes in our services or legal requirements. • Notification: For any material changes, we will notify you at least 30 days in advance via email to your registered email address or an in-app notification. • Acceptance: We will summarize the changes and explain their impact. For significant changes that affect your rights or data processing, we will require your active consent via email confirmation or in-app consent screen. Continued use of the service after the notice period and consent request will constitute acceptance of the new policy.

13. Liability and Data Breaches

As the data controller, Business Automatica GmbH is responsible for the protection of your data. • Our Responsibility: We are liable for any damages caused by our non-compliant processing of your data, in accordance with Article 82 of the GDPR. This responsibility extends to the processing carried out by our sub-processors on our behalf. • Breach Notification: In the unlikely event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and 34. • Incident Response: We maintain an incident response plan and security monitoring via AWS CloudWatch to detect and respond to potential security incidents.

14. Contact & Support

If you have questions about this policy or your data, please contact us: Business Automatica GmbH Eisenbahnstraße 28 67725 Börrstadt Germany Data Protection Officer & Support: support@businessautomatica.com Website: https://www.businessautomatica.com/ You can also reach us through the support section in your account.

15. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR: • Performance of a Contract (Art. 6(1)(b) GDPR): - AI-powered document processing via OpenAI (including US transfers) - Document extraction, classification, OCR, and matching - Account management and service delivery - This processing is necessary to provide the contracted service • Consent (Art. 6(1)(a) GDPR): - Connecting your email/cloud accounts (Gmail, Google Drive, Outlook, OneDrive) - You can withdraw these consents at any time in settings • Legitimate Interest (Art. 6(1)(f) GDPR): - Anonymized usage analytics for service quality improvement - Security monitoring and fraud prevention

Last updated: November 2025