Privacy Policy For The Use Of Fintract

Provided by fino data services GmbH

§ 1 Preamble

This data protection declaration of fino data services GmbH, Universitätsplatz 12, 34127 Kassel, intends to inform you as a customer/client which personal data of yours are collected and processed when using our fino service (hereinafter referred to as “service”). fino is acting as an order processor on behalf of the responsible party/customer in the sense of the General Data Protection Regulation. You can find the contact details in the imprint.

§ 2 What is the source of your data and what data is processed?

We prioritise the processing of personal data provided by our customers/clients in the course of using the Service (REST API Service) and which is necessary for the provision of our Service. This includes:

By fino as the responsible party:

  • Master data (see registration form): E-mail address, first name/last name, company name, title, language, address, VAT ID (if company is based within the EU).
  • System events and log data
  • Access data


On behalf of the customer/responsible party:

  • Data entered by our customers such as master data (e.g. e-mail address, first name/last name, company name, address) and other personal data contained in documents.
  • Special categories of personal data are only processed by the service if the customer uploads such data to our service. Such data is not actively processed without the customer’s instigation.
  • System events and log data



§ 3 Processing purpose and legal basis  

Your deposited or entered data are used for the operation of our service and therefore, in accordance with Article 6 para. 1 lit. b DSGVO in conjunction with Art. 28 para. 3 DSGVO, to fulfil the order processing contract existing between you and us, in accordance with our General Terms and Conditions, on the basis of your consent or our legitimate interest. Further data processing purposes also result from the existing order processing contract as well as from the General Terms and Conditions and concretise this data protection information.

  • Data collection and processing within the scope of our contractual/business relationship as a customer of fino:
  1. We process data of our customers and interested parties (collectively referred to as “contractual partners”) within the framework of contractual and comparable legal relationships (e.g. order processing relationship) as well as related measures (e.g. for analysis and statistics) and within the framework of communication with the contractual partners (or pre-contractually), e.g. to answer enquiries.
  2. The data processing according to Art. 6 Para. 1 lit. b DSGVO is carried out for the fulfilment of our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as the entrepreneurial organisation. We only pass on the data of the contractual partners to third parties within the framework of the applicable law to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of the contractual partners (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). The contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the framework of this data protection declaration.
  3. As part of the performance of the contract, we send semi-automated service and transactional emails (e.g. sending registration confirmations or invoices). These are necessary for the provision of our service.
  • Processing based on consent
  4. In addition, we process your data based on your consent under Art. 6 (1) lit. a DSGVO if, for example, you provide us with information about your user experience outside of our contractual relationship, such as via feedback forms or satisfaction surveys. If processing is based on your consent, we will inform you of this separately. You can revoke any consent you have given us at any time with effect for the future.
  5. You will receive further information on the data processing for which we request your consent within the scope of or before the submission of the respective declaration of consent.
  • Processing based on a legitimate interest

Furthermore, we process your data based on the legitimate interests of us or third parties under Art. 6 para. 1 lit. f DSGVO for the following purposes:

  1. Ensuring IT security and IT operations;
  2. Testing and optimizing procedures for needs analysis and direct customer contact;
  3. Assertion of legal claims and defense in legal disputes;
  4. Management measures and further development of services and products;
  5. Prevention and investigation of criminal offenses.

For additional information, please refer to § 1 of the website’s privacy policy:

  • Processing based on legal requirements / legal obligations
  1. We process your data based on legal obligations under Art. 6 para. 1 lit c DSGVO. We are subject to various legal obligations, i.e. legal requirements (e.g. commercial laws), which essentially oblige us to archive. The purposes of processing in the case of legal obligations include, among other things, the fulfillment of control and reporting obligations under tax law as well as the assessment and management of risks.
  2. Depending on the currently applicable legal requirements and the services provided, data processing may vary; for more detailed information on your specific individual case, please write to

§ 4 Duration of storage

    • After successful processing and return of a document made available via the API, all data relating to it shall be deleted automatically. In special cases and upon request, the storage period can be extended to 90 days.
    • Your registration and user data will be stored indefinitely until you delete the data or your account. As soon as you delete your account, the data is immediately and irrevocably deleted.
    • As soon as your data (master data on the contractual relationship) is no longer required for the fulfillment of contractual and legal and processing purposes, it is compulsorily deleted unless you have given your consent for further storage or we have a legitimate interest in (further) storage.
    • As a rule, however, we are obliged to store certain data, including personal data, beyond the end of the contractual relationship for reasons of commercial law and tax law. The period can be up to ten years. Reference is made to the relevant laws, in particular § 257 of the German Commercial Code, and § 147 of the German Fiscal Code. As a rule, this period does not apply to data that we have received directly from you as part of the provision of our service.
    • Insofar as we require data and documents with a personal reference as evidence for the assertion, exercise or defence of legal claims, these will be retained by us depending on the respective limitation periods, whereby we restrict the processing for other purposes. This also applies, for example, to the assertion and settlement of warranty and service claims (max. 3 years) that you bring to us and in this context we process your data (contact person, company and relevant invoice/service). The legal basis for this processing is Art. 6 Para. 1 lit. f DSGVO.


§ 5 Encrypted transmissions of personal data

All data traffic between your browser or terminal device and the server used by this service is encrypted. A modern transmission method, the TLS (Transport Layer Security) protocol, is used for this purpose. This ensures that all data is transmitted in encrypted form and is protected from manipulation and unauthorized access by third parties during transmission.

§ 6 Hosting

The application servers are located in ISO 27001-certified data centers in Germany. We use the following services and service providers to operate our service:

  1. Amazon Web Services EMEA Sàrl, 5 Rue Plaetis L-2338 Luxembourg (Cloud Infrastructure Services, data center location: Frankfurt).
  2. Google Ireland Limited, Gordon House, Barrow Street 4, Dublin, Ireland (Cloud Infrastructure Services, data center location: Frankfurt)
  3. Cloudflare: Content Delivery Network (CDN); service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA


§ 7 Recipients / transfer of your data

    • You can find out which service providers we pass on your data to within the scope of our contractual relationship in § 7 of this data protection declaration.
    • The data transfer takes place in order to be able to carry out individual application steps and only contains the data necessary for this. Provided that a group of service providers is named in the overview of the order processors used, the data is only passed on to one service provider at a time, depending on availability and service.
    • If we transfer personal data to service providers outside the European Economic Area (EEA), e.g. through the Microsoft Office 365 services we use in the U.S.A., the transfer will only take place under the premise of the existence of suitable guarantees under Art. 46 et seq. DSGVO. You can request detailed information on this and the level of data protection at our service providers in third countries using the contact information above.
    • We use the service provider ActiveCampaign for customer management. Usage data is not affected by this. Furthermore, contract confirmation emails and newsletters regarding contract changes are sent via this service. You can find out more about ActiveCampaign on the privacy policy of the website
    • To provide customer support, we use the email ticket system of the service provider Zoho-Desk (service provider:  Zoho Corporation B.V., Hoogoorddreef 15, 1101 BA, Amsterdam, The Netherlands). If you as a user contact our support by e-mail, your request will be stored in the ticket system and the (personal) data you entered will be transmitted to Zoho-Desk. The transmission of your data to Freshdesk is based on your consent under Art. 6 Para. 1 lit. a DSGVO. Your data, as far as provided by your request, but in any case, your name, first name as well as e-mail address, will be processed exclusively for the organization and processing of your request by us. Your data will be deleted after your request has been processed. This takes place when the circumstances indicate that the matter in question has been conclusively clarified and provided that there are no legal obligations to retain data. For more information, please see the Zoho Desk privacy policy:

§ 8 Rights of the data subjects

    • With regard to the processing of your data, you have a wide range of rights, in particular the right to information about the personal data stored by us (Art. 15 DSGVO), correction (Art. 16 DSGVO), deletion (Art. 17 DSGVO), restriction of processing (Art. 18 DSGVO), data portability (Art. 20 DSGVO) and objection to processing (Art. 21 DSGVO), in the case of direct advertising.
    • Please use the contact details provided in the imprint or contact our data protection officer directly (see below).
    • Furthermore, you have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 DSGVO), to which we expressly refer. You can reach the supervisory authority responsible for our company under the following contact details:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit

Postfach 3163

65021 Wiesbaden

Phone: +49 611 1408 – 0

  • Further information on data processing in the context of using our service can be found – in addition to the data protection declaration on our homepage – in our General Terms and Conditions.
  • If you have any further questions regarding the processing of your data in individual cases, please contact us or our data protection officer using the contact details provided in the imprint or below.

§ 9 Contact and Data Protection Officer

If you have any questions about the processing of your data or data protection in general, please contact the data protection officer, who is also available to you in the event of complaints:

Fino data services GmbH

Data Protection Officer

Universitätsplatz 12, 34127 Kassel



Kassel, 07.12.2022

