Kassenbon

Privacy Policy

Last updated: March 5, 2026

1. Data Controller

Softure UG (haftungsbeschränkt)
Scharfenberger Straße 28
13505 Berlin, Germany

Managing Director: Mohamed Hamda
Email: customers@softure-ug.de
Commercial Register: Amtsgericht Charlottenburg, HRB 275859 B
VAT ID: DE458487999

2. Overview

Kassenbon is a web application for scanning, archiving, and analyzing receipts and documents. We process personal data exclusively in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Telemedia Data Protection Act (TTDSG).

3. Data We Collect

3.1 Account Data

  • Email address
  • Password (hashed, never stored in plain text)
  • Display name (optional)
  • Postal code (optional, for local price comparisons)
  • Language preference
  • OAuth profile information (name, email) when signing in via Google or Apple

3.2 Receipt Data

  • Receipt photos and uploaded files
  • Extracted data: vendor, date, amount, line items, prices
  • User-entered categories, tax classifications, and notes

3.3 Document Vault

  • Uploaded documents (contracts, insurance, IDs, etc.)
  • Extracted metadata: title, parties, amounts, expiry dates
  • Tags and folder structure

3.4 Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Access timestamp
  • Referrer URL

4. Legal Basis for Processing

  • Art. 6(1)(b) GDPR — Contract performance: account management, receipt processing, document storage, and all core app features.
  • Art. 6(1)(f) GDPR — Legitimate interest: security, fraud prevention, debugging, and service improvement.
  • Art. 6(1)(a) GDPR — Consent: optional features such as price comparison (anonymized, aggregated data).
  • Art. 6(1)(c) GDPR — Legal obligation: tax and commercial record-keeping requirements.

5. AI Processing of Receipts and Documents

When you scan a receipt photo or document, the image is sent to an AI service (currently Anthropic) for optical character recognition and data extraction. The following applies:

  • Images are transmitted solely to process your request.
  • Images are not used to train AI models and are not permanently stored by the provider.
  • We have a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with the provider.
  • The legal basis is Art. 6(1)(b) GDPR (contract performance).

6. Sub-processors and Third-party Services

Service        | Purpose                                | Location
Supabase (AWS) | Database, authentication, file storage | EU (Frankfurt)
Anthropic      | AI receipt extraction                  | USA*
Vercel         | Web application hosting                | Global (Edge)
Google OAuth   | Social login                           | USA*
Apple Sign In  | Social login                           | USA*

* Data transfers to the USA are based on the EU-U.S. Data Privacy Framework (EU Commission adequacy decision of 10.07.2023) and/or Standard Contractual Clauses (Art. 46(2)(c) GDPR).

7. Data Storage and Retention

  • Account data: Until account deletion.
  • Receipts and documents: Until deleted by user or account deletion.
  • Technical access logs: Maximum 90 days.
  • On account deletion: All personal data is permanently deleted within 30 days. Anonymized, aggregated statistics may be retained.

8. Data Security

  • Encryption of all data in transit (TLS 1.3) and at rest (AES-256).
  • Row-Level Security (RLS) in the database — each user can only access their own data.
  • Passwords are hashed and salted using bcrypt.
  • OAuth tokens are managed server-side and never exposed in the frontend.
  • Regular security reviews and dependency updates.

9. Cookies and Local Storage

We use only technically necessary cookies:

  • Authentication cookies (Supabase session) — required for login.
  • Language preference (NEXT_LOCALE) — stores your language choice.

We do not use tracking cookies, third-party analytics, or advertising cookies. Consent under § 25 TTDSG is not required for technically necessary cookies.

10. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — What data we have stored about you.
  • Right to rectification (Art. 16) — Correction of inaccurate data.
  • Right to erasure (Art. 17) — Deletion of your data (also via the account deletion feature in the app).
  • Right to restriction (Art. 18) — Restriction of processing.
  • Right to data portability (Art. 20) — Export your data in a machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — At any time with future effect.

To exercise your rights, email: customers@softure-ug.de

We will respond within 30 days pursuant to Art. 12(3) GDPR.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. Our competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
www.datenschutz-berlin.de

12. Price Comparison and Anonymized Data

The price comparison feature uses exclusively anonymized, aggregated price data. It is not possible to trace individual price data points back to specific users. Participation in price comparison is voluntary.

13. Children

Kassenbon is not directed at persons under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with data, we will delete it immediately.

14. Changes to This Privacy Policy

We may update this privacy policy from time to time. For material changes, we will notify you by email or through a prominent notice in the app. Continued use after changes constitutes acceptance of the updated policy.

15. Contact

For privacy-related questions, contact us at:
customers@softure-ug.de