Skip to content

Privacy Policy

Last updated: 29.05.2026

1. Controller, Scope and Contact

This Privacy Policy applies to the website billance.de, the web user account, the web checkout, contact and support inquiries, and the optional online features of the Billance software. The controller responsible for data processing is: Billance GbR represented by the partners Marc Biehle and Maximilian Lutz Stettiner Straße 41 35410 Hungen Germany Email: [email protected] If you have questions about data protection or the exercise of your data subject rights, you can contact us using this address.

2. Local Data Processing in Billance

Billance is designed as a local-first desktop application. • Local invoice and business data: invoices, customer and supplier data, products, templates, attachments and similar business content are generally processed locally on your device in an encrypted file. • No regular access by us: as a rule, we do not have ongoing technical access to this locally stored content and do not permanently store it on our own servers. • Optional online processing: only when you use certain online features, in particular the user account, payment processing, cloud sync, support or Billance AI, do we process the personal data required for that feature on the server side. To the extent that you process personal data of your customers, suppliers or employees with Billance, you are generally yourself responsible for that business content under data protection law.

3. Website, Server Log Files, Cookies and Browser Storage

When you access our website and API, we process technically required connection and log data, in particular IP address, date and time, requested resource, status code, referrer and user agent. This processing is used to deliver the website, analyze errors, ensure system security and prevent abuse. We also use technically required cookies and browser storage: • authentication and session cookies for the web account login • one cookie containing the client-readable access token expiry time • local storage or session storage for theme selection, login display state and the redirect path requested by the user after login Your browser may locally store in particular your email address, user ID, language preference and customer number so that the signed-in state can be displayed correctly. The legal bases are Art. 6(1)(b) GDPR where processing is necessary to provide the requested service, Art. 6(1)(f) GDPR for security and stability purposes, and Section 25(2) No. 2 TDDDG for the use of technically required storage technologies.

4. User Account, Sign-In and Account Management

When you create or use a Billance account, we process in particular the following data: • email address • password only as a secure hash • customer number, language preference and timestamps of registration and changes • a secure security value for client-side encryption and optional cloud sync features • email verification data, deletion codes and security-related session data • for social login, the respective Google or Apple account ID, email address and verification status • when using web or desktop sign-in, device or browser information, session IDs, expiry times and security-related log data This processing is used for registration, authentication, session management, account security, email verification, two-factor security, recovery of access and general account administration. If you delete your account, it is first deactivated immediately and marked as soft-deleted for 30 days; after that, it is permanently deleted unless statutory retention obligations prevent this. The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR for abuse prevention, account security and technical integrity.

5. Contract Performance, Payments and Subscriptions

In connection with free and paid plans, we process contract and subscription data, in particular the selected plan, term, renewal and cancellation status, payment provider, billing-related identifiers, customer number and related timestamps. For purchases via billance.de, payment processing is handled by Stripe. Payment data is processed directly by Stripe; we receive in particular subscription-related status, customer and transaction information, but we do not store credit card data. For purchases via external platforms, we process only the data required for validation and contract administration. For Google Play subscriptions, this may include in particular purchase token, order ID, product ID and subscription term data. The legal basis is Art. 6(1)(b) GDPR. To the extent that we document billing processes, prevent abuse or maintain internal records, we also rely on Art. 6(1)(f) GDPR.

6. Support, Contact Form, Feedback and Event Logs

If you contact us via the contact form, we process your email address, your message, optionally uploaded image attachments, the selected language, where applicable your user ID, IP address, timestamps and the processing status of your request. We also send a support message to ourselves and an acknowledgement email to you. If you send feedback from the desktop application, we additionally process the type of feedback, technical metadata such as operating system, app version and platform, and optional image attachments. We also log selected events such as download starts, store clicks, checkout starts and checkout completions. These event logs are used to operate our services, evaluate demand and reach, document contract-related processes and prevent abuse. The contents of your local invoice data are not processed for these purposes. The legal bases are Art. 6(1)(b) GDPR where your request or the event is related to an existing or prospective contractual relationship, and Art. 6(1)(f) GDPR for support organization, product security, internal analysis and abuse prevention.

7. Optional Online Features, Service Providers and Third-Country Transfers

We use external service providers for certain functions: • Trafficcamp GmbH (Lima-City), Germany, for hosting and email delivery • Stripe for payment processing and the customer portal • Cloudflare Turnstile for bot and abuse protection on registration, login, contact and cancellation forms • Google and Apple when you use social login or cloud-related authentication processes • Microsoft Azure Document Intelligence when you use Billance AI for document analysis • cloud providers selected by you, such as iCloud, OneDrive, Google Drive, Dropbox or WebDAV, for optional cloud synchronization For Turnstile, Cloudflare processes in particular IP address, browser and device data, and interaction data in order to detect automated access. When you use Billance AI, the documents you select are transmitted to Azure Document Intelligence for analysis. On our side, we additionally store usage and quota information such as file type, file size, page count, status, timestamps and provider-related operation identifiers. For cloud sync, data is synchronized in encrypted form via the provider you choose. The synchronized database is not permanently stored on our own servers. For certain connection and authentication steps, in particular Google token exchange and iCloud synchronization requests, requests may be technically routed through our systems so that credentials or keys do not have to be stored in the app. Where a transfer to a third country, in particular the USA, cannot be ruled out, we rely on the EU-US Data Privacy Framework adequacy decision where the relevant recipient is certified there, or on other appropriate safeguards such as standard contractual clauses. Further information is available on request. The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

8. Storage Period

We store personal data only for as long as necessary for the respective purposes or as long as statutory retention obligations apply. In particular: • account and contract data are generally stored for the duration of the contractual relationship • email verification and deletion codes are stored only temporarily and usually expire after 15 minutes • session data are stored until the relevant session expires or is revoked and are then deleted or cleaned up through technical routines • support and feedback data are stored until final processing and beyond that only where required for records, abuse prevention or statutory obligations • when an account is deleted, it is deactivated immediately, scheduled for final deletion after 30 days, and then permanently removed unless commercial or tax retention obligations prevent this

9. Your Rights

Subject to the applicable legal requirements, you have the right of access, rectification, erasure, restriction of processing, data portability and complaint to a supervisory authority. Where we process data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such processing on grounds relating to your particular situation. Where processing is based on consent, you may withdraw that consent at any time with effect for the future. The competent supervisory authority for our company is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI): https://datenschutz.hessen.de/ Automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you does not take place.