This content is only available in English.

  1. Preamble

    This Privacy Statement by fino data services would like to inform you as the customer/contracting authority as to which of your personal data will be collected and processed by us as order processor/responsible party during the utilization of our fino service (hereinafter called “service”) in accordance with the General Data Protection Regulations.
    This data protection information concerns the processing of personal or person-related data of the following affected parties:

    1. Customers and the customers’ employees, e.g. when these are set up as persons authorized to access
    2. Our customers’ customers (B2B/B2C)
    3. Our customers’ suppliers/business partners
    4. Our customers’ cooperation partners
  2. Where does your data originate, and which data is processed?

    We primarily process the personal data you provide to us during the utilization of GetMyInvoices, and which are required for the performance of our service.

  3. Processing purpose and legal foundation

    The data deposited or entered by you will be collected and used for the purpose of operating GetMyInvoices and in accordance with Art. 6 (1) b GDPR, and to fulfil the existing service contract between you and us in accordance with our General Terms and Conditions. Further data processing purposes also arise from the existing service contract as well as from the General Terms and Conditions and concretize this Privacy Statement.

    1. 3.1. Collection and processing in the course of our contractual/business relationship as user of GMI
      1. (a) We process data belonging to our contract- and business partners, e.g., existing and prospective customers (collectively called “contract partners”) in the course of contractual and comparable legal relationships (e.g., order management contract) as well as any related measures, and during communications with the contract partners (or pre-contractual), e.g., to reply to queries.
      2. (b) We process this data to fulfil our contractual obligations (see our scope of functions of provided services/products on, to secure our rights, and to the purpose of administrative tasks and business organisation relating to this information. We pass on the contract partner’s data to third parties within in the framework of applicable legislation only insofar this is required in regard to the previously mentioned purposes, or to fulfil any legal obligations, or with the contract partner’s consent (e.g., to involved telecommunications-, transport-, or other service providers as well as sub-contractors, banks, tax- and legal consultants, payment service providers or tax authorities). In accordance with this Privacy Statement, the contract partner will be notified about any further manners of processing, e.g., for marketing purposes.
      3. (c) Information regarding the tools used during response of support queries can be retrieved in the relevant appointment invitations.
      4. (d) In the course of the contract fulfilment, we send partly automated service- and transactional emails (e.g., dispatch of registration confirmation or invoices). These are necessary to the delivery of our service.
    2. 3.2. Processing based on consent
      1. (a) We further process your personal data based on your consent in accordance with Art. 6 Para. 1 lit. a GDPR, if you give us information outside of our contractual relationship, for instance about your user experience, like feedback forms or customer satisfaction surveys. Any consent given to us can be revoked with future effect at any time.
      2. (b) You will receive further information regarding any data processing requiring your consent with or prior to your declaration of consent.
    3. 3.3. Processing due to legitimate interest
      We further process your personal data on basis of our legitimate interest, or that of third parties, in accordance with Art. 6 Para. 1 lit. f GDPR, for the following purposes:

      1. (a) Safeguarding of IT security and IT operations;
      2. (b) Inspection and optimization of processes regarding needs assessment and direct customer contact;
      3. (c) Advertisement or market research and opinion polling, insofar you have not vetoed the use of your data (you can find out more about the services used by us – Matomo, Google Analytics and ActiveCampaing – in the privacy statement on;
      4. (d) Assertion of legal entitlements and defence during legal conflicts;
      5. (e) Measures regarding business management and further development of services and products;
      6. (f) Prevention and investigation of criminal offences.
    4. 3.4. Processing based on legal requirements/legal obligations
      1. (a) We process your personal data on the basis of legal obligations in accordance with Art. 6 Para. 1 lit. c GDPR. We are subject to a number of legal obligations, that is, statutory requirements (e.g., commercial laws, taxation laws). The purposes of data processing include, among others, compliance with fiscal inspection- and reporting obligations, as well as the assessment and management of risks.
      2. (b) Your data processing may vary depending on the contractual relationship it is based on and the services provided; for more information on your specific individual case, please contact us here:
  4. Collection and usage of company- and personal data

    1. 4.1. All data is collected in compliance with the principles of data avoidance and data minimization. You are not obligated, neither legally nor contractually, to transmit your personal data to us. Insofar you decide against data entry/data transmission, we will be partly or fully unable to perform your order or the required service.
    2. 4.2. Data types processed by us:
      1. (a) Name of contact partner
      2. (b) Company address
      3. (c) VAT ID (if company is located in the EU)
      4. (d) Inventory data (e.g., names, addresses, email addresses, IBAN, or credit card data)
      5. (e) Payment-/order data (e.g., bank connections, invoices, payment history)
      6. (f) Contact data (e.g., email addresses, phone numbers)
      7. (g) Contract data (e.g., object of contract, term, customer category)
      8. (h) Usage- and login data
      9. (i) Documentation data (to be able to proof the communications and services provided throughout the business relationship)
      10. (j) Email contents/content data (emails are searched for invoice parameters/recognition automated)
      11. (k) Meta data from documents/mails (e.g., during transmission API to third parties)
      12. (l) Scan data (when using our Scan App for your documents)
      13. (m) Further data that we collect, manage and process based on your instruction
  5. Storage duration

    1. 5.1. Your customer data (e.g., in your online portal/archive) will be stored indefinitely, until you delete the data or your account. Documents will be archived permanently, provided the customer does not delete those via the user interface or API. As soon as you delete your account, the data will be saved for a 30-day period under processing restriction. Only after 30 days will the data be directly and irreversibly deleted. This is supposed to leave you with the option to recreate a deleted account.

    2. 5.2. As soon as your data (master data relating to the contractual relationship) is no longer needed for the fulfilment of contractual, legal, and process-intern purposes, the same will be mandatorily deleted, unless you have given consent for continued storage or we have a legitimate interest in (continued) storage.

    3. 5.3. As a rule, however, we are obligated under trading and fiscal laws to store certain data, including personal data, beyond the termination of the contract relationship. The time period can be up to ten years. You are referred to the relevant legislation, in particular § 257 Commercial Code, § 147 General Fiscal Law. As a rule, this period does not apply to data received from you in the course of the order during the performance of our service (GetMyInvoices).

    4. 5.4. Insofar we require data and personalized documents for the assertion, execution or defence of legal entitlements, those will be retained in compliance with the respective periods of limitation, while processing for any other purposes will be restricted. This also applies, for instance, for the assertion and settlement of warranty- and service claims (30 years max) that are brought to us by you and during which we process your data (contact partner, company, and relevant invoice/service). The legal foundation for these manners of processing is Art. 6 Para. 1 lit. f GDPR.

  6. Encrypted transmission of personal data

    1. The entire data traffic between your browser or device and the server using this service is encrypted. To this end, a modern transmission protocol – TLS Protocol (Transport Layer Security Protocol) – is used. This ensures that all data is transmitted encrypted and protected from manipulation and access by third parties on the transmission route.

  7. Hosting

    1. The application servers are located in an ISO 27001-certified computer centre run by our operators in Germany.

  8. Web-/customer portal/web application by GMI

    1. 8.1. To utilize the service (even in the form of a trial account), the user is required to register with GetMyInvoices. This data will only be used insofar it is necessary for the implementation of the service. To utilize the service, the user is required to enter the login data for his customer portals one time into the customer centre. The login data will be stored under encryption to ascertain that no staff member has access to the login data at any time.

    2. 8.2. To safeguard the correct performance of our services and guarantee data security, we process all logins performed by you (successful ones as well as unsuccessful ones). Further, we set a timestamp for automatic logout. The login activity data processed by us will not be passed on to external login service providers (see 8.4.).
    3. 8.3. GetMyInvoices provides the chat function “Communication Center” within the scope of the contractual scope of functions (Art. 6 para. 1 lit. b GDPR) for your application-related communication with the persons you wish to communicate with (e.g. tax consultant, team). The data processing in the communication between you and other users is exclusively provided by GetMyInvoices. A transfer to third parties does not take place in this case. The communication contents are stored in the application and can only be viewed by users involved in the communication process. The communication data will be stored until you initiate the deletion in the Communication Center or delete your account (see 5.1).
    4. 8.4. Login using third-party providers
      You have the option to log in to your account using the websites of the following third-party providers.

      1. (a) Facebook
      2. (b) Google
      3. (c) netID
      4. (d) LinkedIn
      5. (e) In each case, we receive your name and email address from the third-party provider when you log in there and have agreed to transmission of this data to us. In this context, please take note of the privacy statement of the respective third-party provider.
  9. Recipient/disclosure of your data

    1. 9.1. Which service providers we forward your personal data to during the course of our order processing relationship can be learned from the annex subprocessors, in your data processing agreement, see
    2. 9.2. The data transmission takes place to ensure implementation of individual application stages and exclusively contains the data required for that purpose. Insofar a group of service providers is listed in the appendix to our order processing contract for the utilization of GetMyInvoices, any data transmission will take place to only one service provider each time, depending on availability and service.
    3. 9.3. We also pass on data to or receive data from recipients authorized or instructed by you, e.g., from and to your tax consultant or to and from other accounting-/document systems (e.g., export of your data to third-party systems like Datev or LexOffice) that have existing interfaces to our program. We do not have any influence over any data processing in those external locations.
    4. 9.4. In case we transfer personal data to service providers outside the European Economic Area (EEA) to the USA through Microsoft Office 365 as a service used by us, any transmission will only take place after the conclusion of EU standard contractual clauses with transfer impact assessment pursuant to Art. 44 et seq. GDPR (according to ECJ and EDPS standards), including technical, contractual and organizational measures to protect the personal data of the data subjects. Companies/services certified under the EU-US Privacy Shield safeguard an appropriate level of data protection in accordance with the GDPR. Detailed information concerning this matter as well as the data protection levels of our service providers in third countries can be requested from the contact information given above.
    5. 9.5. For the management of contact queries and communications, we use the service Zoho Desk by Zoho Corporation Pvt. Ltd., Chengalpattu, Tamil Nadu, India. We have agreed to standard contractual terms with this service provider (safeguarding of data protection levels when processing in third countries).
  10. Payment service providers

    1. 10.1. In the framework of contractual and other legal relationships, based on legal requirements or on basis of our legitimate interests, we offer efficient and secure payment options to the affected persons, to which end we use banks and credit institutions as well as other payment service providers (collectively “payment service providers”).
    2. 10.2. The data processed by payment service providers includes inventory data, e.g., name and address; bank data, e.g., account number or credit card number; passwords, TANs and check sums; as well as contract-, amount- and recipient-related data. The information is required to perform the transaction. However, the entered data will only be processed and stored by the payment service provider. That means, we will not receive any information regarding accounts or credit cards, but only information with positive or negative confirmation regarding the payment. On occasion, the data may be passed on by the payment service provider to credit bureaus. The purpose of such a transmission is the verification of identity and credit rating. We refer you to the payment service provider’s T&Cs and privacy statement.
    3. 10.3. The terms and conditions of the respective payment service providers apply to the payment transactions, which can be retrieved from the respective websites or transaction applications. We refer you to the same for the purpose of gaining further information and for assertion of revocation-, information- and other rights of the affected persons.
      1. • Processed data types: Inventory data (e.g., names, addresses), payment data (e.g., bank connections, invoices, payment history), contract data (e.g., object of contract, term, customer category), usage data (e.g., visited websites, interests in content, access times), meta/communication data (e.g., device information, IP addresses).
      2. • Affected persons: Existing and potential customers.
      3. • Processing purpose: Contractual performance and service.
      4. • Legal foundation: Contract fulfilment and pre-contractual queries (Art. 6 Para. 1 S. 1 lit. b. GDPR), legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).
      1. 10.4. Services and service providers employed:
        1. (a) PayPal: Provision of payment services and solutions (e.g., PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; website:; privacy statement:
        2. (b) Stripe: Provision of payment services; service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; website:; privacy statement:
  11. Affiliate programme offer

    1. 11.1. We offer an affiliate programme, i.e., commissions and other benefits (collectively called “commission”) to users (called “affiliates”) who refer others to our offers and services. The referral takes places through a link assigned to the respective affiliate, or through a different method (e.g., discount codes), which enables us to recognize that the employment of our services is based on the referral (collectively called “affiliate links”).
    2. 11.2. To be able to monitor whether services have been employed by a user because of an affiliate link, it is necessary for us to know that the user followed an affiliate link. The allocation of affiliate links to the respective business transaction or other employment of our services exclusively serves the purpose of commission settlement and will be lifted as soon as it is no longer required to this end.
    3. 11.3. For the purpose of the previously mentioned allocation of affiliate links, the affiliate links may be complemented by specific values that are part of the link or that can be stored in a different way, e.g., in a cookie. These values may particularly include the original website (referrer), the time, an online identification for the operator of the website containing the link, an online identification of the respective offer, the type of link used, the type of offer, and an online identification of the user.
    4. 11.4. Information regarding legal foundations: Insofar we ask the user for consent regarding the employment of third-party providers, the consent forms the legal foundation for the processing of data. Furthermore, employment of those providers may be a part of our (pre-) contractual services, insofar the employment of third-party providers was agreed in this context. Otherwise, user data will be processed on basis of our legitimate interests (i.e., interest in efficient, economical and recipient-friendly services). In this context, we would like to refer you to the information regarding the use of cookies in this Privacy Statement.
      1. • Processed data types: Contract data (e.g., object of contract, term, customer category), usage data (e.g., websites visited, interests in content, access times).
      2. • Affected persons: Users (e.g., website visitors, users of online services), business- and contract partners.
      3. • Processing purpose: Contractual services, affiliate monitoring.
      4. • Legal foundation: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), contract fulfilment and pre-contractual queries (Art. 6 Para. 1 S. 1 lit. b. GDPR), legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).
  12. Review platforms/customer feedback

    1. 12.1. We participate in assessment procedures to evaluate, optimize and advertise our services. When users evaluate us through the involved review platforms and procedures, or give feedback in other ways, the T&Cs, terms of use and data protection information of the respective operator apply additionally. Usually, a review or evaluation requires registration with the respective provider.
    2. 12.2. To ensure that the person leaving an evaluation has actually employed our services, and with the customer’s consent, we transmit the data required for this purpose, regarding the customer and the service employed, to the respective review platform (including name, email address, and order- or article number). This data will be exclusively used to verify the user’s authenticity.
      1. • Processed data types: Contract data (e.g., object of contract, term, customer category), usage data (e.g., websites visited, interests in content, access times), meta/communication data (e.g., device information, IP addresses).
      2. • Affected persons: Customers, users (e.g., website visitors, users of online services).
      3. • Processing purpose: Feedback (e.g., recording of feedback via online forms), range measurement (e.g., access statistics, recognition of repeat visitors), visit activity evaluation, interest-based and behaviour-related marketing, profiling (creation of user profiles).
      4. • Legal foundation: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).
        1. 12.3. Services and service providers employed:
          1. (a) Trustpilot: Evaluation and widget; service provider: Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark; website:; privacy policy:
  13. Rights of the affected persons:

    1. 13.1. Regarding the processing of your personal data, you have numerous rights, particularly the rights to disclosure about the personal data stored by us (Art. 15 GDPR), correction (Art. 16 GDPR), deletion (Art. 17 GDPR), processing restriction (Art. 18 GDPR), data portability (Art. 20 GDPR) und objection to processing (Art. 21 GDPR), especially in case of direct marketing.
    2. 13.2. In this context, please get in touch with us using the contact options listed in the imprint or directly with our data protection officer.
    3. 13.3. Furthermore, the right of appeal with the responsible data protection authority exists (Art. 77 GDPR), to which we particularly refer. The data protection authority responsible for our company can be reached under the following contact information:
      Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
      (The Hessian Officer for Data Protection and Freedom of Information)
      Postbox 3163
      65021 Wiesbaden
      Telephone: +49 611 1408 – 0
      Please refer to the contact options listed in the imprint.
    4. 13.4. Further information regarding data processing during the utilization of our product “GetMyInvoices” can be found – apart from the privacy statement on our homepage – in the order processing contract you signed with us, as well as on basis of the contract processing relationship within the framework of the instructions given to us by you.
    5. 13.5. For any queries beyond this point regarding the processing of your personal data in a given individual case, please contact us or our company’s data protection officer under the contact details given above; we will be delighted to furnish you with more information!

Kassel, 13 June 2023