Privacy Policy of the E-Invoicing Service

Date of last update: March 2, 2026

This privacy policy describes how personal data is processed when you use the Codebarista E-Invoicing Service to generate e-invoices.

This is a courtesy translation of the German privacy policy. In the event of any discrepancy, the German version shall prevail.

The protection of your data and the data of your customers is very important to us! In accordance with the General Data Protection Regulation (GDPR), we only process data that is necessary for providing the E-Invoicing Service.

Who is responsible?

The controller responsible for data processing is:

Codebarista Softwareentwicklung Winkler und Steuer GbR
Hanselmannstraße 32
80809 München, Germany

If you have any questions regarding the processing of your data or the exercise of your rights, you can contact us at any time by email: info@codebarista.de

How does data processing work with the E-Invoicing Service?

A system integration (e.g. the Codebarista E-Invoicing Plugin) transmits the invoice data from your system to our service when generating an e-invoice. The service processes the data and generates an e-invoice, which is then returned to your system. Communication between your system and our service is encrypted (HTTPS).

As the operator of your system, you are responsible for your customers' data (data controller within the meaning of the GDPR). We process this data exclusively for the purpose of generating e-invoices on your behalf (processing as a data processor pursuant to Art. 28 GDPR).

The transmitted invoice data is not used for our own independent commercial or analytical purposes. Processing of data for error analysis, error resolution, and technical development of the E-Invoicing Service within the scope of contract performance remains unaffected.

When is which personal data processed?

When using the E-Invoicing Service, the following information is automatically sent to our server and stored in a log file:

  • IP address of the requesting system,
  • Date and time of access,
  • Your license key.

When generating an e-invoice, the invoice data is transmitted to our service for processing. This data includes in particular:

  • Invoice number, invoice date, and other invoice metadata,
  • Line items with article descriptions, quantities, prices, and tax information,
  • Name and address of the invoice recipient (i.e. your customer),
  • VAT identification number of the invoice recipient, if applicable,
  • Name and address of the invoice issuer (i.e. your company data).

The invoice data is processed for the generation of the e-invoice and is not permanently stored after processing is complete. Temporary storage as part of technical processing and logging is subject to the retention period stated below. During operation of the service, request data is logged to ensure system security, detect and resolve errors, and prevent misuse. This log data is automatically deleted after a retention period of 30 days.

When concluding the contract for the E-Invoicing Service, the following data is stored by us:

  • Contact email address,
  • Company name to which the license key is bound,
  • Where applicable, additional contact details such as name, address, and phone number,
  • Where applicable, data required for invoicing.

Purpose of data processing

The personal data described above is processed by us for the following purposes:

  • Processing invoice data for generating e-invoices,
  • Verification of the license key to authenticate requests,
  • Quality assurance, error detection and resolution,
  • Ensuring smooth operation of the E-Invoicing Service,
  • Monitoring and evaluating system security and stability, as well as
  • for other administrative purposes in connection with the performance of the contract.

Furthermore, we need this data to assert our rights and fulfill legal obligations.

Legal bases for processing

The processing of the above-mentioned data is carried out on the basis of the following legal grounds:

  • Art. 6 para. 1 lit. b GDPR (performance of a contract), insofar as the processing is necessary for the provision of the E-Invoicing Service and for the performance of the contractual relationship.
  • Art. 6 para. 1 lit. f GDPR (legitimate interest), insofar as the processing serves to ensure IT security, prevent misuse, analyze errors, and ensure the stability and integrity of our systems.

Our legitimate interest lies in the secure, stable, and efficient provision of our E-Invoicing Service.

Storage period

The data automatically collected in log files during use of the E-Invoicing Service will be deleted no later than thirty (30) days.

Data associated with the E-Invoicing Service account (registration data) will be stored until the contractual relationship is terminated.

The provision of the aforementioned data is contractually required. Without this data, the E-Invoicing Service cannot be used.

Third-Party Services

To provide you with the E-Invoicing Service, we use third-party services.

Hosting provider: Hetzner

For operating the backend application.

Service Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Website: https://www.hetzner.com
Privacy Policy: https://www.hetzner.com/legal/privacy-policy/

A data processing agreement pursuant to Art. 28 GDPR has been concluded with this service provider.

Personal data is not transferred to countries outside the European Union or the European Economic Area.

What rights do you have?

You can assert your right to information (Art. 15 GDPR), right to correction (Art. 16 GDPR), right to deletion (Art. 17 GDPR), and right to restriction of processing (Art. 18 GDPR) at any time in writing via email, provided the respective legal conditions are met.

You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and, if necessary, transmit it to third parties (Art. 20 GDPR).

You have the right to object to the processing (Art. 21 GDPR) for certain processing purposes, especially for advertising purposes. If we process your data based on a balancing of interests (according to Art. 6 para. 1 lit. f GDPR), you have the right to object to this processing at any time for reasons arising from your particular situation.

You have the right to lodge a complaint with the competent data protection supervisory authority at any time (Art. 77 GDPR).

Automated decision-making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

Changes to the Privacy Policy

If there are changes to laws, the E-Invoicing Service, or the website, we reserve the right to adjust this privacy policy.