Privacy Policy

1. Data Controller

Krone Baustein e.K.
Eschenstieg 1, 20259 Hamburg, Germany
Email: [email protected]
Phone: +49 1525 176 4288

We have not appointed a Data Protection Officer as we are not required to do so (§ 38 BDSG).

2. Collection and Processing of Personal Data

We process personal data only to the extent necessary for providing our SaaS platform BauFin. Legal bases are Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interest) and Art. 6(1)(a) GDPR (consent).

During registration we collect: name, email address, company name, address and phone number. This data is required for contract performance.

When using the platform, we process the business data you enter (customers, invoices, orders, expenses etc.). This data remains in your tenant area and is not accessible to other users.

3. Payment Processing

We use the following service providers for payment processing:

Revolut Bank UAB, Konstitucijos ave. 21B, LT-08130 Vilnius, Lithuania. Revolut processes your payment data (card number, expiry date) as an independent data controller. Privacy policy: https://www.revolut.com/legal/privacy

PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal processes your payment data as an independent data controller. Privacy policy: https://www.paypal.com/privacy

We do not store credit card numbers or bank details ourselves. We only receive payment confirmation from the payment providers.

4. Hosting and Technical Providers

Our platform is hosted on servers in Germany. Data does not leave the European Economic Area.

We use Cloudflare Inc. as a Content Delivery Network and DDoS protection. Cloudflare processes technical connection data (IP address, browser type) as a data processor based on Standard Contractual Clauses (SCC). Privacy policy: https://www.cloudflare.com/privacypolicy/

5. Cookies and Local Storage

We only use technically necessary cookies and localStorage entries for authentication (session token) and language settings. No tracking cookies or analytics tools are used.

Cloudflare Turnstile is used for bot detection during registration and login. This serves the legitimate interest of protection against automated attacks (Art. 6(1)(f) GDPR).

6. Storage Duration and Deletion

Your data is stored for the duration of the contractual relationship. After cancellation or expiry of the trial period, your data will be completely and irreversibly deleted within 35 days, unless statutory retention obligations exist.

You can delete your account at any time (Settings → Profile → Delete account). Deletion is immediate and irreversible.

Statutory retention obligations: invoices and accounting documents are retained for 10 years in accordance with § 147 AO and § 257 HGB.

7. Your Rights

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR) — you may request information about your stored data.
  • Right to rectification (Art. 16 GDPR) — you may request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — you may request deletion of your data.
  • Right to restriction (Art. 18 GDPR) — you may request restriction of processing.
  • Right to data portability (Art. 20 GDPR) — you may receive your data in a common format.
  • Right to object (Art. 21 GDPR) — you may object to processing.

To exercise your rights, contact: [email protected]

You have the right to lodge a complaint with a supervisory authority. The competent authority is the Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg.

8. Data Security

We implement technical and organisational measures to protect your data: encrypted transmission, access control, regular data backups and hardened server configuration.

Your data is completely isolated from other users' data. Cross-company data access is technically excluded.

9. Automated Data Export (Datenexport Pro)

BauFin offers an optional, paid add-on service called "Datenexport Pro". This service creates a complete copy of your business data daily in a machine-readable format (JSON in ZIP) and makes it available for download.

Purpose of processing: Implementation of your right to data portability (Art. 20 GDPR) in the form of a proactive service. You receive your data regularly in a structured, commonly used and machine-readable format.

Scope of exported data: All business data stored in your tenant area (customers, invoices, orders, expenses, quotes, projects, time tracking, mileage log, tax documents, settings) as well as uploaded media (receipts, photos, documents).

Storage location: Export files are stored in encrypted form on Backblaze B2 (data centre Amsterdam, Netherlands, European Economic Area). Encryption is performed server-side.

Backblaze Inc. is a US company based in San Mateo, California. Data processing takes place exclusively in the EU data centre in Amsterdam. The basis for data transfer is a Data Processing Addendum (DPA) with Backblaze Inc. including EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR. Backblaze privacy policy: https://www.backblaze.com/company/privacy.html

Retention period: Export files are stored on Backblaze B2 for 30 days and then automatically deleted. Exports from the last 7 days are available for download in the user panel.

Delivery: You receive an email notification with a personalised download link. The link is limited in time and number of downloads. Each download is logged for audit purposes.

Legal basis: Art. 6(1)(b) GDPR (contract performance — the service is part of the booked scope of services).

You can cancel the service at any time via the platform (Settings → Subscription). After cancellation, remaining export files will be deleted after the 30-day retention period expires.

10. Right to Data Portability (Art. 20 GDPR)

Regardless of the "Datenexport Pro" service, you have the right at any time to receive your data in a structured, commonly used and machine-readable format. BauFin provides you with the free "Data Copy" function (Settings → Data Copy) for this purpose, through which you can download a complete copy of your data as a ZIP file at any time.

The difference from the paid "Datenexport Pro" service is that the latter automatically performs the export daily, stores the data on external storage (Backblaze B2) and notifies you by email. The free function requires a manual download by the user.

11. Data Processing

BauFin processes your business data on your behalf (data processing pursuant to Art. 28 GDPR). We provide you with a Data Processing Agreement (DPA) including technical and organisational measures (TOM) and a list of sub-processors.

These documents are available after login in your user account under Settings → Profile → Legal Documents.

© 2026 BauFin. All rights reserved.