KlaroFin LogoKlaroFin.
LoginGet Started Free
Back

Privacy Policy

Last updated: June 2026

§ 1 Controller

The controller for the processing of personal data in connection with the KlaroFin application is:

Kay Maik Fotografie Kay Maikowske Tönisberger Str. 33 47509 Rheurdt, Germany Phone: +49 176 42939687 E-mail: info@kaymaikfotografie.de

A data protection officer is not required by law.

§ 2 General information & legal bases

KlaroFin is a web-based finance and accounting application (invoices, offers, dunning, expenses, household budgeting, taxes, among others). We process your personal data solely to provide these functions.

Legal bases are the performance of the user contract (Art. 6(1)(b) GDPR), compliance with legal obligations (lit. c, e.g. tax retention), your consent (lit. a, e.g. for optional integrations) and our legitimate interests in secure, reliable operation and abuse prevention (lit. f).

§ 3 Your rights

As a data subject you have the following rights:

  • Access to the data stored about you (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR), unless retention obligations apply
  • Restriction of processing (Art. 18 GDPR)
  • Data portability in a common, machine-readable format (Art. 20 GDPR)
  • Objection to processing based on legitimate interests (Art. 21 GDPR)
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR)

§ 4 Hosting & infrastructure (processors)

To provide KlaroFin we use the following service providers as processors (Art. 28 GDPR):

  • Supabase, Inc. — database, authentication and server functions. Data location: EU (West EU region, Ireland).
  • Cloudflare, Inc. — storage of uploaded files (company logos, receipts, documents) via Cloudflare R2; data localization EU.
  • Google Ireland Ltd. / Google LLC (Firebase Hosting) — delivery of the application; technical access data is generated (see § 5).

§ 5 Server log files

When the application is accessed, technical access data transmitted by your browser is automatically collected (server log files). The purpose of this processing is the technically secure and stable operation of the application as well as the detection and prevention of misuse and attacks; the legal basis is our legitimate interest therein (Art. 6(1)(f) GDPR). The application is delivered via Firebase Hosting (Google Ireland Ltd. / Google LLC), during which this access data is generated. The log data is deleted as soon as it is no longer required for the stated purposes, at the latest after 30 days. In detail, the following is processed:

  • IP address
  • Browser type and version
  • Operating system used
  • Referrer URL
  • Date and time of access

§ 6 Registration & user account

To use the service you create an account. We process your e-mail address, your password (encrypted only) and optionally company name, address, VAT ID, tax number and bank details. Legal basis: Art. 6(1)(b) GDPR.

To prevent repeated abuse of the free trial, we additionally store a cryptographic hash (SHA-256) of your e-mail address (Art. 6(1)(f) GDPR). Deviating from the general deletion period (§ 15), this hash is stored for up to 24 months for abuse prevention and then automatically deleted, provided it can no longer be assigned to an existing account.

§ 7 Your content data in the application

In KlaroFin you process your own business data, which may include personal data of third parties (e.g. your customers). In particular, the following are processed:

  • Company data (company name, address, tax number, VAT ID)
  • Customer/contact data (name, address, VAT ID, contact details)
  • Invoice, offer and dunning data
  • Expenses, income and uploaded receipts/documents

§ 7a Feedback and roadmap board

You may optionally use our feedback/roadmap board (feature requests, bug reports, comments, votes). Posts, comments and attachments you create there are visible to all signed-in users. Please do not enter any confidential information or personal data of third parties there. The legal basis is our legitimate interest in improving the service (Art. 6(1)(f) GDPR); contributions are deleted as soon as they are no longer required for this purpose or when you delete your account.

§ 8 AI-assisted data recognition (optional)

If you use optional AI features, we transmit the respective input to Google Cloud Vertex AI (Gemini model), provided by Google Ireland Ltd. / Google LLC, for automatic extraction. Processing takes place in the EU region europe-west4 (Netherlands). The data is used only for extraction or structuring. Legal basis: Art. 6(1)(b) and (f) GDPR.

This concerns in particular: "analyze/scan receipt" (contents of the uploaded receipt, e.g. merchant name, amounts, addresses, VAT ID), contact recognition (entered or scanned contact data such as name, address, contact details, possibly VAT ID) and appointment/calendar parsing (appointment text and any names contained therein).

§ 9 Payment processing

Paid subscriptions are processed via Stripe Payments Europe, Ltd. (Ireland). We process your e-mail address, a customer identifier and the payment status. Payment data (e.g. card number) is entered directly with Stripe; we do not receive it.

More information: https://stripe.com/privacy

§ 10 Google Calendar & Google sign-in (optional)

If calendar synchronization or "sign in with Google" is enabled, we process data from your Google account (e.g. appointments, attendee e-mail addresses, profile and login data) via Google services. The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time by disconnecting.

The access tokens stored for this purpose are kept protected and are not accessible to the application itself in plain text.

§ 11 Stock and market data (portfolio tool, optional)

In the optional portfolio tool we retrieve price data via Finnhub or Yahoo Finance (providers based in the USA). The retrieval is performed server-side; neither personal data nor your IP address is transmitted, only security identifiers (e.g. ISIN/ticker).

§ 12 Cookies & local storage

We use only technically necessary cookies and local storage techniques — in particular for login/session management and for the offline function as an installable app (Progressive Web App / Service Worker). No consent is required for this (Art. 6(1)(f) GDPR, Sec. 25(2) TDDDG).

We do not use tracking or analytics tools (e.g. Google Analytics, Meta Pixel).

§ 13 Transfer to third countries

Your account, content and receipt data is stored within the EU. With the optional Google services (calendar synchronization, sign in with Google) and the delivery via Firebase Hosting, processing may also take place in the USA. In the optional portfolio tool, price data is retrieved from Finnhub/Yahoo Finance (USA); only security identifiers and no personal data are transmitted (see § 11).

Where no adequacy decision applies, the transfer is based on the EU Standard Contractual Clauses or a certification under the EU-US Data Privacy Framework. Access by US authorities cannot be ruled out.

§ 14 Order processing

Insofar as you process personal data of third parties in KlaroFin (see § 7), you are the controller and we act on your behalf. We provide you with a data processing agreement (DPA) pursuant to Art. 28 GDPR, which becomes part of the terms of use upon conclusion of the contract and governs, among other things, the sub-processors used and the technical and organizational measures.

§ 15 Storage duration & deletion

We store your data for as long as your account exists. After termination, your data is deleted within 30 days, unless otherwise stipulated below or in § 6 (e-mail hash for abuse prevention).

Excepted are documents subject to statutory retention obligations — in particular invoices, which must be retained for 10 years pursuant to Sec. 147 AO / Sec. 14b UStG. These are kept locked until the end of the period and then deleted.

§ 16 Data security

Your data is transmitted encrypted via TLS/HTTPS. Access to your data is secured by tenant-separated access rules at the database level (Row Level Security); sensitive access tokens are stored protected.

§ 17 Minors

The offer is aimed exclusively at entrepreneurs within the meaning of § 14 BGB. Persons under 18 may not use the service.

§ 18 Changes to this privacy policy

We adapt this privacy policy if the legal situation or our processing activities change. The version published on this page applies.

§ 19 Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen Kavalleriestraße 2-4 40213 Düsseldorf, Germany