Not legal advice. This page is a templated baseline aligned with DSGVO + BDSG-neu. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.
1. Who we are
Oris Invoice is operated by ORIS Intelligence Pvt Ltd ("we", "us", or "Oris"). For users resident in Germany, this Privacy Policy is governed by DSGVO (Datenschutz-Grundverordnung / GDPR) + BDSG-neu (Bundesdatenschutzgesetz). The competent supervisory authority depends on your federal state — we cooperate with whichever Landesdatenschutzbeauftragte applies to you (HmbBfDI for Hamburg, BlnBDI for Berlin, BayLDA for Bavaria, etc.).
2. What personal data we collect
We collect: account identifiers (Name, E-Mail, Telefon), organisation tax registration data (USt-IdNr., Steuernummer, Handelsregister-Nummer), invoice and customer master data you input, payment transaction metadata, and standard system telemetry (IP, device, timestamps). We do not collect special-category or sensitive personal data (Art. 9 DSGVO) unless you choose to upload it within an invoice description.
3. Lawful basis and purpose
We process personal data on the basis of (a) Art. 6(1)(b) DSGVO — Vertragserfüllung, to deliver the invoicing service you subscribed to; (b) Art. 6(1)(c) DSGVO — Rechtspflicht, to comply with §§ 14, 14a UStG, § 147 AO, and DSGVO record-keeping rules; (c) Art. 6(1)(f) DSGVO — Berechtigtes Interesse, to secure the service and prevent abuse; and (d) Art. 6(1)(a) DSGVO — Einwilligung, for non-essential analytics and marketing communications, which you may withdraw at any time.
4. Sub-processors and international transfers
We rely on a vetted list of Auftragsverarbeiter (cloud hosting, email delivery, payment gateways, anti-fraud, error monitoring). The current list is available on request. For users resident in Germany, primary data hosting is in eu-central-1 (Frankfurt). Cross-border transfers, where required, rely on Adequacy Decisions of the European Commission or on EU Standard Contractual Clauses (SCCs) plus Transfer Impact Assessments per Schrems II.
5. Retention
We retain account and invoice data for the longer of (a) the duration of your subscription plus 30 days, or (b) the statutory retention period applicable to invoices in Germany (§ 147 AO: 10 years from the end of the calendar year in which the invoice was issued, plus § 257 HGB for accounting records). Audit logs are retained for the same period on an INSERT-only basis. Backups are retained for 35 days.
6. Your rights (DSGVO Art. 15–22)
Under DSGVO + BDSG you may have the right to: access (Art. 15), rectify (Art. 16), erase (Art. 17, subject to statutory retention overrides), restrict (Art. 18) or object to processing (Art. 21), receive your data in a portable format (Art. 20), and lodge a complaint with the supervisory authority (Art. 77). Submit any rights request to privacy@orisinvoice.com — we respond within 30 calendar days. Withdrawing consent does not affect the lawfulness of processing prior to the withdrawal.
7. Security
Data at rest is encrypted with AES-256-GCM. Bank account numbers, USt-IdNr., customer tax IDs, and other sensitive fields are individually encrypted at the column level with KMS-managed keys. Access is governed by PostgreSQL Row-Level Security keyed on the org context. Audit logs are append-only. We maintain SOC 2 Type II controls and an ISO 27001-aligned ISMS, plus an in-progress BSI C5 attestation track.
8. Cookies and analytics
We use a minimal set of essential cookies for authentication and session integrity. Optional analytics cookies are disabled by default and require your explicit consent (TTDSG § 25 / DSGVO Art. 6(1)(a)). We do not use cross-site tracking pixels or sell user data to advertising networks.
9. Children's data
Oris Invoice is a B2B service not directed at individuals under 16 (the age of digital consent under DSGVO + § 8 BDSG-neu). We do not knowingly collect personal data from children. If you believe a child has submitted personal data through our service, contact us at privacy@orisinvoice.com and we will delete it.
10. Contact and updates
Privacy queries: privacy@orisinvoice.com. Datenschutzbeauftragter (DPO): dpo@orisinvoice.com. We post material changes to this Policy 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the revised Policy.