GDPR Compliance

Last updated: February 19, 2026

Our Commitment to GDPR

BillKoala is fully committed to compliance with the EU General Data Protection Regulation (GDPR). As an Austrian company processing financial data, we take data protection seriously and have implemented comprehensive measures to protect your personal data.

Data Controller

BillKoala acts as the data controller for personal data collected through our website and services. For data processed on behalf of our users (e.g., invoice recipient data), BillKoala acts as a data processor. We provide a Data Processing Agreement (DPA) to all business customers upon request.

Legal Basis for Processing

We process personal data based on the following legal grounds:
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide our services
- Legitimate interests (Art. 6(1)(f) GDPR): service improvement, fraud prevention, security
- Legal obligation (Art. 6(1)(c) GDPR): tax reporting, GoBD compliance
- Consent (Art. 6(1)(a) GDPR): marketing communications, optional analytics

Data Processing Activities

We process the following categories of personal data:
- Identity data: name, company name, tax identification numbers
- Contact data: email address, phone number, billing address
- Financial data: invoice amounts, payment status, bank details (encrypted)
- Technical data: IP address, browser type, device information
- Communication data: chat messages, email content related to invoicing

International Data Transfers

All primary data processing occurs within the European Union. Our servers are located in Germany and Austria (Google Cloud EU regions). Where data transfer outside the EU is necessary (e.g., Telegram integration), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions.

Your Rights Under GDPR

As a data subject, you have the following rights:
- Right of access (Art. 15): request a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion of your data
- Right to restriction (Art. 18): limit how we process your data
- Right to data portability (Art. 20): receive your data in a portable format
- Right to object (Art. 21): object to data processing
- Right not to be subject to automated decisions (Art. 22)

You can exercise these rights by contacting privacy@billkoala.com. We will respond within 30 days.

Data Protection Officer

For any questions or concerns regarding data protection, please contact our Data Protection Officer:
Email: dpo@billkoala.com
Address: Vienna, Austria

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.

Supervisory Authority

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for BillKoala is:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42, 1030 Vienna, Austria
dsb@dsb.gv.at

GoBD Compliance

In addition to GDPR, BillKoala complies with the German GoBD (Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form) requirements for electronic bookkeeping and invoice storage. This includes immutable audit trails, proper archiving of invoice documents, and retention periods as required by tax law.