Subscription terms for using Debitoor

Including privacy policy and Data Processing Agreement.

The following Terms & Conditions and Privacy Policy apply from the 25th May 2018 onwards and replace all previous Terms & Conditions and Privacy Policy.


1. Subject and scope of these Terms

(1) These terms and conditions govern the rights and obligations in connection with the use of the services of the provider Debitoor UK Ltd, 1st Floor Healthaid House, Marlborough Hill, Harrow, Middlesex, HA1 1UD, United Kingdom (hereafter: service provider), and the user in connection with the use of the service, which is generally made accessible on the Internet on the debitoor websites or other URLs of the service provider.

(2) The service of the provider consists essentially in the granting of the possibility of using the service via the Internet on servers that are within the sphere of influence of the service provider, to which the user, as far as this is required, receives access and usage rights. When using the Software as a Service (SaaS), the user will be able to enter data and use different functions. The services of Debitoor include - but are not limited to - the website, the Debitoor application, mobile applications, blog, news mail, forum and help section.

(3) A condition for the trouble-free use of the service is a reliable continuous Internet connection up to the servers of the service provider. It is up to the customer to establish this connection with the help of his device.

(4) Only the terms and conditions of the service provider apply. Conflicting or differing terms and conditions provided by the user are not recognized by the service provider, unless their validity was explicitly agreed in writing. In case of conflicting terms the present terms and conditions will still apply.

(5) If the term "the website of the service provider" is used hereafter, this refers to the website or the websites of the service provider, under which the service is made generally accessible by the service provider on the Internet within the meaning of Paragraph 1.


2. Conclusion of contract

(1) Unless otherwise explicitly agreed individually, a contract is only concluded upon successful completion of the registration process by a confirmation of the service provider to the user in text form via email or the provision of the service.

(2) The user has the opportunity to print the text of the contract from the website during the registration process and before concluding the contract.

(3) There is no entitlement of the user to conclude a contract. The service provider is free to reject any offer by a user to conclude a contract without giving any reason.

(4) By signing up for the services provided under any of the Debitoor websites, you accept and agree to the Subscription Terms (“the Terms”) as outlined below, including your consent to the processing and sharing of your personal data as required to provide the Debitoor service to you, and always in compliance with all Data Protection legislation.

(5) Acceptance of additional communications from only the Debitoor Group of Companies, that being SumUp S.A.R.L., is not required to begin your subscription, but is recommended for the best possible experience. Information which is distributed in such communications is business related.

(6) In order to use our services, you must completely accept the Privacy Policy along with the Terms & Conditions. You agree that you have read and understood the Terms & Conditions, and the Privacy Policy upon acceptance.

(7) Prerequisite for the registration is that the user is fully legally competent, has a minimum age of 18 years, and is an entrepreneur, freelancer, or business owner and uses the services exclusively for business use. Minors are prohibited from registering. In the case of a legal entity, the registration must be carried out by a natural person who has unlimited legal capacity and is authorized to represent.

(8) In the event that a company performs bookkeeping for third-parties on behalf of the contractor and the third-party is specified as contracting party, the accounting firm is obliged to inform the third-party in advance about the terms and conditions and subscribe only with the consent and power of representation. If this does not happen, it entitles the service provider to terminate the contract extraordinarily.


3. Services of the service provider

(1) The service provider provides users with various accounting and invoicing services.

(2) The content and scope of the services are governed by the respective contractual agreements, moreover exclusively according to the functionalities of the service described on conclusion of the contract on the website of the service provider.

(3) The service provider may offer test versions in the form of test access. During the specified test period, the use of the service is free. If the user wishes to continue using the services after the end of the trial period, a chargeable contract is required.

(4) The services provided by the service provider include in particular the areas of "online invoicing" and "bookkeeping", which are offered for a certain period as part of a "subscription".

(5) Only the respective user has the right to use the service. A transfer of the user account to third-parties or any other options of use offered by the user to third-parties is prohibited and entitles the service provider to extraordinary termination.


4. Duties of the users

(1) The user is obliged to provide truthful information about himself or his company, in connection with the use of the service.

(2) When using the service, the user is obliged to comply with the applicable laws and to refrain from any activity that impairs or excessively strains the operation of the service or the underlying technical infrastructure.

(3) The user is not authorized to pass on his login data to third-parties. The user is obliged to handle his login data carefully and to prevent misuse of the login data by third-parties.

(4) The user is solely responsible for complying with his retention obligations. He shall ensure that his documents and data are kept lawfully - where necessary - and that the financial authorities have the necessary access to them.


5. Notice on the right of revocation

(1) The service provider offers its services exclusively to entrepreneurs and businesses.

(2) For all intended use of the services provided by the service provider, there is no right of revocation.


6. Duration of the contract

(1) The subscription begins with the conclusion of the contract and runs indefinitely.

(2) Any test access ends automatically at the end of the respective test period. A separate notice is not required for test access.


7. Prices and terms of payment, blocking account, account deletion, and price adjustments

(1) The service provider offers its services in various free and paid variants. The agreed prices can be found in the currently valid price and payment information.

(2) Payment for a paid subscription is made monthly or annually, depending on the duration of the contract offered and chosen by the user, by credit card (Visa, Mastercard) or (SEPA) direct debit. The billing period runs for one month or one year in advance, from the date on which the user successfully registers for the paid version. The service provider reserves the right to introduce the possibility to buy subscriptions for different periods (e.g. quarterly) or to introduce related services offering other billing models (e.g. usage).

(3) The entitlement to payment of the respective user charges shall become due immediately upon receipt of the invoice and will be deducted or withdrawn from the credit card or bank account (in the countries where this is available) on a monthly or annual basis, until the termination of the subscription contract.

(4) Debitoor reserves the right to change the billing entity to a different subsidiary of the Debitoor ApS Group as required.

(5) A refund of the monthly or annual contributions in case of premature termination by the user does not take place. Upon termination of the contract, the product version can be used in full to the end of the contract period.

(6) If the monthly or yearly subscription costs cannot be debited in time from the credit card or the bank account, e.g. because of insufficient account coverage, the user's access to the invoicing and bookkeeping system is immediately blocked. Upon receipt of payment, access to the system will be released. The cost is € 20.00 per rejected charge and will be charged to the user. The user must then transfer the total amount to the bank account of the service provider within 4 working days.

(7) If the account is deleted by the user before the end of the contract, the account will be inaccessible immediately after deletion. In this case, and even if a new account is created, any remaining maturities cannot be refunded or credited to a new account. The non-repayment of residual amounts shall also apply in the case of a lawful extraordinary termination by the service provider for non-contractual use of the services.

(8) The user agrees that email (using an email address provided by the user) will be used as a means of sending invoices and payment reminders.

(9) The service provider is entitled to change the agreed fees at its reasonable discretion. Such a price change is only permitted once per calendar year and must be announced at least four weeks before it becomes effective in text form. The user can terminate this user agreement within one month after receipt of the notification of change, with effect from the time at which the increase in fees is to take effect.


8. Termination of the contract

(1) The user can test the paid subscription for free for a period of time defined by the service provider. There is no need for a separate termination notice. If the user has not submitted any payment information after expiry of the test period, no further obligations or costs will be incurred for the user.

(2) The subscription can be terminated by users without a period of notice at the end of the respective month or year (or other billing periods), depending on which duration the user has chosen. The cancellation can be done in "Settings > Plans and Prices > Please cancel my subscription". If this is not possible or reasonable for the user, the termination can alternatively be declared in text form via email to the service provider.

(3) In some cases, the user may choose between an annual and a monthly subscription. If the user wishes to switch from a monthly subscription to an annual subscription, this is possible with effect from the first day of the next billing month. The subscription will then automatically be extended by one year and the annual amount is due immediately upon receipt of the invoice. The annual subscription can be canceled until the last day of the current subscription year. The same applies to the change from a monthly or annual subscription to another monthly or annual subscription. If the user switches from an annual subscription to a monthly subscription, this is possible until the last day of the subscription year and with effect from the first day of the next subscription year, if there is an option for a monthly subscription. The subscription will then continue to run automatically on a monthly basis. A similar mechanism will be valid if the service provider introduces a different billing period.

(4) The right of each party to extraordinary termination remains unaffected.

(5) Debitoor reserves the right to delete Customer data after termination of the contract regardless of the reason for termination, and Debitoor is not obligated to store any Customer data after such time. Debitoor retains only the data required for the minimum period to comply with relevant legal requirements following termination of the subscription.

(6) Debitoor ensures that it acts in accordance with the General Data Protection Regulation (GDPR) and all data protection legislative requirements at all times.


9. Warranty and availability of services

(1) The Application and the service are provided “as is” and Debitoor expressly disclaims any further representations, warranties, conditions or other terms, express or implied, by statute, collaterally or otherwise, including but not limited to implied warranties, conditions or other terms of satisfactory quality, fitting for a particular purpose or reasonable care and skill.

(2) Debitoor is entitled to make operational changes to the System for improvements or otherwise (for example by developing or replacing technical equipment, maintenance or updating software) without giving the Customer prior notice. In some circumstances, it may be necessary to suspend access to the System, usually between 21:00 and 06:00 CET. Notice of such a suspension will be given to the Customer in advance if possible. Debitoor will not be responsible for any consequences of such a suspension.

(3) The service provider assumes no responsibility for the functionality of the connection to its servers, in the event of power failures and failures of servers that are not within its sphere of influence.


10. Rights of use

(1) The service provider grants the user for the duration of this contract a simple, spatially unrestricted, non-transferable, non-sublicensable and personal right to use the Debitoor software used by the service provider for the provision of its services as intended in accordance with these General Terms & Conditions.

(2) The user is entitled to access the software operated on the service provider's IT systems in order to process his data.

(3) The user may use the processing software only for his own business purposes and only by his own personnel.

(4) No intellectual property rights are assigned to the Customer. Individually customised software relating to the System also remains the property of Debitoor unless otherwise stipulated.

(5) In relation to any and all material uploaded by the Customer and any and all Customer data, the Customer grants to Debitoor, its suppliers and sub-contractors, a non-exclusive worldwide irrevocable licence to provide the Application and any required related services to the Customer. The Customer represents and warrants that no uploaded material or Customer data will infringe third-party rights or intellectual property rights and will not contain any material that is obscene, offensive, inappropriate or in breach of any applicable law.

(6) Debitoor is entitled to assign its rights and obligations vis-à-vis the Customer to a group company or to a third-party. If the Customer agrees to the enhancement of the relationship by permitting marketing services, these materials will relate only to entities related to SumUp S.A.R.L. Group Companies.

(7) The Customer accepts that Debitoor is entitled to use sub-contractors in all matters, including for the implementation and operation of the Application and the storage of Customer data.

(8) The service provider is not obliged to provide the user with the source code of the software.

(9) The Application and any information provided by it, other than the Customer’s data, is protected by copyright and other intellectual property rights and is owned by or licensed to Debitoor ApS. Any development or adaptations made to such intellectual property by the Customer shall vest in Debitoor. The Customer shall notify Debitoor of any actual or suspected infringement of Debitoor’s intellectual property rights and any unauthorised use of the Application that the Customer is aware of.


11. Privacy and Customer Data

(1) The service provider shall ensure that personal data is collected, stored and processed by users only in so far as this is necessary for the performance of the contract and allowed by law, or ordered by the legislator. The service provider will treat personal data confidentially and in accordance with the provisions of applicable data protection law and will not disclose it to third-parties, unless this is necessary for the fulfillment of the contractual obligations and/or there is a legal obligation to transmit it to third-parties.

(2) In order to ensure audit-proof processing of the data, the creation, modification and deletion of data with details of the user name and the processing date are logged.

(3) The use of the service may require that the service provider process personal data on behalf of the user. For this, the conclusion of a separate Agreement for personal data processing is required. The parties agree that the Customer is the Data Controller for any data they upload to the Debitoor application and that they can amend or erase this data as required. Debitoor is at all times Data Processor, processing data on the Customer’s behalf. As an appendix to these terms, the parties will enter into a Data Processing Agreement (“DPA”).

(4) The Customer confirms that they are authorised to instruct Debitoor to process any such information and that all instructions given will be lawful.

(5) Debitoor will only process Customer data in accordance with the Customer's instructions and not for its own, unauthorised use.

(6) As between the parties, the Customer shall own any and all data it provides to Debitoor or the Application. The Application permits the Customer to export records and data held by the Application and the Customer agrees to export any and all data prior to their termination of the subscription.

(7) Debitoor shares information for data processing only as required to provide the Services to the Customer or where it is required to do so by any court or regulatory authority and in that case only to the extent necessary.

(8) If Debitoor are required to share data outside of the EEA, or with territories not pre-approved by the European Commission, we ensure full satisfaction with the level of data protection being maintained by such sub-processors. We are engaged with a contractor in Ukraine, and have agreed robust data protection and confidentiality agreements with this supplier, on par with current data protection legislative requirements.

(9) The Customer agrees that a copy of the bank certificate issued to the Customer by its bank may be stored in Debitoor’s database and an external database. The Customer also agrees that data retrieved from the Customer's bank via a bank feed is available and is stored in the System.

(10) Debitoor will keep confidential all of the Customer’s confidential information that the Customer provides to Debitoor except when such information has come into the public domain other than by breach of this clause, or where Debitoor has obtained the information from a third-party without a duty of confidence or where the information is required to be disclosed by a regulatory or government body or court of competent jurisdiction, and in that case only to the extent necessary.

(11) Debitoor shall take all necessary technical and organisational security measures to ensure safe and secure processing of any Customer data and prevent system information from being accidentally or illegally destroyed, lost or wasted, and to prevent such information from falling into the hands of any unauthorised party or from being misused or otherwise treated in a way which is contrary to Data Protection legislation. Debitoor shall comply with its obligations under all applicable data protection legislation as a data processor and takes specific guidance from the General Data Protection Regulation.

(12) In the event that data protection declarations of consent are obtained from the user as part of the use of the service provider's services, it is pointed out that these can be revoked by the user at any time.

(13) Moreover, we refer to our Privacy Policy, available at https://debitoor.com/privacy/privacy-policy.


12. Changes to services

(1) The service provider periodically adjusts its services provided on the internet at its own discretion to technological development and market needs in order to fulfill the intended use in accordance with the product description. This may change the service content, such as new or changed functionality, and adaptations to new technologies. Since these changes are in the nature of the solution, the user cannot derive any rights or claims from this.

(2) The service provider is also entitled to make new services available against payment and to cease the provision of free services. Furthermore, the service provider can add additional paid services in addition to the current paid subscriptions. When changing paid services, the service provider will pay particular attention to legitimate user interests and announce them in good time.


13. Limitation of liability

(1) Damage claims for breaches of contract and illegal action can only be executed if there is evidence for intentional gross negligence of Debitoor and/or its agents. The aforementioned disclaimer does not apply to the violation of the essential contractual obligations.

(2) Additionally, the liability of Debitoor also remains unaffected in case of personal injuries and mandatory legal provisions.

(3) For services free of charge, there shall be no liability on the part of the service provider exceeding that specified in paragraphs 1 and 2.

(4) Debitoor is not responsible for service disruptions due to force majeure, in particular during a failure or overload of global communications networks. For this reason, the customer cannot claim a reduction of his service obligation.

(5) Debitoor is not liable for the information published about its services. The sender is responsible for their accuracy, completeness and timeliness.

(6) The service provider is not liable for the loss of data insofar as the damage is due to the fact that the user has failed to fulfill his statutory retention obligations (see Section 4.4 of these general terms and conditions) and therefore the lost data cannot be restored with reasonable effort.

(7) Debitoor shall not be liable for any damages that the customer may incur due to lack of security measures in the transmission of the data.

(8) Any liability for damages is limited to the amount of the annual fee. The liability for damages, due to data loss, is limited to the amount that would have resulted with proper data protection, however, this may not exceed the annual fee.

(9) Any compensation claims of the customer expire one year after its occurrence. This limitation does not apply if Debitoor acted with gross negligence or with intent.

(10) Liability under the Product Liability Act remains unaffected.


14. Changes to the terms and conditions

(1) The service provider reserves the right to change these terms and conditions at any time with effectiveness even within the existing contractual relationships, provided that this change, taking into account the interests of the service provider, is reasonable for the user; this is particularly the case when the change is without significant legal or economic disadvantages for the user, e.g. changes in the registration process or changes in contact information.

(2) All other changes to the terms and conditions will be notified by the service provider to registered users at least 4 weeks prior to the planned entry into force of the changes. The changes will be communicated to the user via email. Unless the user objects within 4 weeks from receipt of the notice, the usage agreement will continue upon entry into force of the changes with the changed terms and conditions. In the change notification, the service provider will inform the user of his right of opposition and of the consequences of an objection. In the event of an objection, the service provider has the right to terminate the contractual relationship with the user at the planned entry into force of the changes.


15. Final provisions

(1) These Terms and Conditions shall be governed by and construed in accordance with the laws of the United Kingdom, and the Courts of the United Kingdom shall have exclusive jurisdiction to determine any dispute concerning these Terms and/or their subject matter.

(2) If the user is a merchant, legal entity under public law or special fund under public law, the registered office of the service provider is the exclusive place of jurisdiction for all disputes arising from the contractual relationship.

(3) Should individual provisions of these Terms and Conditions be or become ineffective, this shall not affect the validity of the remaining provisions.


Privacy Policy

Data protection and data security have first priority for Debitoor. We process and use personal data only to the extent necessary in order to provide our services. We kindly ask you to carefully read our Terms & Conditions, our data privacy statement, and the Data Processing Agreement (“DPA”) which form part of our agreement with you.

Data privacy statement

We, Debitoor UK Ltd, 1st Floor Healthaid House, Marlborough Hill, Harrow, Middlesex, HA1 1UD, United Kingdom are the operator of the website debitoor.de as well as the service provider of the Debitoor iOS and Android App, including the other services that are provided via the websites (e.g. app.debitoor.com) and the Debitoor App. We are responsible for the collection, processing, and use of personal data according to all Data Protection legislation, specifically the General Data Protection Regulation (“GDPR”).

You, the Customer, are the Data Controller and Debitoor, the Service Provider, is the Data Processor on your behalf. We only use your data under consideration of the relevant data protection legislation. Debitoor also have an appointed Data Protection Officer (“DPO”) who can be contacted by letter or by email to [email protected].

With this data privacy statement we want to inform you which of your personal data is collected and saved when you visit our website or use our website offered services. Furthermore, you will receive information about how we use your data and which rights you have regarding the use of your data. This data privacy statement also applies for the access and use of the Debitoor App as well as the other available services.

1. Data security

In order to protect your data, all the data you provide us with is encrypted according to the security standard TLS (Transport Layer Security). TLS is a secure and tested standard, that is used, for instance, for online banking. You can recognize the secure TLS connection, for example from the “s” after the “http” in the URL shown in your browser (thus https://..), or from the lock symbol depicted in the browser tab.

We also take suitable technical and organisational security measures, in order to protect your data against random or deliberate manipulations, partial or complete losses, destruction and/or against unauthorized access. In order to avoid loss of data, we run a mirrored database setup which means that your data is always stored in two separate locations. Additionally, we update and store the data every hour in an off-site backup, and in line with high risk analysis we continuously run safety tests on our infrastructure. Your password is stored through a safe encrypted process. We will never ask you for your password, neither via email nor over the phone. If you happen to forget your password, we can reset it for you. Our security measures are continuously improved according to the technological development.

The personal data that we collect is stored in a secure environment within the EU, and treated confidentially. Access to this data is limited to selected Debitoor Group employees and suppliers. We adhere to Data Protection legislative requirements at all times.

We do our utmost to secure your data in the best possible way, but we cannot guarantee the safety of your data when transferred over the Internet. When data is transferred over the Internet, there is a certain risk that others can access the data illicitly. In other words, the safety of your data transfer is your own responsibility as the Data Controller.

2. Collection and storage of personal data, and nature and purpose of its use

a) If you visit our website

You can visit the Debitoor website without disclosing your identity. Your browser only sends automatically collected information to the servers of our website. This information is temporarily stored in a so-called log file. This is the information which is automatically collected and stored until the automatic deletion:

  • IP address of the requesting computer
  • Date and time of the access
  • Name and URL of the accessed data
  • Website, from which the access came (Referrer-URL),
  • Browser in use, and if necessary, the operating system of your computer as well as the name of your access provider

This data is collected and processed for the purpose of making our website use (connection establishment) possible, for the purpose of guaranteeing the security and stability of our system, as well as for the purpose of technical administration of the network infrastructure. We do not draw any conclusions about you as a person.

Furthermore, we use cookies as well as Web analytic and marketing tools. You can find more information on this topic in paragraphs 3 to 5.

b) If you register for our online services

On our website we offer services for online invoicing and accounting. In order to use these services, you have to first register. When you register, you have to enter an email address and create a password, so we can create an account for you and you can log in. In order to use country specific features, you have to select the country where your business is located.

In order to use our services to its full extent, it might be necessary to enter more personal data. For example, in order to create a legal invoice it is necessary to enter your business name, address, invoice number and payment information etc.

We also use your name and your contact data:

  • To know who our contracting party is
  • For the justification, structure, processing and changes of the contractual relationship with you about the use of our services
  • To verify the plausibility of the entered data
  • If necessary, to contact you

c) If you register for our newsletter/infomail

If you have agreed to receive our newsletter/infomail we can use your email address to send you regular newsletters, as well as information about our services. In order to receive the newsletters, we must first gain consent from you agreeing to such communication. This consent can be chosen during sign up. You can revoke your consent to receiving such communications at any time, either within your account, by opting out of the emails, or by emailing us to request that you no longer receive such communications.

You can also opt out of the newsletters at any time, for example by clicking the opt out link at the bottom of the newsletter. Alternatively, you can also send us an email to [email protected].

If you cancel your subscription to the newsletter/infomail, we will keep your email address on record only to ensure that you will no longer receive these emails.

d) Developer, customer, supplier, accountant, and team

With our services you have the possibility to enter data of third-parties, to give third-parties access to your account, to connect your account with third-parties and to offer third-parties your own applications or use applications of third-parties. Of course we respect the data privacy also regarding data of third-parties, which we can access through the use of our service through you. Sometimes this can require a separate contract with you. If you think this is the case, please contact us.

According to our terms and conditions you have no right to share your login data with third-parties, and you are obliged to treat your data with due care. Furthermore, you are responsible for the data of third-parties that you enter in Debitoor. Please note that we have no influence on the compliance with data protection and security standards outside of our website, the Debitoor App or the services provided by us. In such cases, you - or the third-party that you have granted access to your data - are responsible.


We transmit your personal data to third-parties if you order us to do so (for example when you send an invoice electronically or if you declare your VAT to the financial authorities), only if you have given your explicit consent or if there are legislative obligations to do so.

A transfer of personal data to third-parties for other purposes does not take place. Your data is not disclosed to any third-party without your permission, unless legislative authorities require that they be delivered, and even then only to the extent necessary.

Debitoor maintain the right to share data within their Group of Companies, SumUp S.A.R.L, as required to provide services to you. Debitoor may also, from time to time, require to share data with a sister company, for example, to allow the billing of your account from a different Debitoor entity. Security of data is assured at all times. By signing up with Debitoor, you are giving your consent to the processing of your data.

You are also giving explicit consent to the sharing of your data with any third-parties as required to allow us to provide our service to you. We confirm that we share your data only with third-parties whom we are satisfied maintain your data at a standard which is acceptable to us and the standard required under all Data Protection legislation.

Specifically, when we share data with territories outside the EU/EEA or to one not under the approved EU Commission listing, we fully satisfy ourselves with their data security and confidentiality standards and are assured that they maintain all shared data in a manner which is acceptable to EU standards. We are required to make available, upon request, evidence of - or reference to - the appropriate safeguards, and can do so following receipt of a request received to Debitoor either in writing or by email.

You retain the right at any time to withdraw your consent to the processing and/or sharing of your data by either closing down your account, which has immediate effect, or by contacting us to request closure, at which stage we will do so as soon as is practicable. After your relationship with Debitoor ends, we maintain only the minimum data that we are required to hold to satisfy all legal requirements, and only for the minimum period required.

If you have any queries about the processing of your personal data, or you would like to make a data access request, the Data Protection Officer can be contacted at [email protected] or by writing to the DPO at the previously stated address. If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. Debitoor will cooperate fully with any such investigation and endeavour to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080


4. Cookies

Our website uses cookies. Cookies are small files, that are created automatically by your browser and are stored on your device (laptop, tablet, smartphone etc.), when you visit a page. Cookies do no harm to your device, and they do not contain viruses, trojans or other malware.

The cookies store information in relation to your specific device. However, this does not mean that we receive any detailed knowledge about your identity.

The use of cookies serves the purpose of creating a more pleasant use of our services. Therefore, we are using so-called session cookies, to recognize if you have visited single pages of our website before or if you have already created a customer account. They will be deleted automatically by your browser once they expire.

For usability purposes we are using temporary cookies, that are stored on your device for a specific time duration. If you visit our website again to use our services, it will be recognized that you have already visited our website before and which settings and actions you have performed, in order for you to not have to perform them again.

We also use cookies to statistically track the use of our website and to optimize our offering for you (see 4.), as well as to show you specifically tailored information (see 5.). When you visit our website again, these cookies make it possible for us to automatically recognize that you have already visited our website before. After a defined period of time the cookies will be automatically deleted.

Most of the browsers accept cookies automatically. You can configure your browser in a way so that no cookies are saved on your computer or so that a warning will always appear before a new cookie is created.

However, please note that the complete deactivation of cookies can also lead to a limited functionality of our website.


5. Web analysis

To design and continuously optimize our sites we are using various web analysis services. Therefore we create anonymous user profiles and use cookies (see chapter 4).

Below you can find further information about our web analysis services and further deactivation options:

a) Google Analytics

We are using Google Analytics. This is a web analysis service by Google Inc. The information about your use of our website (including your IP address) that is collected via a cookie, is transferred to a Google server in the US and is stored there. IP addresses are anonymized, therefore it is not possible to assign them to you (IP masking). The information is used to analyse the use of our website, to create reports about website activities for us and to provide us with further services that are connected with the use of our website and internet. The data you have entered while using our service will not be merged with other data that is collected via Google in any way.

The transfer of information by Google to third-parties will only be carried out if it is legally required or if third-parties are processing the data on their behalf.

Furthermore we are using Google Optimize. This is a web analysis service by Google Inc, which is integrated in Google Analytics. Google Optimize enables us to do A/B- and multivariate-testing. Thereby we can find out, which version of our website is preferred by the users. Here you can find further information about this service.

You can prevent the data collection, that is carried out via the cookie, as well as the data processing of Google by downloading and installing a browser-add-on here. As an alternative to the browser-add-on, especially for browsers on mobile devices, you can prevent the data collection of Google Analytics, by clicking on this link. An opt-out-cookie will be placed, that prevents the future collection of data when visiting this website. The opt-out-cookie is valid only in this browser and for our website, and will be archived on your device. If you delete the cookie in your browser, you will have to place the opt-out-cookie again.

You can find further information about data protection in conjunction with Google Analytics in Google Analytics help.

Furthermore we are using Google Cloud Vision-API. The OCR (Optical Character Recognition)-tool serves the purpose of optical character recognition and allows the automatic recognition and analysis of letters as well as the categorisation of documents. You can find further information about this service here. The character recognition based on Cloud Vision-API is essential for the use of our services. If you don’t want Cloud Vision-API to be used, you have the possibility to create expenses without uploading documents. In this case you cannot use the services of Debitoor to their full extent.

Here you can find further information about data protection by Google: https://www.google.com/policies/privacy/

b) Mixpanel

Additionally we use Mixpanel. This is a web analysis service by Mixpanel Inc. The service is used to provide statistical data regarding the use of our website, the Debitoor-App as well as the offered services.

You can find further information about data protection by Mixpanel in their data privacy statement.

c) Intercom

Finally we are using Intercom by Intercom Inc. in the context of customer support, in order to manage customer requests.

In this connection, data is transferred to Intercom and statistically analysed. You can find more about data protection of Intercom in their privacy policy.


6. Targeting

We are using targeting-technologies of Google Inc. (e.g. Doubleclick, AdSense, AdWords) on our website. These technologies allow us to address you with individual interest based advertising. For this purpose, we collect and evaluate information about your user behaviour on our website via the use of cookies.

The collection and evaluation is carried out anonymously and doesn’t allow us to identify you. In particular we don’t connect this information with your personal data. If you don’t want to receive interest based advertising, you can prevent that via the relevant cookie settings in your browser.

You can change the settings for the display of interest based advertising via the advertising settings manager.

You can find further information as well as the data privacy regulations concerning advertising and Google here: Data privacy statement & terms of use of Google.


7. Facebook tracking

We are not using the Social Plugins of Facebook or other social networks. In connection with our Facebook advertising, we are using a pixel based tracking mechanism. This is a web analysis service provided by Facebook Ireland Ltd. The information is used to track conversions coming from the Facebook platform.

This service is provided by Facebook Ireland Ltd. for which the data privacy law of the European Union applies. We do not share any data that you enter while using our service with Facebook.

Please look into the data protection information of Facebook for more information about purpose and extent of the data collection, and the processing and use of the data by Facebook, as well as your rights and setting options for privacy protection.


8. Information, correction, blocking, and deletion

You have a right to information concerning your personal data that we store, and a right to correct or amend wrong data as well as a right to block and delete it.

As Data Controller, you are responsible for the content you publish. You have the right to rectify, block or erase any of your data at any time. We may decide to remove content published by you on your request, but we maintain our right not to remove content which is already published or which we are required to maintain to satisfy legal requirements. For information about your personal data, for correction of wrong data or for the blocking or deletion as well as for further questions about the use of your personal data please send an email to [email protected].

Furthermore, you can look into and change the data that is stored in your account by logging into our website via your login data. You can delete your data on your account at all times. This can be done by use of the relevant option in your account. We are pointing out that if you delete your data, you will not be able to make use of our service to full extent or at all.


9. Changes to this data privacy statement

This data privacy statement is currently effective and was last updated in April 2018.

Due to further development of the website, the Debitoor-App, or any other Debitoor service, or due to the change of legal or regulatory requirements it can become necessary to change this data privacy statement from time to time. Our data privacy statement can be accessed and printed out at all times on our website: Privacy Policy.


Introduction to Data Processing Agreement

This Data Processing Agreement (“DPA”) forms the basis for the relationship between you, the Customer, as Data Controller, and Debitoor, the Service Provider, as Data Processor under Data Protection Legislation, specifically the General Data Protection Regulation (“GDPR”).

It is an important Agreement, forming the contractual basis for us processing data on your behalf. It explains how your data may be processed and its purpose. We process your personal data only as required and on your instructions, as outlined in the Agreement.

Because of the volume of our customer base, it would be impossible to enter into individually signed agreements with each and all of our Users. We also hope that the ease of agreement to this DPA will ensure that the acceptance of the new Terms, to satisfy the GDPR, will be less time consuming for you as a busy business owner.

This DPA assures you that we, as your Data Processor, comply with the requirements arising from the GDPR. You are further assured that we maintain the required agreements with all our third parties. Your business details are completed automatically within your account when you accept the Terms and Conditions and Privacy Policy including this DPA. Your details will always represent the most up to date information you have provided us with. The DPA is detailed below for your information.


Data Processing Agreement

Between:

Customer name (hereinafter “the Customer” or “Data Controller”) [This information will be automatically filled in once you have completed your registration]

And

Debitoor UK Ltd. 1st Floor, Healthaid House, Marlborough Hill, Harrow, Middlesex, HA1 1UD, United Kingdom (hereinafter “Debitoor” or “Data Processor”)

each a “party”; together “the parties”,

HAVE AGREED to the terms of this Data Processing Agreement (hereinafter the “DPA” or “Agreement”) on Personal Data Protection regarding the processing of Personal Data when the Customer is acting as Data Controller and Debitoor is acting as Data Processor, to fulfill the service obligations outlined in the Services Agreement (detailed below). As part of the fulfilment of those service obligations, Debitoor will process certain Personal Data on behalf of the Data Controller, in accordance with the terms of this contract. Each party agrees and will ensure that the terms of this contract shall also be fully applicable to its Affiliates which may be involved in the processing operations of Personal Data for the project defined in the Services Agreement. Specifically, Debitoor will ensure that all Sub-Processors operate within the same terms as this Agreement when processing Customer’s Personal Data.


Introduction and Definitions:

Personal Data is defined as any information relating to a data subject by which it can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person or legal entity (where applicable).

All other definitions referred to herein, including the terms Data Controller and Data Processor, are as determined by the relevant Data Protection laws, including the EU General Data Protection Regulation (Regulation 2016/679 of 27 April 2016, hereinafter “GDPR”).

Sensitive Personal Data is not deemed to be processed under the Application Service offered by the Data Processor and so is excluded from the terms of this Agreement.

By signing up to use the Debitoor program and accepting the Terms and Conditions, including the Privacy Policy and this DPA, the parties agree under all national data protection laws and under GDPR that this Agreement governs the relationship between the Data Controller and the Data Processor, determining the processing of personal data by Debitoor of the Customer’s data. This Agreement takes precedence unless it has been replaced by another signed DPA which communicates its precedence over this Agreement.

The purpose of Debitoor’s processing of Personal Data for the Customer is to ensure the Customer’s full use of the Service and to allow this Agreement to be fulfilled. Debitoor ensure that sufficient security of Personal Data is maintained at all times.

Both parties confirm their Authority to sign the Agreement by so doing.


Data Processor Responsibilities:

The Data Processor must handle all personal data on behalf of the Data Controller and following their instructions. By entering into this Agreement, Debitoor (and any sub-processors whom the Data Processor has legal agreement for services with) is instructed to process Personal Data of the Customer:

  1. In accordance with all national and European laws
  2. To fulfil its obligations under the Terms for the Service Application
  3. As further instructed by the Data Controller
  4. As described in this Agreement

As part of providing the Application, the Data Processor is required to always provide the Customer with adequate solutions to accompany continued development of their business by using the service. The Data Processor tracks how the Customer uses the Application in order to make the best suggestions, to provide relevant services at all times and to engage in sending the most accurate communications to aim towards continued ease of use and satisfaction. As far as the processing of personal data from the Application forms part of this, such data is processed only in accordance with this DPA and applicable law and is shared only as required to provide a better experience for the Customer.

Taking into account the available technology and the cost of implementation, as well as the scope, context and purpose of the Processing, the Data Processor is required to take all reasonable measures, including technical and organizational measures, to ensure a sufficient level of security in relation to the risk and the category of Personal Data to be protected. The Data Processor shall assist the Data Controller with appropriate technical and organizational measures as required and taking into account the nature of the treatment and the category of information available to the Data Processor to ensure compliance with the Data Controller's obligations under applicable Data Protection laws. The Data Processor shall notify the Data Controller without undue delay if the Data Processor becomes aware of a security breach.

In addition, the Data Processor shall, as far as possible and legally, inform the Data Controller if a request for information on data held is requested (Data Access Request) by any bodies to whom they should provide it. The Data Processor will respond to such requests once authorized by the Data Controller to do so. The Data Processor will also not disclose information about this Agreement unless the Data Processor is required by law to do so, such as by court order.

If the Data Controller requires information or assistance regarding the security of data, documentation or information about how the Data Processor processes Personal Data generally, they can request this information of the Processor.

The data processor, its employees and any Affiliates, shall ensure confidentiality in relation to Personal Data processed under the Agreement. This provision continues to apply after termination of the Agreement, regardless of the cause of termination.


Data Controller Responsibilities:

The Data Controller confirms, by signing this agreement, that they shall, when using the Application, be able to freely process their data once in line with all Data Protection legal requirements including GDPR. They are giving explicit consent to the processing of their Personal Data at all times when using the Service.

The Data Controller can revoke this consent at any stage, but by doing so terminates the Agreement in place and the Data Processor will no longer be able to provide Service.

The Customer has a legal basis for processing the Personal Data with the Data Processor (including any sub-processors) with the use of Debitoor’s services.

The Data Controller is responsible at all times for the accuracy, integrity, content and reliability of the Personal Data Processed by the Data Processor. They have fulfilled all mandatory requirements in relation to notification to, or obtaining permission from, the relevant public authorities regarding the Processing of Personal Data. They have further fulfilled their disclosure obligations to the relevant authorities regarding the processing of Personal Data in accordance with all applicable data protection legislation.

The Data Controller must have an accurate list of the categories of Personal Data it processes, particularly if such processing differs from the categories listed by the Data Processor in Appendix A.


Agreement to Data Transfer and the Use of Subcontractors:

In order to provide the service to the Data Controller, the Data Processor uses subcontractors. These subcontractors can be third party suppliers both within and outside the EU / EEA. The data processor ensures that all subcontractors satisfy the obligations and requirements within this agreement, specifically that their level of data protection meets the standard required under relevant Data Protection laws. If a jurisdiction falls outside of EU / EEA and is not on the European Commission approved listing of satisfactory data protection levels under GDPR, then specific agreement is entered into between Debitoor and such subcontractor to assure they will maintain all Personal Data in line with the requirements under current EU Data Protection laws.

The data provider's subcontractors are listed in the attached list of subcontractors.

This Agreement constitutes the Data Controller's prior specific and explicit consent to the Data Processor's use of subcontractor Data Processors which may at times be based outside the EU / EEA or territories approved by the European Commission.

The Data Controller can revoke this consent at any stage, but by doing so terminates the Agreement in place and the Data Processor will no longer be able to provide Service.

If a Subcontractor is established or stores Personal Data outside of the EU / EEA or European Commission approved territories, the Data Processor has the responsibility to ensure a satisfactory basis for transferring Personal Data to a third country on behalf of the Data Controller, including the use of the EU Commission Standard Contracts or specific measures which have been pre-approved with the EU Commission.

The Data Controller must be informed before the Data Processor replaces its Subcontractors. The Data Controller can then object to a new Sub-Processor who processes their Personal Data on behalf of the Data Processor, but only if the Sub-Processor does not process data in accordance with relevant data protection legislation. The Data Processor can demonstrate compliance by providing the Data Controller with access to the data protection assessment conducted by the Data Processor.

If the Data Controller still objects to the use of the Subcontractor, they may terminate their subscription to the Service, without the usual notice period required, then ensuring that their Personal Data is not processed by the non-preferred subcontractor.


Duration of the Agreement:

The agreement remains valid as long as the Data Processor processes Personal Data with the Data Processor’s use of the Service Application and unless it is replaced by another signed DPA which communicates its precedence over this Agreement.


Termination of the Agreement:

Upon termination of any subscription the data controller can also delete all his account’s data. Upon the execution of the data deletion procedure initiated by the data controller, the Data Processor deletes all Personal Data, except that which they are required to retain under any applicable legal requirements and in such case will be held in accordance with the technical and organizational safeguards within Debitoor.

The Data Controller has full capability to retrieve all of their Personal Data within the Service Application. If the Data Controller requests data retrieval assistance, the associated costs shall be determined in agreement between the Parties and shall be based on the complexity of the requested process and the time to fulfil it in the chosen format.


Changes to the Agreement:

Changes to the Agreement must be enclosed in a separate Annex to the Agreement. If any of the provisions of the Agreement are deemed invalid, this does not affect the remaining provisions. The parties shall replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.


Audits:

The Data Controller is entitled to initiate a review of the Data Processor's obligations under the Agreement once a year. If the Data Processor is required to do so under applicable legislation, audits may be repeated once a year. A detailed audit plan must be provided detailing the scope, duration and start date at least four weeks prior to the proposed start date. The Parties decide together if a third party should conduct the audit. However, the Data Controller may allow the Data Processor to have the security review conducted by a neutral third party of the Data Processor's choice, if it is a processing environment where the data of multiple data controllers is processed.

If the proposed scope of the audit follows an ISAE, ISO or similar certification report conducted by a qualified third-party auditor within the previous twelve months and the Data Processor confirms that there have been no material changes in the measures under review, this will satisfy any requests received within such time frame. Audits may not unreasonably interfere with the Data Processor's business as usual activities. The Data Controller is responsible for all costs associated with their request for audit review.


Responsibilities and Jurisdictions:

Liability for actions arising from breach of the provisions of this Agreement is governed by liability and compensation provisions in the Subscription Terms at section 13. This also applies to any violation by the Data Processor's Sub-Processors. This Agreement is governed by the Courts of the United Kingdom who shall have exclusive jurisdiction to determine any dispute concerning same.


Appendix A - Categories of Personal Information and Usual Processing Categories

A. Categories of Personal Information (list is non-exhaustive)

  1. Name
  2. Address
  3. Telephone number(s)
  4. Email address(es)
  5. Address(es)
  6. Any account numbers and/or bank details

B. Usual Processing Categories (list is non-exhaustive)

  1. The Data Controller’s Employees
  2. The Data Controller’s Contacts (telephone/email/addresses/etc)
  3. The Data Controller’s Customers
  4. The Data Controller’s Banking information
  5. Their Customer’s Employees
  6. Their Customer’s Contacts (telephone/email/addresses/etc)
  7. Their Customer’s Customers
  8. Their Customer’s Customers’ Banking information