Privacy Policy

Data protection and data security have first priority for Debitoor. We process and use personal data only to the extent necessary in order to provide our services. We kindly ask you to carefully read our Terms & Conditions, our data privacy statement, and the Data Processing Agreement (“DPA”) which form part of our agreement with you.

Data privacy statement

We, Debitoor UK Ltd, 1st Floor Healthaid House, Marlborough Hill, Harrow, Middlesex, HA1 1UD, United Kingdom, are the operator of the website debitoor.de as well as the service provider of the Debitoor iOS and Android App, including the other services that are provided via the websites (e.g. app.debitoor.com) and the Debitoor App. We are responsible for the collection, processing, and use of personal data according to all Data Protection legislation, specifically the General Data Protection Regulation (“GDPR”).

You, the Customer, are the Data Controller and Debitoor, the Service Provider, is the Data Processor on your behalf. We only use your data under consideration of the relevant data protection legislation. Debitoor also have an appointed Data Protection Officer (“DPO”) who can be contacted by letter or by email to [email protected].

With this data privacy statement we want to inform you which of your personal data is collected and saved when you visit our website or use our website offered services. Furthermore, you will receive information about how we use your data and which rights you have regarding the use of your data. This data privacy statement also applies for the access and use of the Debitoor App as well as the other available services.

1. Data security

In order to protect your data, all the data you provide us with is encrypted according to the security standard TLS (Transport Layer Security). TLS is a secure and tested standard that is used, for instance, for online banking. You can recognize the secure TLS connection, for example, from the “s” after the “http” in the URL shown in your browser (thus https://..), or from the lock symbol depicted in the browser tab.

We also take suitable technical and organisational security measures in order to protect your data against random or deliberate manipulations, partial or complete losses, destruction and/or against unauthorized access. In order to avoid loss of data, we run a mirrored database setup, which means that your data is always stored in two separate locations. Additionally, we update and store the data every hour in an Off-Site backup, and in line with high risk analysis we continuously run safety tests on our infrastructure. Your password is stored through a safe encrypted process. We will never ask you for your password, neither via email nor over the phone. If you happen to forget your password, we can reset it for you. Our security measures are continuously improved according to the technological development.

The personal data that we collect is stored in a secure environment within the EU, and treated confidentially. Access to this data is limited to selected Debitoor Group employees and suppliers. We adhere to Data Protection legislative requirements at all times.

We do our utmost to secure your data in the best possible way, but we cannot guarantee the safety of your data when transferred over the Internet. When data is transferred over the Internet, there is a certain risk that others can access the data illicitly. In other words, the safety of your data transfer is your own responsibility as the Data Controller.

2. Collection and storage of personal data, and nature and purpose of its use

a) If you visit our website

You can visit the Debitoor website without disclosing your identity. Your browser only sends automatically collected information to the servers of our website. This information is temporarily stored in a so called logfile. This is the information which is automatically collected and stored until the automatic deletion:

  • IP address of the requesting computer
  • Date and time of the access
  • Name and URL of the accessed data
  • Website from which the access came (Referrer-URL)
  • Browser in use, and if necessary, the operating system of your computer as well as the name of your access provider

This data is collected and processed for the purpose of making our website use (connection establishment) possible, for the purpose of guaranteeing the security and stability of our system, as well as for the purpose of technical administration of the network infrastructure. We do not draw any conclusions about you as a person.

Furthermore, we use cookies as well as Web analytic and marketing tools. You can find more information on this topic in paragraphs 3 to 5.

b) If you register for our online services

On our website we offer services for online invoicing and accounting. In order to use these services, you have to first register. When you register, you have to enter an email address and create a password, so we can create an account for you and you can log in. In order to use country specific features, you have to select the country where your business is located.

In order to use our services to their full extent, it might be necessary to enter more personal data. For example, in order to create a legal invoice it is necessary to enter your business name, address, invoice number and payment information etc.

We also use your name and your contact data:

  • To know who our contracting party is
  • For the justification, structure, processing and changes of the contractual relationship with you about the use of our services
  • To verify the plausibility of the entered data
  • If necessary, to contact you

c) If you register for our newsletter/infomail

If you have agreed to receive our newsletter/infomail we can use your email address to send you regular newsletters, as well as information about our services. In order to receive the newsletters, we must first gain consent from you agreeing to such communication. This consent can be chosen during sign up. You can revoke your consent to receiving such communications at any time, either within your account, opting out of the emails or by emailing us to request that you no longer wish to receive such communications.

You can also opt out of the newsletters at any time, for example by clicking the opt out link at the bottom of the newsletter. Alternatively, you can also send us an email to [email protected].

If you cancel your subscription to the newsletter/infomail, we will keep your email address on record only to ensure that you will no longer receive these emails.

d) Developer, customer, supplier, accountant, and team

With our services you have the possibility to enter data of third-parties, to give third-parties access to your account, to connect your account with third-parties and to offer third-parties your own applications or use applications of third-parties. Of course we respect the data privacy also regarding data of third-parties, which we can access through the use of our service through you. Sometimes this can require a separate contract with you. If you think this is the case, please contact us.

According to our terms and conditions you have no right to share your login data with third-parties, and you are obliged to treat your data with due care. Furthermore, you are responsible for the data of third-parties that you enter in Debitoor. Please note that we have no influence on the compliance with data protection and security standards outside of our website, the Debitoor App or the services provided by us. In such cases, you - or the third-party that you have granted access to your data - are responsible.


We transmit your personal data to third-parties if you order us to do so (for example when you send an invoice electronically or if you declare your VAT to the financial authorities), only if you have given your explicit consent or if there are legislative obligations to do so.

A transfer of personal data to third-parties for other purposes does not take place. Your data is not disclosed to any third-party without your permission, unless legislative authorities require that they be delivered, and even then only to the extent necessary.

Debitoor maintain the right to share data within their Group of Companies, SumUp S.A.R.L, as required to provide services to you. Debitoor may also, from time to time, require to share data with a sister company, for example, to allow the billing of your account from a different Debitoor entity. Security of data is assured at all times. By signing up with Debitoor, you are giving your consent to the processing of your data.

You are also giving explicit consent to the sharing of your data with any third-parties as required to allow us to provide our service to you. We confirm that we share your data only with third-parties whom we are satisfied in maintaining your data at a standard which is acceptable to us and the standard required under all Data Protection legislation.

Specifically, when we share data with territories outside the EU/EEA or to one not under the approved EU Commission listing, we fully satisfy ourselves with their data security and confidentiality standards and are assured that they maintain all shared data in a manner which is acceptable to EU standards. We are required to make available, upon request, evidence of - or reference to - the appropriate safeguards, and can do so following receipt of a request received to Debitoor either in writing or by email.

You retain the right at any time to withdraw your consent to the processing and/or sharing of your data by either closing down your account, which has immediate effect, or by contacting us to request closure, at which stage we will do so as soon as is practicable. After your relationship with Debitoor ends, we maintain only the minimum data that we are required to hold to satisfy all legal requirements, and only for the minimum period required.

If you have any queries about the processing of your personal data, or you would like to make a data access request, the Data Protection Officer can be contacted at [email protected] or by writing to the DPO at the previously stated address. If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. Debitoor will cooperate fully with any such investigation and endeavour to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080


4. Cookies

Our website uses cookies. Cookies are small files that are created automatically by your browser and are stored on your device (laptop, tablet, smartphone etc.) when you visit a page. Cookies do no harm to your device, and they do not contain viruses, trojans or other malware.

The cookies store information in relation to your specific device. However, this does not mean that we receive any detailed knowledge about your identity.

The use of cookies serves the purpose of creating a more pleasant use of our services. Therefore, we are using so-called session cookies to recognize if you have visited single pages of our website before or if you have already created a customer account. They will be deleted automatically by your browser once they expire.

For usability purposes we are using temporary cookies, that are stored on your device for a specific time duration. If you visit our website again to use our services, it will be recognized that you have already visited our website before and which settings and actions you have performed, in order for you to not have to perform them again.

We also use cookies to statistically track the use of our website and to optimize our offering for you (see 4.), as well as to show you specifically tailored information (see 5.). When you visit our website again, these cookies make it possible for us to automatically recognize that you have already visited our website before. After a defined period of time the cookies will be automatically deleted.

Most of the browsers accept cookies automatically. You can configure your browser in a way so that no cookies are saved on your computer or so that a warning will always appear before a new cookie is created.

However, please note that the complete deactivation of cookies can also lead to a limited functionality of our website.


5. Web analysis

To design and continuously optimize our sites we are using various web analysis services. Therefore we create anonymous user profiles and use cookies (see chapter 4).

Below you can find further information about our web analysis services and further deactivation options:

a) Google Analytics

We are using Google Analytics. This is a web analysis service by Google Inc. The information about your use of our website (including your IP address) that is collected via a cookie is transferred to a Google server in the US and is stored there. IP addresses are anonymized, therefore it is not possible to assign them to you (IP masking). The information is used to analyse the use of our website, to create reports about website activities for us and to provide us with further services that are connected with the use of our website and internet. The data you have entered while using our service will not be merged with other data that is collected via Google in any way.

The transfer of information by Google to third-parties will only be carried out if it is legally required or if third-parties are processing the data on their behalf.

Furthermore we are using Google Optimize. This is a web analysis service by Google Inc, which is integrated in Google Analytics. Google Optimize enables us to do A/B- and multivariate-testing. Thereby we can find out, which version of our website is preferred by the users. Here you can find further information about this service.

You can prevent the data collection, that is carried out via the cookie, as well as the data processing of Google by downloading and installing a browser-add-on here. As an alternative to the browser-add-on, especially for browsers on mobile devices, you can prevent the data collection of Google Analytics, by clicking on this link. An opt-out-cookie will be placed, that prevents the future collection of data when visiting this website. The opt-out-cookie is valid only in this browser and for our website, and will be archived on your device. If you delete the cookie in your browser, you will have to place the opt-out-cookie again.

You can find further information about data protection in conjunction with Google Analytics in Google Analytics help.

Furthermore we are using Google Cloud Vision-API. The OCR (Optical Character Recognition)-tool serves the purpose of optical character recognition and allows the automatic recognition and analysis of letters as well as the categorisation of documents. You can find further information about this service here. The character recognition based on Cloud Vision-API is essential for the use of our services. If you don’t want Cloud Vision-API to be used, you have the possibility to create expenses without uploading documents. In this case you cannot use the services of Debitoor to their full extent.

Here you can find further information about data protection by Google: https://www.google.com/policies/privacy/

b) Mixpanel

Additionally we use Mixpanel. This is a web analysis service by Mixpanel Inc. The service is used to provide statistical data regarding the use of our website, the Debitoor-App as well as the offered services.

You can find further information about data protection by Mixpanel in their data privacy statement.

c) Intercom

Finally we are using Intercom by Intercom Inc. in the context of customer support, in order to manage customer requests.

In this connection, data is transferred to Intercom and statistically analysed. You can find more about data protection of Intercom in their privacy policy.


6. Targeting

We are using targeting-technologies of Google Inc. (e.g. Doubleclick, AdSense, AdWords) on our website. These technologies allow us to address you with individual interest based advertising. For this purpose, we collect and evaluate information about your user behaviour on our website via the use of cookies.

The collection and evaluation is carried out anonymously and doesn’t allow us to identify you. In particular we don’t connect this information with your personal data. If you don’t want to receive interest based advertising, you can prevent that via the relevant cookie settings in your browser.

You can change the settings for the display of interest based advertising via the advertising settings manager.

You can find further information as well as the data privacy regulations concerning advertising and Google here: Data privacy statement & terms of use of Google.


7. Facebook tracking

We are not using the Social Plugins of Facebook or other social networks. In connection with our Facebook advertising, we are using a pixel based tracking mechanism. This is a web analysis service provided by Facebook Ireland Ltd. The information is used to track conversions coming from the Facebook platform.

This service is provided by Facebook Ireland Ltd. for which the data privacy law of the European Union applies. We do not share any data that you enter while using our service with Facebook.

Please look into the data protection information of Facebook for more information about purpose and extent of the data collection, and the processing and use of the data by Facebook, as well as your rights and setting options for privacy protection.


8. Information, correction, blocking, and deletion

You have a right to information about the personal data that we store about you, a right to correct or amend wrong data, and a right to block and delete it.

As Data Controller, you are responsible for the content you publish. You have the right to rectify, block or erase any of your data at any time. We may decide to remove content published by you on your request, but we maintain our right not to remove content which is already published or which we are required to maintain to satisfy legal requirements. For information about your personal data, for correction of wrong data or for the blocking or deletion as well as for further questions about the use of your personal data please send an email to [email protected].

Furthermore, you can look into and change the data that is stored in your account by logging into our website via your login data. You can delete your data on your account at all times. This can be done by use of the relevant option in your account. We are pointing out that if you delete your data, you will not be able to make use of our service to its full extent or at all.


9. Changes to this data privacy statement

This data privacy statement is currently effective and was last updated in April 2018.

Due to further development of the website, the Debitoor-App, or any other Debitoor service, or due to the change of legal or regulatory requirements it can become necessary to change this data privacy statement from time to time. Our data privacy statement can be accessed and printed out at all times on our website: Privacy Policy.
