Presto

Privacy

Everything you need to know about data protection when visiting our website or using Presto.

Privacy Notice For Our Web And Desktop App

1. Data Protection, Controller And Scope

We respect the privacy of our customers and other interested parties and comply with applicable data protection laws. These laws include, in particular, the European Union's General Data Protection Regulation ("GDPR").

This privacy notice covers:

  • Services: B2B Presto web app and desktop app for collecting, processing and exporting invoices and accounting documents

The following categories of data subjects are covered:

  • Employees and representatives of customers

The controller responsible for processing your personal data within the scope of this privacy notice is:

LVK Systems UG (haftungsbeschraenkt)
Kurfuerstendamm 96
10709 Berlin
Germany
info@prestoinvoices.com

The following explains:

  • the purpose for which personal data is collected and processed
  • which categories of personal data are affected by the collection and processing
  • the legal basis on which we process personal data
  • which third parties are involved in the processing of personal data as processors
  • to which third parties personal data is transferred
  • further information, including storage periods, data subject rights and other information to help you understand the processing described

2. Purposes For Which Personal Data Is Processed In Our App(s)

B2B Presto web app and desktop app for processing and managing invoices and accounting documents.

2.1. App Hosting

Data Collected And Processed

  • Technical information such as an IP address
  • Device information
  • User behaviour relevant to error analysis

Legal Basis

  • (Pre-)contractual obligations based on Art. 6(1)(b) GDPR

Our Processors

  • Render Services, Inc., United States

Further Information

  • Location of the infrastructure used for the service: Frankfurt am Main, Germany.

2.2. Provision Of The Offered Service

Through the use of our application, we provide the following service:

Data Collected And Processed

  • Account and configuration data
  • Document data
  • Invoice-related metadata
  • Email metadata
  • Connected mailbox and export configuration data
  • AI-related information required for the provision of the service

Legal Basis

  • (Pre-)contractual obligations based on Art. 6(1)(b) GDPR
  • Data Privacy Framework
  • Standard contractual clauses

Our Processors

  • Vercel Inc., United States
  • Render Services, Inc., United States
  • Amazon Web Services, Inc. / affiliated AWS entities
  • Clerk, Inc., United States
  • OpenAI Ireland Ltd., Ireland
  • Anthropic, PBC, United States
  • Langfuse GmbH, Germany
  • S.A.S.U PDFShift, France
  • Better Stack, Inc., United States
  • Resend, United States

Further Information

  • Documents are stored in infrastructure located in Frankfurt am Main, Germany.
  • Email inboxes may be connected by the user through third-party providers such as Google or Microsoft.
  • OpenAI is used with EU processing and zero data retention according to our current contractual setup.
  • Anthropic is used on the basis of Anthropic's commercial terms, including its DPA with standard contractual clauses.

2.3. Use Of Google API Services

When you connect a Google account to Presto, we access your Google data through Google API Services in order to find and download invoices and accounting documents from your inbox, and to export processed invoices to your Google Drive.

Data Collected And Processed

  • Google account profile information (email address, profile name) via the userinfo.email and userinfo.profile scopes, used to identify your connected Google account.
  • Gmail message content, headers, and attachments via the gmail.readonly scope, used to identify emails containing invoices and to download invoice PDF attachments.
  • Google Drive folders and files that Presto itself creates, or that you explicitly select via Google's Drive folder picker, via the drive.file scope, used to create a Presto folder, organise subfolders by date or supplier, and upload invoice PDFs.

Legal Basis

  • (Pre-)contractual obligations based on Art. 6(1)(b) GDPR
  • Consent of the data subject pursuant to Art. 6(1)(a) GDPR, granted via the Google OAuth consent screen
  • Data Privacy Framework
  • Standard contractual clauses

Our Processors

  • Google LLC / Google Ireland Limited (source of the data)
  • Render Services, Inc., United States (application hosting; orchestrates OAuth, retrieves Gmail messages and attachments)
  • Amazon Web Services, Inc. (storage of extracted PDFs in Frankfurt am Main, Germany)
  • OpenAI Ireland Ltd., Ireland (processes Gmail-derived email content and PDF text to extract structured invoice data; see further information below)

Further Information

  • We use Google user data solely to provide the invoice extraction, organisation, and export features described in this privacy notice.
  • Email content and PDF text derived from your Gmail inbox are processed by OpenAI for the purpose of identifying invoices and extracting structured invoice data. OpenAI operates under a zero-data-retention agreement with us and does not use this data to train its models.
  • Google user data is not sent to Anthropic. Anthropic is used elsewhere in Presto only for features that do not involve Google user data.
  • Google OAuth refresh tokens are encrypted at rest. The drive.file scope only grants Presto access to files and folders that Presto itself creates or that you explicitly select via the Drive folder picker; Presto cannot read any other content in your Google Drive.
  • We do not sell Google user data to any third party.
  • We do not use Google user data for advertising, retargeting, credit-worthiness assessment, or any purpose unrelated to the user-facing features described in this notice.
  • We do not use Google user data to train or improve generalised AI or machine-learning models, whether our own or those of any third party.
  • You can disconnect your Google account at any time from Presto's settings, which deletes the stored refresh token immediately. You can also revoke Presto's access directly at https://myaccount.google.com/permissions.
  • To request deletion of data extracted from your Google account, contact info@prestoinvoices.com.
  • Presto's use of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

2.4. Customer Registration

Data Collected And Processed

  • Identification data
  • Contact details
  • Authentication data

Legal Basis

  • (Pre-)contractual obligations based on Art. 6(1)(b) GDPR

Our Processors

  • Clerk, Inc., United States

Further Information

  • Customer registration and authentication are handled through our authentication provider.

2.5. Processing Payments And Invoicing

We use Stripe to process payments and manage subscriptions.

Data Collected And Processed

  • Payment data
  • Billing data
  • Technical information

Legal Basis

  • Fulfilment of a legal obligation based on Art. 6(1)(c) GDPR
  • (Pre-)contractual obligations based on Art. 6(1)(b) GDPR
  • Data Privacy Framework
  • Standard contractual clauses

Our Processors

  • Stripe Technology Europe, Limited, Ireland

Further Information

  • Depending on the processing context, Stripe may also act as an independent controller.

2.6. Error Detection And Correction

Data Collected And Processed

  • Error-related technical data
  • Data on user behaviour and interactions
  • Application logs

Legal Basis

  • Legitimate interest based on Art. 6(1)(f) GDPR
  • Data Privacy Framework
  • Standard contractual clauses

Our Processors

  • Sentry, United States
  • Better Stack, Inc., United States

Further Information

  • Legitimate interest: Ensuring stability, security and error correction of our services.

3. Further Information

3.1. Transfer Of Data To Third Countries And The Data Privacy Framework

Further Information

  • Where we use service providers outside the EEA, data transfers take place only on the basis of appropriate safeguards.
  • This may include an adequacy decision pursuant to Art. 45 GDPR, in particular for companies certified under the EU-US Data Privacy Framework.
  • It may also include standard contractual clauses.

3.2. Cookies And Local Storage

Further Information

  • This website stores personal data and information in cookies, session storage and local storage.
  • The processing is carried out on the legal basis specified for the respective service.
  • How your browser handles cookies and local storage, which storage processes are permitted or rejected, and for how long data is processed, can be determined in your browser settings.

3.3. Storage Duration

Further Information

  • We store your personal data only for as long as is necessary to fulfil the above-mentioned purposes or as long as contractual or statutory retention periods exist.

3.4. Data Disclosure

Further Information

  • We only pass on your personal data to third parties if this is legally required, if it is necessary for the provision of our services, or if you have consented to the transfer.
  • We do not sell your data to third parties.

3.5. Protection Of Personal Data

Further Information

  • We protect personal data by means of appropriate technical and organisational measures in line with current industry practice.
  • Where possible, this includes in particular the encryption of personal data during transmission and storage.

3.6. Withdrawal Of Consent

Further Information

  • If you have given consent to the processing of your personal data for a specific purpose on the basis of Art. 6(1)(a) GDPR, you can withdraw this consent at any time.
  • The lawfulness of the processing up to the withdrawal is not affected.

3.7. Mandatory Data Provision And Consequences Of Non-Provision During Website Visit

Further Information

  • The provision of personal data for visiting our website is neither legally nor contractually required.
  • You can avoid providing personal data by not visiting the website.
  • For certain functions on the website, non-provision means that these functions cannot be used.

3.8. Mandatory Data Provision And Consequences Of Non-Provision When Using Our Services

Further Information

  • The provision of certain personal data is necessary to use our services.
  • Without the required data, the affected services or functions may not be available.

4. Data Subject Rights

You have the following rights, subject to the statutory requirements:

  • Right of access
  • Right to rectification
  • Right to data portability
  • Right to restriction of processing
  • Right to erasure
  • Right to object
  • Right to lodge a complaint

All rights can be exercised via the contact details given above.

The supervisory authority responsible at the seat of our company is in particular:

Berliner Beauftragte fuer Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Germany
mailbox@datenschutz-berlin.de
https://www.datenschutz-berlin.de

5. Changes To This Privacy Notice

We will update this privacy notice from time to time. All changes will be published with an updated version date.
