Ensight – Privacy Policy

Note: This is an informal English translation for reference only. The German version is legally binding.

§ 1 Controller

The controller within the meaning of the GDPR and other data protection laws is:

Entropy Software & Consulting
Bastian Entrup
Mühlenstieg 19
37181 Hardegsen
Germany
Email: info@entropy-zero.de

For privacy-related inquiries, please contact us by email at the address above.

§ 2 Scope

This Privacy Policy applies to the use of Ensight DMS in all its forms:

Web application at entropy-zero.de/ensight/
Mobile app for Android (Google Play Store)
Mobile app for iOS (Apple App Store)

Ensight DMS is a cloud-based document management system for automated capture, analysis, archiving, and search of business documents, aimed exclusively at businesses (B2B).

§ 3 Data Collected and Processing Purposes

3.1 Account Access Data

Data: Email address, company name (tenant name)

Purpose: Setup and management of the user account, authentication, communication regarding the contractual relationship (e.g. invoices, status messages)

Legal basis: Art. 6(1)(b) GDPR (performance of contract)

Retention: For the duration of the contractual relationship; deletion within 30 days of contract termination

3.2 Uploaded Documents

Data: Invoices, receipts, and other business documents transmitted via the app or email import, plus automatically extracted metadata (merchant name, address, amount, date, IBAN, line items)

Purpose: Provision of the core service — archiving, AI-assisted data extraction, full-text search

Legal basis: Art. 6(1)(b) GDPR (performance of contract). The customer is responsible for the lawfulness of the personal data of third parties (e.g. business partners, employees) contained in documents.

Retention: For the duration of the contractual relationship; deletion of database, document storage, and search index within 30 days of contract termination. Backups are automatically deleted after 90 days.

3.3 Access and Log Data

Data: IP address, timestamp, accessed endpoints, HTTP status codes, device and operating system used (user agent)

Purpose: Operation, security, and error analysis of the service; prevention of abuse

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system security)

Retention: Up to 30 days, then automatic deletion

3.4 Payment Data

Payment processing is handled exclusively by Stripe Payments Europe, Ltd. Credit card data and other payment information is processed and stored by Stripe — we do not receive or store complete payment data. Stripe's privacy policy applies (stripe.com/de/privacy).

3.5 Mobile App – Device Permissions

The mobile app for Android and iOS requires the following permissions:

Camera – for photographing and directly uploading receipts
Storage / Media library – for selecting and uploading existing documents
Internet connection – for communication with the Ensight backend

The app transmits camera and file content exclusively upon your explicit action (upload action). No automatic, continuous monitoring or transfer of device data takes place.

§ 4 Recipients and Processors

We use the following service providers as data processors, with whom data processing agreements pursuant to Art. 28 GDPR have been concluded:

Provider	Purpose	Location
Hetzner Online GmbH	Server infrastructure, hosting, backup storage	Germany (EU)
Anthropic, Inc.	AI-assisted document analysis (optional, only when AI feature is enabled)	USA ¹
Stripe Payments Europe, Ltd.	Payment processing (subscription)	Ireland (EU)

¹ Third-country transfer (Anthropic): Transfer to the USA is based on EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914. Anthropic does not use transmitted document content for training AI models (per Anthropic's API usage policy). The AI feature is optional and can be disabled in settings.

No disclosure of personal data to other third parties takes place, unless we are legally required to do so.

§ 5 Data Security

We implement technical and organizational measures to protect your data against unauthorized access, loss, or manipulation:

Encrypted transmission of all data via TLS/HTTPS
Tenant isolation: each customer receives their own isolated database instance
Server-side disk encryption (Hetzner, ISO 27001-certified)
Automated daily backups with 90-day retention
Access to production systems restricted to authorized personnel

§ 6 Your Rights

As a data subject, you have the following rights against the controller:

Right of access (Art. 15 GDPR) – you can request information about the data stored about you.
Right to rectification (Art. 16 GDPR) – you have the right to correct inaccurate or incomplete data.
Right to erasure (Art. 17 GDPR) – you can request deletion of your personal data, provided no statutory retention obligations apply.
Right to restriction of processing (Art. 18 GDPR) – under certain conditions you can request restriction of the processing of your data.
Right to data portability (Art. 20 GDPR) – you have the right to receive your data in a structured, commonly used format. Ensight provides a ZIP export function for this purpose.
Right to object (Art. 21 GDPR) – you can object to processing of your data based on legitimate interests (Art. 6(1)(f) GDPR).

To exercise your rights, please contact: info@entropy-zero.de

§ 7 Right to Lodge a Complaint

You have the right to lodge a complaint with the competent data protection supervisory authority. The supervisory authority responsible for us is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
www.lfd.niedersachsen.de

§ 8 Changes to this Privacy Policy

We reserve the right to update this Privacy Policy when the service or legal requirements change. The current version is always available at entropy-zero.de/en/ensight/datenschutz.html. Registered users will be informed by email of material changes.