Privacy Policy

Version 2.1 · as of 16 June 2026. The German version is legally binding; this English translation is for convenience. For commissioned processing the DPA under Art. 28 GDPR (Annex A) applies; for AI functions the AI Usage Terms — BETA (Annex C).

1. Controller

HEINI Operations UG (haftungsbeschränkt), Wierling 19, 48301 Nottuln, Germany, Managing Director: Daniel Heinen. General email: hallo@heini.app · Privacy: datenschutz@heini.app.

Where HEINI processes data on a customer’s behalf (AI colleague, entered content), the respective customer is the controller and HEINI the processor (Art. 28 GDPR, Annex A). This policy covers the processing for which HEINI is itself the controller (website, contract handling, billing).

2. Hosting and server location

The standard processing location for website, storage and backup is the Hetzner Online GmbH data centre in Falkenstein (FSN1), Germany — an isolated stack per customer (single-tenant). Hetzner is ISO 27001:2022 certified.

A deviating hosting region is agreed exclusively at the express request of an Enterprise customer in the individual contract (DPA no. 7.2); without such agreement all processing remains in Falkenstein/Germany.

For visits to this marketing website (Umami, Hetzner Falkenstein) there is no third-country transfer in standard operation. For use of the heini.app SaaS platform (especially AI inference) separate sub-processors based in the EU may be engaged whose parent companies may be located in third countries; this is listed in DPA no. 7.

3. Processing in detail

3.1 Website visit. Purpose: provision, security, stability. Data: IP address, time, user agent, referrer, requested URL. Legal basis: Art. 6(1)(f) GDPR. Storage: 14 days (security logs). Recipient: Hetzner (Falkenstein/DE, DPA).

3.2 Cookies (§ 25 TTDSG). Strictly necessary cookies (login session, CSRF protection, language) without consent (§ 25(2) no. 2 TTDSG). Functional/statistical/marketing cookies only after active consent; revocable any time. Web analytics via Umami (cookieless, self-hosted, no persistent identifiers, no third-country transfer).

3.3 Account and contract handling. Purpose: initiation, conclusion, performance. Data: company, name, role, business email, phone, address, VAT ID, payment data. Legal basis: Art. 6(1)(b) and (c) GDPR. Storage: contract term plus statutory retention (10 years, § 257 HGB, § 147 AO).

3.4 AI interaction (AI colleague). Purpose: providing the AI service on the customer’s behalf. Data: inputs (prompts, documents), output, technical logs. Legal basis: Art. 28 GDPR in conjunction with the DPA. Sub-processors: see DPA no. 7 (Hetzner Falkenstein/DE; AI provider per order confirmation). Customer data is not used for model training (§ 6.2 Terms). BYOK: if the customer brings its own AI model/provider, inference runs via the provider chosen by the customer; its selection and data-protection responsibility lie with the customer (§ 6.2a Terms, DPA no. 7.3a).

3.5 Billing. Purpose: invoicing, payment, accounting. Legal basis: Art. 6(1)(b) and (c) GDPR. Storage: 10 years (§ 257 HGB, § 147 AO). Recipients: the customer’s tax advisor, payment service provider (see DPA). HEINI only prepares postings and provides no tax advice within the meaning of §§ 2–5 StBerG (§ 6.7 Terms).

3.6 Marketing/newsletter. Only with express consent (Art. 6(1)(a) GDPR, § 7(2) UWG); revocable any time via the unsubscribe link or hallo@heini.app.

4. Recipients and third-country transfer

4.1 Recipients: Hetzner Online GmbH (location Falkenstein/FSN1, Germany; deviating region only at Enterprise request — DPA no. 7.2), engaged AI providers (list DPA no. 7; with BYOK the provider chosen by the customer), the customer’s tax advisor, payment service provider, authorities where legally required.

4.2 Where a third-country transfer occurs in SaaS use, it relies on the bases in DPA no. 7.5 (adequacy decision, EU Standard Contractual Clauses 2021 with TIA, DPF). For visits to this marketing website there is no third-country transfer in standard operation.

5. Encryption and security

Customer data is protected with a per-account key (envelope encryption). On contract end the key is destroyed; the data becomes irreversibly unreadable (crypto-shredding, Art. 17 GDPR). Transport via TLS 1.3, storage encrypted (AES-256). HEINI reports personal-data breaches without undue delay, at the latest within 48 hours of becoming aware (§ 9.2 Terms).

6. Storage period

Personal data is deleted once the purpose ceases and no statutory retention obligation applies. After contract end: 30-day export window (CSV/JSON), then deletion from production systems; backups are overwritten in the rotation cycle (max. 90 days). Commercial/tax retention obligations (§ 257 HGB, § 147 AO) remain unaffected.

7. No automated individual decisions (Art. 22 GDPR)

HEINI makes no solely automated decisions with legal effect on data subjects. The AI colleague prepares and proposes — approval and decision rest with a human (human-in-the-loop).

8. Your rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR), and the right to lodge a complaint with a supervisory authority (Art. 77). Contact datenschutz@heini.app.

9. Status

Version 2.1 — as of 16 June 2026. This policy is updated when processing or the legal situation changes; the current version is available at /en/legal/privacy/.