Legal document

Privacy Policy for XInvoice

Version: v2026-04-13

Version date: 2026-04-13

1. Controller

The controller responsible for data processing in connection with the XInvoice service is:

Vent.Net Web-Software Andreas Vent-Schmidt
Kieselbach 7c
04746 Hartha
Germany
Phone: +49 34321 63 59 77
Email: xrechnung@vent.net

2. General information

We only process personal data to the extent necessary to provide our website, web frontend, customer portal, and API, and to fulfil related contractual or legal obligations.

Personal data means any information relating to an identified or identifiable natural person.

3. Purposes and legal bases

We process personal data in particular for the following purposes:

  • provision of the website and technical delivery
  • IT security, abuse detection, and system stability
  • registration and management of customer accounts
  • authentication and access protection
  • operation of the web validator
  • provision and operation of the API
  • processing of invoice and usage data within the selected functions
  • handling of support requests
  • proof of legal acceptances and contract confirmations
  • compliance with statutory retention and documentation duties

Processing is carried out in particular on the basis of:

  • Art. 6(1)(b) GDPR where processing is necessary for pre-contractual measures or contract performance
  • Art. 6(1)(c) GDPR where we are legally required to process data
  • Art. 6(1)(f) GDPR where processing is necessary for our legitimate interests, especially IT security, abuse prevention, stability, and efficient service operation
  • Art. 6(1)(a) GDPR where consent has been given

4. Website access and server logs

When our website is accessed, the browser transmits technically necessary data to our servers. This may include in particular:

  • IP address
  • date and time of access
  • requested URL
  • referrer URL
  • browser type and browser version
  • operating system
  • user agent
  • hostname of the accessing computer

This processing is necessary to deliver the website, ensure stability and security, and detect attacks or misuse.

The legal basis is Art. 6(1)(f) GDPR.

5. Technically necessary cookies and sessions

We use technically necessary cookies and session mechanisms required for the operation of the website and customer area. This includes in particular:

  • session management
  • login status
  • form protection and CSRF protection
  • security-related application functions

The legal basis is Art. 6(1)(f) GDPR and, where applicable, Section 25(2) TTDSG.

6. Registration and customer account

If you register a customer account, we process the data you provide, in particular:

  • name
  • email address
  • password in hashed form
  • company and contact details
  • information about the intended usage model
  • timestamps of registration and account activity

Processing is carried out to create and manage the customer account and to provide the agreed services.

The legal basis is Art. 6(1)(b) GDPR.

7. Authentication and security

To protect customer accounts and the service, we process security-related data, in particular:

  • login attempts
  • timestamps and technical metadata of sign-ins
  • information about activation and use of two-factor authentication
  • recovery codes in a security-appropriate form
  • security-related event and log data

Processing is carried out to ensure integrity, confidentiality, and availability of our systems and to protect your account.

The legal basis is Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

8. Web validator

If you use the web validator, we process the uploaded or pasted data and technical usage metadata to the extent necessary for validation and presentation of results.

This may in particular include:

  • uploaded XML files or pasted XML content
  • validation results
  • technical request metadata
  • assignment to a user account if you are signed in

The legal basis is Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR in the case of anonymous or guest use.

9. API usage and invoice data

If you use the API, we process the data transmitted to us in order to perform the requested functions. This may in particular include:

  • master and contact data contained in invoice data
  • invoice items, service data, and payment data
  • technical request and response data
  • generated invoice documents
  • status, error, and log data
  • API key metadata

Processing is carried out to provide API functionality, validate and generate electronic invoices, deliver results, and ensure security and abuse prevention.

The legal basis is Art. 6(1)(b) GDPR. Where we process personal data on behalf of the customer, this is additionally governed by the data processing agreement concluded between the parties.

10. Support requests

If you contact us through the contact or support form, we process the information you provide, in particular:

  • email address
  • category
  • subject
  • message
  • any further voluntarily transmitted information

The legal basis is Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

11. Proof of legal acceptances and contract confirmations

If you accept legal documents during registration or a plan change, we process the required proof data, in particular:

  • document type
  • document version
  • language
  • timestamp of acceptance
  • browser identifier
  • IP address
  • user or account reference
  • technical proof data such as a hash of the accepted document

This processing is carried out to document contract conclusion and compliance with legal documentation obligations.

The legal basis is Art. 6(1)(b), Art. 6(1)(c), and Art. 6(1)(f) GDPR.

12. Abuse prevention and bot protection

Where we use technical mechanisms to protect against abusive use or automated access, we process the data required for that purpose.

This serves the protection of our systems, the availability of the service, and the prevention of unlawful or abusive usage.

The legal basis is Art. 6(1)(f) GDPR.

13. Email validation and external technical services

Where we use external technical services, for example for email validation, bot detection, or transactional email delivery, we process data only to the extent required for the respective purpose.

Depending on the service used, this may in particular include:

  • email address
  • technical usage data
  • IP address
  • browser or device information

The legal basis is Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

14. Recipients of personal data

We only disclose personal data where this is legally permitted or necessary.

Recipients may in particular include:

  • hosting and infrastructure providers
  • technical service providers for security or verification mechanisms
  • email service providers for transactional communication
  • other processors engaged to provide our services
  • public authorities where we are legally obliged to do so

15. Transfers to third countries

Personal data is transferred to countries outside the European Union or the European Economic Area only where a valid data protection basis exists, in particular an adequacy decision or suitable safeguards under the GDPR.

Where transfers to third countries take place in individual cases, we provide relevant information in connection with the respective service.

16. Retention periods

We only retain personal data for as long as necessary for the respective purposes or as required by statutory retention obligations.

In particular:

  • server and security logs are retained only as long as required for operation, security, and abuse detection
  • account data is retained for the duration of the contractual relationship and thereafter only where legal duties or legitimate interests require it
  • support requests are retained for processing and reasonable follow-up documentation purposes
  • records of legal acceptances and contract confirmations are retained as long as required for legal defense, contract documentation, or legal obligations
  • invoice and API data are retained in accordance with the contract, technical requirements, and legal obligations

17. Obligation to provide data

The provision of certain personal data is required for conclusion and performance of the contract. Without this data we cannot provide certain services, in particular registration, login, support, or API usage.

18. Data subject rights

Subject to the statutory requirements, you have the following rights:

  • right of access under Art. 15 GDPR
  • right to rectification under Art. 16 GDPR
  • right to erasure under Art. 17 GDPR
  • right to restriction of processing under Art. 18 GDPR
  • right to data portability under Art. 20 GDPR
  • right to object under Art. 21 GDPR

Where processing is based on consent, you may withdraw that consent at any time with effect for the future.

19. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.

20. Automated decision-making

There is no solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

21. Changes to this privacy policy

We reserve the right to update this privacy policy if necessary due to technical developments, changed processes, or legal requirements.

Legal notice

XInvoice is a service by Vent.Net Web-Software Andreas Vent-Schmidt.

Kieselbach 7c
04746 Hartha
Germany

Phone: +49 34321 63 59 77
Email: xrechnung@vent.net
Web: https://www.vent.net

VAT ID: DE172846173
Tax office: Doebeln

Cookies

We only use technically required session cookies. No user profiling, no tracking, and no storage of personal data for marketing purposes. No separate consent is required for this.