Privacy Policy

Last updated: February 2026

This privacy policy explains how we collect, use, and protect your personal data when using FiBuKI.

Data Controller

Infinity Vertigo GmbH
Bergwald 43
2812 Hollenthon
Austria
Commercial Register: FN571837m
VAT ID: ATU77919424

Data We Collect

We collect and process the following categories of personal data:

• Account data: Name, email address for authentication
• Financial data: Bank transactions, receipts, invoices you upload or connect
• Email data: Gmail messages and attachments (only with your explicit consent)
• Usage data: Interactions with the application for improvements

Legal Basis for Processing

We process your personal data on the following legal bases under Art. 6 GDPR:

• Contract performance (Art. 6(1)(b)): Processing necessary for the core functionality of FiBuKI, including transaction management, receipt matching, and AI-powered categorization
• Consent (Art. 6(1)(a)): Gmail integration is only activated with your explicit consent. You can revoke this consent at any time by disconnecting your Gmail account
• Legitimate interest (Art. 6(1)(f)): Usage analytics and AI quality monitoring to improve the service. You can object to this processing at any time

Third-Party Services

We use the following third-party services to provide our services:

Firebase (Google)

Authentication, database, file storage, and cloud functions. Your data is stored in the EU (europe-west1).

Gmail API (Google)

Email access for receipt search. Only active when you connect your Gmail account via OAuth. You can revoke access at any time.

Google Cloud Vision API

Text recognition (OCR) in uploaded documents for automatic data extraction.

Vertex AI / Gemini (Google)

AI-powered document analysis, categorization, and intelligent matching of receipts.

Anthropic Claude API

AI chat assistant for accounting questions and intelligent support.

TrueLayer

Open Banking access (UK/EU) for securely fetching your account transactions.

LangFuse

Analysis and optimization of AI interactions for quality improvement.

Google User Data

FiBuKI accesses Google user data through the Gmail API to help you find and match receipts and invoices to your bank transactions.

What We Access

• Gmail messages: Subject lines, sender information, dates, and body content of emails that may contain receipts or invoices
• Gmail attachments: PDF, image, and document attachments for receipt extraction
• Google account profile: Name and email address for authentication

How We Use This Data

• Receipt search: We scan your emails for receipts and invoices matching your bank transactions
• Data extraction: We extract amounts, dates, and vendor information from email content and attachments
• Matching: Extracted data is compared against your bank transactions for automatic matching

Limited Use Disclosure

FiBuKI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data for the purposes described in this privacy policy
• We do not transfer Google user data to third parties, except as necessary to provide or improve the service, or as required by law
• We do not use Google user data for serving advertisements
• We do not allow humans to read Google user data, except with your affirmative consent, for security purposes, to comply with applicable law, or for internal operations where the data has been aggregated and anonymized

Revoking Access

You can revoke FiBuKI's access to your Google data at any time:

• In FiBuKI: Go to Settings > Integrations and disconnect your Gmail account
• In Google: Visit your Google Account permissions at myaccount.google.com/permissions

When you revoke access, all stored email data and OAuth tokens are deleted within 24 hours.

International Data Transfers

Your data is primarily stored within the European Union (Google Cloud, region europe-west1). However, some processing involves transfers to the United States:

• Anthropic (Claude AI): Your chat messages and accounting queries are processed by Anthropic's servers in the US. This transfer is based on standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
• Google Cloud AI (Vertex AI, Cloud Vision): Document analysis may be processed in Google's global infrastructure, covered by Google's Data Processing Amendment and SCCs

All international data transfers are protected by appropriate safeguards as required by Chapter V of the GDPR.

Data Protection Mechanisms

We implement comprehensive security measures to protect your data:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
• Encryption at rest: All data stored in our databases (Google Cloud Firestore) and file storage (Google Cloud Storage) is encrypted using AES-256
• Access controls: Your data is only accessible to you via your authenticated account. Our team does not access your personal data except for technical support when explicitly requested by you
• Infrastructure security: Our services run on Google Cloud Platform, which maintains SOC 2, ISO 27001, and other security certifications

Email Data (Gmail Integration)

When you connect your Gmail account:

• We access only email metadata and attachments relevant to receipts and invoices
• Email content is processed to extract transaction-relevant information (amounts, dates, vendors)
• We do not store full email content; only extracted data is retained
• You can disconnect your Gmail account and delete all associated data at any time

Data Retention & Deletion

• Your data is retained while your account is active
• You can delete individual files, transactions, or connected accounts at any time
• You can delete your account via Settings > Sign-in & Security > Delete Account
• Account deletion includes a 30-day grace period during which you can cancel the request
• After the grace period, all associated data is permanently removed
• OAuth tokens for connected services (e.g., Gmail) are revoked and cannot be recovered
• Database backups are retained for up to 90 days for disaster recovery, after which they are automatically purged

Automated Processing

FiBuKI uses automated processing, including AI and machine learning, for the following purposes:

• Receipt matching: Automatically matching uploaded receipts to bank transactions based on amounts, dates, and vendor information
• Categorization: AI-powered categorization of transactions and receipts
• Partner detection: Automatic identification of business partners from transaction descriptions and documents
• Scoring: Confidence scores for suggested matches between files and transactions

These automated processes are designed to assist you and do not produce decisions with legal or similarly significant effects. All suggested matches and categorizations can be reviewed, corrected, or rejected by you at any time.

Your Rights

Under GDPR, you have the following rights:

• Right of access (Art. 15): You can request information about your stored data
• Rectification (Art. 16): You can have incorrect data corrected
• Erasure (Art. 17): You can request deletion of your data
• Restriction (Art. 18): You can request restriction of processing
• Data portability (Art. 20): You can receive your data in a common format
• Objection (Art. 21): You can object to processing
• Automated decisions (Art. 22): You have the right not to be subject to purely automated decisions with legal effect

To exercise your rights, contact us at privacy@fibuki.com. You also have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40–42
1030 Vienna, Austria
https://dsb.gv.at

Contact

For privacy questions, contact us at:

Infinity Vertigo GmbH
Bergwald 43
2812 Hollenthon
Austria
Email: privacy@fibuki.com