1. Controller and roles
Service provider: R. Redivo, dynafis / General Informatics
Registered business address: Fijewo 58a, 14-260 Lubawa, Poland
German office: Am Sandfeld 11, 76149 Karlsruhe, Germany
Email: support@dynafis.com
Website: dynafis.com
VAT ID: to be published after allocation
The provider named above is the controller for website, account, contract, payment, support and security data. For invoice, client, receipt and export data that customers process in dynafis, dynafis usually acts as a processor under Article 28 GDPR and processes those data only on documented customer instructions.
2. Purposes of processing
We process personal data to provide the website, demo functions, user accounts, uploads, OCR and invoice extraction, review workflows, monthly processes, export packages, client features, support, billing, security logs and legally required evidence.
3. Data categories
Depending on use, we process master data, contact data, login and session data, contract, payment and billing data, support content, technical logs, client, supplier, invoice, receipt, export and audit data. Invoice documents may contain personal data of contacts, sole traders, employees, customers, suppliers or other third parties.
- Account and organisation data such as name, company, email, role, plan, add-ons and permissions
- Invoice and receipt data such as supplier, customer, amounts, tax amounts, service dates, payment references, partial IBAN information, attachments and processing status
- Usage and security data such as IP address, device information, timestamps, login, API, audit and error events
- Support and communication data including voluntarily submitted error descriptions, screenshots or attachments
4. AI, OCR and automation
dynafis may use AI models, OCR, parsers, rules and plausibility checks to extract invoice information, flag risks, detect missing documents, prepare monthly analyses, structure export data or generate response suggestions. AI outputs are decision-support information and do not replace human review.
Where external AI, OCR or infrastructure providers are used, this is based on appropriate contracts, technical safeguards and, where required, suitable safeguards for international transfers. Providers are configured where possible so that customer data is not used to train general models.
5. Legal bases
Legal bases include Article 6(1)(b) GDPR for contract performance and pre-contractual steps, Article 6(1)(c) GDPR for legal obligations, Article 6(1)(f) GDPR for security, abuse prevention, product improvement, B2B communication and legal claims, and Article 6(1)(a) GDPR for consent-based cookies or optional functions. Processor activities are additionally based on the data processing agreement and documented customer instructions.
6. Recipients and subprocessors
Data may be disclosed to carefully selected service providers where necessary for hosting, databases, storage, email delivery, payment processing, support, monitoring, security, OCR, AI functions or export and integration services. Subprocessors are contractually bound and used only for defined purposes.
7. International transfers
Processing primarily takes place in the EU or EEA. If individual providers process data outside the EU/EEA, we use appropriate safeguards such as EU Standard Contractual Clauses, adequacy decisions, additional technical safeguards or other legally provided transfer mechanisms.
8. Cookies and local storage
Necessary technologies are used for language, session, security, login, consent status and core functions. Optional analytics and product improvement technologies are activated only after consent. Consents can be changed or withdrawn at any time through Cookie Consent in the footer.
9. Retention and deletion
Data is stored only as long as required for contract performance, security, evidence, statutory retention duties or legitimate interests. Customers can delete content through product features or request deletion unless statutory retention, billing or defence obligations prevent this. Logs and backups are reduced or deleted according to defined periods.
10. Security
dynafis uses technical and organisational measures including tenant isolation, role-based permissions, access controls, transport encryption, audit logs, secret protection, backup and recovery processes and security reviews. No system can guarantee absolute security; security incidents are assessed and reported according to legal requirements.
11. Data subject rights
Data subjects have GDPR rights to access, rectification, erasure, restriction, portability, objection and withdrawal of consent. Requests can be sent to support@dynafis.com. There is also a right to lodge a complaint with a competent supervisory authority.
12. Updates
We update this Privacy Policy when functions, providers, legal bases or legal requirements change. Before production use with sensitive finance data, the final version should be legally reviewed and aligned with the actual provider, subprocessor and hosting structure.