Privacy Policy

Last updated: May 7, 2026

This document describes how Fakturqa handles personal data of users of the service at fakturqa.com. Treat it as informative; for disputes, contact the controller at info@fakturqa.com.

1. Data Controller

The data controller is Peter Buchlák, sole trader, business ID (IČO): 87549301, registered office Na Zlaté stoce 1886/5A, 370 05 České Budějovice, Czech Republic. Contact e-mail: info@fakturqa.com.

2. Data we process

  • Account identification: name, e-mail address, hashed password.
  • Organization billing details: business name, business ID, VAT ID, address (we use the public Czech ARES registry to auto-fill).
  • Invoice content: PDF attachments and images you upload or forward to your unique @mail.fakturqa.com address, plus structured data extracted from them (supplier, amount, VAT, due date, line items, etc.).
  • Operational data: IP address at sign-in, timestamps, action logs (invoice issued, synced).
  • Payment data: payment history (amount, date, status). We never see card numbers — payments are processed by Stripe (web) or Apple (iOS app, In-App Purchase). For Apple payments we store only the original transaction ID needed to identify your subscription and track its lifecycle (active, renewed, cancelled, refunded).

3. Purpose and legal basis

  • Performance of contract (Art. 6(1)(b) GDPR) — providing OCR, accounting integrations, subscription billing, issuing tax invoices.
  • Legal obligations (Art. 6(1)(c) GDPR) — retaining tax invoices for the period required by Czech VAT and accounting law (10 years).
  • Legitimate interest (Art. 6(1)(f) GDPR) — service security, abuse prevention, OCR quality improvements (data is anonymized and stays within our infrastructure).

4. Recipients

We share your data with the following processors:

  • Stripe Payments Europe, Ltd. — payment processing on the web (Ireland / EU).
  • Apple Distribution International Ltd. — payment processing and subscription management in the iOS app (In-App Purchase, Ireland / EU). Apple sends subscription lifecycle notifications (renewal, cancellation, refund) to our servers; these notifications contain no payment details, only status and transaction identifiers.
  • Resend, Inc. — transactional e-mail delivery (USA, Standard Contractual Clauses).
  • Anthropic, PBC — OCR via the Claude API (USA, SCC). Invoice content is sent only for extraction and is not used to train models per our agreement with Anthropic.
  • Solitea, a.s. (iDoklad) — if you connect an iDoklad account, invoices and tax documents are pushed to their system (Czech Republic).
  • Hetzner Online GmbH — database and application hosting (Germany / EU).
  • ARES (Czech Ministry of Finance) — public IČO lookup; no personal data is sent.

User-controlled accounting systems (Fakturoid, Flexibee, etc.) receive invoice data only if you explicitly connect them. You can disconnect any of them at any time in Settings.

5. Retention

  • Account and user data: for the lifetime of the account + 30 days after deletion (technical backup).
  • Tax invoices and billing records: 10 years from the end of the relevant tax period per § 35 of the Czech VAT Act.
  • Security logs: 12 months.

6. Your rights

As a data subject you have the right to:

  • Access your data.
  • Rectification of inaccurate data.
  • Erasure ("right to be forgotten") — provided we are not required by law to retain it.
  • Restrict processing.
  • Data portability — we will export your data in a machine-readable format.
  • Object to processing.
  • Lodge a complaint with the Czech Office for Personal Data Protection (uoou.cz).

To exercise your rights, write to info@fakturqa.com. We respond within 30 days.

7. Cookies and tracking

We only use technical cookies required for sign-in. We do not use third-party advertising or analytics cookies. If we add analytics in the future, we will ask for your consent.

8. Security

Passwords are stored as bcrypt hashes; OAuth tokens for accounting systems are encrypted with AES-256-GCM. Communication with the application is HTTPS-only. The database is hosted in the EU with regular backups.

9. Changes to this policy

We will announce changes to this policy by e-mail at least 30 days before they take effect. The current version is always available at fakturqa.com/en/privacy.