Legal

Privacy policy

Version 0.9 (draft pending counsel review) · July 2026

1. Controller

Annexa is operated by Markus Niemeier, [street address to be added], Munich, Germany (hello@annexa.eu), who is the controller for personal data processed through this website and the client portal. See also the Impressum.

2. What we process, and why

DataPurposeLegal basis (GDPR)
Account data (name, business email, company, password hash) Providing the client portal, authenticationArt. 6(1)(b) — contract
Submitted documents (formulas, supplier declarations) and generated workbooks Performing the engaged review serviceArt. 6(1)(b) — contract
Billing dataInvoicing, accountingArt. 6(1)(c) — legal obligation
Technical logs (IP, timestamps)Security, abuse preventionArt. 6(1)(f) — legitimate interest
CorrespondenceSupport, engagement communicationArt. 6(1)(b), (f)

Submitted documents typically contain business data rather than personal data; where personal data appears incidentally (e.g. a signatory's name on a supplier certificate), it is processed only as part of the document for the purposes above.

3. What we do not do

4. Recipients & transfers

Processing occurs on EU infrastructure (see Data & trust for the complete sub-processor list: AWS eu-central-1 for hosting; Stripe for billing). No transfers to third countries are made for document processing.

5. Retention

Submissions and uploaded documents: 90 days after delivery of the workbook, then deleted, unless you request earlier deletion or extended retention (e.g. for portfolio re-runs). Account data: for the duration of the account plus statutory retention periods for invoices. Logs: 30 days.

6. Your rights

You have the rights of access, rectification, erasure, restriction, portability and objection (Art. 15–21 GDPR), and the right to lodge a complaint with a supervisory authority — in Bavaria: BayLDA. Contact for all requests: hello@annexa.eu.

7. Cookies

The website sets no cookies. The client portal sets one strictly-necessary session cookie (HttpOnly) after login. No consent banner is required because nothing non-essential is stored.

This policy is a working draft prepared for launch and will be finalised with counsel (entity details, DPO designation if required) before commercial operation.