Version 0.9 (draft pending counsel review) · July 2026
Annexa is operated by Markus Niemeier, [street address to be added], Munich, Germany (hello@annexa.eu), who is the controller for personal data processed through this website and the client portal. See also the Impressum.
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Account data (name, business email, company, password hash) | Providing the client portal, authentication | Art. 6(1)(b) — contract |
| Submitted documents (formulas, supplier declarations) and generated workbooks | Performing the engaged review service | Art. 6(1)(b) — contract |
| Billing data | Invoicing, accounting | Art. 6(1)(c) — legal obligation |
| Technical logs (IP, timestamps) | Security, abuse prevention | Art. 6(1)(f) — legitimate interest |
| Correspondence | Support, engagement communication | Art. 6(1)(b), (f) |
Submitted documents typically contain business data rather than personal data; where personal data appears incidentally (e.g. a signatory's name on a supplier certificate), it is processed only as part of the document for the purposes above.
Processing occurs on EU infrastructure (see Data & trust for the complete sub-processor list: AWS eu-central-1 for hosting; Stripe for billing). No transfers to third countries are made for document processing.
Submissions and uploaded documents: 90 days after delivery of the workbook, then deleted, unless you request earlier deletion or extended retention (e.g. for portfolio re-runs). Account data: for the duration of the account plus statutory retention periods for invoices. Logs: 30 days.
You have the rights of access, rectification, erasure, restriction, portability and objection (Art. 15–21 GDPR), and the right to lodge a complaint with a supervisory authority — in Bavaria: BayLDA. Contact for all requests: hello@annexa.eu.
The website sets no cookies. The client portal sets one strictly-necessary session cookie (HttpOnly) after login. No consent banner is required because nothing non-essential is stored.