PRIVACY POLICY YOURBEEZ OS
Last updated: 23.06.2026
1) Introduction and Controller
1.1 This privacy policy informs you about the processing of personal data when using the yourBeez OS app (hereinafter the "App"). It applies exclusively to the App. A separate privacy policy applies to our website.
1.2 The controller within the meaning of the General Data Protection Regulation (GDPR) – insofar as we decide on the purposes and means of processing (see Section 2) – is yourBeez GmbH, Prinzenstraße 2A, 42697 Solingen, Germany, e-mail: ask@yourbeez.com. The controller responsible for the processing of personal data is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
2) Our role: controller and processor
yourBeez OS is software for businesses (B2B). In processing data, we act in two different roles:
2.1 As a processor (Art. 28 GDPR): For all content data that the using business (our customer) enters into the software – in particular data of its customers, members, prospects and employees, documents as well as accounting and POS data – we act on behalf of and under the instructions of the business. In this relationship, the business is the controller; we process this data exclusively on the basis of a data processing agreement (DPA). Data subjects should direct any requests regarding this data to the respective business.
2.2 As a controller: For processing that we ourselves decide on – in particular the provision, operation and security of the App, the management of access accounts as well as error analysis – we are the controller within the meaning of Section 1.
3) What data is processed
When using the App, the following categories of data may in particular be processed:
User account data: name, e-mail address, login credentials
Customer data, member data, prospect data of the business
Employee data of the business
Documents (e.g. contracts, consent forms, house rules, SEPA mandates)
Images (profile pictures, company logos, item images)
Customer cards / barcodes
Accounting and POS data
Communication data within the software
4) Purposes and legal bases
We process personal data for the following purposes and on the following legal bases:
4.1 Provision and operation of the App, management of access accounts, performance of the contract with the business – Art. 6(1)(b) GDPR.
4.2 Processing of the content data entered by the business – on behalf of the business (Art. 28 GDPR); the legal basis is determined by the business.
4.3 Compliance with legal obligations, in particular the German Cash Register Security Ordinance (KassenSichV/TSE) and tax retention obligations – Art. 6(1)(c) GDPR.
4.4 IT security, stability and error analysis of the App – Art. 6(1)(f) GDPR (legitimate interest in a secure, functioning service).
5) Special categories of personal data (Art. 9 GDPR)
The processing of special categories of personal data is not intended.
However, the software provides free-text fields, notes and labels into which users can enter content on their own. In doing so, special categories of personal data may technically also be recorded (e.g. a health-related note such as "knee injury"). Such use is not an intended purpose of the software. Responsibility for the permissibility of such entries – including any legal basis required under Art. 9 GDPR – lies with the using business as the controller.
6) Service providers used
To provide the App, we use carefully selected service providers who act as processors or sub-processors on our behalf:
Supabase – hosting, database and file storage
Stripe – payment processing and operation of the card terminals
fiskaly – technical security system (TSE) pursuant to KassenSichV
Resend – sending of e-mails (e.g. system and transactional e-mails)
Sentry – error analysis and monitoring (diagnostic/crash data)
The data protection agreements required with these service providers are in place.
7) Hosting and storage location
The data is hosted via Supabase on AWS infrastructure in the Frankfurt (EU) region. Database content is stored in the Supabase database; documents, images, logos and other files are stored in Supabase Storage.
8) Transfer to third countries
Primary data storage takes place within the EU (Frankfurt). Individual service providers used (see Section 6) may be companies with their registered office or processing activities outside the EU/EEA. Insofar as personal data is transferred to a third country, this is carried out on the basis of appropriate safeguards within the meaning of Art. 44 et seq. GDPR, in particular on the basis of standard contractual clauses.
9) App permissions
The App only requests the permissions required for the respective function:
Camera: for scanning barcodes and QR codes as well as for taking pictures.
Files / photos: for uploading documents as well as for profile pictures, company logos and item images.
Location: No GPS tracking takes place. Only the company address is stored during the initial setup.
Notifications: In-app notifications exist. Classic operating-system push notifications are not intended.
10) Payments and digital signatures
Payments are processed via Stripe; Stripe terminals can be used for this. Digital signatures are possible directly on the device as well as via supported Stripe terminals. The data processed in payment transactions is additionally subject to Stripe's privacy terms.
11) Authentication
Initial login is carried out via e-mail address and password. The App can subsequently be used via PIN. No biometric authentication takes place.
12) Data security
We take technical and organizational measures to protect the data:
Encrypted data transmission
Encryption of data at rest
Access only for authorized users in accordance with their roles and permissions
13) Storage period and deletion
13.1 Content data of the business: After termination of the contractual relationship, the data entered by the business is generally retained for a further 30 days and then deleted, unless statutory retention obligations (in particular tax and commercial law obligations, e.g. under the German Fiscal Code (AO)/Commercial Code (HGB) and KassenSichV) prevent this.
13.2 User accounts: User accounts can be either archived or deleted by an authorized person of the business. When archiving, access is blocked; the data is retained as long as there is a legal basis for doing so (e.g. ongoing retention obligations or legitimate interests of the business). When deleting, the personal data of the account (in particular name, e-mail address, phone number, address and profile picture) is deleted or irreversibly anonymized, unless a statutory retention obligation prevents this. Records linked to the account (e.g. booking and transaction data) are retained in anonymized form that can no longer be attributed to an identifiable person.
13.3 Records subject to statutory retention obligations (in particular tax- and cash-register-relevant records under AO/HGB and KassenSichV) are not deleted and not altered, but restricted in processing (blocked) for the duration of the respective retention period and deleted after the period expires.
14) Tracking and advertising
No advertising tracking takes place in the App. No personalized advertising occurs. A request under the App Tracking Transparency framework (ATT) is not required as long as no tracking across third-party apps or websites takes place. Newsletters are not part of the App.
15) Data export
The App provides export functions, in particular for POS data, DATEV and other business data. Responsibility for handling exported data lies with the exporting business.
16) Rights of data subjects
Data subjects have, in accordance with the GDPR, the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21).
Insofar as the data concerned is content data that a business has entered into the software (see Section 2.1), that business is the controller; corresponding requests should be directed to the respective business. For processing for which yourBeez is the controller, the rights can be exercised using the contact details specified in Section 1.
17) Right to lodge a complaint with a supervisory authority
Data subjects have the right to lodge a complaint with a data protection supervisory authority. For yourBeez, this is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW).
18) Changes to this privacy policy
We will amend this privacy policy if the processing changes or if legal requirements make this necessary. The current version available in the App or at the stored address shall apply in each case.
