BISpicy Inventory Management - Cloud Software
Data Controller within the meaning of the General Data Protection Regulation (GDPR):
(1) This Privacy Policy informs you about the type, scope, and purpose of the processing of personal data within our software "BISpicy Inventory Management" and the associated online services.
(2) Legal basis:
What data is collected?
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Storage period: Until account deletion + 30 days
What data is processed?
Note: This data is processed on behalf of the customer (data processing agreement pursuant to Art. 28 GDPR).
Device purchase (§25a German VAT Act / margin scheme): When purchasing used devices (e.g. in a phone shop), in order to fulfil the statutory recording obligation (purchase ledger pursuant to §25a UStG in conjunction with the German Anti-Money Laundering Act) we store the seller's data – name, address, ID number and telephone number – as well as the device data (IMEI/serial number, purchase and sale price). Legal basis: Art. 6(1)(c) GDPR (compliance with a legal obligation). Access is restricted to authorised employees.
(1) Principle: Your data will only be disclosed to third parties if:
(2) Data recipients:
| Recipient | Purpose | Location | Legal Basis |
|---|---|---|---|
| DigitalOcean LLC | Hosting (BIS ERP, database, cloud backups in Spaces) | Frankfurt (EU) | Art. 6(1)(b) GDPR |
| Stripe Payments Europe Ltd. | Payment processing for software licenses | Dublin (EU) | Art. 6(1)(b) GDPR |
| Shipping carriers (DHL, DPD, GLS, Hermes, UPS, FedEx) | Shipping label creation, track & trace | EU | Art. 6(1)(b) GDPR |
| Marketplaces and shops (Amazon, eBay, Etsy, Shopify, Magento, WooCommerce, Shopware) — only when enabled | Order and article synchronization | EU / worldwide | Art. 6(1)(b) GDPR (upon the Controller's instruction) |
| Google LLC (Firebase Cloud Messaging) | Push notifications to connected POS devices (no personal content) | EU/USA (Standard Contractual Clauses) | Art. 6(1)(f) GDPR |
| Anthropic PBC (only when AI features are used) | AI-assisted recognition of incoming invoices, AI article creation, AI repricing (not used for model training) | USA (Standard Contractual Clauses) | Art. 6(1)(b)/(f) GDPR in conjunction with Art. 46 GDPR |
| Fiskaly GmbH (only when POS integration is active) | TSE cloud signing (KassenSichV / RKSV) | Germany / Austria | Art. 6(1)(c) GDPR (legal obligation) |
The full list of processors and sub-processors with locations and processing purposes can be found in the Data Processing Agreement (DPA).
We have implemented extensive technical and organizational measures:
For questions about data protection, please contact:
Last Updated: May 25, 2026