This Privacy Policy explains how Causa Prima Germany GmbH (“Causa Prima”, “we”, “us”) processes personal data in connection with Scribo, a free, conversational, EN 16931-compliant e-invoicing tool operated by Causa Prima at https://scribo.causaprima.ai (the “Service”).
1. Controller
Causa Prima Germany GmbH
Leopoldstraße 31, 80802 München, Germany
Registered with the Local Court Charlottenburg under HRB 286382 B
Managing Director: Philip Stanislaus
E-mail: security@causaprima.ai
2. Categories of personal data we process
Depending on how you interact with us, we may process the following:
- Account and login data — name, work e-mail, role, authentication identifiers, login timestamps.
- Profile and contact data — business contact details you provide when signing up, contracting, or contacting support.
- Service-usage data — actions you take in the Service (inputs, sessions, outputs you create or save), session and device metadata, IP address, browser/OS.
- Content data — invoices, billing records, transactional and financial metadata that you or your colleagues upload to or generate in the Service.
- Communication data — e-mails, support tickets, scheduled-call notes.
- Website-visit data — pages viewed, referrers, approximate location (country/city derived from IP), cookies and similar identifiers (see §10).
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing and operating the Service | Art. 6(1)(b) — contract performance |
| Account creation, authentication and access control | Art. 6(1)(b) |
| Communicating with you about your account, contracts, support and incidents | Art. 6(1)(b) and Art. 6(1)(f) — legitimate interests in customer communication |
| Security, abuse prevention, fraud detection and audit logging | Art. 6(1)(f) — legitimate interests in securing the Service |
| Billing, invoicing and statutory record-keeping | Art. 6(1)(c) — legal obligation (HGB, AO); Art. 6(1)(b) |
| Service analytics, product improvement and benchmarking (on aggregated, de-identified data) | Art. 6(1)(f) — legitimate interests in improving the Service |
| Direct B2B marketing to business contacts who requested information or are existing customers | Art. 6(1)(f); §7 UWG where applicable |
| Use of cookies and similar technologies on the Scribo website | §25 TTDSG and Art. 6(1)(a) where consent is required; see the Cookie consent page |
4. Processing of personal data on behalf of customers
When a Scribo user uses the Service, the user is the Controller of the personal data processed within their workspace (including end-users' identifiers and any content uploaded). Causa Prima acts as Processor on the user's documented instructions, as set out in the Causa Prima Data Processing Agreement (“DPA”). Our DPA is available to users and prospective users on request via security@causaprima.ai. End-users whose personal data is processed in this capacity should direct data-subject requests to the relevant user; we will support our users in responding.
5. AI Features & Disclaimer
Where the Service includes AI features, those features are delivered via third-party large-language-model (“LLM”) providers, and user inputs and intermediate outputs may be sent to those providers for inference.
AI outputs are probabilistic and may be inaccurate. AI outputs are provided for informational purposes only and do not constitute legal, tax, accounting, investment or other professional advice. The Service is designed for human-in-the-loop use: users are expected to review AI outputs before relying on them for material decisions, financial reporting or external communication. The Service does not make decisions that produce legal effects concerning users or significantly affect them in a similar way without human review within the meaning of Art. 22 GDPR.
6. Recipients and sub-processors
We share personal data with the following categories of recipients:
- Sub-processors — the current list is available on request via security@causaprima.ai.
- Other recipients — tax and statutory authorities where we are legally required to disclose, professional advisers under confidentiality (lawyers, auditors, accountants), and acquirers in connection with a merger, reorganisation or sale of all or substantially all of our assets.
We do not sell personal data and do not disclose personal data to advertising networks for cross-site targeting.
7. Transfers outside the EEA
Some of our sub-processors are established outside the European Economic Area (EEA), in particular in the United States. For each such transfer we rely, in order of preference, on:
- an adequacy decision of the European Commission, where available;
- the EU-US Data Privacy Framework, where the recipient is certified;
- the EU Standard Contractual Clauses 2021/914 in the appropriate module, supplemented by a transfer impact assessment.
The applicable mechanism for each sub-processor is set out in that sub-processor's own DPA and transfer documentation, provided alongside the sub-processor list on request (§6 above).
8. Retention
We retain personal data only as long as necessary for the purposes set out in §3, and in any event:
- Account and Service-usage data — for the duration of the customer contract, then deleted or returned in accordance with the DPA.
- Billing and tax records — for the statutory retention periods under German tax and commercial law (HGB and AO), typically 6 or 10 years from the end of the calendar year of creation.
- Marketing data — until you object or withdraw consent.
- Server and security logs — typically 12 months; longer where required to investigate a specific incident.
- Support correspondence — typically 24 months after closure of the matter.
9. Your rights
Under the GDPR you have the rights to:
- access your personal data (Art. 15);
- rectification (Art. 16);
- erasure / “right to be forgotten” (Art. 17);
- restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw consent at any time, where processing is based on consent (Art. 7(3)) — withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise these rights, contact us at security@causaprima.ai. We will respond without undue delay and in any event within one month.
10. Cookies and similar technologies
Cookies and similar technologies on the Scribo website are governed by our Cookie consent page, accessible via the cookie banner on each visit. Strictly necessary cookies (e.g. session, security, load-balancing) are set on the basis of §25(2) TTDSG; all others are set only with your prior consent under §25(1) TTDSG.
11. Source of personal data not collected from you
Where we receive your personal data from a source other than yourself (e.g. from a customer who has authorised you as a user of the Service, or from a publicly accessible business directory), the categories of data, purposes and legal bases are the same as set out above. The source is typically the customer or business contact who introduced us.
12. Recipients of invoices (business partners)
This section is for you if you have received an invoice generated with Scribo. The person or business that issued the invoice to you (the sender) provided your details to us so we could generate it. For the second of the purposes listed below we are the controller within the meaning of the GDPR.
Data we process: name or company name, address, tax or VAT ID, contact e-mail (if provided), and the content of the invoice addressed to you.
Purposes and legal basis (Art. 6(1)(f) GDPR — legitimate interests):
- Generating, storing and delivering the invoice the sender asked us to create.
- Maintaining the sender's business-partner record so they can see their relationship with you and pre-fill future invoices. Your data stays scoped to that sender.
Source of your data: we received your data not from you but from the sender (Art. 14 GDPR). Because we cannot always contact you directly, we make this information publicly available (Art. 14(5)(b) GDPR).
Your rights as a recipient: independently of the sender, you may request access (Art. 15), rectification (Art. 16), erasure (Art. 17) and restriction (Art. 18), and you may object to the processing at any time (Art. 21). Contact us at security@causaprima.ai.
Erasure and objection: on your request we delete or anonymise your business-partner record and your contact details. The issued invoice itself is kept for the statutory retention period below — German law requires this and overrides the erasure right for that record (Art. 17(3)(b) GDPR). If you object to the processing, we stop using your data going forward. Audit logs that must remain unalterable are not deleted but are redacted at the display layer.
Retention of recipient data: we keep your business-partner record while the relationship with the sender is active and delete it on request; the issued invoice itself is kept for the sender's statutory retention period — typically 6 or 10 years from the end of the calendar year of its creation under German tax and commercial law — which we cannot shorten on request.
No credit or financing assessment: we do not use your data to assess your creditworthiness or to make financing decisions about you.
13. Changes to this Policy
We may update this Privacy Policy from time to time. The current version is indicated by the “Last updated” date at the top. Material changes will be communicated through the Service or by e-mail to registered users where appropriate.