
Privacy Policy

As of: May 12, 2026 — Version 1.1

Translation notice. This is a translation of the German privacy policy for convenience. In case of any discrepancy or interpretation question the German original (/legal/datenschutz) applies. The English version is pending review by a German privacy lawyer.

Version: 1.2  |  Last updated: May 24, 2026

1. Introduction and contact information of the controller

1.1 Thank you for visiting our website mainledger.eu and the associated SaaS application. Below we inform you about how we handle your personal data. Personal data is any data with which you can be personally identified.

1.2 The controller for data processing under the GDPR is:

Bastian Deppisch
MainLedger Inh. Bastian Deppisch
Am Schäfergarten 3
97753 Karlstadt
Germany
Email: info@mainledger.eu

2. Data collected when visiting our website

2.1 When you use our website for informational purposes only — i.e. when you do not register or otherwise transmit information to us — we collect only the data your browser sends to the server (so-called server log files). The data we collect for technical reasons is:

  • Page visited
  • Date and time of access
  • Volume of data sent in bytes
  • Source / referrer that led you to the page
  • Browser and operating system used
  • IP address (anonymized after 7 days)

Processing takes place under Art. 6(1)(f) GDPR on the basis of our legitimate interest in the stability and functionality of our website. No transfer to third parties or other use of the data occurs. We reserve the right to review server log files retroactively if there are concrete indications of unlawful use.

2.2 For security reasons and to protect the transmission of personal data, this website uses TLS encryption. You can identify the encrypted connection by the "https://" prefix and the lock icon in your browser's address bar.

3. Hosting

For hosting our website and SaaS application we use a VPS at Hostinger International Ltd. (server location: Frankfurt am Main, Germany; exclusively within the EU). All data collected on our website is processed on these servers. We have a data processing agreement (DPA) with Hostinger ensuring the protection of our visitors' data and prohibiting unauthorized disclosure to third parties.

4. Cookies and consent tool

To make our website attractive and to enable certain features, we use cookies — small text files stored on your device. With your consent we use cookies for anonymized statistics (PostHog, EU), marketing conversion measurement (Google Ads) and session recording for UX improvement. Necessary cookies are always active. You give your consent through our cookie consent banner; processing is based on Art. 6(1)(a) GDPR. You can withdraw your consent at any time via the "Cookie preferences" link in the footer.

  • NEXT_LOCALE — stores the chosen language (DE/EN). Category: necessary. Expires: 1 year.
  • mainledger.session_token — session cookie for logged-in users (HttpOnly, Secure, SameSite=Lax). Required for authentication. Category: necessary. Expires: 30 days after last activity.
  • __Host-better-auth.csrf-token — CSRF protection for forms in the SaaS app. Category: necessary. Expires: session.
  • consent_state — stores your cookie preferences, HMAC-signed. Category: necessary. Expires: 12 months.
  • ph_<api_key>_posthog — anonymous distinct ID for usage statistics (PostHog Inc., EU Cloud). Category: statistics (consent required). Expires: 12 months.
  • ph_<api_key>_posthog_session — session tracking for PostHog. Category: statistics (consent required). Expires: session.
  • Session Replay (memory) — anonymized session recording with masked input (PostHog Inc.). Category: session recording (consent required). Retention: 30 days server-side.
  • _gcl_aw, _gcl_dc — conversion measurement Google Ads (Google Ireland Ltd.). Category: marketing (consent required). Expires: up to 90 days.

Cookies marked as "necessary" are essential for operating the website and the login. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in a functioning website) or Art. 6(1)(b) GDPR (performance of a contract). For all other cookies the legal basis is your consent (Art. 6(1)(a) GDPR).

You can configure your browser to inform you when cookies are set and to decide on each cookie individually or to refuse them entirely. Without the necessary cookies, logging into the SaaS app is not possible.

5. Contact

When you contact us (e.g. via email to info@mainledger.eu) personal data is collected. If you use a contact form, the data collected is shown in the form itself. This data is stored and used exclusively to respond to your inquiry. The legal basis is our legitimate interest in responding to your inquiry under Art. 6(1)(f) GDPR. If your contact aims at concluding a contract, an additional legal basis is Art. 6(1)(b) GDPR. Your data will be deleted after the inquiry has been processed, unless statutory retention obligations apply.

6. Registration and use of the SaaS platform

6.1 You can register on our SaaS platform by providing personal data. The data processed during registration is shown in the registration and onboarding forms. Authentication uses better-auth (self-hosted on our servers in Frankfurt). We use a strict double opt-in procedure to confirm the email address. If confirmation does not occur within 24 hours, the registration token is deleted.

6.2 Mandatory data: During onboarding we collect the following data for contract performance (legal basis: Art. 6(1)(b) GDPR):

  • Email address, name, password hash (for email login)
  • Company name, country, billing address (street, postal code, city), optionally VAT-ID — for issuing platform-side invoices for subscription fees
  • Acceptance of Terms of Service and Privacy Policy (version ID and timestamp) — Art. 7 GDPR evidence requirement

6.3 Storage of contract data: We store your data required for contract performance until you delete your account. After deletion, the retention and deletion rules described in section 13 apply. You can manage and change all entries at any time in the secure customer area.

7. Sign-in with Google (Single Sign-On)

On our SaaS platform you can alternatively sign in via Google Single Sign-On. Provider: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). When you click the "Sign in with Google" button you are redirected to Google. After your express consent under Art. 6(1)(a) GDPR, Google transmits the following data to us: Google account ID, name, email address, profile image (if public). We use this data to set up your user account. We do not transmit any data back to Google.

Data may also be transmitted to Google LLC in the USA. For US data transfers Google has joined the EU-US Data Privacy Framework, which ensures compliance with the European data protection level on the basis of an adequacy decision by the European Commission.

You can disconnect the link to your Google account at any time in your Google account under "Third-party apps". More information: https://business.safety.google/intl/en/privacy/.

8. Transactional and marketing emails (Resend)

8.1 Transactional emails (registration confirmation, invoice emails, sync reports) are sent via Resend. Provider: Resend Inc., 2261 Market Street #4083, San Francisco, CA 94114, USA — processing takes place in the EU region (Frankfurt). We have a DPA with Resend. Legal basis: Art. 6(1)(b) GDPR (contract performance). For US data transfers the provider relies on Standard Contractual Clauses and the EU-US Data Privacy Framework.

8.2 Marketing emails / newsletter: If you expressly consent during onboarding, we send you information about new features and offers from MainLedger. We use a strict double opt-in procedure: only after clicking the confirmation link in a separate confirmation email does your consent take effect and we send marketing content. Legal basis: your consent under Art. 6(1)(a) GDPR. With your consent we store the version ID of the privacy policy and the timestamp for proof of consent (Art. 7 GDPR). You can withdraw consent at any time via the unsubscribe link in each marketing email or by message to info@mainledger.eu with effect for the future.

8.3 Waitlist: If you sign up for our waitlist on the marketing site we process your email address for the purpose of a one-time launch notification and occasional product updates. Registration uses a strict double opt-in procedure: after entering your email you receive a confirmation email; only after clicking the link does your registration take effect. If you do not confirm within 48 hours, the registration is automatically deleted. Legal basis: your consent under Art. 6(1)(a) GDPR. For proof of consent (Art. 7 GDPR) we store IP address, user agent, privacy policy version ID and timestamp of registration. You can unsubscribe at any time via the unsubscribe link in each email or by message to info@mainledger.eu — after that you receive no more emails from us. Retention: until unsubscribe, then audit entry with IP/user agent for up to 12 months (defense against unfounded spam claims).

8.4 Beta tester program: If you accept the beta tester status on the early-access page, we store the timestamp of your consent and your WhatsApp mobile number (mandatory, because the private beta WhatsApp group is the central feedback medium of the beta). We use the number exclusively to add you to the private beta WhatsApp group and to send you setup notifications — no advertising, no sharing with third parties beyond the operator WhatsApp Ireland Ltd. (data processing there: phone number and message content; third-country transfer based on EU standard contractual clauses, see Meta DPA). Legal basis: Art. 6(1)(b) GDPR (contract — beta special conditions per sections 4.7/4.8 of our Terms). Retention period: 90 days after the end of the beta or until your withdrawal, whichever comes first. You can withdraw at any time by email to info@mainledger.eu — withdrawal automatically ends the beta special conditions.

8.5 First and last name (tenant creation): When creating your company in the app we process your first and last name to identify the contracting party, to issue invoices and for GoBD-compliant contract documentation. Legal basis: Art. 6(1)(b) GDPR (contract initiation and performance). Retention as for the other tenant data (see section 12).

8.6 Marketing attribution (UTM/gclid): If you come to our site via a Google Ads campaign, we store the parameters contained in the URL (e.g. gclid, utm_source, utm_campaign) for up to 7 days in an HMAC-signed cookie (ml_ads_lead). If you create an account in this period, we persist these parameters in your user record (column signup_attribution) to measure the effectiveness of our advertising per campaign and landing variant. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in marketing effectiveness measurement). Retention: together with your user data, deletion on request.

8.7 Enhanced Conversions to Google Ads: After successful email verification and upon acceptance of the beta tester status, we send to Google Ads — provided you have consented to the marketing cookie category — the SHA-256 hash of your email address together with the gclid mentioned above, so that Google can correctly attribute the conversion to your campaign (Enhanced Conversions). Without marketing consent we send only an anonymous conversion event without personal data. Recipient: Google Ireland Ltd. (EU data controller); third-country transfer to the USA is based on Google LLC's EU-US Data Privacy Framework certification and EU standard contractual clauses. Legal basis: Art. 6(1)(a) GDPR (your consent via the cookie banner). Withdrawal at any time via the cookie settings.

9. Payment service provider Mollie (platform subscription)

For handling subscription fees (platform usage) we use the payment service provider Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands. When you add your payment method (SEPA direct debit mandate or credit card) your payment data is transmitted directly to Mollie — we ourselves do not store credit card data or IBANs on our servers. Mollie is certified to PCI-DSS Level 1.

From Mollie we receive only a mandate ID, a customer identifier and status information on payments (successful / failed / chargeback). Legal basis: Art. 6(1)(b) GDPR (contract performance). We have a DPA with Mollie. Processing takes place exclusively in the EU/Netherlands.

Mollie privacy policy: https://www.mollie.com/privacy

10. Accounting integration Lexware Office

The core function of the MainLedger platform is the automated synchronization of your Mollie payment data into your Lexware Office accounting system. The provider of Lexware Office is Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany. We do not have a DPA with Lexware (Lexware is not our processor but an independent controller for the accounting data stored with them).

When linking your Lexware account to MainLedger we receive an access token and refresh token via the OAuth 2.0 procedure. These tokens are stored in our database encrypted with AES-256-GCM. We use the tokens exclusively to create, read and synchronize invoices, documents and contacts in Lexware Office on your behalf. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) GDPR (consent at the OAuth connect step).

You can disconnect the link to Lexware Office at any time in your MainLedger settings — the tokens are then immediately invalidated by a token revoke call to Lexware and deleted from our database.

11. Error tracking and logging

11.1 Sentry (Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA) — we use Sentry to track technical errors in our SaaS application. When an error occurs, Sentry collects technical data such as browser type, JavaScript stack trace and URL. Personal data is collected only if it is accidentally part of an error report — we actively filter out tokens, passwords and email addresses before transmission to Sentry. Legal basis: our legitimate interest in a stable and secure application (Art. 6(1)(f) GDPR). Sentry processes exclusively in the EU region. We have a DPA with Sentry.

11.2 Better Stack (BetterStack s.r.o., Štefánikova 836/1, 150 00 Praha 5, Czech Republic) — we use Better Stack for structured aggregation of server logs. Logs contain technical data on requests, webhook events and internal operations. Personal data is filtered out or pseudonymized before transmission to Better Stack (e.g. only the tenant ID is logged instead of the full email). Legal basis: Art. 6(1)(f) GDPR. Processing takes place within the EU.

11.3 PostHog (PostHog Inc., 965 Mission Street #1003, San Francisco, CA 94103, USA — processing takes place exclusively in the EU region, Frankfurt am Main) — we use PostHog for anonymous usage statistics, A/B tests and — with your consent — session recording. PostHog records pageviews, clicks, time on page and (with separate consent) anonymized screen content. Form input, passwords, email addresses and sensitive areas are masked before transmission to PostHog. IP addresses are anonymized in PostHog. Legal basis: your consent under Art. 6(1)(a) GDPR (for statistics and session recording). We have a DPA with PostHog. Retention: 12 months for statistics events, 30 days for session recordings. PostHog privacy policy: https://posthog.com/privacy

12. Rights of the data subject

12.1 Applicable data protection law grants you the following data subject rights against us as controller:

  • Right of access under Art. 15 GDPR
  • Right to rectification under Art. 16 GDPR
  • Right to erasure under Art. 17 GDPR
  • Right to restriction of processing under Art. 18 GDPR
  • Right to data portability under Art. 20 GDPR
  • Right to withdraw consent under Art. 7(3) GDPR
  • Right to lodge a complaint with a supervisory authority under Art. 77 GDPR. Competent authority for us: Bayerisches Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, Germany.

Please direct requests to exercise your rights to info@mainledger.eu. The following self-service functions are also available in the SaaS app:

  • Data export (Art. 15 / Art. 20 GDPR) — all your data as a ZIP, sent by email link
  • Account deletion (Art. 17 GDPR) — soft delete with 30-day grace period, then irreversible deletion

12.2 Right to object

If we process your personal data on the basis of a balancing of interests in our overriding legitimate interest, you have the right at any time, for reasons arising from your particular situation, to object to such processing with effect for the future. If you exercise your right to object, we will cease processing the affected data. Further processing remains reserved if we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or if processing serves the establishment, exercise or defense of legal claims.

If we process your personal data for the purpose of direct marketing (marketing emails), you have the right at any time to object to processing. You can exercise the objection as described above.

13. Retention period of personal data

The retention period of personal data is determined by the respective legal basis, the purpose of processing and — where applicable — additionally by the respective statutory retention period (commercial and tax retention obligations, usually 6–10 years). For processing based on express consent under Art. 6(1)(a) GDPR, the affected data is stored until you withdraw your consent. For processing based on Art. 6(1)(f) GDPR, the data is stored until you exercise your right to object under Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for processing.

Specifically at MainLedger:

  • Account data: until deletion of your account (soft delete + 30 days grace period)
  • Invoice data and sync logs for accounting documents: 10 years under §147 AO (statutory retention obligation)
  • OAuth tokens (Lexware): until disconnection, then immediate deletion
  • Server logs: 7 days (IP addresses are anonymized afterwards)
  • Sentry error reports: 90 days
  • Marketing consent records: 3 years after withdrawal (statute of limitations under §195 BGB for proof of consent)
  • Consent audit log (cookie banner choice): 12 months from grant — analogous to cookie lifetime

14. Marketing conversion tracking (Google Ads)

Google Ireland Ltd., Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland — with your consent we use Google Ads conversion tracking to measure the effectiveness of our advertising. If you reach our website via one of our ads and perform a conversion (e.g. signing up for the waitlist or starting a trial), an anonymous conversion signal is transmitted to Google. We use Google Consent Mode v2 (Basic) — without your consent no data is sent to Google. Transmission to Google LLC in the USA may occur. For US data transfers Google relies on the EU-US Data Privacy Framework (adequacy decision under Art. 45 GDPR). Legal basis: your consent under Art. 6(1)(a) GDPR. Retention: up to 540 days. Google privacy policy: https://policies.google.com/privacy

15. Reverse proxy / bot defense (Cloudflare)

Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA — processing takes place primarily via the European server network. We use Cloudflare as a reverse proxy and bot defense layer for our marketing website. Cloudflare processes all requests to our website, classifies bot and malicious traffic and filters it out before it reaches our server. IP address, user agent and request headers are temporarily processed. Legal basis: our legitimate interest in the security and availability of our website under Art. 6(1)(f) GDPR. We have a DPA with Cloudflare that secures data transfers via Standard Contractual Clauses and the EU-US Data Privacy Framework. Requests from the EU are processed in EU data centers; transmission to the USA cannot be entirely excluded in individual cases. Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy/

MainLedger Inh. Bastian Deppisch
Am Schäfergarten 3 · 97753 Karlstadt · Germany
VAT-ID: pending
© 2026 MainLedger. All rights reserved.