Privacy Policy for app.getmika.de
Note: This English translation is provided for convenience only. The German version is the legally binding document. By visiting and using app.getmika.de, you agree to this privacy policy. Access to the app is only possible via our website getmika.de.
1. Responsibility and Overview
1.1 Responsible Entity
Get Mika GmbH
Kolonnenstr. 8
10827 Berlin
Phone: +4915901880019
Email: mika@getmika.de
1.2 Note on Responsibility
Use of our mika App constitutes data processing on behalf of a controller within the meaning of Art. 28 GDPR. The following applies:
- The Customer (user of the mika App) is the "Controller" within the meaning of the GDPR for all data entered into the app or imported via interfaces, particularly for accounting data, receipts, and bank data of their own customers and suppliers.
- Get Mika GmbH is the "Processor" and processes this data exclusively on behalf of and according to the instructions of the customer.
A corresponding Data Processing Agreement (DPA) is concluded with each customer, regulating the rights and obligations of both parties regarding the handling of personal data.
2. Types of Processed Data
2.1 User Data
When using our app, we collect and process the following data:
- Master Data: Name, email address, company data
- Usage Data: Information about your use of the app, including log data, page views, and usage statistics
- Device Data: Information about the device you are using, browser type, operating system
- Location Data: General location information based on IP addresses
2.2 Accounting and Financial Data
As part of the accounting functions, we process:
- Bank Data and Transaction Data: Account numbers, transaction details
- Financial Data and Accounting Data: Bookings, chart of accounts, VAT returns
- Document Data: Invoices, receipts, vouchers, and information contained therein
2.3 Third-Party Data
As a customer of the mika App, you can upload or import data from third parties (your own customers, suppliers, and business partners). You are responsible for this data as the controller within the meaning of the GDPR and must ensure that there is a lawful basis for processing.
3. Purposes of Data Processing
We process your data for the following purposes:
- Provision and Operation of the mika App and its functions
- Accounting and Financial Management: Enabling accounting and financial management functions
- Analysis of User Behavior in pseudonymized form to improve the app
- Error Analysis and Resolution to ensure stability and security
- Integration of Bank Data via FinAPI
- Communication with Tax Authorities via Datev
- Use of AI Models for data processing and automation of accounting processes
4. Legal Bases for Processing
The processing of your data is based on the following legal grounds:
- Contract Performance (Art. 6(1)(b) GDPR): Processing is necessary for the performance of the contract for using the mika App.
- Legitimate Interest (Art. 6(1)(f) GDPR): We have a legitimate interest in improving and optimizing our app and ensuring its security and functionality.
- Consent (Art. 6(1)(a) GDPR): In certain cases, particularly with the integration of third-party services, processing is based on your consent.
- Legal Obligation (Art. 6(1)(c) GDPR): Some processing is necessary to comply with legal obligations, particularly in the area of accounting and taxation.
5. Data Transfer and Recipients
5.1 Use of Service Providers (Sub-processors)
For the operation of our app, we use the following service providers to whom data may be transferred:
For the mika App:
- PostHog (EU servers)
  - Purpose: Pseudonymized analysis of user behavior
  - Processed data: Usage data (pseudonymized)
- Sentry (EU servers)
  - Purpose: Analysis of error data, logging
  - Processed data: Error logs, potentially user data in error logs
- Amazon Web Services (AWS)
  - Location: Frankfurt am Main (eu-central-1)
  - Purpose: Cloud hosting, data storage, business logic
  - Processed data: All data stored in the app
  - Special features:
    - Amazon Bedrock (AI models, especially Claude)
    - Amazon Textract (text recognition)
- Google Cloud Platform (GCP)
  - Location: Frankfurt am Main (eu-central-1)
  - Purpose: Special calculations as secondary cloud
  - Processed data: User data and accounting data (no permanent storage)
  - Services used:
    - Google Maps API
    - Google Drive synchronization (optional)
    - Vertex (AI models, especially Gemini)
- Orq
  - Location: Netherlands
  - Purpose: Abstraction between AI models and code, logging of AI conversations
  - Processed data: User data and accounting data
- FinAPI
  - Location: Germany
  - Purpose: Connection of bank accounts
  - Processed data: User data, bank data, transaction data
- Datev
  - Location: Germany
  - Purpose: Communication with tax authorities, accounting
  - Processed data: User data, transaction data, receipts
- Stripe
  - Location: Stripe, ℅ Legal Process, 510 Townsend St., San Francisco, CA 94103, USA
  - Purpose: Payment processing and payment data storage
  - Processed data: Cardholder name, email address, customer number, order number, bank details, credit card data, credit card expiration date, credit card verification number (CVC), date and time of transaction, transaction amount, provider name, location

We offer the option to process payment through the payment service provider Stripe. This corresponds to our legitimate interest in offering an efficient and secure payment method (Art. 6(1)(f) GDPR). The data transfer takes place to the extent necessary for contract fulfillment (Art. 6(1)(b) GDPR).
The processing of the specified data is neither legally nor contractually required. However, without the transfer of your personal data, we cannot process a payment via Stripe.
Stripe assumes a dual role as controller and processor in data processing activities. As a controller, Stripe uses your submitted data to fulfill regulatory obligations. This corresponds to Stripe's legitimate interest (according to Art. 6(1)(f) GDPR) and serves contract execution (according to Art. 6(1)(b) GDPR). We have no influence on this process.
Stripe acts as a processor to complete transactions within payment networks. As part of the processing relationship, Stripe acts exclusively according to our instructions and has been contractually obligated to comply with data protection regulations in accordance with Art. 28 GDPR.
Stripe has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs).
For more information on objection and removal options regarding Stripe, please visit: https://stripe.com/privacy-center/legal
We store your data until the payment process is completed. This includes the period necessary for processing refunds, claims management, and fraud prevention. Beyond this, the statutory retention periods under commercial and tax law apply.
5.2 Data Transfer to Third Countries
Data processing generally takes place within the European Union or the European Economic Area. A transfer to third countries only takes place if it is necessary to fulfill our contractual obligations, you have consented, or an adequate level of data protection is guaranteed.
When using services based in the USA (AWS, Google Cloud), we ensure that appropriate guarantees are in place in accordance with Art. 46 GDPR, in particular by concluding standard contractual clauses and additional technical and organizational measures to protect the data.
6. Storage Duration
We store your data only for as long as necessary to fulfill the purposes mentioned in this privacy policy or as legally required. The specific storage periods are as follows:
- User Account Data: For the duration of the contractual relationship and beyond in accordance with statutory retention obligations (typically 6-10 years for accounting-relevant data)
- Accounting Data and Receipts: According to statutory retention obligations (typically 10 years)
- Usage Data and Analytics: Maximum of 14 months in pseudonymized form
- Error Logs: 90 days
After termination of the contractual relationship, your data will be deleted or anonymized after the expiration of statutory retention periods, unless there are legitimate reasons for longer storage.
7. Technical and Organizational Measures
We have implemented extensive technical and organizational measures to protect your data:
- Pseudonymization of data in analytics tools
- Hosting of data exclusively in the EU
- Use of EU-compatible cloud services (AWS eu-central-1, GCP with EU compliance)
- Ensuring confidentiality, integrity, and availability of systems
- Encrypted data transmission using SSL/TLS technology
- Ensuring the recoverability of data in case of technical incidents
- Regular review and assessment of the effectiveness of security measures
- Access restrictions and strict authentication procedures
- Regular security audits and penetration tests
8. Cookies and Similar Technologies
Our app uses cookies and similar technologies to ensure functionality and improve the user experience:
8.1 Session Cookies and Local Storage
- Session Cookies: Temporary cookies stored for the duration of your session and essential for the functionality of the app, particularly for maintaining your login.
- Local Storage/IndexedDB: We use local storage technologies to store temporary data on your device and improve the performance of the app.
8.2 Analytics Cookies
For analytics purposes, we use cookies from PostHog. These cookies help us understand and improve the use of our app. The data collected is processed in pseudonymized form.
8.3 Cookie Settings
You can configure your browser to refuse cookies or notify you when cookies are set. Please note that some features of our app may not function properly or at all if you disable cookies.
9. Automated Decision-Making
As part of our app, we use AI models and automated processes. These primarily serve for data extraction, text recognition, and support with accounting processes.
We would like to inform you that:
- Processing is carried out by AI systems (including those based on Amazon Bedrock and Google Vertex)
- No automated decisions are made that have legal effect or similarly significantly affect you
- All suggestions and results of automated processing are provided as recommendations and are always subject to human review and final decision
- The systems analyze patterns in documents and data to extract relevant information and generate suggestions
The ultimate responsibility for all decisions remains with you as the user of the app.
10. Authentication and Login Security
10.1 Login Procedure
We use secure authentication procedures for access to the mika App:
- Token-based Authentication: After successful login, a secure token is created that is valid for the duration of your session.
- Secure Cookies: Cookies with the attributes "Secure" and "SameSite" are used to maintain your login.
- Two-Factor Authentication (2FA): An additional security level can be activated optionally.
10.2 Security Measures
We implement the following security measures to protect your account:
- Automatic Session Termination after extended inactivity
- Encrypted Transmission of all login data via HTTPS
- Password Policies to ensure secure passwords
- Brute Force Protection by limiting login attempts
- Continuous Monitoring for suspicious login activities
11. Your Rights as a Data Subject
11.1 Data Subject Rights
As a data subject, you have the following rights:
- Right to Information (Art. 15 GDPR): You can request information about whether and which data about you is stored with us.
- Right to Rectification (Art. 16 GDPR): If the data concerning you is not (or no longer) accurate, you can request rectification.
- Right to Erasure (Art. 17 GDPR): You can request the erasure of your data.
- Right to Restriction of Processing (Art. 18 GDPR): You can request that the processing of your data be restricted.
- Right to Data Portability (Art. 20 GDPR): You can request that the data concerning you be transferred to you or a third party in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21 GDPR): You can object to the processing of your data.
11.2 Exercise of Your Rights
To exercise your rights, please contact us using the contact details provided above. Please note that for data you enter into our app as a controller (particularly data of your own customers and suppliers), we act merely as a processor. Requests to exercise data subject rights regarding this data must be directed to you as the controller.
11.3 Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The competent authority is the supervisory authority in the member state of your residence, workplace, or the place of the alleged violation.
12. Changes to the Privacy Policy
We reserve the right to adapt this privacy policy to ensure that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to your subsequent visits.
13. Data Processing Agreement (DPA)
When using our mika App, we automatically conclude a Data Processing Agreement (DPA) with you as a customer in accordance with Art. 28 GDPR. This DPA regulates the rights and obligations in the context of processing personal data.
The DPA comes into effect with your acceptance of our General Terms and Conditions and this Privacy Policy. The complete text of the DPA can be viewed in your customer account or sent upon request.
With the DPA, we ensure that we:
- Process your data only according to your instructions
- Have implemented appropriate technical and organizational measures to protect the data
- Transparently disclose sub-processors and safeguard your rights
- Support you in fulfilling the rights of data subjects
- Delete or return all data after termination of the contractual relationship
14. Contact
If you have questions about the collection, processing, or use of your personal data, for information, correction, blocking, or deletion of data, please contact:
Get Mika GmbH
Kolonnenstr. 8
10827 Berlin
Phone: +4915901880019
Email: mika@getmika.de
Last updated: April 11, 2025