I. Controller, Scope
B2Brouter is a service provided by INVINET Sistemes 2003 s.l. (hereinafter also referred to as “Provider”), acting as Controller in accordance with relevant data protection provisions. Please find full company and contact details on the website.
The protection of personal data has the highest priority for us. We would therefore like to inform you about which data we collect when, and how we process your personal data. This privacy notice describes the collection and processing of personal data on the website www.b2brouter.net (hereinafter referred to as “Website” or “Platform”).
The Controller offers a service to issue, submit and receive electronic invoices according to the applicable regulatory provisions. The service is only intended for Users acting for business purposes and therefore not qualifying as consumers.
The Controller also processes personal data for statistical and market analysis purposes, e.g. based on User groups, business type and market areas, and evaluates them in an anonymous manner. Please find further details in the relevant sections of this privacy notice.
II. General information about data processing
1. Purposes of processing
In principle, we only process personal data of Users if this is necessary to provide a functional Platform, our contents and services and to close or perform contracts with Users.
2. Legal basis for the processing of personal data
Most often we process personal data according to on one of the following legal bases:
- consent. Whenever we collect the data subject’s consent to the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
- legal obligation. If the processing of personal data is necessary for compliance with a legal obligation which the Controller is subject to, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
- contract or pre-contractual measures. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
- legitimate interests. If processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party and if such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, Art. 6 para. 1 lit. f GDPR serves as the legal basis.
Unless otherwise specified within this privacy notice, the processing of your personal data is necessary for the performance of a contract with you or in the framework of pre-contractual measures, which take place at your request, and the legal basis for processing is therefore art. 6 para. 1 lit. b) GDPR.
3. Data erasure and retention time
In principle and unless otherwise stated, your personal data will only be stored until the purpose of the collection and storage is achieved. If the storage is based on your consent, personal data can be stored as long as do not revoke such consent.
Furthermore, data may be stored if it is required by European or national legal provisions, laws or regulations which we are subject to. Personal data will be blocked or deleted if the retention period set forth by the any such regulations expires, unless further storage is necessary for the conclusion or fulfilment of a contract.
4. Transfer to third countries
Unless otherwise stated, all data processing operations take place within the EU or the EEA countries.
Data processing operations carried out by third-party providers established outside the mentioned geographical area may be carried out in part or in full in the countries the respective providers are based in, in accordance with the relevant and applicable data protection regulations.
A transfer of personal data outside the EU or the EEA shall only take place on the basis of on an adequacy decision of the European Commission, including the adequacy decision regarding the EU-US Privacy Shield, or subject to appropriate safeguards, such as standard data protection clauses adopted by the European Commission.
A list of current adequacy decisions is available on the European Commission’s website.
Further information about the EU-US Privacy Shield and a list of participating data recipients can be found on the website of the US Department of Commerce.
III. Processing of personal data in general
Regardless of whether you take advantage of any of the Website’s features – such as the creation of User accounts – we automatically collect data about your use of the Website. This includes in particular the accessed URL, access date and time, transferred data volume, http status code of the access reply, web browser and HTTP referrer, as well as IP address. This information is not associated with your person.
We collect and process such data to ensure Website operation and availability. In addition, it is used to analyse, store and evaluate information about User behaviour in an anonymous form and to continuously improve and further develop our service.
We only store your IP address in the log files for a limited period of time, if this is necessary for security purposes.
These purposes constitute our legitimate interest, which justifies data processing pursuant to art. 6 par. 1 lit. f) GDPR.
IV. Data processing when creating a User account and company profiles
When creating a User account, we store the following data: first and last name, e-mail address, language. Your User account will be populated with such data, allowing you to set preferences and keep track of your activity.
The following additional personal data will be collected once the User account has been created in order to create one or more profiles (“Company profile”) and use the electronic invoicing features: first and last name (if natural person), trade name and/or company name (if legal entity), VAT no. and/or other tax identification number, full registered address, first and last name of a reference person, phone number, currency, status as self-employed professional (yes/no).
The provision of all above-mentioned data is required in order to perform the contract we have closed with you and to provide you the relevant service. Failure to provide them so will result in unavailability of our services.
Further data and information may be provided on a voluntary basis.
V. Processing of personal data when issuing or receiving invoices
When issuing invoices through our system you will be required to provide the following data referring to the invoice recipient: country, VAT no. and/or other tax identification number, first and last name (if natural person), trade name and/or company name (if legal entity), full registered address, currency, e-mail address of a contact person.
Further data and information may be provided on a voluntary basis.
Your liability when providing personal data or information referring to third parties to our Platform is governed by the Terms and Conditions of Service of INVINET and by applicable law.
VI. Processing of personal data when receiving support or contact requests
If you submit a support request to us via the Platform, we will only collect such data and information that you will provide when describing the reason for your request. The provision of personal data is not required to this end. Should any personal data be provided, it will only be used to process your request and reply to it.
If you contact us via the contact form available on our website, you will be required to provide the following personal data: name, last name, e-mail address, phone number. This information will only be used to process your inquiry and reply to it.
VII. Processing of data via Processors
In order to provide our services, we may cooperate with selected third-party providers who process data on our behalf (“Processors”). This may for instance be the case whenever we need to send e-mail notifications to Users for contractual purposes. Such e-mail could be managed and sent out via a third-party service.
Similarly, in case the service is provided against a fee, payments shall be processed through one of the Processors we cooperate with. Payment data shall therefore be directly collected and processed by the selected payment service provider, that will then inform us about the payment status. Only in case you choose to pay via direct debit will we collect and store your bank details. In all other cases we do not collect or store any personal data regarding payment methods.
If you choose to take advantage of our factoring services, personal data referring to you and to invoice recipients will be transferred to the factoring service provider we work with. The data transfer shall only take place upon your authorisation.
As far as legally required, we have entered into agreements pursuant to art. 28 GDPR with Processors, including payment service providers, processing your personal data on our behalf.
1. Description and scope of data processing
In order to improve User experience of our Website and to enable selected functions, we implement cookies or other similar technologies (hereinafter jointly referred to as “Cookies”) on various pages. These are small data sets being stored on your device. Some of the Cookies we use expire after the end of the browser session, i.e. after closing your browser (so-called session Cookies). Other Cookies remain on your device and enable us or our partner companies to recognise your browser or device on your next visit (persistent Cookies).
You can set your browser preferences in order to be notified about the setting of Cookies and decide individually about accepting or refusing them in certain cases or generally. You can also manually delete Cookies from your device at any time.
Failure to accept Cookies may however result in limited functionality of our service.
2. Strictly necessary Cookies
Some of the Cookies we use are strictly necessary to allow us to deliver the service you requested or to operate our Website and Platform. Some elements of our Website require that your browser be identified after page changes. Such technical Cookies may collect personal information about you, such IP address, log-in information, etc.
3. Other Cookies
In addition, we use third-party Cookies to monitor and evaluate User behaviour for statistics and market analysis purposes. Such Cookies are provided by third parties and implemented in our Website. Please refer to the following sections for details.
Such Cookies allow us to analyse your use of the Website and improve it continuously. Analytics allow us to offer you a better service that meets your interests better.
Unless otherwise specified, the legal basis of processing through Cookies is your consent pursuant to art. 6 par. 1 lit. a) GDPR.
Hotjar is a service provided by Hotjar ltd., Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta.
AddThis is a service provided by Oracle America, Inc., 500 Oracle Parkway, Redwood Shores, CA 94065 that allows for the sharing of content of our Website within social networks. AddThis uses the information referring to Users to provide and enable sharing features. In addition, AddThis may use pseudonymous User information for marketing purposes. This data is stored on the User’s device.
Google Ads is an advertising, analytics and conversion tracking service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you access our Website via a Google ad, Google Ads places a conversion cookie on your device. This cookie expires after 30 days. It doesn’t allow for your identification. If the cookie has not expired when you visit certain pages of our Website, we and Google may recognise that a User clicked on the ad and has been redirected to our Website. Each Google Ads customer is assigned a different cookie. As a result, cookies cannot be tracked across Google Ads customer Websites. The information collected by the conversion cookie is used to generate conversion statistics for Google Ads customers who have opted for conversion tracking. Google Ads customers will know the total number of Users who clicked on their ad and were directed to a page tagged with a conversion tracking tag. However, we will not receive any information that personally identifies Users. If you do not wish to participate in the tracking process, you can also opt out of the cookie-setting process required for this, for example via your browser setting, which generally disables automatic cookie-setting. You can also deactivate cookies for conversion tracking by setting your browser to block cookies from the “googleadservices.com” domain.
IX. Promotional e-mail messages
If we have collected your e-mail address in the context of the purchase of one of our services, we may send you promotional e-mail messages about our own products and service similar to those you’ve already purchased.
You can object to receiving such promotional e-mail messages at any time at no cost by by sending an e-mail to firstname.lastname@example.org. We will inform you about the right of objection when collecting the email address and within each e-mail sent.
The legal basis of data processing is art. 13 par. 2 of dir. 2002/58/EC and the respective implementing provisions in Spanish law.
X. Data Subjects’ rights
As a data subject, you have the following rights pursuant to the GDPR:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to notification – If you have exercised your right to have the Controller rectify, erase or limit the processing, the Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed about those recipients.
Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances. Please find further details in the box below this section.
Your right to withdraw consent – You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please reach out for us at the contact details indicated on the Website if you wish to make a request.
How to complain to a data protection authority
You can also complain to a data protection authority if you do not agree on how we have used your data. The competent data protection authority for us is: Agencia Española de Protección de Datos, C/ Jorge Juan, 6. 28001 – Madrid, Tel. +43 901 100 099 – +43 912 663 517.
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time without giving reasons to the processing of the personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
XI. Amendments to this privacy notice
Due to the dynamic development of the Internet, new technologies and possibilities are constantly developing. To enable us to offer you these possibilities and technologies, we reserve the right to change this privacy statement for the future when introducing new, additional or when changing or extending existing services or service elements.
If the change to the privacy statement only affects the use of data in a general form and do not affect the use of data within the scope of a User account, the new privacy statement shall apply from the date of its update on the Website.
A change of the privacy statement, which refers to the use of the data already collected and stored in your User account shall only take place if this is reasonably acceptable for you. If and to the extent that changes to the privacy statement reflect on the use of data already collected and stored in your User account, we will notify you in good time via e-mail, on our Website, or in any other suitable way. You have the right to object to the new privacy statement within six weeks of receiving the notification. In the event of an objection, we reserve the right to delete your User account. If no objection is raised within the aforementioned period, the amended privacy statement shall be deemed accepted by you. We will inform you in the notification of your right to object and the significance of the objection period.