MSPercury
Try Bob free

Last updated: May 20, 2026

Privacy Policy

This Privacy Policy explains how IT Systeme Flores UG (haftungsbeschränkt) (“we”, “us”) processes personal data in connection with the SaaS product MSPercury. Processing takes place under the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German TDDDG (electronic communications privacy statute, replacing the former TTDSG since 14 May 2024).

1. Data controller

The data controller under the GDPR for all processing on mspercury.com and in the SaaS application is:

IT Systeme Flores UG (haftungsbeschränkt)
Neufeldweg 25a
51427 Bergisch Gladbach
Germany
Represented by: Lucas Flores
Commercial register: Amtsgericht Köln, HRB 111 656
VAT ID: DE355661309
Email: info@mspercury.com

2. Data protection officer

Appointing a formal data protection officer under Art. 37 GDPR / § 38 BDSG is not mandatory for us at our current size. For data-protection matters please still use a single dedicated channel: privacy@mspercury.com. Checked on business days, response within 14 days at the latest.

3. Purposes and legal bases

3.1 Performance of contract (Art. 6(1)(b) GDPR)

To operate your account, run IT Assessments, generate quotes and handle billing (Free / Solo / Team subscriptions), we process the data listed in Section 4, to the extent necessary for the respective feature.

3.2 Legitimate interest (Art. 6(1)(f) GDPR)

On the basis of our legitimate interest in a stable and abuse-free service we process server logs (IP address, user-agent, request path, timestamp) and security-relevant telemetry (failed logins, error rates, rate-limit hits). No profiling or product analytics beyond IT-security hygiene takes place.

3.3 Consent (Art. 6(1)(a) GDPR)

Marketing emails and any optional, non-essential cookies (should they ever be introduced) are sent only based on your prior, explicit opt-in. Consent can be withdrawn at any time with effect for the future.

3.4 Legal obligation (Art. 6(1)(c) GDPR)

Invoicing data is retained for ten years under German commercial and tax law (§ 257 HGB, § 147 AO).

4. Categories of personal data

  • Account data: email, name, company name, password hash (bcrypt), role assignment (admin/user).
  • Product telemetry: we record aggregated usage data (e.g. how many IT Assessments are created, which features are used, session timings) for product improvement and internal statistics. The data is stored at the workspace level and contains no end-customer content (e.g. no IT Assessment answers or quote line items). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product development and commercial steering). Raw events are deleted after 90 days; only day-aggregated metrics are retained. We do not share this data with any third party.
  • Billing data: billing address, customer VAT ID, tax number (optional), Stripe payment method token (we do not store raw card data), invoice numbers, amounts, timestamps.
  • Usage data: content you enter into the app — your MSP customer roster, project parameters, IT Assessment answers, attached photos (compressed JPEGs), findings, quotes, service catalogue. Used exclusively to operate the service, never for marketing or profiling.
  • Log data: client IP, user-agent, referrer, timestamp, HTTP status. Rotated after 14 days.
  • Support correspondence: emails to support@, privacy@ or info@mspercury.com. Retained until case closure plus six months.

5. Recipients and processors

We only share data with the narrowly defined recipients below, and only under a signed Art. 28 GDPR data-processing agreement:

RecipientPurposeLocationLegal basis
Hetzner Online GmbH, Gunzenhausen VPS hosting (application + PostgreSQL database), mail relay (SMTP via mail.your-server.de), off-site backup (Storage Box). All application and customer data lives exclusively on Hetzner infrastructure in Germany. Germany Art. 28 GDPR + DPA with Hetzner
NinjaOne Inc. Server monitoring + patch management on the Hetzner VPS. Processes system telemetry (CPU/RAM/disk usage, service status, OS update level). No application data, no customer data. USA Art. 28 GDPR + EU-US Data Privacy Framework (NinjaOne is certified)
Stripe Payments Europe, Ltd., Dublin (a) Payment processing for the MSPercury subscription (when you subscribe to Pro): processes your payment method + billing data.
(b) When the Stripe integration is active in your workspace: you connect your own Stripe account with your own API key, and MSPercury pushes customer data and invoices to your Stripe instance. In that case YOU are the controller vis-à-vis Stripe; we merely transport. Stripe Tax handles the VAT logic on your customer invoices. 		Ireland; some support systems in the USA Art. 28 + Art. 46(2)(c) SCCs / Art. 45 EU-US DPF
Anthropic, Inc. / OpenAI, LLC / other AI providers
(only when AI features are configured) 		Bring-your-own-key. If you store an API key for a cloud AI provider under Settings → AI, or configure a self-hosted OpenAI-compatible endpoint (Ollama, vLLM, LiteLLM), the data needed for the request is sent to your configured endpoint whenever you trigger an AI feature (IT Assessment summary, quote drafter, status structurer, etc.). MSPercury does not cache the requests; routing flows directly between our server and your endpoint. Without a stored key all AI features are disabled. variable (USA for Anthropic / OpenAI; local for Ollama / self-hosted) You as operator choose the provider and execute the DPA with that provider directly; we are not the processor of those data, only a data carrier.
Apple Inc. iOS distribution only; no data handed over by MSPercury beyond store use USA Apple Developer Program agreements
Google LLC (Google Ads) Only on the marketing landing page mspercury.com, only after explicit cookie consent. Conversion tracking via gtag.js. No Google services are loaded inside the MSPercury application after login. USA Art. 6(1)(a) GDPR (consent)

We execute a written Art. 28 GDPR processing agreement with every processor before processing begins. Your own DPA with us is available in your account under Settings → Data protection & processing agreement. The list of sub-processors is kept current in this Privacy Policy and updated when any change occurs.

5a. Data flow for BYO-AI features

For transparency, here's exactly what reaches an AI provider when:

  • Executive summary for IT Assessments: findings list (description + priority + effort) + customer industry / size (when set). No customer address, no contact data, no logos.
  • Quote drafter from IT Assessment: findings list + service catalog of the workspace. No customer personal data, no price overrides.
  • Lead outreach drafter: lead email + the three weakest IT Assessment categories. No full answer list, no score, no IP.
  • Quote reply drafter: last ~10 messages in the quote thread.
  • Service-report drafter / status structurer / milestone generator: only the fields visible in the editor at submission time.

For cloud providers like Anthropic or OpenAI their DPA terms apply. For self-hosted endpoints (Ollama on your own server), nothing leaves your network. You can disable AI features any time by setting the provider to "—" in Settings → AI.

5b. AI Assistant (Bob)

Workspace data may be sent to Anthropic's API when you use the in-product AI Assistant ("Bob"). See § 5 of the Terms and the DPA for details on what's transmitted, retention, and your rights. You can disable Bob in Settings → AI Assistant.

6. Third-country transfers

Where data is transferred to the USA or another third country (Stripe support, Apple App Store), the transfer is based on:

  • the European Commission's adequacy decision for the EU-US Data Privacy Framework (Art. 45 GDPR), if the recipient is certified under DPF, or
  • the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR), supplemented by risk-mitigating measures (encryption, pseudonymisation).

Copies of the relevant agreements are available on request.

7. Storage periods

  • Account data: for the duration of the contract. 30 days after termination / account closure for dispute resolution, then irreversible deletion.
  • Invoicing data: 10 years (§§ 147 AO, 257 HGB). Longer only if required by specific law.
  • Server logs: rotated after 14 days.
  • IT Assessment / project content: until you delete it or close the account (see above). Finalised IT Assessments remain as an immutable record in your account until the tenant itself is removed.
  • Support emails: case closure plus six months.

8. Your rights as a data subject

The GDPR grants you the following rights:

  • Right of access to data held about you (Article 15)
  • Right to rectification of inaccurate or incomplete data (Article 16)
  • Right to erasure (“right to be forgotten”, Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability in a structured, machine-readable format (Article 20) — exposed via Settings → Data export (ZIP of JSON + CSV)
  • Right to object to processing based on legitimate interest (Article 21)
  • Right to withdraw consent for the future (Article 7(3))

To exercise these rights, contact privacy@mspercury.com. If your identity is in doubt we may request additional evidence.

Right to lodge a complaint with the supervisory authority (Article 77 GDPR):

Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf
https://www.ldi.nrw.de

9. Cookies & tracking

By default we only set strictly necessary cookies whose use does not require consent under § 25 (2) (2) TDDDG:

  • mspercury_session — authentication (HttpOnly, Secure, SameSite=Lax; 30-day expiry)
  • mspercury_locale — UI language preference (1 year)
  • mspercury_consent — your cookie-banner decision, granted/denied (1 year)
  • mspercury_flash — short-lived action confirmation (30 seconds)

Optional: Google Analytics 4 — landing page only, opt-in

On our public landing page ("/") only, we additionally load Google Analytics 4 after your explicit opt-in via the cookie banner (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; measurement ID G-XH207QDBRV). It tells us which content earns its place. The authenticated app (dashboard, IT Assessments, quotes) does not load gtag.js — there is no tracking inside the app.

We use Google Consent Mode v2 with ad_storage=denied, ad_user_data=denied, ad_personalization=denied — no data is sent to Google for advertising or personalization purposes. IP anonymization is on. A transfer to the United States cannot be ruled out, but is covered by Standard Contractual Clauses and the EU–US Data Privacy Framework (adequacy decision of 10 July 2023). Legal basis: Art. 6 (1) (a) GDPR and TDDDG § 25 (1).

You can withdraw your consent any time on /legal/cookies with a single click. Fonts (Geist) remain self-hosted; there is no request to Google Fonts or any other CDN. Apart from Google Analytics we do not use any other tracker (no Meta Pixel, no Plausible, no Matomo).

10. PWA & iOS app

MSPercury is installable as a Progressive Web App (PWA). Installing to the home screen registers a service worker that caches static resources (HTML, CSS, JS, images) locally so the app can still launch when offline. Form data and IT Assessment content are not cached offline — all edits require an active connection to our servers.

The iOS app is a Capacitor wrapper around the same web application and transmits no data to Apple, third parties, or the operating system beyond what a plain web app would. Downloads from the App Store are subject to Apple's own privacy terms.

11. Version of this policy

Effective: May 20, 2026. We may update this policy as processing changes or law / case law requires. The current version is always at mspercury.com/legal/privacy.