Last updated: April 25, 2026
Privacy Policy
This Privacy Policy explains how IT Systeme Flores UG (haftungsbeschränkt) (“we”, “us”) processes personal data in connection with the SaaS product MSPercury. Processing takes place under the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German TTDSG (electronic communications privacy statute).
1. Data controller
The data controller under the GDPR for all processing on mspercury.com and in the SaaS application is:
IT Systeme Flores UG (haftungsbeschränkt)
Neufeldweg 25a
51427 Bergisch Gladbach
Germany
Represented by: Lucas Flores
Commercial register: Amtsgericht Köln, HRB XXXXXX
VAT ID: DE XXX XXX XXX
Email: info@mspercury.com
2. Data protection officer
Appointing a formal data protection officer under Art. 37 GDPR / § 38 BDSG is not mandatory for us at our current size. For data-protection matters please still use a single dedicated channel: privacy@mspercury.com. The mailbox is checked on business days, and we respond within 14 days at the latest.
3. Purposes and legal bases
3.1 Performance of contract (Art. 6(1)(b) GDPR)
To operate your account, run CheckUps, generate quotes and handle billing (including pay-what-you-want contributions and any future subscription), we process the data listed in Section 4, to the extent necessary for the respective feature.
3.2 Legitimate interest (Art. 6(1)(f) GDPR)
On the basis of our legitimate interest in a stable and abuse-free service we process server logs (IP address, user-agent, request path, timestamp) and security-relevant telemetry (failed logins, error rates, rate-limit hits). No profiling or product analytics beyond IT-security hygiene takes place.
3.3 Consent (Art. 6(1)(a) GDPR)
Marketing emails are sent, and any optional, non-essential cookies (should they ever be introduced) are set, only on the basis of your prior, explicit opt-in. Consent can be withdrawn at any time with effect for the future.
3.4 Legal obligation (Art. 6(1)(c) GDPR)
Invoicing data is retained for ten years under German commercial and tax law (§ 257 HGB, § 147 AO).
4. Categories of personal data
- Account data: email, name, company name, password hash (bcrypt), for Microsoft 365 SSO the Object-ID and tenant-ID, role assignment (admin/user).
- Billing data: billing address, customer VAT ID, tax number (optional), Stripe payment method token (we do not store raw card data), invoice numbers, amounts, timestamps.
- Usage data: content you enter into the app — your MSP customer roster, project parameters, CheckUp answers, attached photos (compressed JPEGs), findings, quotes, service catalogue. Used exclusively to operate the service, never for marketing or profiling.
- Log data: client IP, user-agent, referrer, timestamp, HTTP status. Rotated after 14 days.
- Support correspondence: emails to support@, privacy@ or info@mspercury.com. Retained until case closure plus six months.
5. Recipients and processors
We only share data with the narrowly defined recipients below, and only under a signed Art. 28 GDPR data-processing agreement:
| Recipient | Purpose | Location | Legal basis |
|---|---|---|---|
| Hetzner Online GmbH, Gunzenhausen | VPS hosting, mail relay (SMTP), off-site backup (Storage Box) | Germany | Art. 28 GDPR |
| Stripe Payments Europe, Ltd., Dublin | Payments (Stripe Checkout + Stripe Tax) | Ireland; some support systems in the USA | Art. 28 + Art. 46(2)(c) SCCs / Art. 45 EU-US DPF |
| Microsoft Ireland Operations Ltd. / Microsoft Corporation | Only when M365 single sign-on is actively used: authentication via Entra ID | Ireland; some systems in the USA | Art. 28 + Art. 46/45 for third-country transfers |
| Apple Inc. | iOS distribution only; no data handed over by MSPercury beyond store use | USA | Apple Developer Program agreements |
We execute a written Art. 28 GDPR processing agreement with every processor before processing begins. Your own DPA with us is available in your account under Settings → Data protection & processing agreement.
6. Third-country transfers
Where data is transferred to the USA or another third country (Stripe support, Microsoft Entra ID, Apple App Store), the transfer is based on:
- the European Commission's adequacy decision for the EU-US Data Privacy Framework (Art. 45 GDPR), if the recipient is certified under DPF, or
- the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR), supplemented by risk-mitigating measures (encryption, pseudonymisation).
Copies of the relevant agreements are available on request.
7. Storage periods
- Account data: for the duration of the contract. 30 days after termination / account closure for dispute resolution, then irreversible deletion.
- Invoicing data: 10 years (§§ 147 AO, 257 HGB). Longer only if required by specific law.
- Server logs: rotated after 14 days.
- CheckUp / project content: until you delete it or close the account (see above). Finalised CheckUps remain as an immutable record in your account until the tenant itself is removed.
- Support emails: case closure plus six months.
8. Your rights as a data subject
The GDPR grants you the following rights:
- Right of access to data held about you (Article 15)
- Right to rectification of inaccurate or incomplete data (Article 16)
- Right to erasure (“right to be forgotten”, Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability in a structured, machine-readable format (Article 20) — exposed via Settings → Data export (ZIP of JSON + CSV)
- Right to object to processing based on legitimate interest (Article 21)
- Right to withdraw consent for the future (Article 7(3))
To exercise these rights, contact privacy@mspercury.com. If your identity is in doubt we may request additional evidence.
Right to lodge a complaint with the supervisory authority (Article 77 GDPR):
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf
https://www.ldi.nrw.de
9. Cookies & tracking
We only use strictly necessary cookies whose use does not require consent under § 25(2)(2) TTDSG:
- mspercury_session — authentication (HttpOnly, Secure, SameSite=Lax; 30-day expiry)
- mspercury_locale — UI language preference (1 year)
- mspercury_flash — short-lived action confirmation (30 seconds)
We do not run Google Analytics, Meta Pixel, Plausible, Matomo, or similar. Fonts (Geist) are self-hosted; there is no request to Google Fonts or any other CDN. Should this change, this policy will be updated and consent will be requested explicitly via a cookie banner.
10. PWA & iOS app
MSPercury is installable as a Progressive Web App (PWA). Installing to the home screen registers a service worker that caches static resources (HTML, CSS, JS, images) locally so the app can still launch when offline. Form data and CheckUp content are not cached offline — all edits require an active connection to our servers.
The iOS app is a Capacitor wrapper around the same web application and transmits no data to Apple, third parties, or the operating system beyond what a plain web app would. Downloads from the App Store are subject to Apple's own privacy terms.
11. Version of this policy
Effective: April 25, 2026. We may update this policy as processing changes or law / case law requires. The current version is always at mspercury.com/legal/privacy.