Privacy Policy

Last updated: May 2026

1. Introduction

Restio ("we", "us", or "our") operates the Restio mobile application (the "App") and the website restio.io (the "Website"). This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our services.

2. Data Controller

The data controller within the meaning of Art. 4(7) GDPR is:

Hamed Ghaderipour
Senefelderstr. 38
73760 Ostfildern
Germany
Email: info@restio.io

Full provider identification per § 5 DDG: /en/legal/imprint/

3. Data We Collect

3.1 Account Data

  • Email address
  • Authentication data (encrypted)

3.2 Financial Data

  • Expense and income entries (amount, description, date, category)
  • Tax-relevant information
  • Tax profile (tax class, income, employment status, etc.)

3.3 Media

  • Receipt photos and scanned documents
  • Photographed letters (e.g., from the Finanzamt)

3.4 Chat and AI Data

  • Messages sent to the AI-powered chat function
  • Profile data and preferences extracted from conversations (AI memory)

3.5 Technical Data

  • Device type and operating system
  • App usage data (anonymized)
  • Error reports (anonymized)

3.6 Website Data

  • The website restio.io does not use cookies and does not collect personal data
  • Standard server log data is collected when visiting the website (IP address, timestamp, page visited)

4. Purpose of Data Processing

We process your data for the following purposes:

  • Providing and managing your account
  • Storing and managing your expense and income entries
  • AI-powered tax information and refund estimates
  • Monitoring tax-relevant thresholds and deadlines
  • Receipt capture via OCR recognition
  • Generating reports and analytics
  • Improvement of our services based on aggregated, non-personal usage data
  • Customer service and support

5. Legal Basis

Processing is based on:

  • Art. 6(1)(b) GDPR (Contract performance)
  • Art. 6(1)(a) GDPR (Consent)
  • Art. 6(1)(f) GDPR (Legitimate interests)

6. Data Storage

6.1 Storage Location

Your data is stored on Google Cloud (Google Ireland Limited) servers in the European Union.

6.2 Retention Period

  • Account data: until account deletion
  • Expense and income data: until manual deletion by you or until account deletion
  • Receipt photos and documents: until manual deletion or until account deletion
  • Chat history: until manual deletion or until account deletion
  • AI memory (memory events): active events until consolidation; consolidated events between 30 and 90 days depending on importance, or, for durable profile facts, indefinitely; superseded events 30 days for audit traceability

Data no longer required for the purpose of processing is deleted or anonymized (Art. 5(1)(e) GDPR).

7. Data Sharing with Processors

To provide the Restio service, we engage external service providers as data processors within the meaning of Art. 28 GDPR. They process your data only on our instructions and under signed data processing agreements.

7.1 Categories of recipients

  • Cloud infrastructure and authentication — Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Processing in the EU; data processing agreement concluded under the Google Cloud Terms of Service.
  • AI-powered request processing — external AI provider for answering tax questions, recognizing and analyzing receipts, and personalizing responses. Requirements: see § 7.2. Current provider: see List of subprocessors.
  • Subscription management — provider for managing in-app subscriptions. Current provider: see List of subprocessors.
  • Email delivery — provider for transactional and informational emails. Current provider: see List of subprocessors.
  • Advertising tracking — TikTok Business SDK (see § 10a; processing only after your explicit consent).
  • Disclosure to authorities, where legally required.

7.2 Requirements for external AI providers

We only engage AI providers that meet the following conditions:

  • Data processing agreement under Art. 28 GDPR
  • Contractual exclusion of using user data for training or model improvement
  • Processing within the EU/EEA, or, for third-country transfers, reliance on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses under Art. 46 GDPR
  • Encryption in transit (TLS) and at rest

7.3 Updates and provider changes

The current list of our data processors with name, registered office, processing purpose, and third-country safeguards is available at /en/legal/subprocessors/ or on request at info@restio.io. We occasionally change providers when this is beneficial from a data protection, quality, or commercial perspective. Material changes will be announced in this Privacy Policy at least 30 days before taking effect.

8. Your Rights

You have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

To exercise your rights, contact us at info@restio.io.

9. Data Security

We implement technical and organizational measures:

  • Encrypted data transmission (TLS/SSL)
  • Encrypted data storage
  • Access control and authentication
  • Regular security audits

10. Cookies and Tracking

The Website does not use cookies or tracking. Within the App, we use the TikTok Business SDK described under section 10a to measure the effectiveness of our advertising. You can disable this processing at any time in the App's Settings under Profile → Privacy → "Ad Tracking".

10a. TikTok Business SDK

Our App integrates the TikTok Business SDK provided by TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland). We use it to measure the effectiveness of our TikTok advertising, optimize delivery to relevant audiences, and produce reach and conversion statistics. For this purpose, device and usage data (including advertising ID, hashed user identifiers, and in-app events such as registration or purchase) is transmitted to TikTok.

TikTok and Restio are joint controllers within the meaning of Art. 26 GDPR; the joint controller agreement is available here. Transmission to third countries (in particular the US and China) cannot be ruled out; TikTok relies on Standard Contractual Clauses for this purpose.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (formerly TTDSG), which you may revoke at any time in the app under Profile → Privacy → "Ad Tracking". TikTok's Privacy Policy: tiktok.com/legal/privacy-policy.

11. Minors

Our services are not intended for persons under 16 years of age. We do not knowingly collect data from minors.

12. Changes

We reserve the right to update this Privacy Policy. Material changes will be communicated through the App and on the Website.

13. Contact

For privacy-related questions, contact us at:
info@restio.io

14. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority.