Legal bases for processing (Art. 6 & Art. 9)
Every processing operation Buronia runs is mapped to a specific lawful basis. We do not "rely on whatever the data lets us." Below is the full mapping.
Effective 2026-04-30.
Art. 6 (general personal data)
| Operation | Lawful basis | Why this basis |
|---|---|---|
| Account creation, sign-in, draft generation, draft storage, OCR, AI assistance, draft download | Art. 6(1)(b) — performance of contract | You ask us to draft an application; we cannot do that without processing the data you give us. |
| Stripe payment of the unlock fee | Art. 6(1)(b) — performance of contract | Required to deliver the paid service. |
| Stripe payment-record retention beyond your account life | Art. 6(1)(c) — legal obligation (EU/Member-State accounting law) | 10-year retention is mandated by tax/accounting statutes; overrides erasure (Art. 17(3)(b)). |
| Security & abuse logging (IP, user-agent, throttling) | Art. 6(1)(f) — legitimate interest | Operating a public-facing application without attack-mitigation logging would be reckless. This interest is balanced against the user's interest by 14-day retention and pseudonymisation. |
| Email-delivery logging (bounce / failure debugging) | Art. 6(1)(f) | Limited retention (30 days) and aggregated where possible; necessary to deliver the contracted service reliably. |
| WhatsApp conversation when you opt in | Art. 6(1)(b) for support delivery + Art. 6(1)(a) for the channel | You explicitly opted in to WhatsApp as the channel; we use the message content to answer your question. |
| Address autocomplete (Google Places) | Art. 6(1)(a) — explicit consent (transmitted only while the field is focused; you can type the address manually to opt out) | Documented in Cookies and International transfers. |
| Pending-application records (unverified inline form) | Art. 6(1)(b) — pre-contractual measures | 30-day automatic deletion if you never click the magic link. |
Art. 9 (special-category data)
| Data | When collected | Lawful basis |
|---|---|---|
| Disability / care-need status | Care-related benefits (DE Pflegegrad, ES IMV mobility uplift) | Art. 9(2)(a) — explicit consent specific to drafting the application; revocable at any time |
| Health-status fields on care benefits | Same context | Art. 9(2)(a) explicit consent + 9(2)(h) where the controller is a health/social-care institution |
| Family / household data including children | Family-benefit applications (Kindergeld, IMV) | Art. 6(1)(b) for adults; Children's data for minors |
Legitimate-interest assessments (LIAs)
Where we rely on Art. 6(1)(f), we have written a legitimate-interest assessment balancing the legitimate interest, necessity, and the data subject's interests and fundamental rights. Summaries are available on request via the DPO.
What we never do
- We do not rely on Art. 6(1)(a) "consent" as the basis for the core service — consent is reserved for special-category data and the Google address-autocomplete feature.
- We do not bundle consent for marketing into the service contract.
- We do not change the legal basis of processing after collection without informing you.