Bernhard Götzendorfer

BuchhaltGenie: AI-First Accounting Platform for Austrian SMBs

Own product: AI-powered accounting software for Austrian sole traders and SMBs. Compliance-first architecture, Sophie AI as embedded RAG agent, OCR pipeline with 3-tier fallback.

Live

buchhaltgenie.at · Compliance-first architecture · 12 Austrian laws

Client: Own Product · Year: 2026 · Stack: Next.js · Supabase · TypeScript · Tailwind · Stripe · Claude Sonnet

Context

Austrian sole traders and SMBs face a specific problem with accounting: Austrian tax and bookkeeping law is complex, and most accounting software on the market is either oriented towards Germany or neglects Austrian specifics (Kleinunternehmer rules, mandatory fields under UStG §11, retention periods under BAO §132, FinanzOnline XML export).

BuchhaltGenie is a personal product project with the goal of closing this gap: an AI-first accounting platform that treats Austrian compliance as a core architectural concern from day one, not as a retrofitted add-on.

Compliance Scope

The platform covers 12 Austrian laws:

  • UStG §11 (mandatory invoice fields), UStG (tax rates 20/13/10/0%)
  • BAO §132 (7-year retention requirement)
  • DSGVO (General Data Protection Regulation)
  • UGB (Commercial Code)
  • FinanzOnline (XML export for the tax authority)
  • RKSV (cash register security regulation)
  • Kleinunternehmer threshold (€55,000 gross from 2025)
  • and further applicable legal bases

Architecture Approach

Compliance-first, not compliance-later: Rather than treating compliance as a plugin or post-hoc validation, the legal requirements are embedded in the data model and server actions. An invoice cannot leave the platform without satisfying all UStG §11 mandatory fields.

Three-Table User System: The user data model intentionally separates Supabase Auth (auth.users), extended user data (public.users for 2FA and GDPR consent), and profile data (public.profiles for the waitlist flow) into three tables. This enforces clean separation of responsibilities.

100% RLS Tenant Isolation: Every database operation runs through Row-Level Security policies that enforce tenant access at the database layer. No application code can access another tenant's data, even through programming errors.
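An added example of the RLS tenant-isolation pattern described above, not BuchhaltGenie's own schema: table, column and policy names are assumed, and the point it makes beyond the paragraph is that a WITH CHECK clause on writes is what stops a buggy server action from inserting into the wrong tenant, since USING alone only filters reads.

```sql
-- Added example, not BuchhaltGenie's schema: tenant isolation for an invoices
-- table via Supabase Row-Level Security. Names are assumed. auth.uid() is
-- Supabase's helper returning the caller's JWT subject (NULL if anonymous).

create table public.tenants (
  id uuid primary key default gen_random_uuid()
);

-- Which authenticated users belong to which tenant.
create table public.tenant_members (
  tenant_id uuid not null references public.tenants(id) on delete cascade,
  user_id   uuid not null references auth.users(id) on delete cascade,
  primary key (tenant_id, user_id)
);

create table public.invoices (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null references public.tenants(id),
  number    text not null,
  issued_on date not null,          -- further UStG §11 fields omitted here
  unique (tenant_id, number)
);

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
alter table public.invoices enable row level security;
alter table public.invoices force row level security;

-- Tenants of the calling user. SECURITY DEFINER avoids a recursive policy
-- check on tenant_members; search_path is pinned so the function cannot be
-- redirected to a look-alike table in another schema.
create function public.my_tenant_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select tenant_id from public.tenant_members where user_id = auth.uid();
$$;

-- USING filters the rows a caller may read or touch; WITH CHECK rejects a
-- write that would place a row in a tenant the caller is not a member of,
-- which is the bug an application-layer filter cannot catch.
create policy invoices_select on public.invoices for select
  using (tenant_id in (select public.my_tenant_ids()));
create policy invoices_insert on public.invoices for insert
  with check (tenant_id in (select public.my_tenant_ids()));
create policy invoices_update on public.invoices for update
  using (tenant_id in (select public.my_tenant_ids()))
  with check (tenant_id in (select public.my_tenant_ids()));
create policy invoices_delete on public.invoices for delete
  using (tenant_id in (select public.my_tenant_ids()));
-- Policies bind only when the query runs as the authenticated role; the
-- service_role key bypasses RLS and must stay out of request-handling code.
```

The guarantee therefore holds only for database access made with the user's own session; any code path that holds the service_role key sits outside it.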

Server Actions instead of API routes for mutations: All write operations use Next.js Server Actions. API routes are reserved exclusively for webhooks, OAuth, and public APIs. This significantly simplifies the CSRF protection model.

Sophie AI: Embedded RAG Agent

Sophie is the platform's AI assistant. Primary model: Claude Sonnet 4.5 via Vercel AI SDK. The RAG system (Retrieval-Augmented Generation) indexes Austrian compliance context (UStG, BAO, DSGVO) in a vector store and retrieves the relevant passages for each query.

Sophie can answer questions like "Which tax rates apply to my service?" or "Am I still below the Kleinunternehmer threshold?" based on current legal requirements, not on training data.

OCR Pipeline: 3-Tier Fallback

Document capture uses a tiered OCR pipeline:

  1. Gemini 2.0 Flash (primary) on EU servers (DSGVO Art. 44 compliant)
  2. Claude Vision (fallback 1) on timeout or error
  3. HuggingFace (fallback 2) as last resort

The tiered architecture ensures the platform continues to function even when one provider is unavailable.

Architecture Decisions (ADR Summary)

Decision | Chosen | Alternative | Rationale
BaaS | Supabase | Own PostgreSQL instance | Built-in auth, RLS, storage, real-time subscriptions out of the box
Primary AI model | Claude Sonnet 4.5 | GPT-4o | Better instruction-following quality for structured tasks
EU-hosting-first | Gemini EU servers as primary OCR | US servers | DSGVO Art. 44 (third-country transfer) as architectural requirement
Mutations pattern | Server Actions | API routes | Simplified CSRF protection, no separate API layer for internal operations
Compliance layer | Database model + server-action validation | Frontend validation | Compliance cannot be bypassed via UI

Result

BuchhaltGenie is live at buchhaltgenie.at. The platform was built as a solo project, from architecture to compliance implementation.

Lessons

Compliance-by-design is more work upfront but more robust overall. Adding compliance as an afterthought typically costs more than planning it from the start. Late-stage changes to data models and validation logic are expensive.

RAG is not a silver bullet. For Austrian tax law, which changes annually (the Kleinunternehmer threshold changed from net to gross in 2025), there needs to be a defined update process for the vector store. Stale RAG knowledge is worse than no RAG.

Solo platform builds require clear priorities. Not every feature can be built simultaneously. The decision to prioritise compliance and security ahead of features slowed early development but created a stable foundation.