Legal
Privacy Policy
Last updated: 5 June 2026
We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR). This policy explains what we collect, why, and your rights.
Data Controller
The data controller for vatnode is:
- Company
- TMI Iurii Rogulia
- VAT ID
- FI29845875
- Address
- Vanhanpellonkatu 5, 53850 Lappeenranta, Finland
- Location
- Finland, European Union
- Privacy contact
- [email protected]
Introduction
vatnode ("we", "our", "us") is committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).
This Privacy Policy explains what personal data we collect, on what legal basis, how we use it, and your rights as a data subject. It applies to all users of vatnode.dev and the vatnode API.
Required data. Providing your email address is required to create an account and use the Service. Without it, we cannot provide access. Your name is optional.
We have assessed that appointment of a Data Protection Officer is not mandatory under Art. 37 GDPR for our current processing activities.
If you have concerns about how we handle your data, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi or with your local EU supervisory authority (Art. 13(2)(d) GDPR).
UK and Northern Ireland.This Privacy Policy is also written to satisfy the equivalent requirements of the UK GDPR and the UK Data Protection Act 2018 for data subjects in the United Kingdom (including Northern Ireland). UK data subjects have the same substantive rights described here and may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
Information you are receiving (Arts. 13 & 14 GDPR). This Privacy Policy is the notice through which we satisfy our information obligations to data subjects under Art. 13 GDPR (data collected directly from you) and Art. 14 GDPR (data we receive from third parties such as VIES, national registries, or Stripe). The identity of the controller, contact details, processing purposes, legal bases, recipients, retention periods, data sources, and your rights are all disclosed in the relevant sections below.
Information We Collect
3.1 Account Information
- Email address (required to use the Service)
- Name (optional)
- Password (stored as a bcrypt hash — never in plaintext)
- IP address at registration and at each login, stored in our security events log
3.2 Payment Information
Payment information is processed directly by Stripe. We never see or store your payment card details. We receive from Stripe only: Stripe customer ID, subscription plan and status, and invoice history.
3.3 API Usage Data
We log each API request to the VAT validation endpoint. Each log record includes:
- The VAT number queried — a business identifier that may constitute personal data where it identifies a sole trader (see §3.9)
- Timestamp of the request
- API key identifier used
- Response outcome (valid/invalid, source, response time)
3.4 Automatically Collected Data
- Browser type and version
- Operating system
- Referring website
- Pages viewed (aggregate analytics only)
3.5 Account Activity and Audit Logs
We maintain a comprehensive audit log of account and security-related events. For each recorded event we store the event type, timestamp, IP address of the actor, and relevant metadata (for example, which API key was created or deleted, which email address was changed). The following events are recorded:
- Login events — timestamp, IP address, user agent
- API key events — creation, deletion, and revocation of API keys
- Account change events — email address changes, password changes, plan changes, webhook configuration changes, and account deletion requests
The legal basis for this processing is our legitimate interests (Art. 6(1)(f) GDPR) in maintaining security, preventing fraud, and enabling customers to demonstrate compliance in their own audit trails. We have assessed that this interest outweighs the minimal privacy impact given the limited scope and duration of data collected.
3.6 Onboarding Survey Responses
When you first log in to the vatnode dashboard, you may be shown an optional one-time welcome survey. The survey asks about your role, team size, use case, current VAT validation approach, and what brought you to vatnode. All fields are entirely optional; you may skip the survey at any time.
If you choose to answer any questions, your responses — together with your account email address and display name — are sent by email to the vatnode founder via Resend (our transactional email provider). Survey responses are not stored in the vatnode database. The only database record created is a timestamp indicating that you have seen the modal, so it is not shown again.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Our interest is in understanding who uses vatnode so we can prioritise product improvements. Participation is voluntary, the data is used only for internal product decisions, and you may skip without any effect on your access. To object or request deletion, contact [email protected].
3.7 Your EU VAT Number (Requester Setting)
Through the Account Settings page, you may optionally provide your own EU VAT registration number. This enables vatnode to submit your VAT number as the "requester" identifier in calls to the VIES system, which causes VIES to return a consultation number (a reference issued by the European Commission confirming the validation was performed). This feature is designed for businesses that need to demonstrate they performed a valid VIES check at a specific point in time for EU VAT zero-rating purposes.
When set, vatnode stores your country code and VAT number in your account profile. This data is used exclusively to populate the requester field in outbound VIES API calls made by your account.
Personal data consideration: If you are a sole trader (natural person), your EU VAT number may constitute personal data under Art. 4(1) GDPR. If you are a legal entity, your VAT number is business identifier data and generally does not constitute personal data.
Legal basis: Contract (Art. 6(1)(b) GDPR) — processing is necessary to provide the consultation number feature you have requested. You may clear your requester VAT at any time through Account Settings.
3.8 VIES Consultation Numbers
When your account has a requester VAT number configured (see §3.7) and you perform a VAT validation, VIES returns a requestIdentifier — a consultation number issued by the European Commission. This consultation number is stored alongside the validation record in your VAT check history.
The consultation number is a reference that proves a specific validation was performed by a specific requester at a specific time. It is retained as part of your validation audit log and is included in any data export you request. Consultation numbers are issued and controlled by the European Commission; vatnode stores them solely to make them available to you.
Legal basis: Contract (Art. 6(1)(b) GDPR) — retention is necessary to provide the audit-log feature of the Service.
3.9 Company Enrichment Data from National Registries
When validating a VAT number, vatnode may retrieve additional company information from national business registries of EU member states. This enrichment data may include: legal form, industry description, national registry code, and company registration date. This data originates from official national registries and is returned to you in the API response.
Important — controller / processor roles. Where the validated VAT number belongs to a sole trader or individual entrepreneur (a natural person), the enrichment data — including their business name, address, legal form, and registration details — may constitute personal data within the meaning of Art. 4(1) GDPR.
- You (the API customer) are the data controller — you determine the purposes and means of processing this personal data within your application.
- vatnode acts as your data processor — we retrieve and transmit this data on your behalf in accordance with your API request.
As the data controller, you are responsible for ensuring you have a valid legal basis under Art. 6 GDPR for retrieving and processing this enrichment data, and for complying with all applicable data protection obligations in relation to your end users.
The Data Processing Agreement (DPA) governs vatnode's role as your data processor. By using the vatnode API, you agree to the terms of the DPA.
Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication (email, OAuth provider IDs, passkey credentials)Necessary to provision and secure your account and to authenticate you on each session. | Contract (Art. 6(1)(b)) |
| Payment processing and billing (Stripe customer ID, invoice records)Contract for executing the subscription; legal obligation for tax and accounting retention under Finnish law. | Contract + Legal obligation (Art. 6(1)(b), (c)) |
| VAT check logs (queried VAT ID, country code, validation result, timestamp)Contract for delivering the validation result; legitimate interests in service operation, fraud detection, and providing an operator-side audit trail. Balancing test performed; minimal personal data involved. | Contract + Legitimate interests (Art. 6(1)(b), (f)) |
| API key usage tracking (last_used_at, source IP, user-agent)Our interest in detecting abuse, compromised keys, and providing usage telemetry to the customer. Limited retention and scope; outweighs minimal user impact. | Legitimate interests (Art. 6(1)(f)) |
| Fraud prevention and rate limitingOur interest in preventing abuse does not override your rights given the minimal data involved. | Legitimate interests (Art. 6(1)(f)) |
| Transactional emails (welcome, billing receipts, security alerts, password resets)Necessary to operate the account you have asked us to provide. We do not send marketing emails or newsletters. | Contract (Art. 6(1)(b)) |
| Accounting and tax record retentionFinnish Accounting Act (Kirjanpitolaki 1336/1997) requires 7-year retention of invoice records. | Legal obligation (Art. 6(1)(c)) |
| Website analytics — self-hosted Umami (no cookies, no cross-site identifiers)Aggregate-only, runs on our own EU infrastructure, no cookies set in the default configuration; balancing test concludes minimal impact. | Legitimate interests (Art. 6(1)(f)) |
| Third-party analytics (Google Analytics, Microsoft Clarity)Loaded only after you opt in through the cookie banner on first visit. You can change or withdraw your consent at any time on the Cookie Policy page (/legal/cookies); withdrawal also deletes the cookies these providers set in your browser. | Consent (Art. 6(1)(a)) |
| Security audit logging and account activity monitoringOur interest in security, fraud prevention and compliance assistance outweighs the minimal impact on users given the limited scope of data collected. | Legitimate interests (Art. 6(1)(f)) |
| Onboarding survey response forwardingVoluntary, categorical responses only; opt-out via Skip button available at any time. | Legitimate interests (Art. 6(1)(f)) |
| Storing requester VAT numberNecessary to provide the consultation number feature. | Contract (Art. 6(1)(b)) |
| Storing VIES consultation numbersNecessary to provide the validation audit-log feature. | Contract (Art. 6(1)(b)) |
| Processing enrichment data from national registriesProcessed as data processor on customer’s behalf; see DPA. | Contract (Art. 6(1)(b)) |
Data Sharing & Subprocessors
We do not sell, rent, or trade your personal data. To deliver specific operations that we cannot reasonably perform in-house — payment processing, transactional email, and server hosting — we engage a small number of carefully selected sub-processors. Each is bound by a written data processing agreement that imposes, at minimum, the obligations required by Art. 28 GDPR.
5.1 Categories of sub-processors
The table below summarises the categories of sub-processors and the data they receive. The complete and current list — with legal entity names, addresses, and processing details — is maintained at vatnode.dev/legal/subprocessors. That page is the authoritative source and supersedes any summary here in case of discrepancy.
| Category | Data processed | Location | Safeguard |
|---|---|---|---|
| Hosting & database (e.g. Vultr Holdings LLC) | All personal data stored by vatnode (account, API keys, check history, subscriptions) | Frankfurt, Germany (EU) | No transfer outside EEA — no Chapter V safeguard required |
| Payment processing (e.g. Stripe Payments Europe Ltd. / Stripe, Inc.) | Email, billing name, Stripe customer ID, invoice records | Ireland (EU) with US access by Stripe, Inc. | SCCs (Commission Decision 2021/914), Module 2 — Controller-to-Processor |
| Transactional email (e.g. Resend, Inc.) | Email address, display name, message contents (incl. onboarding survey answers when submitted) | USA | SCCs (Commission Decision 2021/914), Module 2 — Controller-to-Processor |
5.2 International transfers and safeguards
Our primary hosting is in Frankfurt, Germany — inside the EEA — so no international transfer occurs for the bulk of your data. Where a sub-processor accesses personal data from the United States (currently the Stripe US arm and Resend), the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, Module 2 (Controller-to-Processor), as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. We have performed a transfer impact assessment for each US-based recipient. Copies of the executed SCCs are available on request from [email protected]. See also Section 6 below for additional detail on transfer mechanisms.
5.3 Change notification and right to object
We will give all active customers at least 14 days' advance notice — sent to the email on your account — before engaging a new sub-processor or replacing an existing one. The same notice will be reflected on the public sub-processor list at /legal/subprocessors.
Customers who have entered into our Data Processing Agreement may object to any such change by emailing [email protected] within the notice period. We will work with you in good faith to address the objection; if no resolution is reached, you may terminate the affected portion of the Service without penalty. Continued use of the Service after the notice period expires constitutes acceptance of the new sub-processor.
5.4 VIES and national tax authority recipients
When validating VAT numbers, we transmit the queried VAT number — and, where you have configured it, your requester VAT number — to the European Commission's VIES service and, where applicable, to national tax authority and company registry APIs of covered EU member states. These entities act as independent data controllers, not as sub-processors of vatnode. VAT numbers are business identifiers and generally do not constitute personal data, except where they identify a sole trader as a natural person.
We may also disclose data to law-enforcement or other public authorities when required by Finnish or EU law (Art. 6(1)(c) GDPR).
International Data Transfers
Our primary infrastructure — server, database, API, and web hosting — is hosted by Vultr Holdings LLC in Frankfurt, Germany (EU). As this location is within the European Economic Area, no international transfer of personal data occurs for these processing activities.
We use Stripe for payment processing and Resend for transactional email. Stripe processes EU customer payments primarily through Stripe Payments Europe Ltd. (Ireland), an EU entity, though data may be accessed from the US. Transfers to US-based processors are governed by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) (Commission Implementing Decision 2021/914 of 4 June 2021), Module 2 (Controller-to-Processor).
Copies of the applicable SCCs are available on request by contacting [email protected].
Data Retention
| Data type | Retention |
|---|---|
| Account data (email, name) | Until account deletion + 30-day recovery window. After deletion, email is retained indefinitely in anonymised form for audit integrity; it is no longer linked to any identifiable person. |
| VAT check history (checkId, verifiedAt, subject VAT, validation result, optional consultation number, enrichment fields) | Stored in full for as long as your account is active and is deleted within 30 days of account deletion. In addition, after 5 years from the date of each check — aligned with standard EU VAT audit retention — the record is anonymised: the identifying fields (the queried VAT number, company name and address, registry code and name, and any industry description) are removed. The remaining non-identifying information — country code, date of the check, and validity result — is kept indefinitely as anonymised, aggregated usage statistics that can no longer be linked to any identifiable person. |
| Requester VAT number (your own EU VAT, if set in Settings) | Until you clear it from Settings or delete your account. Deleted within 30 days of account deletion. |
| API request logs (IP, key, timestamp) | 1 year. IP address anonymised after 30 days. |
| Audit logs (login events, account changes, key management) | 1 year. |
| Email change history | Indefinitely. No personal data is retained after anonymisation. |
| Payment and invoice records | 7 years (Finnish Accounting Act, Kirjanpitolaki 1336/1997). |
| Website analytics / auto-collected data | Session duration; aggregates retained indefinitely (no personal data after anonymisation). |
Your Rights (GDPR)
As a data subject in the EU/EEA, you have the following rights under GDPR Arts. 15–22. Contact us at [email protected] — we will respond within 30 days (extendable to 90 days for complex requests per Art. 12(3)).
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi or with your local EU supervisory authority (Art. 13(2)(d) GDPR).
Access (Art. 15)
Request a copy of your personal data
Rectification (Art. 16)
Correct inaccurate or incomplete data
Erasure (Art. 17)
Request deletion of your data
Restriction (Art. 18)
Request that we restrict processing
Portability (Art. 20)
Receive your data in machine-readable format
Object (Art. 21)
Object to processing based on legitimate interests
Withdraw Consent (Art. 7(3))
We do not currently rely on consent as a legal basis. If we add consent-based processing in the future, you may withdraw consent at any time.
Supervisory Authority Complaint (Art. 77)
Lodge a complaint with the Finnish Data Protection Ombudsman at tietosuoja.fi or your local EU supervisory authority.
Data Security
We implement appropriate technical and organisational measures, including:
- HTTPS/TLS encryption for all connections
- Passwords stored as bcrypt hashes
- API keys stored as HMAC-SHA-256 hashes
- Database encrypted at rest
- Access to production systems restricted to authorised personnel
- Comprehensive audit logging of account and security events (see §3.5)
In the event of a personal data breach, we will notify the Finnish Data Protection Ombudsman within 72 hours and affected users without undue delay, as required by GDPR Arts. 33–34.
Automated Processing
We use automated processes for operational purposes that are necessary for the performance of our contract with you (Art. 6(1)(b) GDPR):
- Quota enforcement — API access is automatically suspended when the monthly request limit for your plan is reached.
- Rate limiting — requests exceeding per-second thresholds are automatically rejected to protect service availability.
- Account suspension — accounts may be automatically suspended after a payment grace period expires.
Quota enforcement and rate limiting are operational controls that do not produce legal effects or similarly significant effects on you as a person within the meaning of Art. 22 GDPR. They reflect the technical boundaries of your chosen subscription plan.
Account suspension decisions that significantly affect your access to the Service may be reviewed by a human. To request such a review, contact [email protected].
No profiling. We do not perform automated profiling of users for marketing, scoring, or behavioural analysis purposes.
Cookies
We use only essential cookies required for the Service to function:
- Session cookie — maintains your login state
- CSRF token — protects against cross-site request forgery
We do not use advertising cookies, tracking pixels, or third-party analytics scripts that set cookies. No consent banner is required.
Children's Privacy
Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email at least 14 days before the changes take effect. The updated date at the top of this page reflects the last revision.
Contact
For privacy-related questions, to exercise your rights, or to request a Data Processing Agreement (DPA) for your organisation:
We aim to respond within 30 days. For complex requests we may extend to 90 days and will notify you of the extension (Art. 12(3) GDPR).