Legal
Privacy Policy
Last updated: 23 April 2026
We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR). This policy explains what we collect, why, and your rights.
Data Controller
The data controller for vatnode is:
- Company
- Tmi Iurii Rogulia
- VAT ID
- FI29845875
- Address
- Vanhanpellonkatu 5, 53850 Lappeenranta, Finland
- Location
- Finland, European Union
- Privacy contact
- [email protected]
Introduction
vatnode ("we", "our", "us") is committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).
This Privacy Policy explains what personal data we collect, on what legal basis, how we use it, and your rights as a data subject. It applies to all users of vatnode.dev and the vatnode API.
Required data. Providing your email address is required to create an account and use the Service. Without it, we cannot provide access. Your name is optional.
We have assessed that appointment of a Data Protection Officer is not mandatory under Art. 37 GDPR for our current processing activities.
If you have concerns about how we handle your data, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi or with your local EU supervisory authority (Art. 13(2)(d) GDPR).
Information We Collect
3.1 Account Information
- Email address (required to use the Service)
- Name (optional)
- Password (stored as a bcrypt hash — never in plaintext)
- IP address at registration and at each login, stored in our security events log
3.2 Payment Information
Payment information is processed directly by Stripe. We never see or store your payment card details. We receive from Stripe only: Stripe customer ID, subscription plan and status, and invoice history.
3.3 API Usage Data
We log each API request to the VAT validation endpoint. Each log record includes:
- The VAT number queried (public business data, not personal data)
- Timestamp of the request
- IP address of the requesting client (anonymised after 30 days)
- API key identifier used
- Response outcome (valid/invalid, source, response time)
3.4 Automatically Collected Data
- Browser type and version
- Operating system
- Referring website
- Pages viewed (aggregate analytics only)
3.5 Account Activity and Audit Logs
We maintain a comprehensive audit log of account and security-related events. For each recorded event we store the event type, timestamp, IP address of the actor, and relevant metadata (for example, which API key was created or deleted, which email address was changed). The following events are recorded:
- Login events — timestamp, IP address, user agent
- API key events — creation, deletion, and revocation of API keys
- Account change events — email address changes, password changes, plan changes, webhook configuration changes, and account deletion requests
The legal basis for this processing is our legitimate interests (Art. 6(1)(f) GDPR) in maintaining security, preventing fraud, and enabling customers to demonstrate compliance in their own audit trails. We have assessed that this interest outweighs the minimal privacy impact given the limited scope and duration of data collected.
3.6 Onboarding Survey Responses
When you first log in to the vatnode dashboard, you may be shown an optional one-time welcome survey. The survey asks about your role, team size, use case, current VAT validation approach, and what brought you to vatnode. All fields are entirely optional; you may skip the survey at any time.
If you choose to answer any questions, your responses — together with your account email address and display name — are sent by email to the vatnode founder via Resend (our transactional email provider). Survey responses are not stored in the vatnode database. The only database record created is a timestamp indicating that you have seen the modal, so it is not shown again.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Our interest is in understanding who uses vatnode so we can prioritise product improvements. Participation is voluntary, the data is used only for internal product decisions, and you may skip without any effect on your access. To object or request deletion, contact [email protected].
3.7 Your EU VAT Number (Requester Setting)
Through the Account Settings page, you may optionally provide your own EU VAT registration number. This enables vatnode to submit your VAT number as the "requester" identifier in calls to the VIES system, which causes VIES to return a consultation number (a reference issued by the European Commission confirming the validation was performed). This feature is designed for businesses that need to demonstrate they performed a valid VIES check at a specific point in time for EU VAT zero-rating purposes.
When set, vatnode stores your country code and VAT number in your account profile. This data is used exclusively to populate the requester field in outbound VIES API calls made by your account.
Personal data consideration: If you are a sole trader (natural person), your EU VAT number may constitute personal data under Art. 4(1) GDPR. If you are a legal entity, your VAT number is business identifier data and generally does not constitute personal data.
Legal basis: Contract (Art. 6(1)(b) GDPR) — processing is necessary to provide the consultation number feature you have requested. You may clear your requester VAT at any time through Account Settings.
3.8 VIES Consultation Numbers
When your account has a requester VAT number configured (see §3.7) and you perform a VAT validation, VIES returns a requestIdentifier — a consultation number issued by the European Commission. This consultation number is stored alongside the validation record in your VAT check history.
The consultation number is a reference that proves a specific validation was performed by a specific requester at a specific time. It is retained as part of your validation audit log and is included in any data export you request. Consultation numbers are issued and controlled by the European Commission; vatnode stores them solely to make them available to you.
Legal basis: Contract (Art. 6(1)(b) GDPR) — retention is necessary to provide the audit-log feature of the Service.
3.9 Company Enrichment Data from National Registries
When validating a VAT number, vatnode may retrieve additional company information from national business registries of EU member states. This enrichment data may include: legal form, industry description, national registry code, and company registration date. This data originates from official national registries and is returned to you in the API response.
Important — controller / processor roles. Where the validated VAT number belongs to a sole trader or individual entrepreneur (a natural person), the enrichment data — including their business name, address, legal form, and registration details — may constitute personal data within the meaning of Art. 4(1) GDPR.
- You (the API customer) are the data controller — you determine the purposes and means of processing this personal data within your application.
- vatnode acts as your data processor — we retrieve and transmit this data on your behalf in accordance with your API request.
As the data controller, you are responsible for ensuring you have a valid legal basis under Art. 6 GDPR for retrieving and processing this enrichment data, and for complying with all applicable data protection obligations in relation to your end users.
The Data Processing Agreement (DPA) governs vatnode's role as your data processor. By using the vatnode API, you agree to the terms of the DPA.
Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Payment processing and billing | Contract + Legal obligation (Art. 6(1)(b)(c)) |
| API request logging and quota enforcement | Contract (Art. 6(1)(b)) |
| Fraud prevention and rate limitingOur interest in preventing abuse does not override your rights given the minimal data involved. | Legitimate interests (Art. 6(1)(f)) |
| Service communications (transactional) | Contract (Art. 6(1)(b)) |
| Accounting and tax record retention | Legal obligation (Art. 6(1)(c)) |
| Website analyticsAggregate-only, anonymised within 30 days; no impact on individual rights. | Legitimate interests (Art. 6(1)(f)) |
| Security audit logging and account activity monitoringOur interest in security, fraud prevention and compliance assistance outweighs the minimal impact on users given the limited scope of data collected. | Legitimate interests (Art. 6(1)(f)) |
| Onboarding survey response forwardingVoluntary, categorical responses only; opt-out via Skip button available at any time. | Legitimate interests (Art. 6(1)(f)) |
| Storing requester VAT numberNecessary to provide the consultation number feature. | Contract (Art. 6(1)(b)) |
| Storing VIES consultation numbersNecessary to provide the validation audit-log feature. | Contract (Art. 6(1)(b)) |
| Processing enrichment data from national registriesProcessed as data processor on customer’s behalf; see DPA. | Contract (Art. 6(1)(b)) |
Data Sharing & Subprocessors
We do not sell, rent, or trade your personal data. We share data only with the following subprocessors, each bound by GDPR-compliant data processing terms:
| Subprocessor | Purpose | Location | Safeguard |
|---|---|---|---|
| Vultr Holdings LLC | Server infrastructure (database, API, and web hosting) | Frankfurt, Germany (EU) | None required — processor in EU/EEA |
| Stripe Payments Europe Ltd. / Stripe, Inc. | Payment processing | Ireland (EU) / USA | SCCs (Module 2) for US transfers |
| Resend, Inc. | Transactional email (service notifications, onboarding survey forwarding) | USA | SCCs (Module 2) |
VAT validation data recipients.When validating VAT numbers, we transmit the queried VAT number to the European Commission's VIES service and, where applicable, to national tax authority databases (Romania, Czech Republic, Denmark, Finland, France, Poland, Sweden, Germany). These entities act as independent data controllers for such processing. VAT numbers are business identifiers and generally do not constitute personal data, except where they identify a sole trader as a natural person.
We may also disclose data to legal authorities when required by Finnish or EU law.
International Data Transfers
Our primary infrastructure — server, database, API, and web hosting — is hosted by Vultr Holdings LLC in Frankfurt, Germany (EU). As this location is within the European Economic Area, no international transfer of personal data occurs for these processing activities.
We use Stripe for payment processing and Resend for transactional email. Stripe processes EU customer payments primarily through Stripe Payments Europe Ltd. (Ireland), an EU entity, though data may be accessed from the US. Transfers to US-based processors are governed by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) (Commission Implementing Decision 2021/914 of 4 June 2021), Module 2 (Controller-to-Processor).
Copies of the applicable SCCs are available on request by contacting [email protected].
Data Retention
| Data type | Retention |
|---|---|
| Account data (email, name) | Until account deletion + 30-day recovery window. After deletion, email is retained indefinitely in anonymised form for audit integrity; it is no longer linked to any identifiable person. |
| VAT check history (checkId, verifiedAt, subject VAT, validation result, optional consultation number, enrichment fields) | 5 years from the date of the check — aligned with standard EU VAT audit retention. Stored for as long as your account is active; deleted within 30 days of account deletion unless a legal obligation requires longer retention. |
| Requester VAT number (your own EU VAT, if set in Settings) | Until you clear it from Settings or delete your account. Deleted within 30 days of account deletion. |
| API request logs (IP, key, timestamp) | 1 year. IP address anonymised after 30 days. |
| Audit logs (login events, account changes, key management) | 1 year. |
| Email change history | Indefinitely. No personal data is retained after anonymisation. |
| Payment and invoice records | 7 years (Finnish Accounting Act, Kirjanpitolaki 1336/1997). |
| Website analytics / auto-collected data | Session duration; aggregates retained indefinitely (no personal data after anonymisation). |
Your Rights (GDPR)
As a data subject in the EU/EEA, you have the following rights under GDPR Arts. 15–22. Contact us at [email protected] — we will respond within 30 days (extendable to 90 days for complex requests per Art. 12(3)).
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi or with your local EU supervisory authority (Art. 13(2)(d) GDPR).
Access (Art. 15)
Request a copy of your personal data
Rectification (Art. 16)
Correct inaccurate or incomplete data
Erasure (Art. 17)
Request deletion of your data
Restriction (Art. 18)
Request that we restrict processing
Portability (Art. 20)
Receive your data in machine-readable format
Object (Art. 21)
Object to processing based on legitimate interests
Withdraw Consent (Art. 7(3))
We do not currently rely on consent as a legal basis. If we add consent-based processing in the future, you may withdraw consent at any time.
Supervisory Authority Complaint (Art. 77)
Lodge a complaint with the Finnish Data Protection Ombudsman at tietosuoja.fi or your local EU supervisory authority.
Data Security
We implement appropriate technical and organisational measures, including:
- HTTPS/TLS encryption for all connections
- Passwords stored as bcrypt hashes
- API keys stored as HMAC-SHA-256 hashes
- Database encrypted at rest
- Access to production systems restricted to authorised personnel
- Comprehensive audit logging of account and security events (see §3.5)
In the event of a personal data breach, we will notify the Finnish Data Protection Ombudsman within 72 hours and affected users without undue delay, as required by GDPR Arts. 33–34.
Automated Processing
We use automated processes for operational purposes that are necessary for the performance of our contract with you (Art. 6(1)(b) GDPR):
- Quota enforcement — API access is automatically suspended when the monthly request limit for your plan is reached.
- Rate limiting — requests exceeding per-second thresholds are automatically rejected to protect service availability.
- Account suspension — accounts may be automatically suspended after a payment grace period expires.
Quota enforcement and rate limiting are operational controls that do not produce legal effects or similarly significant effects on you as a person within the meaning of Art. 22 GDPR. They reflect the technical boundaries of your chosen subscription plan.
Account suspension decisions that significantly affect your access to the Service may be reviewed by a human. To request such a review, contact [email protected].
No profiling. We do not perform automated profiling of users for marketing, scoring, or behavioural analysis purposes.
Cookies
We use only essential cookies required for the Service to function:
- Session cookie — maintains your login state
- CSRF token — protects against cross-site request forgery
We do not use advertising cookies, tracking pixels, or third-party analytics scripts that set cookies. No consent banner is required.
Children's Privacy
Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email at least 14 days before the changes take effect. The updated date at the top of this page reflects the last revision.
Contact
For privacy-related questions, to exercise your rights, or to request a Data Processing Agreement (DPA) for your organisation:
We aim to respond within 30 days. For complex requests we may extend to 90 days and will notify you of the extension (Art. 12(3) GDPR).