Privacy Policy
Last updated: 26 March 2026
We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR). This policy explains what we collect, why, and your rights.
Data Controller
The data controller for vatnode is:
- Company: Tmi Iurii Rogulia
- VAT ID: FI29845875
- Address: Vanhanpellonkatu 5, 53850 Lappeenranta, Finland
- Location: Finland, European Union
- Contact: privacy@vatnode.dev
Introduction
vatnode ("we", "our", "us") is committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).
This Privacy Policy explains what personal data we collect, on what legal basis, how we use it, and your rights as a data subject. It applies to all users of vatnode.dev and the vatnode API.
We have assessed that appointment of a Data Protection Officer is not mandatory under Art. 37 GDPR for our current processing activities.
Information We Collect
3.1 Account Information
- Email address
- Name (optional)
- Password (stored as a bcrypt hash — never in plaintext)
3.2 Payment Information
Payment information is processed directly by Stripe. We never see or store your payment card details. We receive from Stripe only: Stripe customer ID, subscription plan and status, and invoice history.
3.3 API Usage Data
We log each API request to the VAT validation endpoint. Each log record includes:
- The VAT number queried (public business data, not personal data)
- Timestamp of the request
- IP address (anonymized after 30 days)
- API key identifier used
- Response outcome (valid/invalid, source, response time)
3.4 Automatically Collected
- Browser type and version
- Operating system
- Referring website
- Pages viewed (aggregate analytics only)
Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Payment processing and billing | Contract and legal obligation (Art. 6(1)(b) and (c)) |
| API request logging and quota enforcement | Contract (Art. 6(1)(b)) |
| Fraud prevention and rate limiting (our interest in preventing abuse does not override your rights, given the minimal data involved) | Legitimate interests (Art. 6(1)(f)) |
| Service communications (transactional) | Contract (Art. 6(1)(b)) |
| Accounting and tax record retention | Legal obligation (Art. 6(1)(c)) |
| Website analytics (aggregate only, anonymized within 30 days; no impact on individual rights) | Legitimate interests (Art. 6(1)(f)) |
Data Sharing & Sub-processors
We do not sell, rent, or trade your personal data. We share data only with the following sub-processors, each bound by GDPR-compliant data processing terms:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | SCCs |
| Vultr Holdings LLC | Server infrastructure | EU (Amsterdam) | EU hosting |
| Resend, Inc. | Transactional email | USA | SCCs |
| Vercel, Inc. | Web application hosting | USA / EU edge | SCCs |
We may also disclose data to legal authorities when required by Finnish or EU law.
International Data Transfers
Our primary infrastructure (database and API server) is hosted in the EU (Amsterdam). Some sub-processors are headquartered in the United States. Transfers to these processors are governed by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) (Commission Implementing Decision 2021/914 of 4 June 2021), Module 2 (Controller-to-Processor) for Stripe, Resend, and Vercel.
Data Retention
| Data type | Retention |
|---|---|
| Account data | Until deletion, +30 days for recovery |
| API request logs | 90 days (IP anonymized after 30 days) |
| Payment and invoice records | 7 years (Finnish Accounting Act) |
| Security logs | 30 days |
| Website analytics / auto-collected data | Session duration; aggregates retained indefinitely (no personal data after anonymization) |
Your Rights (GDPR)
As a data subject in the EU/EEA, you have the following rights. Contact us at privacy@vatnode.dev — we will respond within 30 days (extendable to 90 days for complex requests per Art. 12(3)).
- Access (Art. 15): request a copy of your personal data
- Rectification (Art. 16): correct inaccurate or incomplete data
- Erasure (Art. 17): request deletion of your data
- Restriction (Art. 18): request that we restrict processing
- Portability (Art. 20): receive your data in a machine-readable format
- Object (Art. 21): object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)): we do not currently rely on consent as a legal basis. If we add consent-based processing in the future, you may withdraw consent at any time.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi or with your local EU supervisory authority.
Data Security
We implement appropriate technical and organisational measures, including:
- HTTPS/TLS encryption for all connections
- Passwords stored as bcrypt hashes
- API keys stored as SHA-256 hashes
- Database encrypted at rest
- Access to production systems restricted to authorised personnel
In the event of a personal data breach, we will notify the Finnish Data Protection Ombudsman within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.
Automated Decision-Making (Art. 22)
We use automated processes for: quota enforcement (cutting off API access when the monthly limit is reached), account suspension after payment grace period expires, and rate limiting. These decisions are necessary for the performance of the contract (Art. 22(2)(a)).
You may request human review of any automated decision that significantly affects you by contacting privacy@vatnode.dev.
Cookies
We use only essential cookies required for the Service to function:
- Session cookie — maintains your login state
- CSRF token — protects against cross-site request forgery
We do not use advertising cookies, tracking pixels, or third-party analytics scripts that set cookies. No consent banner is required.
Children's Privacy
Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at privacy@vatnode.dev and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email at least 14 days before the changes take effect. The updated date at the top of this page reflects the last revision.
Contact
For privacy-related questions, to exercise your rights, or to request a Data Processing Agreement (DPA) for your organisation, contact us at privacy@vatnode.dev.
We aim to respond within 30 days. For complex requests we may extend to 90 days and will notify you of the extension.