1. Who We Are
Vatidator is a product of Vatidator OÜ ("Vatidator", "we", "us", or "our"), a private limited company registered in Estonia (registry code: 17526048), with its registered address at Sepapaja tn 6, 15551 Tallinn, Estonia.
We develop and operate VAT Compliance Suite and Privacy & GDPR Suite, ERP-native compliance automation products for Microsoft Dynamics 365 Business Central, Salesforce, and other ERP platforms, available at vatidator.com.
For any privacy-related questions or requests, contact us at: privacy@vatidator.com
2. Scope of This Policy
This policy covers:
- Website visitors: data collected when you visit vatidator.com
- Prospective and current customers: data collected during sales, onboarding, and support interactions
- Subscription customers: data processed in connection with your purchase and use of our products
Important for ERP extension users: When our products are installed in your ERP system (Business Central, Salesforce), we act as a data processor on your behalf. Your organisation remains the data controller for the business data processed within your ERP environment. Please refer to Section 4 for details.
3. Data We Collect and Why
3.1 Website Visitors
We currently do not use analytics cookies, advertising pixels, or behavioural tracking on this website.
We may introduce privacy-respecting, cookie-free analytics in the future to understand aggregated website usage. If we do, we will use a service that does not use cookies or track individuals across sites, and this policy will be updated accordingly.
What we do collect:
- Information you voluntarily submit via our contact, demo request, or support forms (name, business email, company name, message content). These submissions are processed through our forms provider.
- Limited technical data (such as IP address and browser type) that our hosting and security provider, Cloudflare, processes at the network edge to serve the website and protect it against abuse. We do not operate our own server-side visitor logging or analytics for this website; this technical processing is governed by Cloudflare's own policies and retention periods.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR) for the technical data processed by our hosting and security provider; your consent and contract performance (Article 6(1)(a) and (b)) for form submissions.
3.2 Demo Requests and Sales Interactions
When you request a demo or contact our sales team, we collect your name and business email address, company name and ERP platform, and the content of your enquiry. We use this to respond to your request, schedule demonstrations, and, with your permission, follow up regarding our products.
Legal basis: Legitimate interest and pre-contractual steps (Article 6(1)(b) and (f) GDPR). Retention: Up to 2 years from last contact, or until you request deletion.
3.3 Subscription Customers
When you purchase a subscription, payment and billing are handled by our Merchant of Record payment provider, who acts as the data controller for your payment and invoice data. We receive only your business email address and company name, your subscription tier and status, and the license key associated with your subscription. We use this to provision access, send product-related communications, and provide support.
Legal basis: Contract performance (Article 6(1)(b) GDPR). Retention: Duration of your subscription plus 5 years for legal and tax record-keeping obligations.
4. Our Role as a Data Processor for ERP Extension Users
When our products are installed and used within your ERP environment:
- You are the data controller. Your organisation determines what business data is entered into your ERP system and how our products interact with it.
- We are the data processor. Our software and API infrastructure process data (such as VAT registration numbers and company names of your customers and vendors) solely to provide the validation, audit, and compliance services you have subscribed to.
The data processed through our ERP extensions includes VAT registration numbers of your customers and vendors, company names and addresses as stored in your ERP, and validation results, proof identifiers and audit log entries.
This data is processed in accordance with our standard Data Processing Agreement (DPA), which forms part of our Terms of Service. If you require a signed DPA for enterprise or regulatory purposes, please contact privacy@vatidator.com.
Our API infrastructure (hosted on Microsoft Azure, within the EU) temporarily processes VAT numbers to query official registries (VIES, HMRC, and others) and returns validation results. We do not sell, share, or use this data for any purpose other than providing the service to you.
5. Cookies
We do not use non-essential cookies. Our website may use strictly necessary session cookies for functional purposes. No consent is required for strictly necessary cookies. We do not use advertising, tracking, or analytics cookies.
6. Data Sharing and Third-Party Processors
We share personal data only with trusted third-party processors where necessary to provide our services: a Merchant of Record payment provider (payment processing, subscription management, invoicing), Microsoft Azure (API and infrastructure hosting, EU West Europe region), Cloudflare (DNS, DDoS protection for the marketing site), and Formspree (contact-form submissions on the marketing site). A full, current list is maintained on our Sub-processor Disclosure. We do not sell personal data to third parties and we do not use personal data for advertising profiling.
7. International Data Transfers
Our API infrastructure is hosted within the European Union (Microsoft Azure, West Europe). Where data is transferred to processors outside the EU, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions under GDPR Article 46.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent regarding your personal data.
To exercise any of these rights, contact us at privacy@vatidator.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. In Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee.
9. Data Security
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, or disclosure. Our API uses TLS encryption in transit; validation proof records use hash-chain integrity verification; access to production systems is restricted to authorised personnel only.
10. Data Retention
- Edge security/technical data (Cloudflare): per Cloudflare's retention policy
- Contact / demo enquiries: 2 years from last contact
- Customer account data: duration of subscription + 5 years
- VAT validation audit logs (in your ERP): controlled by you as data controller
- Billing records: 5 years (legal obligation)
11. Children's Privacy
Our products and website are directed exclusively at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18.
12. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active customers by email.
13. Contact
Data Controller:
Vatidator OÜ
Sepapaja tn 6, 15551 Tallinn, Estonia
Registry code: 17526048
Privacy enquiries: privacy@vatidator.com
General enquiries: info@vatidator.com
Support: support@vatidator.com