Privacy Policy

Last updated: February 19, 2026

1. Introduction

VIESAC ("we", "us", "our") operates the VIESAC service: EU VAT validation via VIES, audit trail storage, certificates, API, and related features. We take your privacy seriously and comply with the EU General Data Protection Regulation (GDPR) and applicable EU data protection laws. Our servers are located in the European Union (Germany, Nuremberg). We do not transfer personal data outside the EU except where necessary for specific services (e.g. payment processing) with appropriate safeguards.

2. Data We Collect and Process

2.1 Account and Profile Data

When you register and use your account, we process:

  • Name, first name, last name, email address
  • Password (stored in hashed form)
  • Company name, company number (VAT), address, phone (optional)
  • Language and timezone preferences
  • If you sign in via OAuth (Google, Microsoft, etc.): provider ID, avatar URL

Purpose: Account creation, authentication, personalisation, support. Legal basis: Contract performance (Art. 6(1)(b) GDPR).

2.2 VAT Numbers You Add

We store the company VAT numbers (country code + VAT number) that you add to your profile for use as the requester VAT in validations.

Purpose: VAT validation requests, audit trail. Legal basis: Contract performance (Art. 6(1)(b) GDPR).

2.3 Validation and Audit Trail Data

For each VAT validation you perform, we store:

  • Validated VAT number and country, company name and address (from VIES or fallback)
  • Order number, invoice number, comment (if you provide them)
  • Requester VAT (optional), validation result, status, method (manual, API, WooCommerce, etc.)
  • Consultation number, reference number, PDF certificate path, technical XML from VIES

Purpose: Audit trail, compliance, certificate download, history. Certificates and audits are stored for 10+ years for regulatory compliance. Legal basis: Contract performance (Art. 6(1)(b) GDPR); legitimate interest in compliance records (Art. 6(1)(f) GDPR).

Note: You are the data controller for the VAT numbers and business data you submit for validation; we act as processor when storing and processing this data for the service.

2.4 API Keys and Usage

If you create API keys, we store a hashed version and usage metadata (last used, totals). We do not store the full API key in plain text.

Purpose: API authentication, usage limits, security. Legal basis: Contract performance (Art. 6(1)(b) GDPR).

2.5 Payment Data

Payment and subscription data are processed by Stripe. We store Stripe customer ID, subscription ID, plan, and subscription end date. We do not store full card numbers or payment details; Stripe handles these on its secure infrastructure. Stripe's privacy policy: stripe.com/privacy.

Purpose: Billing, subscription management. Legal basis: Contract performance (Art. 6(1)(b) GDPR).

2.6 Support Requests

When you contact support, we process your email, question type, subject, message, and any attachments. This data is sent by email to our support team.

Purpose: Responding to your enquiries. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR); pre-contractual steps if applicable (Art. 6(1)(b) GDPR).

2.7 Technical and Log Data

We collect session data (e.g. login state), IP addresses, browser type, and similar technical data for security, fraud prevention, and service operation. See our Cookie Policy for cookies we use.

Purpose: Security, troubleshooting, compliance. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

2.8 Company Enrichment (Optional)

When the EU VIES system returns placeholder data (e.g. "---") for company name or address, we may use a third-party service to enrich this data. Such processing is limited to non-personal business identifiers and supports the audit trail.

Purpose: Improving audit trail completeness. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

3. Recipients and Transfers

We may share data with:

  • Hosting and infrastructure — EU (Germany, Nuremberg)
  • Stripe — Payment processing; Stripe is based in the US and relies on appropriate safeguards (e.g. Standard Contractual Clauses) for transfers
  • Mail providers — For transactional and support emails
  • EU VIES — Official EU VAT validation; we send VAT numbers for validation
  • OAuth providers (if you sign in with Google, Microsoft, etc.) — Only what is necessary for authentication

We do not sell your personal data. We do not transfer data outside the EU except as stated above and with appropriate safeguards where required.

4. Retention

We retain data only as long as necessary:

  • Account data — Until you delete your account, plus a short period for backups and legal obligations
  • Audit trail and certificates — 10+ years for compliance
  • Support correspondence — As long as needed to resolve your request and for legitimate business purposes
  • Logs and technical data — Typically up to a few months, unless longer retention is required for security or legal reasons

5. Security

We use industry-standard measures to protect your data: encryption in transit (TLS/HTTPS) and at rest, secure authentication, access controls, and regular security practices. Data is stored on servers in the EU (Germany, Nuremberg).

6. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access — Obtain a copy of your personal data
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion ("right to be forgotten"), subject to legal retention requirements
  • Restriction — Limit processing in certain circumstances
  • Data portability — Receive your data in a structured, machine-readable format
  • Object — Object to processing based on legitimate interests
  • Withdraw consent — Where processing is based on consent

To exercise these rights, contact us at legal@viesac.eu. We will respond within one month. You also have the right to lodge a complaint with a supervisory authority in your country of residence.

7. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

8. Changes

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest version. We will notify you of material changes via email or prominent notice. Continued use after changes constitutes acceptance.

9. Controller and Contact

Data controller: Comet Group OÜ (registry code 12568148), Ida-Viru maakond, Narva linn, P. Kerese tn 5, 20309, Estonia. VAT: EE101678030. e-Business Register.

For privacy and data subject requests and legal matters: legal@viesac.eu.