Privacy Policy
Last updated: 12 April 2026
vatverify ("we", "us") provides a VAT validation API for developers. This policy describes what information we collect, why, and the rights you have as a customer. If you have questions, email privacy@vatverify.dev.
What we collect
- Account data — your email address and, if you provide one, a name, so we can issue API keys and contact you about the service.
- API keys (hashed) — we store SHA-256 hashes of your keys, not the raw keys. We cannot recover a key if you lose it.
- Usage metadata — per-request metrics (timestamp, latency, status code, anonymised request identifiers) for rate-limiting, debugging, and abuse prevention.
- VAT queries — the VAT numbers you validate are cached for up to 25 days alongside the corresponding registry response. These are business identifiers, not personal data.
We do not track you across the web, we do not set marketing cookies, and we do not sell or share data with advertisers.
Lawful basis
Under UK and EU GDPR, our lawful basis for processing this data is a mix of:
- Contract performance — to provide the API service you sign up for.
- Legitimate interest — for security, abuse prevention, and debugging. We balance this against your interests and keep logs short-lived.
Where your data is stored
All customer data is stored in the European Union. Specifically:
- Application hosting — Railway (Netherlands, europe-west4).
- Primary database — Supabase (EU region).
- Cache and rate-limit counters — Upstash Redis (Ireland, eu-west-1).
Each sub-processor is bound by its own GDPR-compliant data processing agreement. We can provide the list of sub-processors on request.
Who we share data with
To validate a VAT number, we forward the country code and number to the relevant government registry (VIES, HMRC, the Swiss BFS UID register, or Brønnøysund). We do not share who you are with those registries — the query contains only the VAT number. We do not share any customer data with third parties for marketing.
How long we keep it
- Account data: for the life of your account, plus 30 days after closure.
- Request logs: 30 days.
- VAT cache entries: up to 25 days, then purged automatically.
- Revoked API keys: marked revoked immediately; row deleted after 90 days.
Your rights
Under GDPR you have the right to:
- Ask what personal data we hold on you (right of access).
- Correct anything that is wrong (rectification).
- Delete your account and associated data (erasure).
- Export your data in a machine-readable format (portability).
- Object to processing (where based on legitimate interest).
- Complain to a data protection authority — UK ICO or your country's equivalent.
To exercise any of these rights, email privacy@vatverify.dev. We respond within 30 days.
Security
All data is encrypted in transit (TLS) and at rest. API keys are stored hashed. Application secrets are stored in encrypted environment variables. We follow standard security practices and run automated security scans against our API. To report a vulnerability, email security@vatverify.dev.
Changes
We will notify you of material changes to this policy by email at least 30 days before the change takes effect, and update the date at the top of this page.