Privacy Policy
Last updated: 29 April 2026
1. Introduction
This Privacy Policy explains how vatverify handles personal data when you use our VAT validation service at vatverify.dev and api.vatverify.dev (the “Service”).
We process personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable. This Policy includes the information required under Articles 13 and 14 of the UK GDPR and should be read alongside our Terms of Service.
2. How to reach us
For any enquiry relating to this Policy or your personal data, please use the appropriate contact email:
- General enquiries: hello@vatverify.dev
- Privacy and data-protection requests: privacy@vatverify.dev
- Security incidents and vulnerability reports: security@vatverify.dev
A postal address for service of notices is available on request. We have not appointed a Data Protection Officer as we are not required to do so under Article 37 of the UK GDPR.
3. Definitions
- “Personal data” has the meaning given in Article 4 of the UK GDPR.
- “Processing” has the meaning given in Article 4 of the UK GDPR.
- “You” means the natural person who registers for or uses the Service, whether acting individually or on behalf of a legal entity.
- “VAT data” means VAT registration numbers and corresponding company name, address, and registration status obtained from authoritative third-party registries as described in section 7.
4. Categories of personal data we collect
4.1 Account data
- Name or display name (optional; you may remain anonymous)
- Email address
- Chosen plan tier and billing status
- Date of account creation and last login timestamp
4.2 Authentication data
- API keys are stored only as SHA-256 cryptographic hashes. The raw key is shown to you once at issuance and is not recoverable thereafter.
- The first twelve characters of each key (e.g. vtv_live_8f) are retained in plain text to assist identification in logs and in your dashboard.
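As an added illustration of the storage scheme described in this section (example code, not vatverify's own), the following Python sketch issues a key, persists only its SHA-256 hash together with a twelve-character plaintext prefix, and verifies a presented key with a constant-time digest comparison; the key format, function names and in-memory store are assumptions.

```python
# Added example, not vatverify's own code. Key format, names and the
# in-memory store are assumptions chosen for illustration.
import hashlib
import hmac
import secrets

PREFIX_LEN = 12  # plaintext prefix retained for logs and the dashboard

# Constructed store: prefix -> list of records (a list, because a short
# prefix may be shared by more than one key). Only the hash is kept.
KEY_STORE: dict = {}


def hash_key(raw_key: str) -> str:
    """One-way SHA-256 digest; the raw key cannot be recovered from it."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(environment: str = "live") -> str:
    """Create a key, persist hash + prefix, return the raw key exactly once."""
    raw_key = f"vtv_{environment}_{secrets.token_hex(16)}"
    prefix = raw_key[:PREFIX_LEN]
    record = {"hash": hash_key(raw_key), "revoked": False}
    KEY_STORE.setdefault(prefix, []).append(record)
    return raw_key


def verify_key(presented: str) -> bool:
    """Narrow candidates by prefix, then compare digests in constant time."""
    digest = hash_key(presented)
    for record in KEY_STORE.get(presented[:PREFIX_LEN], []):
        if hmac.compare_digest(record["hash"], digest) and not record["revoked"]:
            return True
    return False


def revoke_key(key_hash: str) -> bool:
    """Revoke by stored hash (the identifier a dashboard would hold)."""
    for records in KEY_STORE.values():
        for record in records:
            if hmac.compare_digest(record["hash"], key_hash):
                record["revoked"] = True
                return True
    return False


def redact_for_log(raw_key: str) -> str:
    """What a log line may carry: the prefix only, never the full key."""
    return raw_key[:PREFIX_LEN] + "..."
```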
4.3 Technical and usage data
- IP address, user agent, request method, path, timestamp, response status, and response latency for each request made to the API
- Per-key request counters used for rate limiting and quota enforcement
- Unique request identifiers (e.g. req_…) associated with each API call
- For requests to our marketing website by automated AI crawlers (e.g. ClaudeBot, GPTBot), we log the user-agent string, IP address, country and approximate region, and path requested, for the security and abuse-detection purposes set out in section 5.
4.4 Query content
When you call the API, we process the VAT numbers you submit. VAT numbers are business identifiers and do not, on their own, identify natural persons. Where a VAT number corresponds to a self-employed trader, the resulting VAT data may constitute personal data under Article 4 of the UK GDPR. We process such data only in accordance with this Policy.
4.5 Billing data
Billing data (payment method metadata, invoice history, and tax identification) is processed by our payment processor and shared with us in minimal form (e.g. last four digits of a payment card). We do not store full payment card numbers.
5. Legal basis for processing
We rely on the following lawful bases under Article 6(1) of the UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing the Service to you | Article 6(1)(b): performance of a contract |
| Rate limiting, fraud prevention, abuse detection | Article 6(1)(f): legitimate interest (service stability and security) |
| Transactional messages (e.g. plan changes, security alerts) | Article 6(1)(b): performance of a contract |
| Occasional product updates and service announcements | Article 6(1)(f): legitimate interest, with opt-out on request |
| Compliance with tax, accounting, and anti-fraud laws | Article 6(1)(c): legal obligation |
Where we rely on legitimate interest, we have performed a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see section 11).
6. How we use your data
- Providing and maintaining the VAT validation API service
- Processing payments and managing subscriptions
- Preventing abuse and enforcing rate limits
- Sending transactional emails about your account or service changes
- Improving the reliability and performance of our service
We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising, profiling, or any purpose other than providing and improving the Service. We do not send marketing emails without your explicit consent.
We do not use personal data to make automated decisions that produce legal or similarly significant effects concerning you.
7. Recipients and sub-processors
We do not sell personal data. We share personal data only with the following categories of recipients:
7.1 Infrastructure sub-processors
- Railway (Netherlands, EU): Application hosting. DPA in place.
- Supabase (EU region): PostgreSQL database hosting. DPA in place.
- Upstash (Ireland, EU): Redis cache and rate-limit counters. DPA in place.
- Vercel (EU region for storage, global edge): Marketing website hosting. DPA in place.
- Cloudflare (global edge): DNS, email routing, and Turnstile bot-protection on the sign-in and sign-up forms. DPA in place.
- Umami (EU region): privacy-focused web analytics for the marketing website, including the automated-crawler events described in section 4.3. DPA in place.
Each sub-processor is bound by a data processing agreement compliant with Article 28 of the UK GDPR. The list is kept up to date and is available on request.
7.2 Government VAT registries
To validate a VAT number, we forward the country code and VAT identifier (but no information about you) to the relevant authoritative registry:
- VIES: operated by the European Commission (DG TAXUD) for EU-27 and Northern Ireland VAT numbers
- HM Revenue & Customs: for Great Britain (GB) VAT numbers
- Swiss Federal Statistical Office UID Register: for Swiss and Liechtenstein entities
- Brønnøysundregistrene: for Norwegian organisations
These registries process queries subject to their own terms and privacy arrangements. We do not share your identity with them.
7.3 Legal and regulatory
We may disclose personal data where required by law, to comply with a binding order of a court or competent regulator, or to enforce or defend our legal rights. Where permitted, we will notify you before disclosing.
8. International transfers
Personal data is stored and processed within the European Economic Area. Limited transfers of technical metadata may occur through globally distributed content delivery and DNS networks; such transfers are protected by the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, and/or the UK Addendum, as applicable. We do not transfer personal data to jurisdictions without an adequacy decision unless adequate safeguards are in place.
9. Retention
| Category | Retention period |
|---|---|
| Account data | For the duration of the account plus thirty (30) days after closure |
| Request logs | Thirty (30) days |
| Cached VAT registry responses | Up to thirty (30) days |
| Revoked API key records | Ninety (90) days, then deleted |
| Invoices and tax records (where applicable) | As required by applicable tax law (typically 6–10 years) |
At the end of the applicable retention period, personal data is deleted or irreversibly anonymised.
10. Security measures
- Encryption of personal data in transit using TLS 1.2 or higher;
- Encryption of personal data at rest, including AES-256 encryption provided by our database sub-processor;
- One-way cryptographic hashing of API keys using SHA-256, such that the raw key cannot be recovered from our systems;
- Strict HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) on all responses;
- Application-restricted OAuth 2.0 client credentials for server-to-server authentication with HMRC;
- Role-based access to infrastructure consoles, protected by multi-factor authentication;
- Automated security testing covering authentication bypass, path traversal, HTTP verb tampering, and common OWASP categories;
- Secret management via encrypted environment variables; credentials are never stored in source control.
11. Your rights
Under the UK GDPR and EU GDPR you have the following rights in respect of your personal data:
- Right of access (Article 15): to obtain confirmation of whether we process your data and a copy of it;
- Right to rectification (Article 16): to have inaccurate data corrected;
- Right to erasure (Article 17): commonly referred to as the “right to be forgotten”;
- Right to restrict processing (Article 18);
- Right to data portability (Article 20): to receive your data in a structured, commonly used, machine-readable format;
- Right to object (Article 21), including objection to processing based on legitimate interest;
- Right not to be subject to automated decision-making (Article 22).
To exercise any of these rights, please contact privacy@vatverify.dev. We respond within one month of a valid request, as required by Article 12 of the UK GDPR. We may ask you to verify your identity before disclosing personal data.
12. Complaints
You have the right to lodge a complaint with a supervisory authority. In the United Kingdom the competent authority is the Information Commissioner's Office (ICO), ico.org.uk. You may also approach the supervisory authority in the EU/EEA Member State of your habitual residence or place of alleged infringement. We encourage you to contact us first so we may attempt to resolve the matter directly.
13. Personal data breach notification
Where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 of the UK GDPR, and we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach in accordance with Article 33. You may report a suspected security incident at security@vatverify.dev at any time.
14. Children
The Service is directed at developers and businesses. It is not intended for use by children under the age of sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@vatverify.dev and we will promptly delete it.
15. Cookies and similar technologies
Our marketing website does not set advertising or tracking cookies. The Service (API) does not use cookies. The sign-in and sign-up pages embed Cloudflare Turnstile, which may store a short-lived strictly-necessary cookie or local-storage value to verify that a request originates from a real browser; this is not used for tracking and is removed when the verification token expires. We do not engage third-party advertising networks. If we introduce additional cookies in the future, we will update this Policy and, where required, obtain your consent in accordance with the Privacy and Electronic Communications Regulations 2003 (as amended).
16. Changes to this Policy
We may update this Policy from time to time. For material changes we will provide at least thirty (30) days' advance notice by email to the address associated with your account, and we will update the effective date at the top of this page. Your continued use of the Service after the effective date of a change constitutes your acceptance of the revised Policy, without prejudice to your rights under applicable law.
© 2026 vatverify. All rights reserved.