Privacy Policy

VATHack is an EU VAT compliance tool operated as a software-as-a-service product. Our service allows businesses to upload sales data, calculate VAT obligations across EU markets, and generate compliance reports.

For the purposes of GDPR, VATHack acts as a data controller for account data (name, email) and as a data processor for any sales data you upload for analysis.

Account data: your name and email address, obtained via Google Sign-In through Firebase Authentication. We do not store passwords.

Usage data: upload timestamps and file names, stored server-side to enforce plan limits and display your upload history.

Payment data: billing details are handled entirely by Stripe. VATHack never sees or stores your card number or full payment information.

Sales data (CSV uploads): your uploaded files are processed in server memory to calculate VAT and are never written to a persistent database. Results are stored only in your own browser's localStorage — not on our servers.

Technical data: IP address (used for rate limiting only, not stored long-term), browser type, and error logs via Sentry (anonymised where possible).

To provide the service: account data is required to authenticate you and associate results with your account.

To enforce plan limits: upload counts are stored server-side to apply free-plan restrictions accurately.

To process payments: Stripe requires billing information to charge for paid plans.

To improve reliability: error logs help us identify and fix bugs. We do not use your sales data for any analytical or training purposes.

Legal basis (GDPR Article 6): processing is necessary for the performance of a contract (Article 6(1)(b)) and our legitimate interests in operating a secure service (Article 6(1)(f)).

Account data: retained for as long as your account is active. Deleted within 30 days of account deletion.

Upload history (file names and timestamps): retained for 12 months, then automatically purged.

Sales data (CSV content): never persisted — processed in memory and discarded immediately after the analysis response is returned.

Payment records: retained by Stripe per their own retention policy (typically 7 years for legal compliance). VATHack retains only a Stripe customer ID.

Error logs: retained for 90 days via Sentry, then deleted automatically.

Firebase (Google): handles authentication. Your email and display name are stored in Firebase Auth.

Stripe: handles payment processing. Subject to Stripe's own Privacy Policy.

Sentry: receives anonymised error reports to help us fix bugs.

Vercel: hosts the application. Processes request data (IP, headers) in transit but does not store your sales data.

We do not sell, rent, or share your personal data with any third party for marketing purposes.

Right of access: you can request a copy of all personal data we hold about you.

Right to rectification: you can ask us to correct inaccurate data.

Right to erasure: you can request deletion of your account and associated data.

Right to restriction: you can ask us to limit how we process your data.

Right to data portability: you can request your data in a machine-readable format.

Right to object: you can object to processing based on legitimate interests.

To exercise any of these rights, email us at privacy@vathack.com. We will respond within 30 days.

We use browser localStorage (not cookies) to store your VAT analysis results locally on your device. This data never leaves your browser.

Firebase Authentication uses session cookies to maintain your login state. These are strictly necessary and cannot be disabled while using the service.

We do not use advertising cookies, tracking pixels, or third-party analytics.

Firebase (Google) and Sentry may process data outside the EEA. Both operate under Standard Contractual Clauses (SCCs) approved by the European Commission.

Stripe is certified under the EU-US Data Privacy Framework.

We have configured our Firebase project to use the EUR3 (europe-west) region as the primary data location.

We may update this Privacy Policy from time to time. We will notify you of material changes by email (if you have an account) or by posting a notice on the site.

Continued use of VATHack after changes are posted constitutes acceptance of the updated policy.

For any privacy questions or to exercise your rights, contact us at privacy@vathack.com.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national DPA within the EU).