Privacy Policy
Last updated: 7 July 2026
This Privacy Policy explains how VATHack collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable EU privacy law.
Who we are
VATHack is an EU VAT compliance tool operated as a software-as-a-service product. Our service allows businesses to upload sales data, calculate VAT obligations across EU markets, and generate compliance reports.
For the purposes of GDPR, VATHack acts as a data controller for account data (name, email) and as a data processor for any sales data you upload for analysis.
What data we collect
Account data: your name and email address, obtained via Google Sign-In through Firebase Authentication. We do not store passwords.
Usage data: upload timestamps and file names, stored server-side to enforce plan limits and display your upload history.
Payment data: billing details are handled entirely by Stripe. VATHack never sees or stores your card number or full payment information.
Sales data (CSV uploads): your uploaded files are processed in server memory and raw transaction rows are never stored. A compliance grade and aggregate country totals derived from your upload are retained server-side as part of your upload history. Analysis results are also stored locally on your own device, tied to your account, erased automatically on sign-out, and expire after 90 days.
Technical data: IP address (used for rate limiting only, not stored long-term), browser type, and error logs via Sentry (anonymised where possible).
Why we collect it
To provide the service: account data is required to authenticate you and associate results with your account.
To enforce plan limits: upload counts are stored server-side to apply free-plan restrictions accurately.
To process payments: Stripe requires billing information to charge for paid plans.
To improve reliability: error logs help us identify and fix bugs. We do not use your sales data for any analytical or training purposes.
Legal basis (GDPR Article 6): processing account and usage data is necessary for the performance of a contract (Article 6(1)(b)); operating a secure service is our legitimate interest (Article 6(1)(f)); where you have opted in to analytics, processing is based on your consent (Article 6(1)(a)).
Data retention
Account data: retained for as long as your account is active. Deleted within 30 days of account deletion.
Upload history (file names, timestamps, and compliance summary): retained for as long as your account is active. Deleted within 30 days of account deletion.
Sales data (CSV content): raw transaction rows are never persisted — processed in memory and discarded after the analysis completes. Derived aggregates (compliance grade, country totals) are retained as part of your upload history.
Payment records: retained by Stripe per their own retention policy (typically 7 years for legal compliance). VATHack retains only a Stripe customer ID.
Error logs: retained for 90 days via Sentry, then deleted automatically.
Who we share data with
Firebase (Google): handles authentication. Your email and display name are stored in Firebase Auth.
Stripe: handles payment processing. Subject to Stripe's own Privacy Policy.
Resend: delivers transactional emails (e.g. VAT report emails you request). Your email address and report content are transmitted to Resend solely to fulfil the delivery. Email content is subject to Resend's own retention practices and your recipient's mailbox; VATHack does not control Resend's server-side retention.
Sentry: receives anonymised error reports to help us fix bugs.
PostHog: provides product analytics and session replay. Analytics are consent-gated — only activated if you accept tracking. All input fields and on-screen text are masked in session recordings; no sales data is transmitted. PostHog may store a pseudonymous user identifier.
Vercel: hosts the application. Processes request data (IP, headers) in transit but does not store your sales data.
We do not sell, rent, or share your personal data with any third party for marketing purposes.
Your rights under GDPR
Right of access: you can request a copy of all personal data we hold about you.
Right to rectification: you can ask us to correct inaccurate data.
Right to erasure: you can request deletion of your account and associated data.
Right to restriction: you can ask us to limit how we process your data.
Right to data portability: you can request your data in a machine-readable format.
Right to object: you can object to processing based on legitimate interests.
Right to withdraw consent: where processing is based on your consent (e.g. analytics), you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@vathack.org. We will respond within 30 days.
Cookies and local storage
We use browser localStorage (not cookies) to store your VAT analysis results locally on your device. Results are tied to your account, erased on sign-out, and expire automatically after 90 days. This data never leaves your browser.
Firebase Authentication uses session cookies to maintain your login state. These are strictly necessary and cannot be disabled while using the service.
If you accept analytics tracking, we use PostHog to collect anonymised product analytics and session replay. All input fields and rendered text are masked in recordings. You may withdraw consent at any time via the cookie banner. We do not use advertising cookies or tracking pixels.
Data transfers outside the EEA
Firebase (Google), Sentry, and PostHog may process data outside the EEA. Each operates under Standard Contractual Clauses (SCCs) approved by the European Commission.
Stripe is certified under the EU-US Data Privacy Framework.
We have configured our Firebase project to use the EUR3 (europe-west) region as the primary data location.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (if you have an account) or by posting a notice on the site.
Where a material change affects processing that requires consent, we will seek fresh consent before continuing that processing.
Contact & complaints
For any privacy questions or to exercise your rights, contact us at privacy@vathack.org.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Data Protection Commission (DPC), the supervisory authority for Ireland (dataprotection.ie), or your local data protection authority within the EU.