Privacy Policy
Last updated: March 30, 2026
1. Who We Are
EuroValidate is an API service operated from Portugal that validates European business data (VAT numbers, IBANs, EORI numbers, and company information). This policy explains how we handle data when you use our service.
2. Data We Collect
We collect the minimum data necessary to provide and improve our service:
- Account data: Email address and app/company name provided during registration.
- API usage logs: Request timestamps, endpoints called, response status codes, and response times. We do not log full IBANs, full API keys, or other sensitive values.
- Billing data: Stripe customer ID and subscription status. Payment details (card numbers) are handled entirely by Stripe and never touch our servers.
3. Data We Do Not Collect
- We do not store personally identifiable information (PII) beyond your email address.
- We do not track you across websites.
- We do not sell or share your data with third parties for marketing purposes.
4. How We Use Your Data
- To authenticate your API requests and enforce rate limits.
- To send transactional emails (verification, key delivery, billing).
- To monitor service health and debug issues.
- To bill for usage via Stripe Billing Meters.
5. Caching
We cache validation results from upstream government APIs to improve performance and reliability:
- VAT and EORI results: cached for 24 hours.
- IBAN validation results: cached for 1 hour.
- Company data (GLEIF): cached for 7 days.
Cached data is automatically purged after expiry. You may request an immediate purge by contacting us.
6. Data Storage and Security
All data is stored on servers located in the European Union (Hetzner, Germany). API keys are stored as SHA-256 hashes. All connections use TLS 1.2+.
7. Third-Party Services
8. Your Rights (GDPR)
As an EU-based service, we comply with GDPR. You have the right to:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17, “right to be forgotten”) — request deletion of your account and cached identifiers.
- Portability (Art. 20) — export your data in a machine-readable JSON format.
- Restriction & Objection (Art. 18, 21) — restrict or object to certain processing.
- Withdraw consent at any time (where processing is based on consent).
- Lodge a complaint with your national Data Protection Authority. In Portugal this is the Comissão Nacional de Proteção de Dados (CNPD).
8a. How to Exercise Your Rights (DSAR Process)
You have two ways to submit a Data Subject Access Request (DSAR):
- Self-service API — authenticated customers can call:
  - GET /v1/gdpr/export to download all data held for their account.
  - DELETE /v1/gdpr/data to purge a single cached identifier (VAT/IBAN/EORI/company).
  - DELETE /v1/gdpr/account to permanently deactivate the account.
- Email — send your request to [email protected]. Include enough information for us to identify your account (registered email, account name, or an API key prefix). We may ask for additional verification to protect against fraudulent requests.
We respond to all DSARs within 30 calendar days (GDPR Art. 12). Complex requests may be extended by a further 60 days with notice. DSARs are free of charge for the first request; repeated or manifestly unfounded requests may incur a reasonable fee.
If you are unhappy with our response, you may escalate to the CNPD or your local DPA.
9. Data Retention
Account data is retained while your account is active. After account deletion, we remove personal data within 30 days. Anonymized usage statistics may be retained indefinitely.
10. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated via email to registered users.
Contact
For privacy-related inquiries: [email protected]