PRIVACY

Privacy Policy

Last updated: April 2026

Who We Are

InvoicePeppol is operated by New Start Enterprises. We provide a web-based service that converts PDF invoices into structured e-invoice XML formats compliant with the EU EN 16931 standard.

Contact: [email protected]
Website: https://invoicepeppol.com

For GDPR purposes: Processor for invoice data, Controller for account/billing data.

What Data We Collect

Invoice Data (Short-Lived): Text extracted from PDFs (names, addresses, VAT numbers, IBAN/BIC, line items). Original PDFs are processed in memory and never stored. Parsed invoice data is retained for 1 hour after conversion to allow re-download from your dashboard, then permanently and automatically deleted.
Account Data: Email address and hashed password, auth session tokens.
Billing Data: Payment transaction references and subscription status. Card details handled entirely by Razorpay — never seen or stored by us.
Technical Data: IP address and browser user agent (security/rate limiting), session cookies (Secure, HttpOnly, 24-hour expiry).

How We Use Your Data

Purpose	Data Used	Legal Basis
Invoice conversion	Transient invoice content	Performance of contract (Art. 6(1)(b))
Account management	Email, password hash	Performance of contract (Art. 6(1)(b))
Payment processing	Email, transaction references	Performance of contract (Art. 6(1)(b))
Security and abuse prevention	IP address, session data	Legitimate interest (Art. 6(1)(f))
Legal and tax obligations	Billing records	Legal obligation (Art. 6(1)(c))
Website analytics	Anonymous usage data via Google Analytics 4	Consent (Art. 6(1)(a))

We do not use your data for profiling, automated decision-making, or marketing purposes.

Third Parties and Sub-processors

Provider	Purpose	Location
Vultr	Server hosting	Frankfurt, Germany (EU)
Cloudflare	CDN, DDoS protection, edge security	Global (EU primary); EU SCCs in place
Anthropic (Claude API)	AI-assisted data extraction from invoices	United States; EU SCCs in place
Razorpay	Payment processing	India; EU SCCs in place
Brevo	Transactional email delivery	France (EU)
Google LLC (GA4)	Website analytics (with cookie consent)	United States; EU SCCs in place

We will notify you at least 30 days in advance of any changes to this list. Full details are available in our Data Processing Agreement.

International Data Transfers

Invoice content transmitted to Anthropic's API (US) for AI extraction. Encrypted via TLS, processed transiently (not stored by Anthropic beyond API request), covered by SCCs. Payment processing via Razorpay (India), also covered by SCCs. Razorpay handles card data directly — we do not transmit card details.

Data Retention

Invoice PDFs: Never stored. Processed in memory and discarded immediately after conversion.
Parsed invoice data: Retained for 1 hour after conversion to allow re-download from your dashboard, then automatically and permanently deleted. We retain conversion metadata (filename, date, format, status) as part of your account history; this metadata contains no invoice content, customer details, or financial figures.
Account data: Retained while account active. Deleted within 30 days of account closure.
Billing records: Retained for period required by tax/accounting law (typically 7 years in Belgium).
Technical logs: Retained up to 90 days for security purposes.

Your Rights

Under GDPR, you have the right to: access, rectify, erase, restrict, port, object, and withdraw consent. Contact [email protected] — we will respond within 30 days.

Note: because we don't store invoice content, we cannot fulfil access/portability requests for already-processed invoice data.

Cookies

Cookie	Purpose	Duration
sessionid	User authentication	24 hours
csrftoken	CSRF protection	Session
cookie_consent	Records your cookie consent preference	1 year
_ga, _ga_*	Google Analytics 4 — anonymous usage statistics (only set if you accept cookies)	Up to 14 months

Analytics cookies (Google Analytics 4) are only placed after you give explicit consent via our cookie banner. If you decline, no analytics cookies are set. GA4 uses IP anonymization by default and we do not collect any personally identifiable information through analytics. Data retention in GA4 is set to 14 months. You can opt out at any time by clearing your cookies — the consent banner will reappear on your next visit.

Account Deletion

Request deletion at [email protected]. Account permanently deleted within 30 days, except billing records we are legally required to retain.

Children

This is a business service, not directed at individuals under 16. We do not knowingly collect data from children.

Changes to This Policy

Material changes will be communicated via email at least 30 days before taking effect.

Supervisory Authority

Belgian DPA: https://www.autoriteprotectiondonnees.be

Contact

InvoicePeppol — New Start Enterprises
Email: [email protected]