Privacy Policy

Last updated: March 16, 2026

1. Who We Are

Vatly is a product of De Jongh Software Development (KVK 84251352), a sole proprietorship registered in the Netherlands. References to "we", "us", or "our" in this policy refer to De Jongh Software Development, trading as Vatly. We act as the data controller for personal data processed through our API service for validating VAT and GST numbers. We are established in the European Union and subject to EU data protection law, including the General Data Protection Regulation (GDPR).

Contact us at hello@vatly.dev for any privacy-related questions.

2. What Data We Collect

Account data

When you create an account, we collect your name and email address through our authentication provider, Clerk. If you sign in with Google or another OAuth provider, we receive the profile information you authorize.

Billing data

If you subscribe to a paid plan, payment information is collected and processed directly by Stripe. We do not store credit card numbers or bank account details. We receive your billing email, subscription status, and payment history from Stripe.

API usage data

We log API requests, including the endpoint called, the VAT number queried, your API key identifier (not the key itself), response status, and timestamp. API keys are stored as SHA-256 hashes.

Analytics data

We use Vercel Analytics to collect anonymized usage data about how you interact with our website and dashboard. This includes page views, device type, and approximate location. No personally identifiable information is collected through analytics.

3. Why We Collect It

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): To provide and maintain your account, process payments, and deliver the API service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): To prevent abuse, enforce rate limits, improve our service, and maintain security. Our legitimate interest does not override your fundamental rights.

4. How We Use Your Data

  • Providing and maintaining the VAT validation API service
  • Processing payments and managing subscriptions
  • Preventing abuse and enforcing rate limits
  • Sending transactional emails about your account or service changes
  • Improving the reliability and performance of our service

We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising, profiling, or any purpose other than providing and improving the Service. We do not send marketing emails without your explicit consent.

5. Data Retention

  • Account data: Retained for as long as your account is active. When you delete your account, all account data is immediately and irreversibly deleted.
  • Validation history and API usage data: Retained for as long as your account is active. When you delete your account, all validation history and usage records are immediately and irreversibly deleted.
  • Billing records: Retained as required by applicable EU tax law (typically 7 years). Billing data is stored and managed by Stripe. Deletion of your Vatly account does not affect records that Stripe is legally required to retain.

6. Account Deletion

You can delete your account at any time from your dashboard settings. When you delete your account, the following happens immediately and irreversibly:

  • Your account information is permanently deleted.
  • All API keys are deactivated and their records are permanently deleted.
  • All VAT validation history is permanently deleted.
  • All usage records are permanently deleted.
  • Any active Stripe subscription is cancelled automatically.

This action cannot be undone. We recommend exporting your data before deleting your account (see Section 9).

7. Third-Party Processors

We use the following third-party services to operate Vatly:

  • Clerk (US): Authentication and user management. DPA in place.
  • Stripe (US): Payment processing and subscription management. DPA in place.
  • Vercel (US): Hosting, serverless functions, and analytics. DPA in place.
  • Neon (US): PostgreSQL database hosting. DPA in place.

8. International Data Transfers

Some of our processors are based in the United States. We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

9. Your Rights

Under the GDPR (Articles 15 through 22), you have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Request correction of inaccurate data.
  • Erasure (Art. 17): Request deletion of your personal data. You can delete your account and all associated data directly from your dashboard settings (see Section 6).
  • Portability (Art. 20): Request your data in a structured, machine-readable format. You can export all your data as a JSON file directly from your dashboard settings. The export includes your account information, API key identifiers, full validation history, and usage records.
  • Restriction (Art. 18): Request that we limit processing of your data.
  • Objection (Art. 21): Object to processing based on legitimate interest.

To exercise any of these rights, contact us at hello@vatly.dev. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Cookies

Vatly uses only essential cookies required for authentication (provided by Clerk). We do not use marketing cookies, tracking cookies, or third-party advertising cookies. No cookie consent banner is required because we only use strictly necessary cookies.

11. Security

We take the following measures to protect your data:

  • API keys are stored as SHA-256 hashes, never in plain text.
  • All data in transit is encrypted via HTTPS/TLS.
  • All data at rest is encrypted by our database provider.
  • Access to production systems is restricted and logged.

12. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by placing a notice on our website at least 30 days before the changes take effect.

13. Contact

For any questions about this privacy policy or our data practices, contact us at hello@vatly.dev.