VAT Ai (hereinafter referred to as “we” or “us” or “our”) respect and protect the privacy and personal information of all users (hereinafter referred to as “you” or “your”), and will treat them with high diligence and prudence.
Your trust is very important to us. As such, we will take appropriate security measures in accordance with the General Data Protection Regulation (hereinafter referred to as the “GDPR”) and other applicable laws and regulations to provide maximum protection for the security and confidentiality of your information.
This policy will help you understand the options provided by us for you to access, update, control and protect your information as well as how we may collect, use, store and share your information when you use our products or services.
Please carefully read and fully understand and accept this Privacy Policy before use of our products or services. By using our products or services, you agree to our collection, use, storage and sharing of your information as stated in this Privacy Policy.
This Privacy Policy will help you understand:
Data controller
Scope
Information We May Collect (including Personal Data)
Why do We Process your Personal Data, what are the Legitimate Bases and what are the Storage Periods for the processing of your personal data?
How We Store Your Information
Who is hosting your Personal Data
How We Protect Your Information
What are Your Rights
Sharing and External Provision of Information
Sensitive Information
Changes to this Policy
How to Contact Us
Your personal data are processed by VATAI Technology SRL (“VATAi” or “VAT Ai”), whose registered office is located at 56 Avenue Franklin Roosevelt 1050, Bruxelles, Belgium (hereinafter referred to as “we” or “us” or “our”).
VATAi is mainly engaged in providing one-stop compliance services, including but not limited to those necessary or desirable for the making of registration and reporting pursuant to VAT, EPR and other compliance requirements, through our web applications and related software.
This Privacy Policy applies to all products and services provided by us, which include page view and website login services, VAT, EPR and other relevant services provided through the applications or software developed by us, and other services to be offered and upgraded by us in the future, and also include the foregoing services (i.e. advertising services) that are provided on other products or websites, but exclude the products and services subject to separate privacy policies (not incorporated into this Privacy Policy).
In order to provide you with platform-related services and ensure service quality, we may collect the following information provided and authorized by you when you register for, purchase and use our products and services or generated as a result of your use of our products and services:
User data: Including, without limitation, the name, email address, phone number, contact address and other information provided by you.
Enterprise information: Including, without limitation, the general information (enterprise name, address, registration number, payment information, etc.) of your enterprise and the information (name, phone number, contact address, etc.) of the legal representative of your enterprise provided by you, the data processed, stored, uploaded, downloaded and otherwise acquired or processed when you register for, purchase and use our products and services, and other enterprise information provided by you.
Device or software information: We may collect information specific to your devices or software (e.g. hardware model, operating system version, unique device identifier and mobile network information including phone number), and we may associate your device identifier or phone number with your account.
Log information: We may automatically collect and store in server logs certain information when you use our services or view the contents provided by us. This may include details of how you used our services, e.g. the contents you searched for and inquired, computer log information, phone log information, etc.
IP address and device event information: Such as crashes, system activities, hardware settings, browser type, browser language, date and time of your requests and referral URL, and the Cookies that may uniquely identify your browser or account.
If you are an individual in the European Economic Area (EEA), the personal data you provide to VATAi may be processed for the purposes listed below and on the legal basis indicated.
VATAi ensures that the processing of your personal data is organized in a lawful manner and in accordance with Article 6 of the GDPR.
Your personal data are stored for as long as is necessary to achieve the purpose for which they were collected and, in any case, until the expiry of the legal retention periods, in particular for tax and accounting purposes and until the end of the limitation period for contractual liability.
We will delete your information in our possession upon your request, or anonymize your information in accordance with the applicable laws, regulations and standards, if:
they are no longer necessary for the purpose for which they were collected; or
you have validly exercised your right to erasure; or
you have withdrawn your consent, when the processing is based on the consent as legal basis.
Below we detail the specific legitimate bases and the storage periods of personal data in relation to those legitimate bases:
We will share your information with our suppliers, service representatives, or tax officials in order for us to provide services for you, provided that the security of information is guaranteed.
The legal basis of this processing is: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6.1.b GDPR).
This data is kept until the end of the period of prescription of the obligations in relation to the contract.
If the data subject is not party to the contract (e.g. in the case of an employee of a user), the legal basis of this processing is: the legitimate interests pursued by the controller or by a third party (art. 6.1.f GDPR). It is the legitimate interest of VATAi to be able to provide the requested services.
We will use your information for identity authentication, customer services, security protection, fraud monitoring, archiving, backup and other purposes in the course of provision of services to ensure the security of the products and services we provide for you.
The legal basis of this processing is: the legitimate interests pursued by the controller or by a third party (art. 6.1.f GDPR). It is the legitimate interest of VATAi to be able to ensure the security of its business operations.
This data is kept for 10 years.
We will use your information to help us improve existing products and services, develop new functions and provide you with better services; and to enable us to better understand your personalized demands and provide you with customized services.
The legal basis of this processing is: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6.1.f GDPR). It is VATAi’s legitimate interest to collect personal data necessary for analytical purposes to improve your experience.
This data is kept for 10 years.
We may combine your information from a service with the information from other services provided by us in order to provide you with more comprehensive and better services and products.
The legal basis of this processing is: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6.1.f GDPR). It is VATAi’s legitimate interest to collect personal data necessary to enhance its services and products.
This data is kept for 10 years.
We will use your information to recommend products and services to you, conduct market investigations and analyze information and data.
The legal basis of this processing is: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6.1.f GDPR). It is VATAi’s legitimate interest to collect personal data necessary for analytical purposes to improve your experience and market VATAi’s products and services.
This data is kept for 10 years.
In order to provide you with a better experience, improve our services or for any other purpose consented to by you, we may use the information collected from one or several services in other services provided by us, in the form of aggregated or depersonalized information, subject to compliance with the GDPR and other relevant laws and regulations.
The legal basis of this processing is: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6.1.f GDPR). It is VATAi’s legitimate interest to collect personal data necessary for analytical purposes to improve your experience.
This data is kept for 10 years.
Local storage: we may collect and use mechanisms such as browser web storage (including HTML 5) and application data caches to locally store the information (including personal information) that is on your devices and that is provided to us by you when you use our products or services.
Cookie and anonymous identifier: we and our partners use various technologies to collect and store your information when you use our services, and this may include sending one or more cookies or anonymous identifiers to your device. We will use cookies or anonymous identifiers when you interact with the services we provide for
Cloud syncing service: This Privacy Policy is also applicable to your use of our products, services and websites capable of cloud syncing. Through our cloud syncing function, you may use certain internet services, including storing on your compatible device and computer and making accessible the contents you synchronized to the cloud. Once you enable the cloud syncing function, the contents you synchronized to the cloud will be automatically sent to us for storage. Then you may access these contents or wirelessly push them to your other devices or computers in which the cloud syncing function is enabled. You understand and agree that we may collect, use, store and share your information through cloud service in accordance with the conditions set forth in this Privacy Policy, provided that we guarantee the security of your information.
Your personal data is hosted by VATAi, which may itself use a qualified subcontractor with servers located within the European Economic Area (EEA). VATAi uses the service of AWS in Germany (Amazon Web Services).
These hosting solutions offer security to guarantee the confidentiality, availability and integrity of the data. The chosen subcontractor also undertakes, under the same conditions, to carry out or have carried out a backup of your data in conditions that guarantee its security and integrity, and to protect it from any damage that may occur on the servers.
We use various security technologies and procedures to protect your information against loss, misuse, as well as unauthorized access or disclosure. For example, we use encryption technologies (e.g. SSL) to protect your information in certain services.
We develop a special management system, process and organization to protect information security. For example, we strictly restrict the scope of personnel having access to information, require the personnel to comply with the obligations of confidentiality and audit their compliance.
We develop contingency plans for cyber security incidents related to information security and timely respond to system vulnerability, computer virus, cyber attack, cyber intrusion and other security risks. In case of disclosure and loss or threatened disclosure and loss of information, we will:
immediately take remedial measures and timely inform the users of the handling of the information security incident in accordance with the laws and regulations and the requirements of regulatory authorities;
immediately initiate the contingency plan for the cyber security incident, investigate and evaluate the incident, and take technical and other necessary measures to eliminate potential security risks and prevent further risks; and
timely inform the affected data subjects of the incident through email, letter, telephone, push notification or otherwise. When it is not easy to inform the data subjects individually, we will reasonably and effectively issue a related warning to the public.
We take reasonably practical measures to avoid collection of irrelevant information and retain your information for the minimum period that is necessary for the purpose of this Privacy Policy, unless a longer period is required or permitted by law.
When your data need to be transferred to a third party in any other country or region as required by our business and as a result, some privacy and data protection regulations of the local government need to be observed, we will strictly follow the data export standard and requirements and sign a data protection agreement with the third party to protect your data and privacy.
But please understand that due to technical limitations and various possible malicious methods, information security cannot be fully guaranteed in the internet industry even if security measures are strengthened to the maximum extent possible. So you should understand that the systems and communication networks used by you to access our services may fail due to factors beyond our control.
According to Chapter 3 of the GDPR, when applicable, you are entitled to:
withdraw your consent from the personal data processing at any time;
access the information processed;
rectify the inaccurate personal data without undue delay;
erase all your personal data processed without undue delay;
restrict the processing of personal data;
exercise the right to data portability;
object to the processing of your personal data;
not be the object of automated individual decision-making.
When the processing is based on our legitimate interest for direct marketing purposes, you have the right to object at any time to the processing of personal data.
To exercise your rights, please contact us at +49 160 6395108 or send your demand to our postal address: 56 Avenue Franklin Roosevelt 1050, Bruxelles.
We try to respond to all legitimate requests within thirty (30) days and will contact you if we need additional information from you in order to honor your request. Occasionally it may take us longer than thirty (30) days, taking into account the complexity and number of requests we receive. We will inform you in such case and the deadline of our response will be extended by a maximum of two (2) months.
Where requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may:
charge a reasonable fee which takes into account the administrative costs incurred in providing the information, making the communication or taking the action requested; or
refuse to comply with such requests.
The onus is on us to demonstrate that your request is manifestly unfounded or excessive.
If you contact us, we will need sufficient information from you to establish your identity and to verify your access request, and also to assist us in handling your requests.
You may also contact the competent Data Protection Authority if you consider that the processing of your personal data by VATAi is not compliant with data protection rules.
You may find the Data Protection Authorities of your country on the website of the European Data Protection Board (EDPB): https://edpb.europa.eu/about-edpb/about-edpb/members_en#member-be.
You understand and agree that we may share with, transfer to or disclose to our partners and/or third parties your information under the following circumstances:
We may share your information with partners and third-party service providers, contractors and agents for:
providing our and our partners’ products and services to you;
carrying out the purposes described in Section of this Privacy Policy;
performance of our obligations and exercise of our rights under this Privacy Policy; and
understanding, maintenance and improvement of our services.
You know and understand that your information may be transferred outside Germany, but we will take necessary measures in strict accordance with the GDPR and the requirements of relevant national laws and regulations to guarantee that the recipient processes your information at the level of protection required in this Privacy Policy and the relevant laws and regulations. Any transfer of personal data to a third party outside the EU/EEA will be made to a country benefitting from an adequacy decision by the European Commission or, if this is not the case, will be made on the basis of the EU model clauses or similar safeguards such as binding corporate rules.
We may carry out consolidation, acquisition, asset assignment or similar transactions as we continue to develop our business. Your information may be transferred as part of such transactions, but prior to the transfer, we will notify you and will require the recipient to continue to be bound by this Privacy Policy or obtain your authorization and consent with respect to the transfer.
We may also, and you understand and agree that we do not need to obtain your authorization and consent before we retain, keep, share, transfer or disclose your information for:
compliance with the GDPR and other laws and regulations relating to data protection;
compliance with any court judgement, verdict or other legal procedure;
compliance with the requirements of the relevant government agencies; and
other purposes reasonably necessary for the compliance with applicable laws and regulations, protection of social and public interests, or protection of personal and property safety or legitimate rights and interests of our customers, other users or employees.
Without disclosing the privacy data of any single user or with prior authorization of the relevant users, we and (or) our partners are entitled to carry out deduction, calculation, analysis, combing and mining on the whole user database, and use the user database for commercial purposes based thereon. We warrant that we will not make publicly available or provide any third party with the registration information of any user and the non-public contents that any user provides to us and that are stored by us as part of the user’s use of our network services, unless with prior consent of the user.
Subject to your prior consent, we may share your personal information with our partners and/or third parties.
We will limit your information that we share with our partners and/or third parties to that required by them to provide services, and will protect the security of your information through encryption, anonymization or otherwise.
Some of your information may be deemed as sensitive personal information because of its particularity, such as your race, religious belief, political views, labor union membership, health and medical information, bank account, property information, credit information, ID number, transaction information, etc., which require stricter protection than other information. We will strictly follow the rules and requirements of the GDPR concerning processing of sensitive information. We will share with other persons your sensitive personal information only with your express consent or in conformity with our legal obligations and try our best to make sure the recipient is fully capable of guaranteeing the security of your information.
Revisions may be made to the terms of this Privacy Policy at such time as we deem appropriate, which will form part of this Privacy Policy.
We will notify you of any revision prior to the effective date thereof by posting a notice at a prominent position of the home page on our website or sending to you an email or a private message or otherwise. Your continued use of our services means that you agree to be bound by the revised Privacy Policy.
If you have any question, comment, suggestion or complaint about this Privacy Policy or our data processing, you may contact us according to the contact information below:
We will generally reply to you within thirty days upon receipt of your question, comment or suggestion (see clause VIII.b).