Privacy Policy

Last updated: 29 April 2026

This policy explains how PayVAT collects and uses your personal data, your rights, and how to contact us about either. We've written it in plain English. If anything is unclear, email privacy@payvat.ie.

1. Who we are

PayVAT is operated by the entity trading as PayVAT (the "data controller"), based in Ireland. References to "we", "us", and "our" mean PayVAT.

For privacy questions or to exercise any of your rights, contact us at privacy@payvat.ie.

2. What we collect and why

Account data

When you sign up we collect your email address and the name and VAT number of the business you represent. We use this to create and operate your account, send service notifications, and identify you when you sign in.

Legal basis: performance of the contract you enter into when you create an account.

Documents you upload

When you upload invoices, receipts, bank statements, or other documents, we store them in encrypted cloud storage scoped to your organisation. We process them with AI extraction services to read the figures and assign them to the right VAT3 box.

These documents may contain personal data of your customers and suppliers (names, addresses, transaction amounts). Where they do, you remain the data controller for that data — we act as your data processor.

Legal basis: performance of contract; for the embedded third-party data, you are responsible for the lawful basis under which you collected it from your customers.

Usage and security data

We log sign-in events and the IP address used for each one, and we keep a hash-chained audit trail of every state change in your account (each entry includes the hash of the entry before it, so any later alteration or removal of an entry is detectable). This is primarily a security and audit feature: it lets us (and you) prove who did what, when.

Legal basis: legitimate interest in protecting your account and our service.

Banking metadata (when you connect a bank feed)

If you connect your bank via TrueLayer, we store the encrypted OAuth token, the bank's account identifier, and the imported transaction lines. We do not see or store your online banking password or card numbers.

Legal basis: performance of contract.

Payment data

Subscription payments are handled by Stripe. PayVAT does not store your card number — Stripe holds that under their own privacy policy. We receive a token from Stripe to identify your subscription state.

Legal basis: performance of contract.

Communications

If you email us, we keep that correspondence so we can respond and follow up.

3. Sub-processors

We use a small number of carefully chosen sub-processors to deliver the service. Each is contracted under terms equivalent to our own, including the EU Standard Contractual Clauses where the processor is outside the EEA.

  • Vercel Inc. (United States) — application hosting and edge delivery.
  • Supabase Inc. (United States) — database, file storage, and authentication.
  • Anthropic PBC (United States) — AI document extraction. Documents are sent to Anthropic for processing and are not used to train their models (per their commercial API terms).
  • Mindee SAS (France) — secondary AI extraction tier (when activated).
  • Stripe Payments Europe Ltd. (Ireland, with processing in the United States) — subscription payments.
  • Resend Inc. (United States) — transactional email (welcome, account notifications).
  • Sentry Inc. (United States) — error monitoring (only when you've consented via the cookie banner).
  • Upstash Inc. (United States) — rate-limit state.
  • TrueLayer Ltd. (United Kingdom, regulated by the FCA) — open-banking connections, when you opt in.

We will give you 30 days' notice before adding a new sub-processor that has access to your documents. If you object, you can terminate your subscription with no penalty.

4. International transfers

Some of our sub-processors are based outside the European Economic Area, primarily in the United States. Where this is the case, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where available, the EU-US Data Privacy Framework, to provide an equivalent level of protection for your data.

5. How long we keep your data

  • Account data — for as long as your account is active, plus 30 days after closure.
  • Documents and the audit trail — Irish Revenue requires VAT records to be kept for 6 years. We retain documents for at least this period regardless of whether you close your account (because Revenue may audit historic returns).
  • Backups — encrypted database backups are retained on a 30-day rolling window.
  • Communications — emails to/from support are retained for 3 years.

6. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you (Article 15).
  • Correct inaccurate data (Article 16).
  • Erase your data (Article 17). Note that documents covered by the 6-year Revenue retention are kept even if you ask for erasure — this is a statutory exception.
  • Port your data to another controller in a machine-readable format (Article 20).
  • Restrict or object to processing in certain circumstances (Articles 18, 21).
  • Not be subject to fully automated decisions with legal effect (Article 22). Our AI extraction is review-and-approve — every figure is presented to you for confirmation before it lands in the VAT3 — so this article isn't engaged in normal use.
  • Withdraw consent for any processing that relies on consent (e.g. error-monitoring cookies) at any time.

To exercise any of these, email privacy@payvat.ie. We'll respond within 30 days.

7. Right to complain

If you believe we've handled your data unlawfully, you have the right to lodge a complaint with the Irish Data Protection Commission. We'd appreciate the chance to fix any issue first — please contact us before going to the regulator.

8. Security

We use industry-standard security controls: TLS for data in transit, AES-256 encryption at rest, bank-connection OAuth tokens encrypted with AES-256-GCM, row-level security policies that scope every database query to your own organisation, a hash-chained tamper-evident audit log, and least-privilege access controls for our team. We also run automated tests on every deployment to verify that these controls remain in place.
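To make the "hash-chained, tamper-evident audit log" claim concrete, the following is an added illustration written for this page; it is not PayVAT's own implementation, and the entry fields, the use of SHA-256 and the JSON canonicalisation are assumptions chosen for the example. Each entry commits to the hash of the previous entry, so editing or deleting any earlier entry breaks every hash after it.

```python
import hashlib
import json
from typing import Any, Dict, List

# Assumed conventions for this example (not PayVAT's): SHA-256 over a
# canonical JSON encoding, and a fixed all-zero "genesis" hash for entry 0.
GENESIS_HASH = "0" * 64
PAYLOAD_FIELDS = ("seq", "actor", "action", "ts")


def canonical(payload: Dict[str, Any]) -> bytes:
    """Deterministic encoding: sorted keys, no whitespace, so the same
    record always hashes the same way regardless of dict ordering."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, payload: Dict[str, Any]) -> str:
    """Hash of this entry = H(previous entry's hash || canonical payload)."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(payload)).hexdigest()


def append(log: List[Dict[str, Any]], actor: str, action: str, ts: str) -> Dict[str, Any]:
    """Append one state change, chaining it to the current head of the log."""
    prev = log[-1]["hash"] if log else GENESIS_HASH
    payload = {"seq": len(log), "actor": actor, "action": action, "ts": ts}
    entry = {**payload, "prev_hash": prev, "hash": entry_hash(prev, payload)}
    log.append(entry)
    return entry


def verify(log: List[Dict[str, Any]]) -> int:
    """Walk the chain from genesis. Return -1 if every entry is intact,
    otherwise the index of the first entry whose sequence number, back-link
    or hash does not match what the chain predicts."""
    prev = GENESIS_HASH
    for i, e in enumerate(log):
        payload = {k: e[k] for k in PAYLOAD_FIELDS}
        if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != entry_hash(prev, payload):
            return i
        prev = e["hash"]
    return -1


def build_sample_log() -> List[Dict[str, Any]]:
    """Constructed sample data for the example (not real account activity)."""
    log: List[Dict[str, Any]] = []
    append(log, "owner@example.ie", "upload_invoice:inv-0001", "2026-04-29T09:00:00Z")
    append(log, "owner@example.ie", "approve_extraction:inv-0001", "2026-04-29T09:02:10Z")
    append(log, "bookkeeper@example.ie", "submit_vat3:2026-Q1", "2026-04-29T09:30:45Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log verifies:", verify(log) == -1)

    # Silently rewrite who approved the extraction: the hash of entry 1 no
    # longer matches, so verification stops there.
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "someone-else@example.ie"
    print("first bad entry after edit:", verify(tampered))

    # Drop a middle entry: the next entry's seq and prev_hash both disagree.
    shortened = [log[0], log[2]]
    print("first bad entry after deletion:", verify(shortened))
```

One caveat a practitioner should keep in mind: a chain like this proves that no entry in the retained prefix was altered or removed, but it cannot by itself show that entries were dropped from the tail. That is why such logs are usually paired with a head hash that is published or shown to the account holder, so the latest hash they have seen can be compared with what the log currently ends with.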

9. Children

PayVAT is a B2B service intended for businesses. We do not knowingly collect personal data from children under 18.

10. Changes to this policy

We may update this policy from time to time. If we make a material change, we'll notify you by email at least 30 days before the change takes effect.

11. Contact

Questions or requests: privacy@payvat.ie.