Privacy Policy
Last updated: May 10, 2026
1. Who we are
TaxID ("we", "us", "our") provides an EU VAT number validation API service. We operate under EU data protection law (GDPR) and take the privacy of our users and their customers' data seriously.
Data controller: TaxID
Contact: privacy@taxid.dev
2. Data we collect
Account data
When you sign up, we collect: name, email address, and authentication provider (Google or email/password). This data is stored in Firebase Authentication and Firestore.
Usage data
We collect aggregate usage statistics: number of API requests per month, requests by endpoint, requests by country code. We do not log individual VAT numbers you validate beyond what is necessary for caching and rate limiting.
VAT validation data
VAT validation requests are hashed (SHA-256) before caching in Redis. The plaintext VAT number is transmitted to the EU VIES system (operated by the European Commission) for validation, but is not stored permanently in our database.
Payment data
Payment processing is handled by Stripe. We store only your Stripe Customer ID and subscription status. We never store card numbers or full payment details.
Analytics
We use Plausible Analytics, a privacy-first analytics provider that does not use cookies and does not collect personal data or persistent identifiers. No consent banner is required.
3. Legal basis for processing
- Contract performance: Processing your account data to provide the API service
- Legitimate interests: Aggregate usage analytics to improve the service
- Legal obligation: Retaining billing records as required by tax law
4. Data retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion
- Redis cache (VAT hashes): 24-hour TTL, auto-expired
- Usage stats: Retained for 12 months in Firestore
- Billing records: 7 years as required by EU accounting law
5. Your GDPR rights
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Delete your account and associated data
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
To exercise any right, email privacy@taxid.dev. We will respond within 30 days.
6. Third-party processors
| Provider | Purpose | Location |
|---|---|---|
| Firebase (Google) | Auth + Firestore database | EU (belgium-west1) |
| Upstash | Redis caching | EU (Frankfurt) |
| Stripe | Payment processing | US (with EU DPA) |
| Resend | Transactional email | US (with EU DPA) |
| Vercel | Hosting + CDN | US / EU edge |
| Plausible Analytics | Privacy-first analytics | EU (Estonia) |
7. Cookies
We use a single HttpOnly session cookie (`__session`) to maintain your login state. This cookie contains only your Firebase User ID — no personal data. Plausible Analytics does not use cookies. No cookie consent banner is required.
8. Changes to this policy
We will notify active users of material changes to this policy by email. Continued use of the service after changes constitutes acceptance of the updated policy.
9. Contact
For privacy questions or to exercise your rights:
privacy@taxid.dev