Privacy Policy
Last updated: 15 May 2026
⚠️ Draft — not yet in force. This Privacy Policy is a work in progress and has not been finalised. It does not constitute a legally binding document at this time.
1. Who We Are
Peppolpdf ("we", "us", "our") is a trade name operated by two individuals based in Belgium. You can reach us at hello@peppolpdf.eu.
We are the data controller for account and usage data, and act as a data processor for PEPPOL XML content submitted via the API.
This policy applies to users of www.peppolpdf.eu and the Peppolpdf API.
2. What Data We Collect
Account data (controller)
- Contact name (optional) and email address collected at registration
- API key(s) issued to your account
Usage data (controller)
- API request logs: timestamp, endpoint called, response status, request size
- Request volume per API key, stored for rate limiting and billing purposes
- Error traces for debugging (via Sentry)
Submitted documents (processor)
- The original submitted PEPPOL XML and the full generated PDF are never stored. They are processed in memory and the PDF is returned directly in the API response.
- A PII-redacted copy of each generated PDF is stored for 3 days for quality assurance and internal debugging. Before storage, the following fields are replaced with anonymised placeholders: party names, postal addresses, VAT and company registration numbers, contact names, phone numbers, email addresses, bank account numbers, card numbers, and free-text description fields. Non-personal data is retained in the redacted copy: amounts, dates, currency codes, country codes, and document reference IDs.
- If a submitted XML fails validation, a copy of the invalid XML may be retained for up to 3 days to allow investigation of processing errors.
Contact and enquiry data (controller)
- When you submit the contact form or request-access form on our website, we collect your name, email address, company name (optional), and the content of your message or use case description.
- This data is transmitted via email to our internal address and is not stored in a database. It is used solely to respond to your enquiry.
- No third-party marketing platforms receive this data.
3. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the API service | Performance of a contract (Art. 6(1)(b)) |
| Billing and invoicing | Legal obligation (Art. 6(1)(c)) |
| Storing redacted PDFs for quality assurance | Legitimate interest (Art. 6(1)(f)) |
| Infrastructure security and log retention | Legitimate interest (Art. 6(1)(f)) |
| Error monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Processing contact and enquiry form submissions | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (if any) | Consent (Art. 6(1)(a)) |
As a processor of submitted document content, we rely on the contractual relationship with you (the controller) under Art. 28 GDPR.
4. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of contract + 7 years (Belgian accounting law) |
| API request logs (Railway) | 7 days |
| Error traces (Sentry) | 30 days |
| Usage/billing counters | Duration of contract |
| Redacted PDFs | 3 days, then automatically deleted |
| Failed validation XMLs | 3 days, then automatically deleted |
| Original submitted XML | Not retained — never stored |
| Full PDF with personal data | Not retained — never stored |
5. Sub-processors
We use the following sub-processors to deliver the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Account data, API key management, redacted PDF storage | EU |
| Sentry | Error monitoring | EU |
| Railway | Infrastructure hosting and logging | EU |
All sub-processors are bound by data processing agreements and operate within the EU/EEA.
6. Your Rights
Under GDPR and Belgian law (Wet van 30 juli 2018), you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data (right to be forgotten), subject to legal retention obligations
- Restrict processing in certain circumstances
- Data portability of your account data
- Object to processing based on legitimate interest
- Withdraw consent at any time where processing is consent-based
To exercise any of these rights, contact us at hello@peppolpdf.eu. We will respond within 30 days.
You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):
- Website: www.dataprotectionauthority.be
- Address: Rue de la Presse 35, 1000 Brussels
7. Security
We implement appropriate technical and organisational measures including API key authentication, HTTPS/TLS encryption in transit, rate limiting, and access controls. Original XML documents and full PDFs are processed exclusively in memory and are never written to disk. Redacted copies stored in Supabase are accessible only to authorised internal systems.
8. Cookies
We use the following cookies and similar technologies on our website:
- Session and authentication cookies (Supabase SSR) — strictly necessary for login and session management. Essential to the operation of the dashboard and cannot be disabled.
- UI preference cookie (
banner-dismissed) — stores whether you have dismissed the announcement banner. Expires after 1 year. Contains no personal data. - Vercel Analytics — a cookieless, privacy-first analytics service. It does not set cookies and uses aggregated, anonymised traffic data (page views, referrers). No personal data beyond what your browser transmits in a standard HTTP request (IP address, user-agent) is processed. See Vercel's Privacy Policy for details.
No tracking, advertising, or profiling cookies are used. Under Belgian law, a cookie consent banner is not required for strictly necessary cookies or cookieless analytics.
9. Changes to This Policy
We may update this policy. Material changes will be communicated by email to registered users at least 30 days before taking effect.