Privacy Policy
Last updated: 2026-06-20
1. Controller
The controller of your personal data is E-invoice BV, the legal entity operating peppol.sh. For any privacy question or request, contact us at hello@peppol.sh.
2. What we collect
We collect only what we need to run the service:
- Email address. Provided at signup. Used to identify your account, send transactional email, and contact you about your account.
- Name, email, and avatar from Google OAuth. When you sign in with Google we receive your profile name, email, and avatar URL. Used to identify you in the dashboard.
- IP address. Stored in our request log for security, abuse prevention, and debugging.
- Document payloads. The UBL invoice content you send through the API. We process and transmit these to deliver them over the Peppol network — they are the core payload of the service.
- Stripe customer and payment metadata. When you purchase credits, Stripe creates a customer record and shares limited metadata (customer ID, payment status, billing country, last 4 digits of the card) with us. We never see your full card number.
- Workspace, company, and audit-log records. Workspace name, company VAT and Peppol identifiers, team membership, and a security audit log of authentication and access-key events.
3. Legal bases (Art. 6 GDPR)
- Performance of a contract — creating and maintaining your account, processing payments, and sending Peppol documents on your behalf.
- Legitimate interest — keeping request logs and a security audit log to operate the service, prevent abuse, debug incidents, and meet our security obligations.
- Consent — product analytics, when and if enabled. Consent is opt-in and can be withdrawn at any time.
- Legal obligation — retaining Stripe-related billing records to comply with Belgian bookkeeping and tax law.
4. Retention
- Account data — for the lifetime of your account, plus 12 months after deletion to handle reactivation and dispute windows.
- Request logs (including IP) — 30 days.
- Document payloads — retained per your service agreement and applicable archival rules.
- Security audit log — 2 years.
- Stripe-required billing records — 7 years, as required by Belgian tax and accounting law.
5. Sub-processors
We use the following sub-processors to run the service. Each is bound by a data processing agreement.
- Cloudflare — Workers (compute), D1 (database), R2 (object storage), Email, Analytics Engine, Turnstile. Residency: EU. Traffic is kept within Cloudflare's EU enclave per their EU data residency configuration.
- e-invoice.be — Peppol access point provider that transmits documents over the Peppol network. Residency: Belgium (EU).
- Stripe — Payment processing for credit top-ups and invoicing. Residency: Ireland (EU) with parent processing in the United States. Transfers governed by Standard Contractual Clauses and the EU–US Data Privacy Framework.
- Google — OAuth identity provider for sign-in. We receive your name, email, and avatar. Residency: United States. Transfers governed by Standard Contractual Clauses and the EU–US Data Privacy Framework.
- Cloudflare Email Service — Transactional email (verification, receipts, notifications). Residency: EU.
- PostHog (planned) — Product analytics. Not currently enabled. When introduced, it will be gated on explicit consent. Residency: EU region (planned).
6. International transfers
Most processing happens within the EU. Two sub-processors (Google and Stripe) involve transfers to the United States. These transfers are governed by the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. We rely on the safeguards published by each provider and review them periodically.
7. Your GDPR rights
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (subject to legal retention obligations).
- Restrict or object to certain processing.
- Receive your data in a portable, machine-readable form.
- Withdraw consent at any time, where consent applies.
- Lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) at gegevensbeschermingsautoriteit.be.
To exercise any of these rights, email hello@peppol.sh. We respond within 30 days.
8. Cookies and tracking
Today we use only strictly necessary cookies (session, authentication, CSRF, and the Cloudflare Turnstile challenge). No third-party analytics or advertising cookies are set. Product analytics via PostHog is planned; if and when it is introduced, it will require your explicit consent before any analytics event is collected.
9. Security
Data is encrypted at rest in Cloudflare D1 and R2 and in transit over TLS. API keys are stored hashed; we never store them in plaintext. Authentication events, key creation, and other security-relevant actions are recorded in an audit log you can review from the dashboard.
10. Children
peppol.sh is a business-to-business service. It is not directed at children, and we do not knowingly collect personal data from anyone under 16.
11. Changes to this policy
We may update this policy as the service evolves. Material changes will be emailed to account holders before they take effect. The "Last updated" date at the top of this page always reflects the current version.
12. Contact
Questions, requests, or complaints about this policy or how we handle your data: please email hello@peppol.sh.
See our Terms of Service for service terms.