Need a Data Processing Agreement (DPA)? Contact us at support@vatdb.com
1. General Information
This Privacy Policy explains how Nineties Engineering OÜ ("we", "our", "us") collects, uses, and protects personal data when you use vatdb.com, api.vatdb.com, and related services.
Data controller: Nineties Engineering OÜ, Sepapaja 6, 15551 Tallinn, Estonia.
2. EU Hosting and Data Residency
The VatDB API is hosted only in ISO 27001-certified data centers located in the European Union. API request and response data is processed and stored within the EU, and does not leave the EU.
3. Data We Collect
Depending on how you use the Service, we may collect:
- Account data such as name, email address, and company details
- Billing and subscription metadata provided during checkout (we do not store payment card numbers; these are handled directly by Stripe)
- API and audit data, including VAT numbers submitted, request metadata, and validation responses
- Contact form data such as name, email, phone (optional), and message content
- Technical and security data, including server logs and anti-abuse/captcha verification data
4. How We Collect Data
We collect personal data:
- Directly from you when you sign up, contact us, or use the API
- Automatically through service logs, cookies, and security systems
- From payment and infrastructure providers where necessary to deliver the Service
5. Legal Bases for Processing (GDPR)
We process personal data under one or more of these legal bases:
- Performance of a contract (providing your account, subscriptions, and API access)
- Legitimate interests (security, abuse prevention, service reliability, analytics)
- Legal obligations (tax, accounting, regulatory compliance)
- Consent, where required (for example, optional marketing communications)
6. How We Use Your Data
We use personal data to:
- Provide, operate, and maintain the Service
- Authenticate users and secure accounts
- Process payments and manage subscriptions
- Provide support and respond to requests
- Monitor reliability, detect abuse, and improve product performance
- Meet legal and regulatory obligations
8. Data Retention
We retain personal data only for as long as needed for the purposes described in this policy. Specific retention periods are:
- Account data (name, email, company details): duration of your account plus 30 days
- API and audit logs: duration of your account plus 30 days
- Billing and payment records: 7 years, as required by Estonian accounting law
- Server and security logs: 1 year
9. Security
We use technical and organizational safeguards designed to protect personal data from unauthorized access, disclosure, alteration, and destruction, including:
- Encryption in transit
- Access controls and least-privilege practices
- Monitoring and anti-abuse protections
- Secure infrastructure and operational controls
10. Cookies
We use only essential cookies for session management and authentication. Our analytics provider (Plausible) does not use cookies or collect personal data. You can control cookie settings through your browser.
11. Your Rights
Under GDPR, you may have the right to:
- Access your personal data
- Correct inaccurate or incomplete data
- Request deletion of your data
- Restrict or object to certain processing
- Request data portability
- Withdraw consent where processing is based on consent
You also have the right to lodge a complaint with your local supervisory authority. To exercise your rights, contact us using the details below.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Any updates will be posted on this page with a revised "Last updated" date.
13. Contact
If you have questions about this Privacy Policy or want to exercise your data protection rights, please contact us:
- Nineties Engineering OÜ
- Sepapaja 6, 15551 Tallinn, Estonia
- Email: privacy@vatdb.com
- Reg. No: 16206643
- VAT: EE102380424