Privacy Policy

Effective date: 1 February 2026

1. Introduction

PepCerto ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and services (the "Service").

This policy is designed to comply with the EU General Data Protection Regulation (GDPR).

2. Our role: controller vs. processor

It is important to understand our role in relation to your data.

  • You as controller: For personal and financial data you enter about your business and your clients (for example names, addresses, and contact details on invoices), you are the data controller. You are responsible for having a lawful basis to collect and process that data.
  • Us as processor: When we process the data you provide, we act as a data processor on your behalf. We only process that data in line with your instructions, which arise from your use of the Service.

For data we collect directly from you to create and manage your user account (for example your name and email address), we act as the data controller.

3. Information we collect

We collect the following types of information:

  • a) Personal data for account management: Information you provide when you register, such as your name, email address, company name, and payment information.
  • b) User-generated content: All data you enter into the Service, including invoice details, client information, product descriptions, and financial data.
  • c) Automatically collected data: We may automatically collect information about your device and use of the Service, including IP address, browser type, operating system, and pages visited. This is used for security, analytics, and service improvement.

4. Legal basis for processing

We only process your data when we have a lawful basis under the GDPR:

  • Performance of our contract with you: We process account management data and user-generated content to provide, maintain, and bill for the Service as described in our Terms and Conditions.
  • Legitimate interests: We process technical and usage data for legitimate interests such as network security, service improvement, analytics, and fraud prevention, where those interests are not overridden by your rights.
  • Consent: If we send you marketing communications, we will do so only with your explicit consent. You may withdraw consent at any time.
  • Legal obligation: We may process certain data to comply with legal, regulatory, or tax obligations.

5. How we share your information (sub-processors)

We do not sell your personal data. We only share it with trusted third parties that act as sub-processors to help us provide the Service. These include:

  • Peppol Access Point provider: We must share your invoice data with our certified third-party Access Point to transmit invoices to the Peppol network.
  • Cloud infrastructure: Our application and your data are hosted on servers from cloud providers located within the EEA.
  • Payment processor: We use payment processors for subscription payments. We do not store your full card details.
  • Email service provider: We use a third-party email service for verification emails, password resets, and service notifications.
  • AI provider (Anthropic Claude): For some features we use AI to process text and images, for example to extract data from invoices (e.g. when you use "AI Genereren" or PDF upload) or from receipt photos. Personal data (such as client names, email addresses, VAT numbers, addresses, and invoice numbers) is anonymised before being sent to the AI provider where technically feasible. Product or line descriptions are not necessarily personal data and may be sent as provided. For receipt photos, the image is sent to the AI service for extraction. We have a data processing agreement with this provider (see their privacy policy).

An up-to-date list of sub-processors can be provided on request. We have data processing agreements in place with our sub-processors.

6. International transfers

Most of your data is processed and stored on servers within the European Economic Area (EEA). Data may be transferred to providers outside the EEA, including the United States (for example for AI processing). This is done using the EU Commission's Standard Contractual Clauses (SCCs) or other safeguards permitted under the GDPR.

7. Data security

We implement appropriate technical and organisational measures to protect personal information, including encryption at rest and in transit, access controls, and regular security reviews.

8. Data retention

We retain your information for as long as your account is active or as needed to provide the Service. We also retain and use information where necessary to comply with legal obligations, resolve disputes, and enforce our agreements. You may request deletion of your account and associated data at any time.

When you cancel your account, you have a 30-day period to log in and export your data. After that period, your account and associated data are deleted in line with our retention policy. The Peppol identifier linked to your account is also deactivated by us after this period.

9. Your rights under the GDPR

You have the following rights regarding your personal data:

  • Access: You can request a copy of your personal data.
  • Rectification: You can ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): You can ask us to delete your personal data.
  • Restriction: You can ask us to limit processing of your data.
  • Data portability: You can ask us to transfer your data to another organisation.
  • Object: You can object to certain processing.

To exercise these rights, contact us at support@pepcerto.com.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a new effective date. We encourage you to review this policy regularly.

11. Contact

Questions about this Privacy Policy? Contact us at support@pepcerto.com.