Peppol OK

Privacy Policy

Last updated: March 2026

1. Introduction

This privacy policy explains how Peppol-OK ("we", "us", "our") collects, processes, and protects your personal data when you use our platform at peppol-ok.be. Peppol-OK is a SaaS platform operated by Radom UG (haftungsbeschränkt) that converts PDF invoices into Peppol BIS 3.0 compliant UBL XML files for the Belgian market.

We process personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Belgian Data Protection Act (Kaderwet of 30 July 2018).

2. Responsible Party (Data Controller)

The data controller responsible for processing your personal data is:

Radom UG (haftungsbeschränkt)

Managing Director (Geschäftsführer): Arber Lamce

Telemannstr. 2

60323 Frankfurt am Main, Germany

Email: support@peppol-ok.be

3. Data We Collect

3.1 Account Data

When you create an account, we collect your email address, password (stored as a bcrypt hash), and optionally your name and company name.

3.2 Invoice Data

When you upload a PDF invoice for conversion to Peppol BIS 3.0 UBL XML, we process the data contained in that invoice. This may include:

  • Invoice numbers and dates
  • Amounts, line items, and tax information
  • VAT numbers (BTW-nummers)
  • Company names and addresses
  • Bank account details (if present on the invoice)

3.3 Usage Data

We collect basic usage data such as IP address, browser type, and timestamps of requests for security and service-improvement purposes.

3.4 Payment Data

Payments are processed by Stripe. We do not store your credit card details. We only receive a payment confirmation, subscription status, and a Stripe customer identifier.

4. How We Use Your Data

We process your personal data for the following purposes:

  • To provide our core service: converting PDF invoices to Peppol BIS 3.0 UBL XML
  • To manage your account and authenticate your sessions
  • To process payments and manage subscriptions
  • To respond to your support requests
  • To comply with legal obligations (e.g., tax and accounting requirements)
  • To improve and secure our service

5. Legal Basis for Processing

We process your personal data based on the following legal grounds under the GDPR (Article 6(1)):

  • Performance of a contract (Art. 6(1)(b)): Processing invoice data is necessary to provide the conversion service you have requested.
  • Legitimate interest (Art. 6(1)(f)): Usage data is processed to maintain, secure, and improve our service.
  • Legal obligation (Art. 6(1)(c)): We may retain certain data to comply with tax, accounting, or other legal requirements.
  • Consent (Art. 6(1)(a)): Where required, we will ask for your explicit consent before processing data for additional purposes.

6. Third-Party Services

6.1 Azure OpenAI (Microsoft)

We use Azure OpenAI for AI-powered extraction of structured data from your uploaded PDF invoices. This processing takes place on Microsoft Azure servers in the EU (Sweden data center). Invoice content is sent to the Azure OpenAI API for extraction and is not used by Microsoft for model training. Microsoft acts as a data processor under a GDPR-compliant Data Processing Agreement (DPA).

6.2 Stripe

Stripe processes payments on our behalf. Stripe is certified under the EU-U.S. Data Privacy Framework. For details, see Stripe's Privacy Policy.

7. Data Storage and Retention

  • Uploaded PDF invoices are processed temporarily and discarded after conversion. When image-based extraction is required, temporary files are created during processing and automatically deleted immediately afterwards. No uploaded files are permanently stored.
  • Generated UBL XML files and conversion metadata are automatically deleted after 90 days.
  • Account data (email, hashed password, company details) is stored for the duration of your account. Upon account deletion, your data is removed immediately and irrevocably, along with all associated conversions and subscriptions.
  • Payment records may be retained for up to 7 years to comply with tax and accounting obligations.

All data is stored on servers located in Germany (European Union).

8. Cookies

Peppol-OK uses only strictly necessary technical cookies:

  • Session cookie: Maintains your authenticated session while using the application.
  • Authentication token: Securely identifies you across requests.

We do not use any third-party tracking cookies, analytics cookies, or advertising cookies. Because we only use technically essential cookies, no cookie consent banner is required under the ePrivacy Directive.

9. Data Security

We take appropriate technical and organisational measures to protect your personal data, including:

  • All data in transit is encrypted using SSL/TLS (HTTPS).
  • Passwords are hashed using bcrypt before storage.
  • All servers are located in Germany (European Union).
  • Access to production systems is restricted and monitored.
  • Uploaded invoices are processed temporarily and deleted immediately after conversion completes.

10. Your Rights Under the GDPR

Under the GDPR and the Belgian Data Protection Act, you have the following rights:

  • Right of access (Art. 15): Obtain a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct any inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Restrict how we process your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@peppol-ok.be. We will respond within 30 days.

11. Supervisory Authorities

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority.

Belgian Data Protection Authority

Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)

Drukpersstraat / Rue de la Presse 35

1000 Brussels, Belgium

Website: dataprotectionauthority.be

Hessian Data Protection Authority (responsible for the company)

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit

Postfach 3163

65021 Wiesbaden, Germany

12. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through a notice on the platform. The date at the top of this page indicates when the policy was last revised.

13. Contact

If you have any questions about this privacy policy or our data practices, please contact us:

Radom UG (haftungsbeschränkt)

Managing Director (Geschäftsführer): Arber Lamce

Telemannstr. 2

60323 Frankfurt am Main, Germany

Email: support@peppol-ok.be