Data Privacy Policy (GDPR / DPA 2018)

Last updated: April 1, 2026. Governed by UK Data Protection Act 2018.

At vatcheck.tax, your privacy and data security are engineering priorities. This Privacy Policy outlines our strict boundaries regarding data collection, and rigorously defines our legal role under the General Data Protection Regulation (GDPR).

1. Data Processing Boundaries (Controller vs Processor)

Under GDPR, YOU (the user/company) act as the "Data Controller" when submitting VAT numbers or client details to our forms. vatcheck.tax acts strictly and solely as a "Data Processor". By using our bulk checking or API services, you warrant that you have the lawful basis to process the VAT numbers of your clients/suppliers.

Security Guarantee: We maintain a Zero-Retention architecture for VAT Search payloads.

Once a query is resolved against the HMRC/VIES database and your Audit Report is generated, the VAT strings and contextual payload are instantly purged from active memory. We DO NOT serialize, log, or store the VAT subjects you search for in any enduring database. Therefore, we cannot be subpoenaed to produce historical records of your specific queries.

2. Log Files & Essential Metadata

To operate the SaaS infrastructure securely, prevent Distributed Denial of Service (DDoS) attacks, and maintain rate limits, we temporarily collect standard web server metadata:

  • Anonymized Internet Protocol (IP) addresses
  • Browser User-Agent versions
  • Timestamps of API requests
  • Credit consumption metrics tied to your account ID
  • Authentication states via Firebase Identity

This metadata is strictly infrastructural and is purged periodically. It is definitively NOT linked to the actual VAT numbers or company names you search.

3. Third-Party Sub-Processors

To provide our service, we rely on audited enterprise sub-processors. We use Stripe (for payment processing and billing) and Google Cloud / Firebase (for hosting and encrypted authentication). We do not sell your account data to advertisers or data brokers under any circumstance.

4. Your GDPR Rights

If you are a resident of the EEA or UK, you have the right to access, rectify, or request deletion of your account data. For DPA/GDPR compliance inquiries, contact our Data Protection Officer.