1. Data Controller
The data controller for the personal data processed in connection with the eleata Peppol API service (the "Service") is a sole proprietor established in Italy (EU), trading as eleata.
- Privacy contact: privacy@eleata.io
- Security contact: security@eleata.io
- Postal address: available on written request for verified data subject requests, regulatory inquiries, or contractual purposes
Because the controller is established within the European Union, no Article 27 representative is required.
2. Scope
This Privacy Policy covers data we collect when you visit peppol.eleata.io, sign up for an account, use the API, the SDKs, or the GitHub Action.
3. Data we collect
3.1 Account data
- Email address (for magic-link authentication and billing)
- GitHub user ID and primary email (if you sign in with GitHub)
- Hashed API keys and key prefixes
- Account creation timestamp and last-login timestamp
3.2 Validation data
When you submit an XML invoice for validation, we process the document temporarily to run Schematron rules. We store the following metadata:
- SHA-256 hash of the file (for caching and deduplication)
- File size in bytes
- Format (Peppol BIS 3, XRechnung, Factur-X, or UBL)
- Validation result (valid/invalid + errors list)
- Duration of the validation
- Public report identifier (12-character code)
- Timestamp
The XML payload itself is automatically deleted within 72 hours of validation. Metadata is retained for billing reconciliation and usage statistics.
3.3 Billing data
Payment processing is handled by Stripe. We do not store credit card details. We store:
- Stripe customer ID
- Stripe subscription ID
- Plan tier and status
- Current billing period end date
3.4 Technical data
- IP address (for rate limiting, anti-abuse, and security logging)
- User-Agent string
- Request timestamps and HTTP status codes (audit logs)
4. Legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the Service (account, validation) | Contract performance (Art. 6(1)(b)) |
| Billing and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Rate limiting and security logging | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails (only if you opt in) | Consent (Art. 6(1)(a)) |
5. Where your data is processed
- Edge / TLS termination: Cloudflare global network, with EU-region edge nodes prioritised for EU traffic (Frankfurt, Amsterdam). Your request is decrypted and proxied to our origin server.
- Validation processing & storage: origin server in Argentina. Argentina is recognised by the European Commission as offering an adequate level of protection for personal data (Commission Decision 2003/490/EC of 30 June 2003, periodically re-confirmed under GDPR Art. 45). Personal data flowing from the EU to Argentina is therefore subject to the same legal regime as transfers within the EU/EEA — no Standard Contractual Clauses are required.
- Some subprocessors are located in the United States. Transfers to those entities are governed by EU Standard Contractual Clauses and (where applicable) the EU-US Data Privacy Framework. See /subprocessors/.
6. Subprocessors
We engage certain third-party data processors to operate the Service. The current list and contractual safeguards are published at /subprocessors/. Subscribers receive 30 days' notice of any new subprocessor through their account email.
7. Retention
- XML payloads: auto-deleted within 72 hours
- Validation metadata: 24 months (billing dispute window + audit)
- Account data: until account deletion + 30 days backup retention
- Billing data: 10 years (tax law)
- Audit logs (auth, API key changes): 12 months
8. Your rights (GDPR Art. 15-22)
- Right to access your data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to lodge a complaint with a supervisory authority
Exercise these rights by emailing privacy@eleata.io. We respond within 30 days.
9. Cookies and tracking
We use no marketing cookies and no third-party trackers. We use server-side analytics (Cloudflare Web Analytics, privacy-first and cookie-free) to measure aggregate usage. We use session cookies only for authentication and cross-site request forgery (CSRF) protection.
10. Security
- TLS 1.2+ enforced for all connections
- HSTS, CSP, and other security headers configured
- API keys stored as bcrypt hashes (never in plaintext)
- XML parsers configured against XXE, billion-laughs, and external DTD attacks
- Stripe webhook signatures verified before processing
- Disk encryption at rest at the data centre level
11. Data breach notification
In the event of a personal data breach affecting you, we will notify you without undue delay and within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33–34.
12. Contact and complaints
Questions: privacy@eleata.io.
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with the data protection authority of your country of residence (e.g. Garante in Italy, CNIL in France, BfDI in Germany, AEPD in Spain).
13. Changes
We will notify subscribers of material changes via email at least 30 days in advance. The version and date at the top of this page indicate the latest revision.