
Privacy Policy

Last updated: April 2026

🇩🇪 GDPR-Compliant Data Processing

We process personal data in accordance with the General Data Protection Regulation (GDPR / DSGVO) and applicable German law. Our data controller is based in Hamburg, Germany.

1. Data Controller

The entity responsible for the collection and processing of your personal data on this website is:

GetMyVAT.com

represented by Shruti Kumawat

Wielandstr. 13

22089 Hamburg

Germany

Phone: +49 (0) 176 70176211

Email: info@getmyvat.com

VAT ID: DE324574630

If you have any questions about how we handle your personal data, please contact us directly at the address above.

2. Data We Collect

We only collect data that is necessary for the purposes described in this policy (data minimisation principle, GDPR Art. 5(1)(c)).

Contact Form & Email Enquiries

  • Name and surname
  • Email address
  • Company name (optional)
  • Message content
  • Timestamp of submission

Waitlist Sign-up

  • Email address
  • Timestamp of sign-up
  • Referral source (URL parameter, if present)

AI Chat Widget

  • Conversation messages (text content)
  • IP address (for rate limiting — stored server-side, not linked to personal profile)
  • Name and email address (only if voluntarily provided for human handoff)
  • Timestamp of conversation
  • Session identifier (randomly generated, not linked to identity)

Platform Users (when platform is live)

  • Account registration data: name, email, company name, business address
  • VAT identification numbers and tax registration details
  • Sales transaction data imported from connected channels (Amazon, Shopify, eBay, etc.)
  • Billing and payment details (processed by Stripe — we do not store card data)
  • Documents uploaded for VAT filings
  • Communication with our team and tax advisors

Website Analytics

  • IP address (anonymised)
  • Browser type and version
  • Operating system
  • Pages visited and time on page
  • Referring URL
  • Country/region (derived from anonymised IP)

Automatically Collected Technical Data

  • Server access logs (standard web server logs — retained for up to 7 days for security purposes)
  • Cookie identifiers (see Section 7)

4. How We Use Your Data

Respond to Enquiries: We use contact form data and chat conversations to respond to your questions and requests. We do not use enquiry data for marketing without your separate consent.
Provide VAT Compliance Services: For platform users: we use your transaction data, VAT numbers, and account information to calculate VAT obligations, prepare filings, and coordinate with licensed tax advisors on your behalf.
Waitlist & Pre-Launch Communication: We use your email address to send updates about the platform launch and related information. You can unsubscribe at any time via the link in any email we send.
Platform Improvement: We analyse aggregate, anonymised usage data (not individual profiles) to understand how visitors use the site and improve functionality.
Billing & Subscription Management: We use account information to manage subscriptions. Payment data is processed directly by Stripe — we only receive a confirmation token.
Legal Compliance: We may retain and disclose data to the extent required by German law, including tax record retention obligations under § 147 AO.
Security & Fraud Prevention: Server logs and IP data are used to detect and prevent unauthorised access, abuse, and fraud.
We never sell your personal data to third parties. We do not use your data for targeted advertising or profiling.

5. Data Sharing & Recipients

We share your data only in the following limited circumstances:

Licensed Tax Advisors (VAT Steuerberater)

When you use our full-service or tax advisor coordination features, we share the relevant business and transaction data with the licensed tax advisor appointed to handle your filings. This is necessary for the performance of your service contract. Advisors are bound by professional secrecy obligations (§ 57 StBerG) and a data processing agreement under GDPR Art. 28.

Infrastructure & Hosting Providers

Our website and platform are hosted on Vercel (EU region) and Hetzner (Nuremberg/Falkenstein, Germany). Both process data under GDPR-compliant Data Processing Agreements. Data is stored within the EU/EEA.

Email & Communication Services

We use email service providers (such as Resend) to send transactional emails (e.g. waitlist confirmations). These providers process email addresses only for sending purposes under a DPA.

Payment Processing (Stripe)

Subscription payments are processed by Stripe, Inc. Your payment card details go directly to Stripe — we never see or store them. Stripe operates under a DPA and processes data in accordance with GDPR. For details, see Stripe's privacy policy.

Analytics (Google Analytics 4)

If you consent via our cookie banner, anonymised usage data is shared with Google Analytics. IP addresses are anonymised before transmission. You can opt out at any time by withdrawing cookie consent.

AI Services (Anthropic)

Messages sent via our chat widget are processed by Anthropic's Claude API to generate responses. Message content is transmitted to Anthropic's servers for this purpose. We do not send personal identifiers (name, email) to Anthropic unless you voluntarily include them in your chat message. See Anthropic's privacy policy for their data handling practices.

Legal Obligations

We may disclose data to courts, tax authorities, or law enforcement where required by applicable German or EU law.

Third-country transfers: Our primary data storage is within the EU/EEA (Germany). Where service providers (e.g. Stripe, Anthropic, Google) may process data in the US, they do so under Standard Contractual Clauses (SCCs) approved by the European Commission, providing equivalent GDPR protection.

6. Storage, Location & Retention Periods

| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form messages | 2 years | Service & follow-up |
| Waitlist emails | Until consent withdrawn or platform launched + 1 year | Marketing consent |
| Chat conversations | 6 months | Quality & safety review |
| IP addresses (rate limiting) | 24 hours (server memory) | Rate limiting only |
| Platform account data | Duration of account + 3 years after closure | Contract obligations |
| VAT transaction records | 10 years after filing year | § 147 AO (German tax law) |
| Payment records (via Stripe) | 10 years | § 147 AO (German tax law) |
| Server access logs | 7 days | Security monitoring |
| Analytics data (GA4) | 14 months (Google default) | Analytics with consent |

Data is stored on servers in Germany (Hetzner, Nuremberg/Falkenstein) and the EU region of Vercel. No personal data is transferred outside the EU/EEA except where service providers use SCCs as described in Section 5.

7. Cookies & Tracking

We use cookies and similar technologies. Our cookie banner shown on first visit allows you to accept or decline non-essential cookies. You can change your preference at any time via the "Cookie Settings" link in the footer.

Essential Cookies

Always active — no consent required

Examples: Cookie consent status (localStorage), waitlist banner dismissed state

Legal basis: Legitimate interest (site functionality)

Analytics Cookies (Google Analytics 4)

Requires consent

Examples: _ga, _ga_*, _gid — anonymised page views, referral source, device type

Legal basis: Consent (GDPR Art. 6(1)(a))

Marketing / Advertising Cookies

Requires consent

Examples: Currently none set. May be added in future with notice.

Legal basis: Consent (GDPR Art. 6(1)(a))

Most browsers allow you to refuse cookies via browser settings. Note that disabling essential cookies may affect site functionality.

8. AI Chat Widget

Our website features an AI-powered chat assistant. Use of this feature is voluntary. The following applies:

  • When you send a message, the text is transmitted to Anthropic's Claude API to generate a response. Message content may be processed on Anthropic's servers.
  • We log your IP address server-side solely to enforce a rate limit (10 messages per IP per 24-hour period). IP addresses used for rate limiting are not stored beyond that window.
  • If you choose to use the "Talk to a human" handoff feature and provide your name and email, this data is included in the email transcript sent to info@getmyvat.com and stored for up to 6 months.
  • Conversation content is stored for up to 6 months for quality review and safety purposes.
  • Do not include sensitive personal data (passport numbers, bank details, VAT passwords) in chat messages.
  • Legal basis: Consent (you initiate the chat). Art. 6(1)(a) GDPR.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at info@getmyvat.com. We will respond within 30 days.

Right of Access (Art. 15): You may request a copy of all personal data we hold about you, including information about how it is used and shared.
Right to Rectification (Art. 16): You may request that we correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure — 'Right to Be Forgotten' (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you have withdrawn consent. This right is subject to our legal retention obligations (e.g. 10-year tax record retention under § 147 AO).
Right to Data Portability (Art. 20): Where processing is based on consent or contract, you may request your data in a structured, machine-readable format (e.g. JSON or CSV) so you can transfer it to another provider.
Right to Restrict Processing (Art. 18): You may ask us to pause the use of your data — for example, while we verify the accuracy of data you have disputed.
Right to Object (Art. 21): You may object to processing based on legitimate interest. If you object, we must stop unless we have compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal. To unsubscribe from our waitlist or marketing emails, use the unsubscribe link in any email or contact us.
Right to Lodge a Complaint with the Supervisory Authority: If you believe we are processing your data unlawfully, you may lodge a complaint with the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI): https://datenschutz.hamburg.de

10. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure (GDPR Art. 32):

  • TLS/SSL encryption for all data in transit (HTTPS enforced)
  • Encryption at rest for database storage
  • Access controls — data access limited to personnel with operational need
  • Regular security updates applied to all infrastructure components
  • Secure hosting providers with ISO 27001 certification (Hetzner)
  • No storage of payment card data — handled entirely by Stripe PCI-DSS certified infrastructure
  • API rate limiting to prevent abuse

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.

11. Children's Privacy

Our services are directed at business users (B2B) and are not intended for children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 16 without appropriate consent, we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices. The "Last updated" date at the top of this page indicates when the policy was last revised. For significant changes affecting how we process your data, we will notify you by email (if we hold your address) or via a prominent notice on the website. Continued use of our services after changes take effect constitutes acceptance of the updated policy.

13. Contact for Privacy Matters

For all data protection enquiries, subject access requests, or to withdraw consent, please contact us:

GetMyVAT.com — Shruti Kumawat

Wielandstr. 13, 22089 Hamburg, Germany

Email: info@getmyvat.com

Phone: +49 (0) 176 70176211

You also have the right to lodge a complaint with:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg
datenschutz.hamburg.de