DRAFT — NOT YET BINDING. These terms are under legal review. They are based on open-source templates and have not been reviewed by a qualified attorney for your jurisdiction. Do not rely on this document until it is finalized and the DRAFT banner is removed. Contact hello@pactaro.eu with questions.

Contents

  • Who We Are
  • Information We Collect
  • Categories of Personal Data
  • How We Use Information
  • Legal Bases
  • Sharing Information
  • How Long We Keep Data
  • Legal Retention Exceptions
  • QuickBooks & Xero OAuth
  • Security
  • Your Rights (GDPR)
  • Cookies
  • Contact & DPO

Privacy Policy

Last updated 2026-05-25 (DRAFT)

Who We Are and What This Policy Covers

We are Pactaro B.V. (KvK 73428109, VAT NL864729135B01), located at Prinsengracht 412, 1016 HP Amsterdam, Netherlands. We operate Pactaro, an EU e-invoicing compliance service that reads invoices from your accounting software, converts them to the required EU electronic format, delivers them through the appropriate national network, and stores them for the legally required retention period.

This Privacy Policy applies to information we collect when you use our website (pactaro.eu), our web application, and related services (collectively, the “Services”). It does not apply to third-party services you connect to Pactaro (like QuickBooks Online or Xero), which have their own privacy policies.

Our privacy principles: we collect only what we need, we store it only as long as required, and we never sell your personal data.

Information We Collect

Information You Provide to Us

  • Account information: Your name, work email address, company name, and registered country when you create an account.
  • Billing information: Payment details processed by Stripe (Ireland). We do not store raw card data.
  • Communications: When you contact us for support, we retain a copy of that communication.

Information We Collect Automatically

  • Log information: IP address, browser type, operating system, pages visited, and timestamps when you use our Services.
  • Usage information: Actions taken within the application (for example, connecting an accounting integration, viewing an invoice).
  • Cookies and similar technologies: See our Cookie Policy for details.

Information from Third-Party Integrations

When you connect QuickBooks Online or Xero via OAuth, we receive an OAuth access token and refresh token, which we use to read invoice data from your accounting software on your behalf. We request only the scopes needed to read that data, and we never write to your accounting software. See QuickBooks Online and Xero OAuth Access below for the exact scopes and for a note on what each provider's scopes actually permit.

Categories of Personal Data

We process the following categories of personal data:

  • Business contact information: Names, email addresses, company names, business addresses of our customers and their staff.
  • VAT identification numbers: Your company VAT ID and those of your invoice counterparties, required for EU e-invoicing compliance.
  • Invoice data: Line items, amounts, buyer and seller details. B2C invoices (required notably in Italy) may contain the personal data of individual consumers — including their name and address.
  • OAuth refresh tokens: Encrypted at rest using pgsodium (libsodium) via Supabase. We use these tokens solely to read from your accounting software; see QuickBooks Online and Xero OAuth Access below for what each provider's scopes permit.
  • Technical identifiers: IP addresses, device information, session cookies (Supabase sb-* cookies).

How and Why We Use Information

  • To provide the Services: Authenticating your account, reading invoices from your accounting integration, converting them to the required EU format, delivering them through national networks (Peppol, SDI, Chorus Pro, etc.), and storing them in the compliant archive.
  • To maintain and improve the Services: Monitoring performance, fixing bugs, adding support for new EU country mandates.
  • To communicate with you: Sending transactional emails (account confirmation, invoice delivery failures), billing notifications, and — with your consent — product updates.
  • To comply with legal obligations: Maintaining invoice archives for legally mandated retention periods (see Legal Retention Exceptions below).
  • To protect our Services: Detecting abuse, unauthorized access, and fraudulent activity.

Legal Bases for Processing (GDPR Article 6)

  • Contract (Art. 6(1)(b)): Processing necessary to perform the subscription contract with you — reading invoices, converting formats, delivering to national networks, providing access to the dashboard.
  • Legal obligation (Art. 6(1)(c)): Retaining invoice records for the periods required by EU and national tax law (see Legal Retention Exceptions).
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, improving service quality — balanced against your privacy interests.
  • Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies, where we ask for your explicit consent.

Sharing Information

We share personal data only as necessary to provide the Services or as required by law. We do not sell personal data.

  • Sub-processors: We use third-party service providers (listed at pactaro.eu/subprocessors) to operate our Services. Each is bound by data processing agreements.
  • National e-invoicing networks: When we deliver an invoice to a national network (for example, the Italian SDI or the Belgian Peppol access point), the invoice data — including buyer and seller personal data — is transmitted to that network operator as required by law.
  • Legal requirements: We may disclose information in response to a court order or other governmental request under applicable EU or Netherlands law.
  • Business transfers: If Pactaro B.V. is acquired or merges with another entity, your data may be transferred as part of that transaction, subject to equivalent privacy protections.

How Long We Keep Information

We retain your account information for as long as your account is active, and for a reasonable period thereafter to handle billing disputes or legal claims.

We retain invoice data for the legally required retention period applicable in each country. The period is set by each EU member state and is typically around 10 years. See the section below.

Server logs are retained for approximately 90 days. Support communications are retained for 3 years.

Legal Retention Exceptions

Your right to erasure under GDPR Article 17 does not apply to invoice data that we are legally required to retain. Specifically:

  • EU Council Directive 2006/112/EC (the VAT Directive), as amended by Directive 2010/45/EU, requires that invoices be stored and leaves it to each member state to determine the storage period (Article 247). Most member states set a period of 10 years or close to it, counted from the date of issue or the end of the year of issue, depending on national law.
  • German GoBD and applicable national tax law (for invoices delivered to Germany) require retention for 10 years.
  • Italian SDI regulations and Italian tax code require retention for at least 10 years.
  • Other EU member states impose equivalent minimum retention periods under their national implementations of the VAT Directive.

When you request erasure of your data, we will erase all personal data we are not legally required to retain. Invoice records subject to statutory retention periods will be marked as “account closed” and restricted from processing for any purpose other than fulfilling the legal retention obligation.

After the applicable retention period expires, all stored invoice data is permanently deleted.

QuickBooks Online and Xero OAuth Access

When you connect QuickBooks Online or Xero, we request the narrowest OAuth scopes each provider offers for reading invoice and customer data. Specifically:

  • QuickBooks Online: We request the com.intuit.quickbooks.accounting scope. Intuit does not offer a separate read-only accounting scope, so this scope technically permits both reading and writing. Pactaro only ever calls the read (query) endpoints for invoices, customers, and company information, and never creates, updates, or deletes records in your QuickBooks company.
  • Xero: We request the accounting.transactions.read and accounting.contacts.read scopes, together with the offline_access scope that Xero requires before it will issue a refresh token. We never request a write scope.

OAuth refresh tokens are encrypted at rest using pgsodium and stored in our EU-hosted database. You can revoke our access at any time from within your QuickBooks or Xero account settings, or by disconnecting the integration from your Pactaro settings page.

Security

We use TLS 1.3 for data in transit. Data at rest is encrypted at the database level. OAuth tokens are additionally encrypted using pgsodium. Our infrastructure is hosted in Frankfurt, Germany (Supabase eu-central-1 region), and data does not leave the EU.

We conduct periodic security reviews. An ISO 27001 audit is planned for Q3 2026. If you discover a security vulnerability, please report it to hello@pactaro.eu.

Your Rights Under GDPR

If you are located in the EU/EEA, you have the following rights regarding your personal data, subject to applicable exemptions:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your data, subject to the legal retention exceptions described above.
  • Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You can export your full invoice archive as a ZIP file at any time from your account settings.
  • Right to object (Art. 21): Object to processing based on legitimate interests.

To exercise any of these rights, contact us at dpo@pactaro.eu. We will respond within one month, as required by GDPR Article 12(3). You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Cookies

We use a small number of cookies necessary to operate the Services. See our Cookie Policy for a full list.

Contact and Data Protection Officer

Pactaro B.V.
Prinsengracht 412, 1016 HP Amsterdam, Netherlands
KvK: 73428109  ·  VAT: NL864729135B01

General inquiries: hello@pactaro.eu
Data protection: dpo@pactaro.eu

This Privacy Policy is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the courts of Amsterdam.

This Privacy Policy is adapted from Automattic's open-sourced Privacy Policy, available under the Creative Commons Attribution-ShareAlike 4.0 license.
© 2026 Pactaro B.V.