Privacy Policy
Last updated: March 27, 2026
VatCalc ("the Service", "we", "us", "our") is operated by the entity identified in our Legal Notice (Imprint), registered in Romania.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Romanian data protection legislation. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.
1. Data Controller
The data controller responsible for your personal data is the entity identified in our Legal Notice (Imprint).
If you have any questions about how we handle your data, please contact us using the details provided there.
2. What Data We Collect
The data we collect depends on how you use VatCalc:
a) Using VatCalc Without an Account
If you use the free calculator without creating an account, we do not collect any personal data. The calculations are performed without storing any information that could identify you.
b) Creating an Account
If you register for an account to access additional features, your authentication is managed by Clerk (Clerk, Inc.), a third-party authentication provider. Through this process, the following data is collected and processed:
- Email address — required to create and manage your account, and to communicate with you about the Service.
- Password — stored in encrypted (hashed) form by Clerk. We do not have access to your plaintext password at any point.
- Authentication metadata — Clerk may collect additional technical data related to your sessions, such as IP address, device type, and browser information, for security and fraud prevention purposes. For details, see Clerk's Privacy Policy.
- Subscription and billing data — if you subscribe to the paid tier, payment processing is handled by our third-party payment provider. We do not store your full credit card number or payment details on our servers. We may receive and store a transaction reference, subscription status, and billing history for our records.
c) Contact Form
If you contact us through the contact form, we collect:
- Email address — so we can respond to your inquiry.
- Message content — the text of your inquiry.
- Name (if voluntarily provided).
d) Technical Data
When you visit VatCalc, our hosting provider Vercel (Vercel, Inc.) may automatically collect minimal technical data necessary for the operation, performance, and security of the Service, such as IP addresses, request metadata, and edge network logs. We do not use this data for tracking or profiling purposes. Vercel's infrastructure may process requests through edge nodes located globally, including outside the EEA. For details, see Vercel's Privacy Policy.
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Processing payments for the paid tier | Performance of a contract (Art. 6(1)(b)) |
| Responding to your contact form inquiries | Legitimate interest (Art. 6(1)(f)) |
| Sending essential service communications (e.g., password resets, billing notices, material changes to Terms) | Performance of a contract (Art. 6(1)(b)) |
| Ensuring the security and integrity of the Service | Legitimate interest (Art. 6(1)(f)) |
We do not use your data for profiling, automated decision-making, or marketing purposes unless you explicitly opt in.
4. Cookies and Similar Technologies
VatCalc currently uses only strictly necessary cookies — specifically, session and authentication cookies set by our authentication provider Clerk to manage your login state and protect your account. These cookies are essential for the Service to function and do not require your consent under EU law.
Clerk may set the following types of strictly necessary cookies:
- Session tokens — to keep you logged in across page loads.
- CSRF protection tokens — to protect against cross-site request forgery attacks.
- Device/browser identifiers — for security and fraud detection purposes.
We do not use:
- Analytics cookies
- Advertising or tracking cookies
- Third-party tracking technologies
If we introduce non-essential cookies in the future (such as analytics or preference cookies), we will update this Privacy Policy and implement a cookie consent mechanism in compliance with the ePrivacy Directive (Directive 2002/58/EC) before any such cookies are deployed. You will be asked for your explicit consent before any non-essential cookies are placed on your device.
Your Cookie Rights
You can control and delete cookies through your browser settings at any time. Please note that disabling essential cookies may affect the functionality of the Service for logged-in users.
5. Data Sharing
We do not sell, rent, or trade your personal data to third parties.
We may share your data only in the following limited circumstances:
- Clerk (authentication provider). User account data, including email address, password (hashed), and session metadata, is processed by Clerk, Inc. (United States). Clerk acts as a data processor on our behalf. See Clerk's Privacy Policy and Clerk's DPA.
- Vercel (hosting provider). The Service is hosted on Vercel, Inc. (United States). Vercel processes technical request data (IP addresses, request logs) as a data processor on our behalf. See Vercel's Privacy Policy and Vercel's DPA.
- Payment processor. If you subscribe to the paid tier, your billing information is processed by our third-party payment provider, which acts as an independent data controller for payment data. Their processing is governed by their own privacy policy.
- Legal obligations. We may disclose personal data if required by law, regulation, or court order.
6. International Transfers
Because we use Clerk (authentication) and Vercel (hosting), both of which are based in the United States, some of your personal data is transferred to and processed in the United States. These transfers are protected by appropriate safeguards as required by the GDPR, including:
- EU-US Data Privacy Framework — both Clerk and Vercel participate in or rely on the EU-US Data Privacy Framework where applicable.
- Standard Contractual Clauses (SCCs) — approved by the European Commission, included in the Data Processing Agreements we have with each provider.
For details, see the DPA of each provider linked in Section 5 above. If additional sub-processors or transfers arise in the future, we will ensure equivalent safeguards are in place before any data is transferred.
7. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Privacy Policy:
- Account data — retained for the duration of your account. If you delete your account, your personal data will be erased within 30 days, except where retention is required by law (e.g., billing records for tax compliance).
- Contact form inquiries — retained for up to 12 months after the inquiry is resolved, then deleted.
- Server logs — retained for a maximum of 90 days.
- Billing records — retained for the period required under Romanian fiscal legislation (currently 10 years).
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — You can ask us to delete your personal data, subject to legal retention obligations.
- Right to restriction of processing — You can ask us to restrict processing in certain circumstances.
- Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
- Right to object — You can object to processing based on legitimate interest.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us using the details on our Legal Notice (Imprint). We will respond within 30 days as required by the GDPR.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania
Website: www.dataprotection.ro
9. Children's Privacy
VatCalc is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any material changes will be communicated by updating the "Last updated" date at the top of this page and, where appropriate, by notifying registered users via email. We encourage you to review this page periodically.
11. Contact
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us using the details on our Legal Notice (Imprint).