Privacy Policy

For registered users of invoicing services at Peppol.com

When you register as a user at Peppol.com, Bizbrains A/S, CVR-no. 33510837, Havneparken 1, 7100 Vejle ("Bizbrains", "we" or "us") process your personal data as data controller for the purpose of:

  1. registering you as a user and customer with us;
  2. registering you as a participant on the PEPPOL network and in the PEPPOL Directory;
  3. handling payments;
  4. providing customer service;
  5. providing other users of Peppol.com with information pertaining to your company, including company name, line of business, and company registration and VAT-numbers;
  6. adhering to applicable law;
  7. establishing, exercising or defending a legal claim; and
  8. validating company name, address and VAT information through publicly available company registers.

When you use our services, we may collect aggregate data from the invoices you send and receive, for instance the invoice amount and combined invoice volume for the purpose of:

  1. improving our services; and
  2. providing statistical information to the European E-Invoicing Service Providers Association (EESPA).

Legal basis for processing

  • Our legal basis for processing purposes a) through c) is to perform the contract entered into between you and us, see GDPR article 6(1)(b) or - if you are an employee at a business - because it is our legitimate interest to perform the contract entered into between your employer and us, see GDPR article 6(1)(f).
  • Our legal basis for processing purpose d) is because it is our legitimate interest to be able to provide you customer service as a customer with us, see GDPR article 6(1)(f).
  • Our legal basis for processing purposes e) is to perform the contract entered into between you and us according to Clause 2.2 of our terms and conditions, see GDPR article 6(1)(b) or - if you are an employee at a business - because it is our legitimate interest to perform the contract entered into between your employer and us, see GDPR article 6(1)(f).
  • Our legal basis for processing purpose f) is GDPR article 6(1)(c).
  • Our legal basis for processing purpose g) is GDPR article 6(1)(f) because it is our legitimate interest to pursue any legal claim involving us, including defending from such.
  • Our legal basis for processing purpose h) is GDPR article 6(1)(b) because it is necessary for the performance of a contract according to Clause 2.2 of our terms and conditions, and because it is our legitimate interest as an intermediary service to ensure that invoices sent or received through the use of Peppol.com, only contain legitimate and valid information regarding your company (see GDPR article 6(1)(f)).
  • Our legal basis for processing purpose i) through j) is GDPR article 6(1)(f) because it is our legitimate interest to improve our services, because we strictly limit the information collected so that no physical person can be identified from the data collected only.

Recipients of personal data

For handling payments, we transmit your payment information to our payment service provider, Stripe Inc., who, among other, is PCI DSS Level 1-certified and processes your payment information with a high level of security, including AES-256 encryption and storage separation.

When registering you on the PEPPOL network, we transmit your name, contact information as well as your unique identifier to the publicly available PEPPOL Directory, for other PEPPOL participants to find you through the PEPPOL Directory.

During your use of Peppol.com, we may also disclose your company and/or VAT registration ID's to publicly available online company registers, in particular to the VAT Information Exchange System (VIES) through https://ec.europa.eu/taxation_customs/vies/ if you are located within the EEA, or to other publicly available registers if you are located outside the EEA.

Storage period

We store your personal data until you delete your account after which your personal data is deleted, although with the below mentioned exceptions.

After deletion of your account, we may store material to the extent necessary to observe the requirements in the Danish Bookkeeping Act (namely accounting records until 5 years after expiry of the financial year), and the Danish Anti-Money Laundering Act, (namely identification information including if relevant Danish CPR-numbers for up to 5 years). In addition, we may store your personal data relevant to establish, exercise or defend a legal claim between you and us depending on when the claim lapses due to relevant statute of limitations.

Your rights

You have the right to request from us access to and rectification or erasure of your personal data, restriction of processing or to object to processing, including an absolute right to object to processing for the purpose of direct marketing, as well as the right to data portability where applicable.

If you wish to exercise your abovementioned rights, please contact support AT peppol DOT com.

You may at any time lodge a complaint about our processing of your personal data with your local data protection supervisory authority (in Denmark: the Danish Data Protection Agency at www.datatilsynet.dk, tel. +45 33193200, e-mail: dt AT datatilsynet DOT dk).