1. Data Controller
Inverso HUB S.R.L., operating as eleata (the "Operator", "we", "us"), is the data controller for the personal data processed in connection with the eleata Peppol API service (the "Service").
- Legal entity: Inverso HUB S.R.L.
- Registered office: Ciudad Autónoma de Buenos Aires, Argentina
- CUIT: registered (number on request)
- Privacy contact: privacy@eleata.io
- Security contact: security@eleata.io
- EU Representative (GDPR Art. 27): designated — see Imprint for current details
2. Scope
This Privacy Policy covers data we collect when you visit peppol.eleata.io, sign up for an account, or use the API, the SDKs, or the GitHub Action.
3. Data we collect
3.1 Account data
- Email address (for magic-link authentication and billing)
- GitHub user ID and primary email (if you sign in with GitHub)
- Hashed API keys and key prefixes
- Account creation timestamp and last-login timestamp
3.2 Validation data
When you submit an XML invoice for validation, we process the document temporarily to run Schematron rules. We store the following metadata:
- SHA-256 hash of the file (for caching and deduplication)
- File size in bytes
- Format (Peppol BIS 3, XRechnung, Factur-X, or UBL)
- Validation result (valid/invalid plus the list of errors)
- Duration of the validation
- Public report identifier (12-character code)
- Timestamp
The XML payload itself is automatically deleted within 72 hours of validation. Metadata is retained for billing reconciliation and usage statistics.
3.3 Billing data
Payment processing is handled by Paddle.com Market Limited (our Merchant of Record). We do not store credit card details. We store:
- Paddle customer ID
- Paddle subscription ID
- Plan tier and status
- Current billing period end date
3.4 Technical data
- IP address (for rate limiting, anti-abuse, and security logging)
- User-Agent string
- Request timestamps and HTTP status codes (audit logs)
4. Legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the Service (account, validation) | Contract performance (Art. 6(1)(b)) |
| Billing and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Rate limiting and security logging | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails (only if you opt in) | Consent (Art. 6(1)(a)) |
5. Data residency and transfers
Primary processing infrastructure is hosted in the European Union (Hetzner, Falkenstein and Nuremberg, Germany).
Some of our subprocessors are located in the United States. Data transfers to those entities are governed by EU Standard Contractual Clauses (SCCs) and a Transfer Impact Assessment (TIA). See our Subprocessors page for the full list.
6. Subprocessors
We engage certain third-party data processors to operate the Service. The current list and contractual safeguards are published at /subprocessors/. Subscribers receive 30 days' notice of any new subprocessor through their account email.
7. Retention
- XML payloads: auto-deleted within 72 hours
- Validation metadata: 24 months (billing dispute window + audit)
- Account data: until account deletion + 30 days backup retention
- Billing data: 10 years (Argentine tax law)
- Audit logs (auth, API key changes): 12 months
8. Your rights (GDPR Art. 15–22)
- Right to access your data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to lodge a complaint with a supervisory authority
Exercise these rights by emailing privacy@eleata.io. We respond within 30 days.
9. Cookies and tracking
We use no marketing cookies and no third-party trackers. We use server-side analytics (Cloudflare Web Analytics or Plausible Analytics, both privacy-first and cookie-free) to measure aggregate usage. We use session cookies only for authentication and cross-site request forgery (CSRF) protection.
10. Security
- TLS 1.2+ enforced for all connections
- HSTS, CSP, and other security headers configured
- API keys stored as bcrypt hashes (never in plaintext)
- XML parsers configured against XXE, billion-laughs, and external DTD attacks
- Paddle webhook signatures verified (HMAC-SHA256) before processing
- Hetzner-managed disk encryption at rest
11. Data breach notification
In the event of a personal data breach affecting you, we will notify you within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33–34.
12. Contact and complaints
Questions: privacy@eleata.io.
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with the data protection authority of your country of residence. For Argentine residents: Agencia de Acceso a la Información Pública (AAIP). For EU residents: your national supervisory authority (e.g. CNIL in France, BfDI in Germany).
13. Changes
We will notify subscribers of material changes via email at least 30 days in advance. The version and date at the top of this page indicate the latest revision.