Last updated: December 23, 2024
1. Introduction
This Privacy Policy explains how DEMFACT ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our invoicing platform at demfact.com (the "Service").
By using DEMFACT, you consent to the data practices described in this policy. Please read it carefully alongside our Terms of Service.
2. Data Controller
DEMFACT acts as the data controller for personal data processed through our Service.
Camille Vandeloockstraat 14, 1600 Sint-Pieters-Leeuw, Belgium
VAT: BE1005547728
Email: privacy@demfact.com
Support: support@demfact.com
3. Data We Collect
3.1 Account Information
When you register, we collect:
- Email address - for account authentication and communication
- Name - for personalization and account identification
- Password - stored securely using industry-standard hashing (bcrypt)
- Phone number - optional, for account recovery
- Language preference - to provide localized content
3.2 Company Information
When registering a company, we collect:
- Company name and legal form
- VAT number and KBO/BCE number
- Business address - street, number, postal code, city, country
- Contact details - email, phone, website
- Banking information - IBAN, BIC, bank name (stored encrypted)
- Logo - optional, for invoice branding
- Legal declaration acceptance - date, time, and IP address
3.3 Client Data
You may store information about your clients:
- Business or individual name
- Contact information
- Address details
- VAT numbers
- Payment terms and notes
3.4 Invoice Data
We store all invoices you create, including:
- Invoice numbers, dates, and amounts
- Line items and descriptions
- VAT calculations
- Payment status and history
3.5 Technical Data
We automatically collect:
- IP addresses - for security and fraud prevention
- Browser type and version
- Device information
- Access timestamps
- Error logs - for troubleshooting
4. How We Use Your Data
4.1 Service Provision
- Creating and managing your account
- Processing and storing invoices
- VAT validation through EU VIES
- PEPPOL e-invoicing transmission
- Payment processing through Stripe
4.2 Communication
- Account verification and security notifications
- Service updates and changes
- Invoice and payment notifications
- Support responses
- Legal and compliance notices
4.3 Security and Fraud Prevention
- Detecting unauthorized access
- Preventing fraudulent company registrations
- Logging legal declarations with IP addresses
- Monitoring for suspicious activity
4.4 Legal Compliance
- Tax and accounting record retention
- Responding to legal requests
- Anti-money laundering compliance
5. Legal Basis for Processing
Under GDPR, we process your data based on:
| Purpose | Legal Basis |
|---|---|
| Account creation and service delivery | Contract performance (Art. 6(1)(b)) |
| VAT validation and invoice compliance | Legal obligation (Art. 6(1)(c)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Tax record retention | Legal obligation (Art. 6(1)(c)) |
6. Data Sharing
6.1 Third-Party Service Providers
We share data with trusted third parties necessary to provide our Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Hosting infrastructure (servers) | All platform data (encrypted at rest) | Germany (EU) |
| EU VIES | VAT number validation | VAT numbers, country codes | European Commission |
| Maventa (Visma Solutions Oy) | E-invoicing delivery and PEPPOL network access | Company information, invoice data, VAT numbers, contact details | Finland (EU) |
| Stripe Inc. | Payment processing | Billing information, transaction data | USA/EU (SCC) |
| Brevo (Sendinblue) | Transactional email delivery | Email addresses, names | France (EU) |
| Backblaze Inc. | Off-site encrypted backups | All data (AES-256 encrypted) | USA (SCC) |
| Google LLC (OAuth) | Login authentication (optional) | Email, name (from Google account) | USA/EU (SCC) |
| Microsoft Corp. (OAuth) | Login authentication (optional) | Email, name (from Microsoft account) | USA/EU (SCC) |
| Microsoft Corp. (Clarity) | Anonymous session recordings & heatmaps (consent-based) | Anonymous interaction data (no PII) | USA/EU (SCC) |
| Google LLC (Analytics/Ads) | Aggregated analytics & ad conversion (consent-based) | Anonymous visitor metrics | USA/EU (SCC) |
| Meta Platforms (Pixel) | Ad attribution (consent-based) | Anonymous conversion events | USA/EU (SCC) |
| Anthropic PBC | AI assistant (DemBot) — invoice scanning, financial insights | Selected invoice/text data processed on request | USA (SCC) |
- Purpose: Sending and receiving e-invoices via the PEPPOL network
- Data processed: Company information, invoice data, VAT numbers, contact details
- Location: EU/EEA (Finland)
- Sub-processors of Maventa: See Visma Trust Centre
- Note: Maventa uses Twilio (Sendgrid) in the USA under EU Standard Contractual Clauses (SCCs) for email/SMS notification services
6.2 Legal Disclosure
We may disclose your data when required by:
- Court orders or legal process
- Belgian tax authorities (SPF Finances / FOD Financien)
- Law enforcement with valid legal basis
- Regulatory authorities investigating fraud
6.3 What We Do NOT Do
- We do NOT sell your personal data
- We do NOT share data for third-party marketing
- We do NOT use data for profiling or automated decision-making
7. Data Security
We implement robust security measures:
- Encryption in transit - All connections use TLS 1.3
- Encryption at rest - Database encryption for sensitive data
- Password security - Bcrypt hashing with salt
- Two-factor authentication - Optional TOTP-based 2FA
- Access controls - Role-based permissions
- Audit logging - Security event tracking
- Regular backups - Encrypted, off-site backups
- Server security - Firewall, intrusion detection, regular updates
8. Data Retention
We retain data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 1 year | Service provision |
| Invoices and financial records | 10 years from creation | Belgian tax law requirement |
| Security logs | 2 years | Fraud prevention |
| Legal declarations | 10 years | Legal compliance |
| Support communications | 3 years | Service improvement |
9. Your Rights (GDPR)
Under GDPR, you have the following rights:
9.1 Right of Access (Art. 15)
You can request a copy of all personal data we hold about you. We will provide this within 30 days.
9.2 Right to Rectification (Art. 16)
You can correct inaccurate data directly in your account settings or by contacting us.
9.3 Right to Erasure (Art. 17)
You can request deletion of your data. Note that we must retain certain data (invoices, tax records) for legal compliance.
9.4 Right to Restriction (Art. 18)
You can request that we limit processing of your data in certain circumstances.
9.5 Right to Data Portability (Art. 20)
You can request your data in a machine-readable format (JSON/CSV) for transfer to another service.
9.6 Right to Object (Art. 21)
You can object to processing based on legitimate interests or for direct marketing.
9.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
9.8 How to Exercise Your Rights
To exercise any of these rights, contact us at support@demfact.com. We may need to verify your identity before processing your request.
10. International Data Transfers
Your data is primarily stored on servers located in the European Union (Germany - Hetzner). When data is transferred outside the EU:
- We ensure adequate safeguards (Standard Contractual Clauses)
- We only use services that comply with GDPR
- Stripe and Google have valid data protection mechanisms
11. Cookies
DEMFACT uses cookies in three categories:
11.1 Essential cookies (always active)
- Session management - Keeping you logged in
- CSRF protection - Security tokens
- Language preference - Remembering your language choice
- Remember me token - Optional long-lived session (30 days)
11.2 Analytics cookies (with consent)
- Google Analytics 4 (
_ga,_ga_*) - Aggregated visitor statistics, 2 years - Microsoft Clarity (
_clck,_clsk) - Anonymous session recordings and heatmaps to improve UX, 1 year
11.3 Marketing cookies (with consent)
- Google Ads - Conversion tracking for paid campaigns
- Meta (Facebook) Pixel (
_fbp,_fbc) - Ad attribution, 2-3 months
Analytics and marketing cookies are only activated after you give explicit consent via our cookie banner. You can change your preferences at any time through the "Manage cookies" link in the footer. For detailed information, see our Cookie Policy.
12. Children's Privacy
DEMFACT is not intended for users under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Email notification
- Prominent notice on the platform
The "Last updated" date at the top indicates when the policy was last revised.
14. Complaints
If you believe your data protection rights have been violated, you can:
- Contact us at support@demfact.com
- Lodge a complaint with the Belgian Data Protection Authority:
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / Brussel
Belgium
www.dataprotectionauthority.be
15. Contact Us
For questions or concerns about this Privacy Policy or our data practices:
- Email: support@demfact.com
- Website: https://demfact.com
Your privacy matters. DEMFACT is committed to transparent and responsible data handling.