Privacy Policy

Your privacy is important to us. This policy explains how we handle your data.

Last updated: January 2026

Quick Summary

  • We only collect data necessary to provide our invoicing service
  • Your data is stored securely within the European Union
  • We never sell your personal data to third parties
  • You have full control over your data under GDPR

1. Introduction

Smart PEPPOL ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our invoicing platform and mobile applications (collectively, the "Service").

We are based in Belgium and comply with the General Data Protection Regulation (GDPR) and applicable Belgian data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

The data controller responsible for your personal data is:

Smart PEPPOL - NEO COMPANY SRL
Grand Place 24
7100 La Louvière
Belgium
support@smartpeppol.be

3. Information We Collect

3.1 Information You Provide

Account Information: Name, email address, password, and profile information when you create an account.
Organization Data: Company name, VAT number, enterprise number, address, and PEPPOL participant ID.
Invoice Data: Customer information, supplier information, invoice details, line items, and payment information.
Communication Data: Information you provide when contacting our support team or submitting feedback.

3.2 Information Collected Automatically

Device Information: Device type, operating system, unique device identifiers, and mobile network information.
Usage Data: Pages visited, features used, time spent on the Service, and interaction patterns.
Log Data: IP address, browser type, access times, and referring URLs.
Push Notification Tokens: If you enable push notifications, we collect device tokens to deliver notifications.

3.3 Information from Third Parties

PEPPOL Network: When you send or receive documents via PEPPOL, we process the transaction data exchanged through the network.
Belgian Crossroads Bank for Enterprises (CBE): We may retrieve publicly available company information to facilitate client creation.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Process and transmit invoices via the PEPPOL network
  • Generate PDF invoices and send them via email
  • Authenticate users and manage accounts
  • Send transactional notifications
  • Respond to support requests
  • Comply with legal obligations
  • Detect, prevent, and address fraud
  • Analyze usage patterns to improve UX

5. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

Contract Performance

Processing necessary to provide our Service as agreed in our Terms of Service.

Legal Obligation

Processing required to comply with Belgian and EU laws (e.g., tax retention requirements).

Legitimate Interests

Processing for fraud prevention, security, and service improvement.

Consent

Where you have given explicit consent (e.g., marketing communications).

6. Data Sharing and Disclosure

We may share your information with:

PEPPOL Access Point Providers: To transmit documents through the PEPPOL network.
Service Providers: Third-party vendors who assist in operating our Service (hosting, email delivery, payment processing).
Business Partners: With your consent, to facilitate integrations with accounting software or other services.
Legal Authorities: When required by law, court order, or to protect our legal rights.
Business Transfers: In connection with a merger, acquisition, or sale of assets.

We do not sell your personal data to third parties.

7. Data Retention

We retain your personal data for as long as necessary to:

  • Provide our Service to you
  • Comply with legal obligations (invoices must be retained for 7 years under Belgian law)
  • Resolve disputes and enforce our agreements

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Encryption: Data encrypted in transit (TLS) and at rest
Authentication: Secure authentication mechanisms
Security Audits: Regular security assessments and updates
Access Controls: Limited data access to authorized personnel
EU Hosting: Secure infrastructure within the EU

9. Your Rights (GDPR)

Under the GDPR, you have the following rights:

Access

Request a copy of your personal data

Rectification

Request correction of inaccurate data

Erasure

Request deletion of your data ("right to be forgotten")

Restriction

Request limitation of processing

Data Portability

Receive your data in a machine-readable format

Objection

Object to processing based on legitimate interests

Withdraw Consent

Withdraw consent at any time

To exercise these rights, contact us at support@smartpeppol.be. We will respond within 30 days.

10. International Data Transfers

Your data is primarily stored and processed within the European Union. If we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

11. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

Questions about this policy?

Smart PEPPOL - NEO COMPANY SRL
Grand Place 24
7100 La Louvière, Belgium
support@smartpeppol.be

File a complaint

You have the right to lodge a complaint with the Belgian Data Protection Authority:

Autorité de protection des données
Rue de la Presse 35 / Drukpersstraat 35
1000 Brussels, Belgium
www.dataprotectionauthority.be