ARVELEHT

Legal · Privacy notice

What we store, why, and for how long.

Draft, pre-launch. A DPO-reviewed privacy notice is being finalised and will replace this page at launch. Until then, this page describes current practice honestly.

01 · Who is the controller

Arveleht OÜ, Tallinn, Estonia. Contact the data protection lead at hello@arveleht.eu.

02 · What we collect

Account
Your email address (for magic-link sign-in) and organisation name. Optional: Smart-ID authentication uses your personal code and a signed certificate; we retain the certificate hash, not the document itself.
Invoice content
The invoice data you submit: parties, line items, amounts, VAT, dates, and any uploaded PDF. This is processed to produce the rendered XML and transmit it to the buyer-side channel you select.
Audit trail
A tamper-evident SHA-256 hash chain of every state transition per invoice (draft → validated → rendered → submitted → delivered). Required by several buyer jurisdictions for acceptance evidence.
Enrichment cache
Public registry lookups (VIES, Äriregister) are cached for 24 hours by VAT/registration code. This cache contains no user-private data — only open-registry extracts.

03 · Lawful basis

Processing is based on the contract between you and Arveleht OÜ (Art. 6(1)(b) GDPR) for delivery of the service, and on legitimate interest (Art. 6(1)(f)) for fraud prevention and security logging. We do not rely on consent for operational processing, because consent would be meaningless — you cannot use the service without sending an invoice through it.

04 · Sub-processors

  • DigitalOcean, Inc. — managed Postgres, Redis, object storage, application hosting (Frankfurt region, EU)
  • Peppol provider — only after Peppol relay is enabled for a customer-selected country
  • Resend — transactional email for magic-link sign-in and buyer-side delivery
  • Stripe — payment processing for paid plans
  • Sentry — error telemetry; IP addresses are scrubbed before storage

05 · Retention

Invoices and their audit chain are retained while your account is active, plus the seven years required by Estonian bookkeeping law (Raamatupidamise seadus § 12). You can export everything as JSON + CSV at any time.

06 · Your rights

Access, correction, erasure, and portability requests go to hello@arveleht.eu. We answer within 30 days. Complaints can be lodged with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).