This policy explains what personal data Versys collects, why we collect it, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR).
Versys ("we", "us", "our") is the operator of versys.io, a SaaS platform providing VAT number validation, IBAN verification, and payment card BIN lookup services for businesses and developers. Versys is the data controller for the personal data described in this policy.
We do not yet have a registered postal address. For all data protection enquiries, contact us at: privacy@versys.io.
Anonymous users (no account)
When you use Versys without creating an account, we collect the minimum data necessary to operate the service securely:
Registered users (account holders)
If you create a Versys account, we collect:
| Data field | Required? | Purpose |
|---|---|---|
| Email address | Yes | Account authentication, transactional emails (password reset, credit alerts) |
| Password (bcrypt hash) | Yes | Authentication — we store only an irreversible hash, never the plaintext password |
| Full name | Optional | Personalising the account interface |
| Business name | Optional | Displaying on invoices or API responses where relevant |
| Business address | Optional | Invoicing and account records |
| Business VAT number | Optional | B2B invoicing and EU VAT compliance for the subscription |
| Check history | Automatic | Stored with your user_id in PostgreSQL so you can review past lookups |
| Credits balance and ledger | Automatic | Tracking your VIES/API credit allowance and usage history |
Lawful basis for account data: performance of a contract (Article 6(1)(b) GDPR) — processing is necessary to provide the service you have signed up for.
Validation and registry lookup data. When you submit a VAT number, IBAN, card BIN, business name, or business address through Versys, we process that information to return the validation result you asked for. For authenticated users, our lawful basis is performance of a contract (Article 6(1)(b) GDPR), because the lookup is a core part of the service you requested. For unauthenticated users using the free public tools, our lawful basis is legitimate interests (Article 6(1)(f) GDPR), namely operating and securing a proportionate public validation service that users reasonably expect when they submit a lookup.
This includes transmitting submitted VAT numbers and related business identity data to official or public validation sources where needed, such as the EU VIES service or HMRC's VAT APIs, and storing the returned validation result in your check history if you are signed in. We do not use this data for advertising, profiling, or unrelated marketing.
We do not collect payment card details directly. If we introduce paid plans, payment processing will be handled by a PCI-DSS-compliant payment processor (such as Stripe) acting as a separate data controller for card data.
Versys uses one strictly necessary cookie. We use no analytics cookies, no marketing cookies, no tracking pixels, and no third-party advertising scripts.
| Cookie name | Type | Purpose | Duration |
|---|---|---|---|
| session (JWT auth token) | Strictly necessary | Maintains your authenticated session after login. Set with HttpOnly, Secure, and SameSite=Strict flags to prevent cross-site access. | Session / until logout |
Because the only cookie we set is strictly necessary for the service to function, we do not display a cookie consent banner — no consent is required for strictly necessary cookies under the ePrivacy Directive. If you log out, the session cookie is cleared immediately.
| Data category | Retention period |
|---|---|
| Account data (email, name, business details, password hash) | While your account is active, plus 30 days after account deletion (to handle any disputes or final billing) |
| Check history and credit ledger (registered users) | Same as account data — deleted with the account |
| Anonymous check audit logs (no PII) | 12 months from the date of the check |
| IP addresses (rate limiting logs) | Automatically purged after 24 hours via Redis TTL |
| VIES API response cache | 24 hours (Upstash Redis, EU region) |
| HMRC VAT lookup cache | 24 hours for successful lookups, 1 hour for "not found" results, to reduce duplicate requests and improve reliability |
When you delete your account, all personal data associated with it — including email address, name, business details, and check history — is permanently and irreversibly removed from our systems within the 30-day grace period. Anonymous audit log entries (which contain no PII) are not affected by account deletion.
We do not sell your data. We do not share your data with advertisers or data brokers. The only third parties who receive or process your data are service providers and official validation recipients necessary to operate the service:
| Recipient | Role | Data processed | Location |
|---|---|---|---|
| Neon (neon.tech) | PostgreSQL database hosting | All account data, check history, credit ledger | EU region (AWS eu-central-1) |
| Upstash (upstash.com) | Redis cache (rate limiting & VIES response caching) | IP addresses (rate limiting), hashed check keys (VIES cache) — no PII in cache values | EU region |
| Vercel (vercel.com) | Serverless hosting and edge network | HTTP request data (IP address, headers) processed transiently; no persistent storage by Vercel | Primarily EU; edge requests may be processed in non-EU regions (see Section 7) |
| HMRC (hmrc.gov.uk) | Official UK VAT validation source for GB VAT numbers | Submitted GB VAT numbers and, where applicable, related business identity data needed to perform the validation you requested | United Kingdom |
| European Commission VIES (europa.eu) | Official EU VAT validation source for EU VAT numbers | Submitted EU VAT numbers and related validation metadata returned as part of the lookup response | European Union |
Each sub-processor is bound by a Data Processing Agreement (DPA) with Versys and processes data only on our documented instructions.
HMRC and the European Commission are not Versys infrastructure providers. They are independent public-sector recipients of the validation data you ask us to submit in order to complete the lookup you requested.
We only send the minimum lookup data needed for the requested validation. We do not send your account password, payment information, or unrelated profile data to HMRC or VIES.
We may disclose data if required to do so by applicable law, court order, or to protect the rights, property, or safety of Versys or others — but only to the minimum extent required.
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
To exercise any of these rights, email privacy@versys.io. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
Where we rely on legitimate interests, you also have the right to object to that processing. If you object, we will assess whether we have compelling legitimate grounds to continue. This does not affect processing that is necessary to provide a service you have specifically requested under a contract.
We do not use automated decision-making or profiling of any kind. We do not send marketing emails. There is nothing to opt out of beyond the service itself.
If you are dissatisfied with how we handle your data, you have the right to lodge a complaint with your national data protection authority. In the EU, a list of supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.
Our primary data stores (Neon PostgreSQL and Upstash Redis) are hosted in EU regions and your data at rest does not leave the EEA.
Vercel operates a global edge network. When you make a request to versys.io, Vercel's infrastructure may route that request through a server outside the EEA (for example, in the United States) for performance reasons. This is a transient processing operation — no personal data is persisted by Vercel outside the EEA. Vercel's Standard Contractual Clauses (SCCs) and supplementary technical measures govern these transfers.
We do not knowingly transfer and store personal data in any country outside the EEA that lacks an adequacy decision or appropriate safeguards under Article 46 GDPR.
We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where we hold your email address and the change affects you significantly, notify you by email.
Continued use of Versys after a policy update constitutes acceptance of the revised policy. We encourage you to review this page periodically.
For any questions about this policy or about how we handle your personal data, please contact us at:
Email: privacy@versys.io
Website: versys.io
We aim to respond to all privacy enquiries within 5 business days and will always respond within the 30-day period required by GDPR.
We do not sell your data. We do not run advertising. We do not track you across the web. We do not use analytics cookies. We do not send marketing emails. We do not make automated decisions about you. We do not process sensitive personal data (health, financial account numbers, biometrics, etc.).