Privacy Notice
Who we are
Eitoo is operated by Itay Kahan, a natural person. There is no registered legal entity. Contact: privacy@eitoo.eu.
Eitoo provides an automated EU VAT refund processing service under Council Directive 2008/9/EC.
What data we collect and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address | Account authentication (magic link) | Art. 6(1)(b) — contract |
| Company name, country, VAT ID | VIES validation & VAT refund eligibility | Art. 6(1)(b) — contract |
| NACE code (auto-derived) | Business activity classification for deductibility rules | Art. 6(1)(b) — contract |
| Invoice / receipt content — authenticated /scan (vendor, amounts, dates) | AI-assisted extraction, VAT calculation, compliance audit | Art. 6(1)(b) — contract |
| Invoice / receipt content — public /recover demo (vendor, amounts, dates) | AI-assisted extraction and VAT recovery estimate | Art. 6(1)(a) — consent (collected at the dropzone before upload) |
| Invoice / receipt content — public /analyze tool (vendor, amounts, dates, your selected country, optional VAT ID) | AI-assisted compliance analysis and refund eligibility check | Art. 6(1)(a) — consent (collected via checkbox before upload) |
We do not process special-category data (Art. 9) and do not make decisions based solely on automated processing that produce legal effects (Art. 22).
Who processes your data
| Sub-processor | Role | Data location |
|---|---|---|
| Supabase Inc. | Authentication, database hosting | EU / US (see Supabase DPA) |
| Anthropic PBC | AI-assisted extrapolation of invoice data for VAT recovery analysis. Vendor name, country, invoice date, VAT amount, total amount, refundable amount, and expense category are sent to Anthropic's Claude API. | United States (Anthropic's default region) |
| Google LLC (Document AI) | OCR / document extraction | EU / US (see Google DPA) |
| Render Services Inc. | Backend API hosting | US |
| Vercel Inc. | Frontend hosting | US / Edge |
| Functional Software (Sentry) | Error tracking & telemetry | US |
| Upstash Inc. | Rate limiting (Redis) | EU / US |
Where data is transferred outside the EU/EEA, transfers are covered by Standard Contractual Clauses (SCCs) or an EU adequacy decision.
For the public /recover demo and /analyze tool: Eitoo's Vercel proxy processes your upload in memory and does not persist the invoice. The invoice content is forwarded to the processing backend (Google Document AI for OCR, Anthropic Claude for classification) and may be retained by Anthropic for up to 30 days under their standard API tier (see sub-processors above). Eitoo retains nothing beyond the request lifecycle.
Anthropic data retention. Eitoo currently uses Anthropic's standard API tier and does not have a Zero Data Retention agreement in place. Under Anthropic's standard policy, API inputs and outputs may be retained by Anthropic for up to 30 days for trust & safety and abuse-monitoring purposes. This means the invoice fields listed in the Anthropic row above may be retained by Anthropic for up to 30 days, after which they are deleted by Anthropic per their policy. We do not control this retention window.
How long we keep your data
We retain your account data and processed invoice results for as long as your account is active. If you delete your account, we erase your personal data within 30 days, except where retention is required by law (e.g. tax/accounting obligations).
Raw invoice images sent for AI extraction are not persistently stored beyond the processing session.
Your rights
Under the GDPR you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten", Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing (Art. 21)
To exercise any right, email privacy@eitoo.eu. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority (list: EDPB member authorities).
The public /recover demo & /analyze tool
Withdrawing consent. If you provided consent at the public /recover demo or /analyze tool, you may withdraw at any time by emailing privacy@eitoo.eu. Because the demo does not retain a persistent identifier linked to your upload, withdrawal after processing is largely informational — we will confirm in writing that no data linked to you remains.
Voluntariness. Providing an invoice at /recover or /analyze is entirely voluntary. The only consequence of not providing one is that no estimate can be generated.
How the estimate is computed. The estimate is generated by sending the invoice image to a large language model (Anthropic Claude), which extracts the vendor, invoice date, line items, VAT amount, and total. Those fields are then run through 15 compliance gates derived from EU Council Directive 2008/9/EC to determine whether the VAT is refundable. The output is an estimate, not a guaranteed refund amount, and no refund is filed on your behalf.
Cookies & tracking
We use only strictly necessary cookies for authentication session management. We do not use advertising or analytics cookies. Sentry collects anonymous error telemetry to improve service reliability.
Disclaimer
Eitoo is an estimation tool, not a tax filing service. Estimates may be inaccurate or incomplete. Nothing on this site constitutes tax, legal, or financial advice. Consult a qualified professional before acting on any output. See our Terms of Use for full disclaimers.
Changes to this notice
We may update this notice to reflect changes in our processing. We will notify you by email of any material changes before they take effect.