How it works Pricing Blog About
Sign in Get started
Privacy

Privacy Policy

Last updated: 10 July 2026

1. Who we are

Vatlio is operated by Talivio Technology OÜ (registry code 16991406), Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia ("Talivio", "we", "us"). For the purposes of the EU General Data Protection Regulation ("GDPR"), Talivio Technology OÜ is the data controller for your account data and, in respect of the order data you connect, acts as a processor on your instructions (see section 4). You can reach us at [email protected].

2. Data we process

  • Account data: your name, email address, hashed password, country of establishment, language preference, and subscription plan.
  • Billing data: your subscription status and invoicing records. Card details are collected and processed directly by Stripe, our payment provider — we never see your full card number.
  • Store and transaction data: order records retrieved from the sales channels you connect (Shopify, Etsy, eBay, WooCommerce) or upload as CSV — order values, currencies, destination countries, VAT amounts and related metadata. This data is processed for one purpose: generating your OSS/IOSS return summaries and the audit records the OSS rules require. The API credentials used to connect a store are stored encrypted.
  • Technical data: session cookies, access logs and IP addresses, used for security, abuse prevention and troubleshooting.

3. Purposes and legal bases

We process your data on the following legal bases under Article 6(1) GDPR: to create and manage your account and subscription, and to generate your OSS/IOSS return summaries and exports — performance of a contract (Art. 6(1)(b)); to meet our own accounting and bookkeeping obligations — compliance with legal obligations (Art. 6(1)(c)); and to secure the service, prevent abuse and troubleshoot problems — our legitimate interest (Art. 6(1)(f)) in keeping the service safe and reliable. We do not use your data for advertising or profiling, and we do not make automated decisions with legal effect about you.

4. Buyer data in your orders — our role

The order data you connect or upload may include personal data of your buyers (for example destination country, order references or amounts). For that data, you — the seller — are the data controller and we act as your processor: we handle it only to produce your OSS/IOSS summaries and record-keeping exports, following your instructions, and never for our own purposes. We will, on request, enter into a GDPR Article 28 data processing agreement with business customers; our standard DPA is available at [email protected].

If you are a buyer of a shop that uses Vatlio: your order details are processed here only so that the seller can summarise its VAT obligations. To access, correct or delete your data, contact the seller you bought from; if you contact us instead, we will pass your request on to them.

5. Who we share data with

We never sell your data, and we do not share it with anyone for advertising or marketing. We rely on a small number of recipients, in two distinct roles:

Processors that act on our behalf under GDPR-compliant agreements and only on our instructions:

  • Our hosting provider and our own email infrastructure, which store data and deliver messages for us. We host within the European Union and do not transfer your personal data outside the EEA ourselves.

Independent controllers that act on their own account, each under its own privacy terms:

  • Stripe, our payment provider, which processes subscription payments and is an independent controller for the payment data it needs. We do not sign a controller-processor DPA with Stripe for the payment flow.
  • The sales channels you connect (Shopify, Etsy, eBay, WooCommerce) are your own data sources and independent controllers of the data held on their platforms. On your instruction we retrieve your order data from them through their official APIs — we do not send your data to them.

Vatlio does not transmit anything to any tax authority. The summaries and exports it produces are downloaded by you or your accountant, and filing them is entirely in your hands.

6. Where your data lives

Vatlio is hosted on infrastructure located in the European Union, and your data is stored and processed there. We do not transfer your personal data outside the EEA ourselves. Where an independent controller you use (such as Stripe or a connected sales channel) processes data outside the EU, that transfer is governed by that provider's own safeguards, such as an adequacy decision or the European Commission's standard contractual clauses.

7. Retention

While your account is active, your account, store and transaction data stay available to you, so that your OSS/IOSS summaries and the ten-year record-keeping trail under Article 63c of the VAT Implementing Regulation remain at hand. That VAT record-keeping obligation is yours as the seller — and the exact period can differ across the EU Member States you sell into — so export your records before you leave; a self-service export is available in your account.

When you delete your account, your personal, store and transaction data are deleted, and in any event within 90 days, except where a legal retention obligation applies. In particular, we keep the minimal billing and accounting records that the Estonian Accounting Act requires us to retain for seven years from the end of the financial year. Backups are purged on our ordinary rotation.

8. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you,
  • have inaccurate data corrected,
  • have your data erased ("right to be forgotten"), subject to legal retention duties,
  • restrict or object to processing based on legitimate interests,
  • receive your data in a portable format,
  • lodge a complaint with a supervisory authority — for us that is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) — or the authority in your own country.

You can export your data and delete your account yourself at any time from your account settings. For anything else, email [email protected]. Where we act as a processor for your buyer data (see section 4), we will forward requests from your buyers to you.

9. Cookies

Vatlio uses only strictly necessary first-party cookies: a session cookie that keeps you signed in (your language choice is stored in the same session), a CSRF cookie that protects forms against abuse, and — if you choose "remember me" — a persistent sign-in cookie. We use no advertising, tracking or third-party analytics cookies; if that ever changes, we will add a consent banner before doing so.

10. Security

Passwords are stored using a one-way hashing algorithm and are never visible to us. Store connection credentials are encrypted at rest. All traffic is encrypted in transit (HTTPS), database access is restricted to authorised personnel, and store connections use the platforms' official APIs with the minimum scopes needed to read order data.

11. Changes to this policy

We may update this policy from time to time. The date at the top shows when it last changed; material changes will be announced in the app or by email.

This policy is provided for transparency and is not legal advice. If you have questions about how a specific obligation applies to your business, consult your own advisor.