Vatrax
Privacy Policy
Last updated: 14 April 2026
Short version: your transactions, receipts and Revenue correspondence belong to you. We only process them to run the service. We never sell data. You can export or delete everything you put in.
1. Who is the data controller
Vatrax is the data controller for the personal data you give us through the app. Email [email protected] for any privacy question.
2. What we collect
| Category | Examples | Why |
|---|
| Account | Name, email, password hash, login history | Run your account, send receipts and reminders |
| Business | Business name, VAT number, mode, registered address | Compute VAT, corporation tax and filing deadlines |
| Transactions | Income and expense lines, supplier, amount, VAT, category | Classify, forecast and pre-fill returns |
| Documents | Receipts, invoices, Revenue letters, audit packs | 6-year Irish retention and audit readiness |
| Bank metadata | Institution, IBAN, transaction descriptions via PSD2 | Automatic bank classification |
| Revenue correspondence | Emails, ROS messages, call notes, next actions | Your Revenue CRM timeline |
| Technical | IP address, user agent, error logs | Security, anti-abuse, debugging |
3. Why we process it (legal bases)
- Contract — to deliver the features you pay for.
- Legal obligation — to meet Irish tax, financial-record and accounting rules (including the 6-year retention window).
- Legitimate interest — product reliability, security, fraud prevention, improving classifications.
- Consent — for optional things like marketing emails or connecting a bank via Open Banking. You can withdraw consent at any time.
4. Who sees your data
Only the Vatrax engineers that need to, plus a small set of trusted sub-processors that power parts of the service:
- Vultr — EU cloud hosting for the app and database.
- GoCardless Bank Account Data (Nordigen) — PSD2 Open Banking.
- OpenAI, Anthropic, Google — LLM classifications and article generation. We only send the minimum context needed.
- Emailit — transactional email.
- PayPal and Stripe — subscription billing.
We do not sell, rent or share your data for advertising.
5. How long we keep it
- Documents classified as accounting records are kept for at least 6 years after the tax year they relate to — this is a legal requirement under Irish tax law.
- Account data is kept while your subscription is active, plus 30 days after cancellation for recovery.
- You can always export everything or ask us to delete everything not required by law.
6. Your GDPR rights
You can ask us to:
- Show you a copy of everything we hold about you (access).
- Correct anything wrong (rectification).
- Delete everything not required by law (erasure).
- Stop certain kinds of processing (restrict / object).
- Export a machine-readable copy (portability).
- Complain to the Data Protection Commission (dataprotection.ie).
Email [email protected] and we'll handle it within one calendar month.
7. Cookies
We only use first-party cookies required to keep you signed in and remember which business you are viewing. No third-party advertising or tracking cookies.
8. Changes
If we change this policy we'll email you and show a notice in the app at least 14 days before the change takes effect.