Who we are
SAFTCheck is an independent SaaS project registered and operated from Portugal. Primary contact: [email protected].
The operator behind saftcheck.com is the data controller for personal data processed through this service. The full registered identity (legal name, Portuguese ENI registration details) is disclosed on request to any data subject exercising rights under Articles 15–21 of the GDPR — write to the address above and we respond within 30 days. This policy explains what we collect, why, and what your rights are under the GDPR (Regulation (EU) 2016/679) and the Portuguese Data Protection Law (Lei n.º 58/2019).
What we collect
1. Files you upload
- SAF-T XML files uploaded for validation. These contain customer data, supplier data, invoices, and tax identifiers. We treat the contents as confidential.
- Edits you apply: if you use the inline editor (paid feature) to patch a NIF, ATCUD or header date, the new value is written to the same uploaded file in our temporary storage and is subject to the same 60-minute deletion window. The original pre-edit version is overwritten and not retained.
- Retention: uploaded files are stored on our server only as long as required to validate them, offer the auto-fix download and accept inline edits. Files are automatically deleted within 60 minutes via a scheduled purge job.
- What we keep after deletion: only validation metadata for signed-in users (filename, NIF in the file, fiscal year, error counts, file SHA-256 hash, file size). The XML contents are never persisted.
2. Account data
- Email address (required to receive magic-link sign-in).
- Sign-in timestamps and IP address (for fraud and abuse prevention).
- Validation history rows (filename, NIF, error counts, timestamps) for the dashboard.
3. Billing data
- Payments are processed by Paddle, our Merchant of Record. We do not store credit card details. Paddle's privacy notice applies to payment data: paddle.com/legal/privacy.
- We retain transaction IDs, invoice references, and subscription status received from Paddle.
4. Technical data
- Server logs: IP address, user agent, request paths, response codes. Retained 30 days.
- Cookie: a session cookie for authenticated users; a locale preference cookie. No third-party analytics or advertising trackers by default.
Why we process your data — legal bases
- Contract performance (Art. 6(1)(b)) — to validate the SAF-T file you submit and to deliver paid features.
- Legitimate interest (Art. 6(1)(f)) — to keep server logs for security, prevent abuse, and improve the service.
- Legal obligation (Art. 6(1)(c)) — to retain billing records for the period required by Portuguese tax law.
- Consent (Art. 6(1)(a)) — for any optional cookie or feature that explicitly asks for it.
Sub-processors
Our infrastructure stack:
- Hetzner Online GmbH (Germany) — application hosting and database.
- Paddle.com Market Limited (UK) — payments and Merchant of Record.
- Postmark / Resend — transactional email (sign-in links, receipts).
All sub-processors are bound by their own GDPR-compliant terms.
Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and all associated data ("right to erasure").
- Export your data in a portable format.
- Withdraw consent for any processing based on consent.
- Lodge a complaint with the Portuguese Data Protection Authority (CNPD): cnpd.pt.
You can exercise the right to deletion directly inside your account at https://saftcheck.com/account. For all other requests, email [email protected] — we respond within 30 days.
International transfers
Our hosting (Hetzner) is in the EU. Some sub-processors (e.g. Postmark) are US-based and rely on the EU–US Data Privacy Framework or Standard Contractual Clauses for transfers.
Changes to this policy
If we make material changes, we update the "Last updated" date and notify signed-in users by email.