1. Who we are
BelgiumInvoice is a Belgian API service for parsing and validating structured e-invoices (Peppol UBL-XML, Factur-X, and PDF). The service is operated by X3I Inc., Leuven, Belgium. For privacy enquiries, contact us at privacy@belgiuminvoice.be.
2. What data we process
When you call our API, we receive:
- The invoice document you upload (XML or PDF)
- Your API key (used to authenticate and count usage)
- Standard HTTP metadata: IP address, user-agent, timestamp
The invoice document is processed entirely in-memory. The extracted JSON result (not the original document) may be stored transiently so you can retrieve it via the GET /v1/invoices/{id} endpoint. Document bytes are never written to persistent storage.
3. Legal basis (GDPR Art. 6)
Processing is based on contractual necessity (Art. 6(1)(b) GDPR) — processing your invoice document is the core service you contracted for. Usage metadata is processed under our legitimate interest (Art. 6(1)(f)) in operating and securing the service.
4. Data retention
- Invoice documents: not retained. Processing is in-memory only.
- Extracted JSON results: stored for up to 30 days so you can retrieve them, then permanently deleted.
- Usage records: retained for 13 months for billing reconciliation.
- Account data (API key, email, tier): retained for the duration of your account plus 30 days after deletion.
5. Sub-processors and data location
We use the following sub-processors, all located within the EU/EEA:
- Supabase (EU region) — database for usage records and extracted JSON.
- Google Cloud Run (europe-west1, Belgium) — API compute. Invoice documents are processed here in-memory.
- Stripe — payment processing for paid subscriptions. Stripe is certified under the EU-U.S. Data Privacy Framework.
No invoice document content ever leaves EU territory.
6. Your rights under GDPR
You have the right to access, rectify, erase, or port your personal data, and to restrict or object to processing. To exercise these rights, email privacy@belgiuminvoice.be. We respond within 30 days. You may also lodge a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be).
7. Security
All API traffic is encrypted over TLS 1.2+. API keys are transmitted in headers and never logged. Database connections use SSL. We apply the principle of least-privilege to all infrastructure access.
8. Cookies and website analytics
The belgiuminvoice.com website does not use tracking cookies or third-party analytics. We do not use Google Analytics, Meta Pixel, or similar tools. No personal data is collected by visiting the website.
9. Changes to this policy
We will update this page if our data practices change materially. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the API after a policy update constitutes acceptance.
10. Contact
For any privacy-related question or to exercise your data rights, contact us at privacy@belgiuminvoice.be.