Privacy Policy

Last updated: June 14, 2026

1. Introduction

SysWithIT SASU ("we", "our", or "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use TIN Validate ("the Service").

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable French data protection laws.

2. Data Controller

SysWithIT SASU

7 Rue Brulée, 57100 Thionville, France

SIREN: 944 748 771

Email: [email protected]

3. Customer Data and Processing on Behalf of Business Customers

TIN Validate is a business-to-business service. We act as an independent controller for account, billing, security, support, legal compliance, and Service operations data that we decide how and why to process.

Where a business customer submits TINs, country selections, API requests, validation inputs, validation results, or related metadata to the Service for its own business purposes and determines the purposes and means of that processing ("Customer Data"), the customer is the controller and SysWithIT SASU acts as a processor for that Customer Data. This section forms part of our data processing terms for standard use of the Service together with our Terms of Service. If you need a separately signed data processing agreement, contact us at [email protected].

Processing Details

  • Subject matter: Providing TIN validation, account access, API access, usage records, support, security, and related Service functionality.
  • Duration: For as long as the customer uses the Service and for any retention period needed for account administration, security, legal obligations, billing records, dispute resolution, backups, or enforcement.
  • Nature and purpose: Receiving validation requests, validating submitted TIN data, returning validation results, recording usage and validation history, enforcing quotas, preventing abuse, maintaining security, providing support, and operating the Service.
  • Types of personal data: Submitted TIN or tax number values, country selections, validation inputs and outputs, validation timestamps, request channels, API request metadata, account identifiers, guest identifiers where applicable, derived guest fingerprint identifiers where applicable, contact details, support content, and technical logs.
  • Categories of data subjects: The customer's suppliers, clients, employees, contractors, representatives, taxpayers, or other people whose information the customer submits to the Service.

Customer Instructions and Responsibilities

We process Customer Data only on documented customer instructions, including the Terms of Service, this Privacy Policy, the Service interface, API documentation, customer configuration, and support requests, unless applicable law requires otherwise. The customer is responsible for having a valid legal basis, providing required notices, handling its own data subject relationships, and ensuring that Customer Data submitted to the Service is lawful, accurate, and limited to what is necessary.

Confidentiality, Security, and Subprocessors

We restrict access to Customer Data to personnel and service providers who need it for the Service and who are subject to confidentiality obligations. We use appropriate technical and organizational measures designed to protect Customer Data, including access controls, authentication, encryption in transit, logging, monitoring, and operational security controls.

We may use subprocessors and recipients to provide the Service, including hosting and infrastructure providers, security and monitoring providers, Cloudflare Turnstile for bot protection and challenge verification, transactional email providers, support tools, and payment providers where relevant, including Paddle for checkout, billing, and payment-related data. We remain responsible for our subprocessors' performance of their data protection obligations and require materially equivalent data protection commitments from them. We will provide notice of material subprocessor changes where required by law or contract.

Transfers, Deletion, and Assistance

Customer Data may be processed in the European Economic Area and in other countries where our service providers operate. Where required, we use appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.

After account deletion, termination, or a verified customer request, we will delete, return, or anonymize Customer Data within a reasonable period, except where retention is required or permitted for legal obligations, billing records, security, backups, dispute resolution, or enforcement. Backup copies are deleted or overwritten according to normal backup rotation.

Taking into account the nature of the Service and the information available to us, we will provide reasonable assistance with data subject requests, security obligations, and privacy compliance requests relating to Customer Data. If we become aware of a personal data breach affecting Customer Data that we process as a processor, we will notify the affected customer without undue delay.

4. Data We Collect

We collect the following types of personal data:

Account Information

  • Email address
  • Password (encrypted)
  • Account preferences

Usage Data

  • Submitted TIN or tax number values
  • Country codes or country selections
  • Validation results, including whether a submitted TIN was reported as valid or invalid
  • Validation timestamps and request channel, such as web interface, REST API, or guest flow
  • Usage and account history, including completed validation records shown in your account where applicable
  • Guest validation usage records, which may include submitted TIN values and guest identifiers where applicable
  • Guest quota records, including generated guest identifiers, derived fingerprint identifiers, last usage date, and usage count
  • API usage statistics
  • Credit consumption history

Completed TIN validation requests are logged in usage records. For registered users, those records can appear in account usage history. Guest validation inputs may also be stored in usage records without a registered user ID, together with guest identifiers where applicable, for quota, abuse prevention, diagnostics, support, and security purposes.

Technical Data

  • IP address
  • Browser type and version, including user agent
  • Device information
  • Access timestamps
  • Security and anti-abuse identifiers, including guest cookie identifiers and derived guest fingerprint identifiers
  • Masked IP-derived and user-agent-derived signals used to create guest fingerprint identifiers for quota and abuse controls
  • Cloudflare Turnstile challenge responses and related bot-protection signals

For guest validation controls, we may create a derived fingerprint identifier from a masked IP address and a shortened user-agent value. The guest quota record stores the derived identifier, identity type, last usage date, and usage count. It does not store the raw masked IP and user-agent pair used to create the identifier, although IP addresses and user agents may appear in ordinary technical logs.

Payment Data

Payment information is processed by our payment provider, Paddle.com. We do not store your credit card details. Please refer to Paddle's Privacy Policy for details on how they handle payment data.

5. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract: To provide the Service and fulfill our obligations to you
  • Legitimate Interest: To improve our Service and prevent fraud
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: For marketing communications (where applicable)

6. How We Use Your Data

  • To provide and maintain the Service
  • To validate submitted TIN or tax number values and return validation results
  • To keep usage and account history for audit, troubleshooting, and account management
  • To process your transactions and manage your account
  • To administer validation credits, subscriptions, API access, and guest validation quotas
  • To send service-related communications
  • To improve and personalize your experience
  • To investigate support requests, technical errors, fraud, abuse, refund requests, billing disputes, and chargebacks
  • To operate rate limiting, bot protection, guest fingerprinting, and other security controls
  • To detect and prevent fraud and abuse
  • To comply with legal obligations

7. Data Sharing

We may share your data with:

  • Paddle.com: Our payment processor and Merchant of Record
  • Cloud Service Providers: For hosting and infrastructure (AWS)
  • Cloudflare Turnstile: For bot protection, challenge verification, rate limiting, abuse prevention, and security controls
  • Email Service Providers: For transactional emails
  • Legal Authorities: When required by law

We do not sell your personal data to third parties.

Submitted TIN values are not part of normal payment processing by Paddle. Where necessary, we may share limited validation, usage, account, or transaction information with service providers, Paddle, legal authorities, or professional advisers to investigate support issues, fraud, abuse, security incidents, refund requests, billing disputes, chargebacks, legal claims, or compliance obligations.

8. International Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions
  • Other legally recognized transfer mechanisms

9. Data Retention

We retain your personal data for as long as necessary to:

  • Provide the Service and maintain your account
  • Comply with legal obligations (e.g., tax records for 10 years)
  • Resolve disputes and enforce agreements

When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal purposes.

Registered account validation history is retained while your account remains active so that we can provide account usage history, support, auditability, credit accounting, fraud prevention, and dispute handling. This history may include the submitted TIN or tax number value, country code, validation result, validation timestamp, request channel, and related usage metadata.

When a registered account is deleted, account-linked usage records are deleted or anonymized within 30 days. Stored submitted TIN values in account-linked usage metadata are removed or anonymized as part of that process, except where limited retention is required or permitted for legal obligations, billing records, security, fraud prevention, backups, dispute resolution, or enforcement.

Guest validation usage records may be stored without a registered user ID, together with guest identifiers where applicable, for guest quota enforcement, abuse prevention, diagnostics, support, and security. We retain guest validation records only for as long as reasonably necessary for those purposes, then delete or anonymize them. If you ask us to delete guest validation data, we will do so where we can reasonably verify and locate the relevant records.

Guest quota and derived fingerprint records are retained separately from registered account records. They are used to enforce daily guest validation limits, rate limiting, abuse prevention, fraud prevention, and security controls. Daily counts are evaluated by usage date. We retain these records only for as long as reasonably necessary for quota, abuse-prevention, security, diagnostics, dispute, or legal purposes, then delete or anonymize them.

10. Your Rights

Under the GDPR, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, please contact us at [email protected].

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training on data protection

12. Cookies

We use cookies and similar technologies to provide and improve our Service. For detailed information, please see our Cookie Policy.

13. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL).

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

Terms of Service | Cookie Policy | Legal Notice