Privacy Policy

Last updated: 11 June 2026

This Privacy Policy explains how IntraVAT ApS (“IntraVAT”, “we”, “us” or “our”) collects, uses, stores, protects and shares personal data when you visit our website, contact us, use our services, or authorise us to process data on your behalf, including through third-party platforms such as Amazon Selling Partner API (“Amazon SP-API”).

We are committed to protecting personal data in accordance with applicable data protection legislation, including the General Data Protection Regulation (“GDPR”), the Danish Data Protection Act and relevant cybersecurity and information security requirements. Our information security practices are designed to support high standards of confidentiality, integrity and availability, including principles reflected in NIS2-related cybersecurity risk management.

1. Data Controller

Unless otherwise stated, the data controller is:

IntraVAT ApS
Torvet 9, 1.
4600 Køge
Denmark
Email: info@intravat.com
Phone: +45 88 63 22 99

For certain services, we may act as a data processor on behalf of our customers. Where we process personal data as a processor, the processing is governed by a separate data processing agreement.

2. Personal Data We Collect

We may collect and process the following categories of personal data:

Contact and business information

This may include name, company name, job title, email address, phone number, address, VAT number, company registration number, customer number and other business contact details.

Communication data

This may include information you provide when contacting us by email, phone, contact forms, meetings, support requests or other correspondence.

Customer and service data

This may include information required to deliver our VAT, compliance, reporting, advisory, registration, fiscal representation, platform, integration or related services.

Transaction and accounting-related data

This may include invoices, purchase and sales documentation, VAT-relevant data, import/export information, order information, marketplace data, payment references and other documentation relevant to tax, VAT or compliance services.

Website and technical data

This may include IP address, browser type, device information, operating system, pages visited, time spent on the website, referring websites and cookie identifiers.

Amazon SP-API and marketplace data

Where authorised by a customer or selling partner, we may process data obtained through Amazon SP-API or other authorised Amazon systems. This may include seller account data, order data, transaction data, product data, settlement data, VAT transaction data, invoicing data and, where strictly necessary and authorised, personal data contained in such records.

3. How We Collect Personal Data

We collect personal data when:

  • you visit our website;
  • you contact us or request that we contact you;
  • you become a customer, supplier or business partner;
  • you provide documentation to us for VAT, tax, compliance or advisory purposes;
  • you authorise us to access data through third-party platforms, including Amazon SP-API;
  • we receive information from public registers, authorities, marketplaces, service providers or business partners;
  • we collect technical data through cookies and similar technologies.

4. Purposes of Processing

We process personal data for the following purposes:

Provision of services

To provide VAT registration, VAT reporting, fiscal representation, import and compliance assistance, advisory services, software, platform services, integrations and related support.

Customer administration

To manage customer relationships, onboarding, identity checks, contracts, invoicing, payment handling, communication and support.

Compliance and legal obligations

To comply with VAT, tax, accounting, anti-fraud, regulatory, reporting, audit, documentation and record-keeping obligations.

Platform and integration services

To operate, maintain, support and secure digital services, integrations, APIs and customer-authorised connections, including Amazon SP-API where applicable.

Security and risk management

To protect our systems, customers, data and services against unauthorised access, misuse, disruption, cyber threats, fraud, data loss and security incidents.

Business development and communication

To respond to enquiries, provide relevant information about our services, improve our website and maintain professional B2B relationships.

Legal claims

To establish, exercise or defend legal claims and protect our legitimate business interests.

5. Legal Basis for Processing

We process personal data on the following legal bases:

Contractual necessity

Where processing is necessary to enter into or perform a contract with you or the company you represent.

Legal obligation

Where processing is necessary to comply with VAT, tax, accounting, reporting, regulatory or other legal obligations.

Legitimate interests

Where processing is necessary for our legitimate interests, including customer administration, service delivery, business communication, security, fraud prevention, documentation and improvement of our services, provided that such interests are not overridden by your fundamental rights and freedoms.

Consent

Where required, for example for certain cookies, marketing communication or specific authorisations. Consent can be withdrawn at any time.

Legal claims

Where processing is necessary for the establishment, exercise or defence of legal claims.

6. Amazon SP-API and Amazon Service Provider Data

Where IntraVAT ApS is authorised by a customer, seller or selling partner to access Amazon data, we process such data only for authorised and legitimate business purposes related to the services requested by the customer.

We may process Amazon data for purposes such as:

  • VAT reporting and reconciliation;
  • invoicing and tax documentation;
  • transaction analysis;
  • compliance support;
  • marketplace reporting;
  • customer-authorised integrations;
  • support and troubleshooting;
  • fulfilment of contractual and legal obligations.

We do not sell Amazon data. We do not use Amazon personal data for unauthorised marketing, profiling, advertising, data enrichment or unrelated purposes.

Access to Amazon data is limited to authorised personnel and systems on a need-to-know basis. Where Amazon data includes personally identifiable information or other sensitive marketplace information, we apply enhanced controls, including access restrictions, encryption, logging, monitoring, retention limits and secure deletion.

We only request access to Amazon SP-API roles and data categories that are necessary for the approved service purpose. If access to restricted data is required, we process such data in accordance with applicable Amazon policies, customer authorisations, contractual obligations and applicable data protection law.

Security incidents involving Amazon data

If we become aware of, or reasonably suspect, any unauthorised access, disclosure, loss, misuse, compromise, vulnerability, cyberattack, data breach or other security incident involving systems, credentials, integrations or data related to Amazon SP-API or Amazon marketplace data, we will activate our internal incident response procedures without undue delay.

Our response will include, where relevant:

  • immediate internal escalation to authorised management and technical personnel;
  • containment measures to prevent further unauthorised access or data exposure;
  • assessment of the scope, affected systems, affected data categories and potential impact;
  • protection, rotation or revocation of affected credentials, tokens, API keys or access rights;
  • preservation of relevant logs and evidence for investigation;
  • remediation of identified vulnerabilities or misconfigurations;
  • communication with affected customers, authorities, Amazon and other relevant parties where required.

Where Amazon data, Amazon SP-API credentials, Amazon systems, selling partner data or Amazon-related integrations may be affected, we will follow Amazon’s applicable policies, security requirements and instructions. We will notify Amazon without undue delay and, where required, no later than 24 hours after confirmation of an incident or within any shorter timeframe required by Amazon’s then-current policies or direct instructions.

We will cooperate with Amazon in relation to the investigation, containment, remediation and documentation of any such incident. This may include providing relevant information about the incident, affected data, root cause, remedial actions, preventive measures and any other information reasonably required under Amazon’s applicable developer, data protection, security or service provider requirements.

We will not delay notification to Amazon solely because a full investigation has not yet been completed, provided that there is a reasonable basis to believe that Amazon data, Amazon SP-API access, Amazon systems or selling partner data may be affected. Where complete information is not yet available, we may provide an initial notification followed by updates as the investigation progresses.

7. Security Measures

We apply technical, organisational and operational security measures designed to protect personal data against unauthorised access, accidental loss, destruction, alteration, disclosure or misuse.

Our security measures include, where appropriate:

  • access control based on least privilege;
  • multi-factor authentication for relevant systems;
  • encryption of data in transit and, where appropriate, at rest;
  • secure storage and backup procedures;
  • monitoring, logging and audit trails;
  • vulnerability management and patching;
  • incident response procedures;
  • employee confidentiality obligations;
  • supplier and processor risk assessments;
  • business continuity and disaster recovery planning;
  • secure development and change management procedures;
  • periodic review of security controls.

Our cybersecurity governance is designed to reflect relevant risk-management principles, including those associated with NIS2, such as risk analysis, incident handling, business continuity, supply chain security, vulnerability handling, cryptography, access management and cybersecurity awareness.

8. Data Sharing and Recipients

We may share personal data with:

  • IT hosting and cloud providers;
  • software and platform providers;
  • email, communication and support providers;
  • accountants, auditors, lawyers and professional advisers;
  • tax authorities, customs authorities, VAT authorities and other public authorities;
  • banks and payment providers;
  • business partners and subcontractors assisting us in delivering services;
  • Amazon or other marketplace/platform providers where required for authorised integrations or support;
  • other recipients where required by law, contract or legitimate business necessity.

We only share personal data where there is a lawful basis and, where required, appropriate contractual safeguards are in place.

9. Processors and Sub-processors

Where we use processors or sub-processors to process personal data on our behalf, we enter into appropriate data processing agreements. Such agreements require processors to process personal data only on documented instructions, protect the data adequately, assist with data subject rights and comply with applicable data protection requirements.

10. International Transfers

We primarily seek to process personal data within the EU/EEA. Where personal data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, such as:

  • an adequacy decision by the European Commission;
  • the EU Standard Contractual Clauses;
  • supplementary technical and organisational measures where necessary;
  • other lawful transfer mechanisms under GDPR.

11. Retention of Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected, including to provide services, comply with legal obligations, document compliance, resolve disputes and enforce agreements.

Retention periods may vary depending on the type of data and applicable legal requirements. Accounting, VAT and tax-related documentation may be retained for the period required under applicable accounting and tax legislation.

Amazon SP-API data and marketplace data are retained only for as long as necessary for the authorised service purpose, legal compliance, audit, reconciliation or documentation requirements, after which the data is securely deleted, anonymised or archived in accordance with applicable requirements.

12. Your Rights

Subject to the conditions set out in applicable data protection law, you have the following rights:

  • the right to access your personal data;
  • the right to rectification of inaccurate personal data;
  • the right to erasure;
  • the right to restriction of processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to withdraw consent where processing is based on consent;
  • the right to lodge a complaint with a supervisory authority.

To exercise your rights, please contact us at info@intravat.com.

We may need to verify your identity before responding to a request.

13. Complaints

If you are dissatisfied with how we process your personal data, we encourage you to contact us first.

You also have the right to lodge a complaint with the Danish Data Protection Agency:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Denmark
Website: www.datatilsynet.dk

14. Confidentiality

We treat customer data, marketplace data, tax information, VAT documentation and business records as confidential. Our employees, consultants and relevant service providers are subject to confidentiality obligations.

15. Data Breaches and Security Incidents

If a personal data breach or security incident occurs, we will assess the incident without undue delay and take appropriate measures to contain, investigate and remediate it.

Where required by law, we will notify the relevant supervisory authority and affected individuals within the applicable statutory deadlines. Under GDPR, this may include notification to the competent supervisory authority within 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the incident concerns customer-controlled data, Amazon SP-API data, Amazon marketplace data or third-party platform data, we will also follow applicable contractual, regulatory and platform-specific notification obligations, including any requirement to notify Amazon and cooperate with Amazon in accordance with its applicable policies and instructions.

16. Third-Party Links

Our website may contain links to third-party websites, platforms or services. We are not responsible for the privacy practices, security or content of such third parties. We encourage you to read their privacy policies before providing personal data.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, security practices or business operations.

The latest version will always be available on our website. The date at the top of this policy indicates when it was last updated.

18. Contact

For questions about this Privacy Policy, our processing of personal data or our security practices, please contact:

IntraVAT ApS
Torvet 9, 1.
4600 Køge
Denmark
Email: info@intravat.com
Phone: +45 88 63 22 99

Privatlivspolitik