Privacy Policy
Last updated: February 2026
1. Data Controller
Mandato ("we", "us", "our") operates the getmandato.dev platform and API service. We are the data controller for personal data processed through our services.
2. Data We Collect
We collect the following types of data:
- Account data: Email address, company name, and billing information when you register.
- Invoice data: Invoice content submitted through our API, including supplier/customer names, VAT numbers, and line items.
- Usage data: API call logs, IP addresses, and request metadata for security and analytics.
- Technical data: Browser type and device information when you access the dashboard.
3. How We Use Your Data
We process your data to:
- Provide and operate the e-invoicing API service.
- Submit invoices to government systems on your behalf.
- Send you service-related communications and notifications.
- Monitor and improve service performance and security.
- Comply with legal obligations (e.g., tax record retention).
4. Data Storage and Security
All data is stored on Hetzner Cloud servers in Nuremberg, Germany. Data never leaves the European Union. We use AES-256-GCM encryption for sensitive credentials and TLS 1.3 for data in transit.
5. Data Retention
Invoice data and audit logs are retained for 10 years to comply with EU tax record-keeping requirements. Account data is retained for the duration of your account plus 30 days after deletion. Usage logs are retained for 90 days.
6. Third-Party Services
We share data only with:
- Government tax authorities (ANAF, SDI, etc.) — as necessary to submit invoices.
- Stripe — for payment processing (governed by Stripe's privacy policy).
- Sentry — for error tracking (no invoice content is sent).
We do not sell your data to third parties.
7. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Request erasure (subject to legal retention requirements).
- Restrict or object to processing.
- Request data portability.
- Lodge a complaint with a supervisory authority.
8. Cookies
Our marketing site (getmandato.dev) does not use tracking cookies or third-party analytics. The dashboard uses strictly necessary session cookies only.
9. Contact
For privacy-related inquiries, contact us at privacy@getmandato.dev.