Privacy Policy
This document has not been reviewed by qualified legal counsel or a data protection specialist. Highlighted items are facts that have not been decided yet - most importantly, retention periods. They are left blank rather than invented.
1. Who controls the data
The service is operated by [OPERATOR TO COMPLETE: legal name of operator (individual / sole proprietor)], an individual (sole proprietor) resident in [OPERATOR TO COMPLETE: UAE emirate of residence], United Arab Emirates. There is no registered company. Contact for any privacy request: [OPERATOR TO COMPLETE: support email address - not yet provisioned].
2. What we actually receive and store
This is the complete list. There is no analytics vendor, no ad pixel, no CRM.
a. Invoice payloads you submit for validation
When you POST an invoice to /v1/validate, we receive the document you send: JSON, an envelope, or UBL 2.1 / PINT AE XML. These payloads routinely contain personal and commercial data - supplier and buyer names, Tax Registration Numbers, addresses, contact names, line items and amounts. We process them for one purpose only: to run the validation rules and return the error list to you.
- We do not sell them, share them, or use them to train models.
- We do not forward them to any tax authority, accredited service provider or third party. The service is preflight validation only - it transmits nothing.
- Retention: [OPERATOR TO COMPLETE: retention period for submitted invoice payloads]. Until this is fixed and published, assume a payload may persist transiently in server memory and in ordinary infrastructure logs; do not submit data you are not comfortable transmitting to us.
- If you need certainty today, redact or synthesise the sensitive fields before validating. Validation rules operate on structure and format, so most checks work on redacted values.
b. API keys and usage metering (MongoDB)
- We store a hash of your API key, never the key itself in plain text.
- We store usage-metering events per key: timestamp, endpoint, whether the request was accepted, and counters used to enforce your plan quota. These are what
GET /usagereports back to you. - We store the email address you gave us (waitlist or account), so we can send you the key and service notices.
- Retention: usage events and request logs - [OPERATOR TO COMPLETE: retention period for request logs and metering events]. Waitlist emails - [OPERATOR TO COMPLETE: retention period for waitlist email addresses].
c. Rate limiting (Redis)
We keep short-lived counters in Redis to enforce rate limits. These are keyed to your API key hash and/or requesting IP address and expire automatically within the rate-limit window. They are not used for profiling.
d. Payments
We never see your card details. Dodo Payments is the merchant of record and processes all payments. Card numbers, CVCs and bank details are collected and stored by Dodo Payments under their own privacy policy, not by us. This website has no payment form. Billing is not live yet, so at present no payment data exists at all.
3. Legal basis and purpose
- Performing the contract: we cannot validate an invoice without receiving it, or meter a plan without counting requests.
- Legitimate interest: rate limiting and abuse prevention, keeping the service up.
- Consent: waitlist and product emails. Every email has a way to stop them.
4. Who else touches the data
Sub-processors used to run the service: our hosting/infrastructure provider, our MongoDB and Redis hosts, our transactional email provider, and Dodo Payments for billing. We do not use advertising or analytics trackers on this site. A definitive named sub-processor list will be published here before billing goes live: [OPERATOR TO COMPLETE: named sub-processor list (hosting, MongoDB host, Redis host, email provider)].
5. Where the data lives
The operator is in the UAE, and infrastructure may be hosted outside the UAE. This means invoice payloads you submit may be processed outside the UAE. [OPERATOR TO COMPLETE: hosting region(s) for API, MongoDB and Redis]. If data residency matters to your compliance position, confirm this before sending real invoices.
6. Your rights
You can ask us what we hold about you, ask for a copy, ask us to correct it, or ask us to delete it - including deleting your key, your usage history and your waitlist entry. Write to [OPERATOR TO COMPLETE: support email address - not yet provisioned]. We will respond within [OPERATOR TO COMPLETE: support response-time commitment]. Deleting your account data does not delete records Dodo Payments must keep as merchant of record for its own tax and accounting obligations.
7. Security
Traffic is served over TLS. API keys are stored hashed. Access to production infrastructure is limited to the operator. We do not claim any security certification - there is no SOC 2, no ISO 27001, and no independent audit of this service.
8. Children
This is a developer tool for businesses. It is not directed at children.
9. Changes
Changes are published on this page with a new effective date. Material changes to how we handle invoice payloads will be emailed to active key holders.
10. Contact
Privacy questions and deletion requests: [OPERATOR TO COMPLETE: support email address - not yet provisioned]. Other channels are on the contact page.
einvoicecheck.ae is a preflight validator. It is not FTA-accredited, it does not transmit legal e-invoices, it does not replace an accredited service provider, and it does not provide statutory archival.