Privacy Policy

Last updated: March 10, 2026

This Privacy Policy explains how NormaForm (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use our e-invoicing service at normaform.eu (the “Service”).

1. Data Controller

NormaForm is the data controller responsible for your personal data. You can exercise your data rights directly through your account settings at normaform.eu/settings.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

  • Email address (for authentication and communication)
  • Password (securely hashed, never stored in plain text)

2.2 Company Information

  • Company name and legal name
  • VAT number
  • Business address
  • IBAN (optional, for invoice payment details)

2.3 Contact Information

  • Your customers' company names and legal names
  • Your customers' VAT numbers
  • Your customers' business addresses
  • Your customers' email addresses (optional)

2.4 Invoice Data

  • Invoice numbers, dates, and amounts
  • Line item descriptions, quantities, and prices
  • VAT rates and calculations
  • Generated XML and PDF files

2.5 Technical Data

  • IP address and browser information (for security)
  • Usage patterns (pages visited, features used)

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract performance: Processing your company and invoice data is necessary to provide the e-invoicing service you signed up for.
  • Legal obligation: We retain invoice data for 10 years as required by the EU VAT Directive (Article 247) for tax compliance purposes.
  • Legitimate interest: We process technical data to maintain security, prevent fraud, and improve our service.

4. How We Use Your Data

We use your personal data to:

  • Provide and operate the e-invoicing service
  • Generate legally compliant e-invoice files (ZUGFeRD, XRechnung, FacturaE)
  • Store and archive your invoices for the required retention period
  • Send transactional emails (account confirmation, password reset)
  • Process subscription payments
  • Provide customer support
  • Improve and secure our service

5. Data Retention

We retain your data as follows:

  • Invoice data: 10 years from creation, as required by the EU VAT Directive for tax compliance.
  • Account and company data: Until you delete your account.
  • Technical logs: 90 days for security purposes.

6. Data Hosting and Security

All your data is hosted exclusively within the European Union (Frankfurt, Germany) using Supabase's EU infrastructure. Your data never leaves the EU.

We implement appropriate security measures including:

  • Encryption in transit (TLS) and at rest
  • Row-level security ensuring you can only access your own data
  • Secure password hashing
  • Regular security updates

7. Third-Party Processors

We use the following third-party services to operate NormaForm. All processors are GDPR-compliant and process data within the EU or under appropriate safeguards:

  • Supabase (EU - Frankfurt): Database hosting, authentication, file storage
  • Stripe (EU): Payment processing and subscription management
  • Resend: Transactional email delivery
  • Vercel (EU): Application hosting

8. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: View all your data in your account dashboard.
  • Right to rectification: Edit your company and contact information in Settings.
  • Right to erasure: Delete your account and all associated data from Settings.
  • Right to data portability: Export all your data as JSON from Settings.
  • Right to restriction: Contact us to restrict processing of your data.
  • Right to object: Contact us to object to specific processing activities.

You can exercise your rights to access, rectification, erasure, and data portability directly through your account settings.

9. Cookies

We use only essential cookies required for the service to function (authentication session). We do not use tracking or advertising cookies.

10. Children's Privacy

NormaForm is a business service not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our website. The “Last updated” date at the top indicates when the policy was last revised.

12. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority. For users in Spain, this is the Agencia Española de Protección de Datos (AEPD). For users in Germany, contact your state's data protection authority (Landesdatenschutzbehörde).

13. Contact

For any questions about this Privacy Policy or your personal data, please use the contact options available in your account settings or reach out through our website.


This Privacy Policy is governed by Spanish law in accordance with the General Data Protection Regulation (EU) 2016/679.