Data Protection
Last updated: 23 March 2026
Data Controller
Service: SAF-T Validator (Luxembourg FAIA Validator)
Contact: team@saft-validator.com
SAF-T Validator ("we", "our", or "us") is committed to protecting your privacy and ensuring the security of your personal information in accordance with the General Data Protection Regulation (GDPR) and Luxembourg data protection law. This Data Protection policy explains how we collect, use, store, and protect your data when you use our FAIA XML validation service.
You may browse our website without providing personal data. In this case, only technical information (date, time, browser type, IP address) is collected anonymously to ensure the proper functioning of the website.
Free Tier: Your XML files are validated entirely in your browser and never uploaded to our servers.
Paid Tiers (Standard, Professional & Enterprise): Your XML files are sent to our secure EU servers for comprehensive validation, processed in memory, then permanently deleted. See Section 1.4 for details.
1. Information We Collect
1.1 Account Information
When you sign up for an account, we collect:
- Name and email address from your professional profile
- User ID (for authentication purposes)
- Account creation date and last login timestamp
- Subscription tier (Free, Standard, Professional, or Enterprise)
1.2 Payment Information
For paid subscriptions, payment processing is handled by our PCI DSS-compliant payment provider. We collect:
- Payment provider customer ID (to link your account with billing)
- Subscription status and billing cycle information
- We do NOT store credit card numbers or payment details. These are handled securely by our PCI DSS-compliant payment provider
1.3 Usage Data
To provide and improve our service, we collect:
- Validation history (number of validations performed, timestamps)
- Validation quota usage (for Standard, Professional, and Enterprise tiers)
- Technical information: browser type, device type, IP address, and access times
- Feature usage statistics (which features you access)
1.4 XML File Handling (Tier-Specific)
Free Tier: Zero Data Transmission
Your files are validated entirely on your device. We never receive, store, or process your files on our servers. Your sensitive financial data never leaves your device. Only schema validation is performed.
Paid Tiers (Standard, Professional & Enterprise): Secure Server Processing
To provide comprehensive validation with Luxembourg business rules and reference integrity checks, your file is transmitted to our secure European servers. Here's exactly what happens:
- Transmission: Your file is sent via encrypted HTTPS connection
- Processing: File is loaded into server memory only (never written to disk)
- Validation: Business rules validation completes within seconds
- Deletion: File is permanently cleared from memory immediately after validation
- No Retention: We never log, store, backup, or retain XML file contents
- What We Store: Only validation quota usage (e.g., "1 validation used today"). We never store file contents or results
Your Consent: By using paid tier validation, you consent to this secure server processing for validation purposes only.
2. Legal Basis for Processing
Under the GDPR, we process your personal data on the following legal bases:
Contractual Necessity (Art. 6(1)(b) GDPR)
Processing necessary to perform our contract with you: account creation and management, service delivery and validation processing, subscription billing and payment handling, and providing tier-appropriate features.
Legitimate Interest (Art. 6(1)(f) GDPR)
Processing necessary for our legitimate interests: service improvement and usage analytics, fraud detection and platform security, technical infrastructure maintenance, and responding to support inquiries.
Consent (Art. 6(1)(a) GDPR)
Processing based on your explicit consent: non-essential cookie preferences (analytics, marketing), and any future marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal Obligation (Art. 6(1)(c) GDPR)
Processing required to comply with applicable laws: retention of billing records for Luxembourg tax regulations, and responding to lawful requests from regulatory authorities.
3. How We Use Your Information
We use your personal information for the following purposes:
- Account Management: To create and manage your account, authenticate your identity, and provide access to your subscription tier
- Service Delivery: To enforce validation quotas, track usage limits, and provide tier-appropriate features
- Billing and Payments: To process subscription payments, manage billing cycles, and provide invoices
- Customer Support: To respond to your inquiries and provide technical support
- Service Improvement: To analyse usage patterns and improve our validation engine and user experience
- Fraud Prevention: To detect and prevent misuse, abuse, or unauthorised access to the platform
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
- Communications: To send important service updates, security alerts, and subscription notifications (we do not send marketing emails unless you opt in)
4. Data Storage and Security
4.1 Where We Store Data
- Database Infrastructure: User profiles, authentication data, and subscription information are stored in EU-based servers
- Payment Provider: Payment and billing data is processed and stored by our PCI DSS-compliant payment provider
- Free Tier: Validation happens entirely on your device. No server transmission
- Paid Tiers: Files are processed on our EU servers for validation, then immediately deleted. No permanent storage
4.2 Security Measures
We implement industry-standard security measures including physical, electronic, and procedural safeguards:
- HTTPS/TLS encryption for all data transmission via certified servers
- Secure authentication via professional identity provider
- Password-less authentication (no password storage risks)
- Regular security audits and updates
- Access controls and monitoring for our backend systems
- PCI DSS Level 1 compliant payment processing
- Technical and organisational measures against unauthorised access, loss, or manipulation of data
5. Third-Party Services
We use the following third-party services to provide our application:
Identity Provider
For secure sign-in via professional identity verification. Collected data: name, email, user ID.
Payment Provider (EU-based)
For secure online payment processing and subscription management. We never store your payment card details.
Database & Authentication Infrastructure
EU-hosted database and authentication infrastructure for secure data storage.
6. Data Sharing & Recipients
Your personal data may be shared with the following categories of recipients, strictly for the purposes described in this policy:
- IT Infrastructure Providers: Database provider and hosting provider, for system operation and maintenance
- Payment Provider: PCI DSS-compliant payment processor for secure payment and subscription management
- Authentication Provider: Professional identity provider for secure sign-in
- Legal & Regulatory Authorities: When required by Luxembourg law or in response to lawful requests
We do NOT sell, rent, or share your personal data with advertisers, data brokers, or any third parties for marketing purposes. Data is never shared without a lawful basis.
7. Your Rights Under GDPR
As a user in the European Union, you have the following rights under the General Data Protection Regulation (GDPR). To exercise any of these rights, contact us at team@saft-validator.com with your request. We may require identification documentation to verify your identity.
Right to Access (Article 15)
Confirm whether we process your personal data and obtain a copy of all data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data. You can update most information in your Account Settings.
Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your account and all associated personal data. We may retain certain data for legal compliance (e.g., billing records for tax purposes) as permitted by GDPR Article 17(3).
Right to Restrict Processing (Article 18)
Request limitation of how we process your data, except where required for legal claims or public interest.
Right to Data Portability (Article 20)
Receive your personal data in a structured, commonly used, and machine-readable format to transmit to another controller.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7)
Withdraw consent for data processing at any time. Prior processing based on consent remains lawful.
Right to Lodge a Complaint (Article 77)
Lodge a complaint with Luxembourg's supervisory authority if you believe your data protection rights have been violated: Commission Nationale pour la Protection des Données (CNPD)
Response Times: Standard requests within 30 days. Complex requests up to 60 days (with prior notification). Urgent security matters within 72 hours.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of active membership |
| Closed account data | 90 days after deletion, then permanently removed |
| Billing & financial records | 10 years (Luxembourg tax retention requirement) |
| Usage & technical logs | 12 months for security and debugging |
| XML files (Paid tiers) | Zero retention: deleted immediately after validation |
| Cookie consent preferences | Until you clear your browser data or change preferences |
9. Cookies and Tracking
We use cookies to ensure the proper functioning of our website. When you first visit, a consent banner allows you to accept, reject, or manage your cookie preferences. You can change your preferences at any time using the "Manage preferences" link in the website footer.
9.1 Essential Cookies (always active)
Required for authentication, session management, and security. Cannot be disabled.
| Cookie | Category | Details |
|---|---|---|
| Authentication Token | Authentication | Maintains your signed-in session. Expires after 7 days or on sign out. Secure, encrypted. |
| Session Token | Application | Application session state. Deleted when you close the browser. Secure, first-party only. |
| Sign-In Security Token | Sign-in | Temporary security token during sign-in. Expires after 10 minutes or on successful sign-in. Secure, first-party only. |
9.2 Cookies We Do NOT Use
- Advertising Cookies: No targeted advertising or remarketing
- Analytics Cookies: No Google Analytics, Facebook Pixel, or similar tracking
- Social Media Cookies: No social media tracking pixels
- Third-Party Tracking: No third-party advertisers placing cookies on our site
9.3 Third-Party Cookies
When you use certain features, third-party services may set their own cookies:
- Identity Provider: Authentication cookies governed by the identity provider's cookie policy
- Payment Provider: Fraud detection cookies governed by the payment provider's cookie policy
9.4 Local Storage
In addition to cookies, we use browser Local Storage for:
- Validation state (cleared when you close the tab)
- User preferences (e.g., dark mode)
- Cookie consent preferences
Local Storage data remains on your device and is never transmitted to our servers.
10. Children's Privacy
Our service is intended for business and professional use and is reserved for adults with legal capacity to contract. We do not knowingly collect personal information from individuals under 18 years of age. If you believe we have inadvertently collected such information, please contact us immediately.
11. International Data Transfers
Your personal data is primarily stored in EU-based servers. Some of our service providers may operate outside the European Economic Area. Where data is transferred outside the EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to guarantee an adequate level of data protection.
12. Changes to This Policy
We may update this Data Protection policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email or through a prominent notice on our website. We recommend consulting this policy regularly. Your continued use of the service after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Data Protection policy, wish to exercise your data protection rights, or have concerns about cookies or tracking, please contact us:
Contact: team@saft-validator.com
You also have the right to lodge a complaint with Luxembourg's Commission Nationale pour la Protection des Données (CNPD) at cnpd.public.lu if you believe your data protection rights have been violated.
