DeterminedVAT — Privacy Policy

Last Updated: April 2026

This Privacy Policy describes how DeterminedAI, LLC, a Delaware limited liability company ("Company", "we", "us", "our"), collects, uses, and protects information when you use the DeterminedVAT tax determination platform ("Service").

1. Information We Collect

1.1 Account Information

When you register for the Service, we collect:

• Company name and business address
• Contact name and email address
• Billing information (processed by our payment provider)
• Tax identification numbers (VAT/GST registration numbers)

1.2 Transaction Data

To perform tax determinations, we process data you submit via the API, including:

• Transaction identifiers and dates
• Seller and customer details (entity names, addresses, country codes, VAT IDs)
• Line item descriptions, amounts, currencies, and product codes
• Product catalog data (descriptions, categories, delivery methods)

1.3 Service Usage Data

We automatically collect:

• API request logs (endpoints called, timestamps, response codes)
• IP addresses and API key identifiers
• Rate limit and usage metrics

1.4 Tax Determination Results

We store the results of every tax determination, including:

• Calculated tax rates, amounts, and treatments
• Supply type classifications (AI-generated and human-approved)
• Place-of-supply determinations
• ERP tax code mappings applied
• Audit trail identifiers

2. How We Use Information

We use collected information to:

(a) Provide the Service — perform tax calculations, classify products, return ERP-formatted results;

(b) Maintain audit trails — retain determination history to support your tax compliance and audit requirements;

(c) Improve the Service — analyze aggregate usage patterns to improve accuracy, performance, and reliability;

(d) Communicate with you — send service notifications, security alerts, and billing information;

(e) Comply with legal obligations — respond to lawful requests from authorities.

We do not use your transaction data to train AI models. Product classifications are generated per-request and cached only for your account.

3. Data Sharing

We do not sell your data. We share information only in the following circumstances:

(a) Service providers — Infrastructure providers (hosting, database, monitoring) who process data on our behalf under contractual obligations;

(b) Legal requirements — When required by law, regulation, legal process, or governmental request;

(c) Business transfers — In connection with a merger, acquisition, or sale of assets, with notice to affected clients;

(d) With your consent — When you explicitly authorize sharing with a third party.

4. Data Retention

| Data Type | Retention Period | |-----------|-----------------| | Tax determination audit logs | 7 years (minimum) | | Product catalog data | Duration of subscription + 30 days | | Account information | Duration of subscription + 30 days | | API request logs | 90 days | | Billing records | As required by applicable law |

After termination of your subscription, you have 30 days to export your data. Following the export period, we delete Client Data except for audit logs retained per our Terms of Service (Section 4.3).

5. Data Security

We implement commercially reasonable security measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• API key authentication for all Service access
• Role-based access controls for internal systems
• Regular security assessments
• Audit logging of administrative access

No method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you of any breach affecting your data in accordance with applicable law.

6. International Data Transfers

The Service may process data in jurisdictions outside your country of residence. Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed adequate by the European Commission, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Our Data Processing Agreement (available upon request)

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access your personal data held by us
• Correct inaccurate personal data
• Delete your personal data (subject to legal retention requirements)
• Export your data in a portable format
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent

To exercise these rights, contact us at the address below. We will respond within 30 days (or as required by applicable law).

7.1 GDPR (EEA and UK)

For EU/EEA and UK clients: we act as a data processor for transaction data you submit. You are the data controller. Our Data Processing Agreement governs this relationship. For account and usage data, we act as the data controller.

Legal bases for processing:

• Contract performance — Processing transaction data to provide the Service
• Legitimate interests — Service improvement, security, fraud prevention
• Legal obligation — Tax audit trail retention, responding to lawful requests

7.2 California (CCPA/CPRA)

We do not sell personal information. We do not use personal information for cross-context behavioral advertising. California residents may exercise their rights under the CCPA/CPRA by contacting us.

8. Cookies and Tracking

The API Service does not use cookies. If we provide a web dashboard or documentation portal, we may use:

• Essential cookies — Required for authentication and session management
• Analytics cookies — Anonymous usage statistics (only with consent where required)

9. Children's Privacy

The Service is intended for business use. We do not knowingly collect information from individuals under 16.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision.

11. Contact Us

For privacy inquiries, data subject requests, or complaints:

DeterminedAI, LLC — Privacy Email: jbburns@determinedai.co Security disclosures: security@determinedai.co Registered office: c/o Harvard Business Services, Inc., 16192 Coastal Highway, Lewes, DE 19958, United States

For EU/EEA data protection concerns, you also have the right to lodge a complaint with your local Data Protection Authority.

By using DeterminedVAT, you acknowledge that you have read and understood this Privacy Policy.