Privacy Policy for Google Sheets™ Users using the VIES API Add-on

Privacy Policy for Google Sheets™ Users Using the VIES API Add-on

This Privacy Policy details the practices regarding access, use, sharing, storage, and deletion of Google User Data in the context of your use of our Google Sheets™ Add-on (hereinafter referred to as the “VIES API Add-on”). These clauses supplement our general data protection terms and are required under the Google API Services User Data Policy and the Google APIs Terms of Service.

.

Definitions:

Google Sheets – is a web-based application for creating and editing spreadsheets, enabling collaborative work on files in real time. It is part of the Google Workspace suite and allows for data formatting, charting, and formulas, with changes automatically saved in the cloud.
Service – a feature enabling the verification of contractors’ EU VAT numbers in VIES via the viesapi.eu service.
User – a customer with an account on the viesapi.eu system.
Google User Data – this includes Identification Data, Contextual and Transaction Data.
Contextual and Transaction Data – the EU VAT number containing the country prefix and the company’s tax identification number and sheet context.
Identification Data – the User’s email address.
System Logs – logs collected in the viesapi.eu system for evidentiary and audit purposes, enabling documentation of checks performed in the VIES system. VIES System – a system enabling verification of contractors from all European Union countries to determine whether they are active VAT payers: https://ec.europa.eu/taxation_customs/vies/#/vat-validation.
VIES API Add-on – an add-on enabling the Service to be reported by the User via a Google Sheet.

.

§1
Access to Google User Data (Data Accessed)

To provide the core functionality of the VIES API Add-on (validation of EU VAT numbers), we access specific Google User Data, in accordance with the principle of data minimization. This access is only implemented through required OAuth authorization scopes, which the User must explicitly approve.

.

Table 1: Data types and scope of permissions

Data category

Type of information collected/processed

Required scope of authorizations (OAuth Scope)

Authentication Data

User’s Google account email address

https://www.googleapis.com/auth/userinfo.email

Sheet Context, Input/Output Data

Spreadsheet ID/URL, spreadsheet name, cell values ​​(NIP/VAT, country code) from the range specified in the function call, and validation results

https://www.googleapis.com/auth/spreadsheets.currentonly

Displaying dialog boxes and the sidebar

Displaying the content of an external website with documentation, description of functions and configuration of the VIES API Add-on

https://www.googleapis.com/auth/script.container.ui

Connecting to a remote service

Retrieving data from the VIES API remote service, presenting data on a bar, inserting data into the cells of the current sheet

https://www.googleapis.com/auth/script.external_request

Actual access is limited to reading cell values ​​entered by the user as arguments to the validation function and writing validation results back to the target cells. The VIES API add-in does not read or store any other Spreadsheet content.

§2
Purpose and method of using data (Data Usage)

The Google User Data obtained is used only for the explicitly stated purposes, to provide the core functionality of the VIES API Add-on and for administrative purposes, in accordance with transparency requirements.

1. Primary Purpose of the Service: Processing transaction data (EU VAT number) to send a validation request to the external VIES system and saving the returned status (e.g., valid/invalid VAT status, company name) back to the User’s Google Spreadsheet. Access to the Spreadsheet content is solely for the purpose of providing a value-added function for the User and is necessary for the operation of the Add-on.

2. Administrative Purposes: The User’s email address is used solely for account identity verification and to manage the Add-on’s subscription/license.

3. Prohibited Uses: We expressly declare that Google User Data (including email address and spreadsheet content) is not and will never be used for personalized advertising, marketing, profiling, or for purposes unrelated to the provision of the VIES API Add-on service.

.

§3
Sharing data with third parties (Data Sharing)

We clearly disclose the sharing of Google User Data and Transaction Data with third parties, clearly distinguishing between functional and technical processors.

1. Functionally required sharing: To perform validation, Transaction Data (EU VAT number) is transferred to the external VIES system, which acts as an interface to the information systems of the National Tax Administrations of the European Union Member States. Sharing this data is necessary to provide the basic functionality of the VIES API Add-on. Important: The user’s email address or other Google User Data is not transferred to the VIES system.

2. Sharing with processors (Technical Support): We use the hosting services of a trusted processor with whom we have signed DPAs to store system logs and administrative data. This processor processes data solely on our behalf. We assure you that a Data Processing Agreement (DPA) has been concluded with this processor, which guarantees the protection of personal data in accordance with GDPR standards and requires the use of appropriate security measures.

3.No Data Sale: We expressly state that Google User Data is not sold, licensed, or transferred to third parties for commercial or marketing purposes, as permitted by Google Policy..

§4
Data storage & protection

We are committed to maintaining a secure operating environment and using stringent technical and organizational measures to protect Google User Data from unauthorized access, disclosure, alteration, or destruction.

1. Technical Security Measures: All communications, including data transfer between the VIES API Add-on and the Google Sheets™ API, and between the VIES API servers and the VIES system, are conducted using the latest TLS (HTTPS) encryption protocols.

2. Organizational Measures and Security Management: Strict access control policies (TOMs) have been implemented, limiting access to User Data to authorized personnel only. Risk management procedures are regularly reviewed. Furthermore, we maintain incident response procedures, committing to promptly informing users of any incidents affecting their data, in accordance with GDPR requirements.

.

§5
Data retention & deletion

Our data retention policy is limited to the period necessary to fulfill the purposes for which the data was collected. We provide users with a clear and accessible process for managing their data and deleting their accounts.

1. Retention Policy:
○Transaction Data (EU VAT number): This is processed in transit and stored on our servers only for billing purposes.
○Identification Data and System Logs: This is stored for the duration of the service provision and for a period necessary (no longer than 5 years) for auditing, billing, and defense against claims or abuse. After this period, the data is permanently deleted.
2. Data Deletion Process (Accessible Process): The user has the right to request deletion of their data and the account associated with the VIES API Add-on on the viesapi.eu service at any time (the “Right to be Forgotten”).
○Request Fulfillment: Deletion requests should be submitted via the dedicated link to the account deletion form on the website or by email at contact@viesapi.eu.
○Delete Schedule: We will fulfill your request to delete Google User Data within 7 days of confirming your identity and verifying your request.
3. Backup Retention (Secure Deletion): To ensure secure and complete deletion of data and protect against data failures, deleted data may remain in encrypted backup systems (backup storage) for up to 6 months before being permanently and irreversibly deleted from those systems. This is a standard procedure to ensure data integrity during the deletion process.

.

Table 2: Exercising user rights regarding data retention and deletion

User right

Description of the Add-on mechanism

Available fulfillment process

Retention/removal time guidelines

Withdrawal of access

Withdrawal of consent to access Google Sheet data (uninstallation of the Add-on).

Managing permissions in the Google My Account panel..

Immediate suspension of access to Spreadsheet data.

Right to data deletion/account deletion

Permanent deletion of all Google User Data stored by the Add-on (email address, subscription logs).

Application submitted via a dedicated form or email.

Active data is deleted within 30 days. Backups may be retained for up to 6 months.

Right to access and rectification

Obtaining information about stored administrative/licensing data.

Contact via dedicated email address.

Immediate implementation, in accordance with internal procedures..

.