Privacy Policy
Last updated: February 25, 2026
This Privacy Policy describes how Qualia Consultancy ("we", "us", "our") collects, uses, and protects your personal data when you use PepHub ("the Service"). We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Belgian data protection legislation.
1. Data Controller
The data controller responsible for your personal data is:
- Company: Qualia Consultancy
- Address: Terlinckstraat 64, 2600 Antwerpen, Belgium
- VAT number: BE1010531449
- Data protection contact: privacy@pephub.eu
For any questions or requests regarding your personal data, you may contact us at privacy@pephub.eu.
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information
- Email address
- Password (stored only as a bcrypt hash; we never store plaintext passwords)
- Organization name
2.2 HubSpot Connection Data
- HubSpot portal ID and account information
- OAuth access and refresh tokens (encrypted at rest with AES-256-GCM)
- CRM data accessed through the integration: invoices, quotes, line items, companies, and contacts as required to perform the Service
2.3 Invoice and Business Data
- Sender company information (company name, address, VAT number, enterprise number, PEPPOL identifier)
- Invoice data transmitted through the PEPPOL network (invoice numbers, amounts, line item details, buyer and seller information)
- Invoice processing status and timeline events
2.4 Billing Data
- Stripe customer ID and subscription status (payment card details are processed and stored exclusively by Stripe; we do not have access to full card numbers)
- Subscription plan and usage information
2.5 Technical Data
- Session cookies (pephub_session) for authentication
- Cookie consent preference (pephub_cookie_consent)
- Server logs (IP address, request timestamps, user agent)
3. Legal Basis for Processing
We process your personal data on the following legal grounds under Article 6(1) GDPR:
- Article 6(1)(b) — Contract performance: Processing is necessary for the performance of our contract with you, including providing the Service, managing your account, processing invoices through the PEPPOL network, and handling billing.
- Article 6(1)(f) — Legitimate interests: Processing is necessary for our legitimate interests, including maintaining the security of the Service, preventing fraud, improving the Service, and communicating with you about your account. We have assessed that these interests are not overridden by your rights and freedoms.
- Article 6(1)(a) — Consent: Where we rely on your consent (for example, for the placement of non-essential cookies, should we introduce them in the future), you may withdraw that consent at any time.
- Article 6(1)(c) — Legal obligation: Processing is necessary to comply with legal obligations to which we are subject, including tax and accounting requirements under Belgian law.
4. How We Use Your Data
We use your personal data to:
- Provide, operate, and maintain the Service, including sending e-invoices through the PEPPOL network on your behalf.
- Authenticate your identity and manage your account and session.
- Connect to your HubSpot account and retrieve invoice data as configured by you.
- Process subscription payments and manage your billing through Stripe.
- Communicate with you regarding your account, service updates, or support requests.
- Monitor and improve the security, performance, and reliability of the Service.
- Comply with applicable legal and regulatory requirements.
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained for the duration of your account. Upon account deletion, your data is removed within 30 days, except where retention is required by law.
- Invoice records: Retained for a minimum of 7 years from the date of the invoice to comply with Belgian accounting and tax obligations (Article 60 of the Belgian VAT Code).
- HubSpot OAuth tokens: Revoked and deleted upon disconnection of your HubSpot account. Tokens are encrypted at rest and are never stored in plaintext.
- Session data: Session cookies expire after 24 hours of inactivity.
- Server logs: Retained for up to 90 days for security and debugging purposes.
6. Third-Party Processors
We share your personal data with the following third-party service providers who process data on our behalf. Each processor has been selected for its compliance with applicable data protection standards, and we have entered into data processing agreements with each.
| Processor | Role | Location |
|---|---|---|
| Supabase | Database hosting (PostgreSQL) | EU (eu-west-2) |
| Vercel | Application hosting and edge network | Global (primary EU) |
| Stripe | Payment processing and subscription management | EU / US |
| Recommand.eu | PEPPOL network access point (invoice transmission) | EU (Belgium) |
| HubSpot | CRM integration (user-initiated data access) | EU / US |
We do not sell, rent, or trade your personal data to any third party. Data is shared with the processors listed above only to the extent necessary to provide the Service.
7. International Data Transfers
Some of our third-party processors may transfer or process your personal data outside the European Economic Area (EEA). Where such transfers occur, they are protected by:
- Adequacy decisions: The European Commission has determined that the recipient country ensures an adequate level of data protection (for example, the EU-US Data Privacy Framework).
- Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we rely on European Commission-approved Standard Contractual Clauses to ensure appropriate safeguards for your data.
You may request a copy of the safeguards in place by contacting us at privacy@pephub.eu.
8. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and receive a copy.
- Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data concerning you.
- Right to erasure (Article 17): You have the right to request the deletion of your personal data, subject to legal retention obligations.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to restriction of processing (Article 18): You have the right to request the restriction of processing of your personal data under certain circumstances.
- Right to object (Article 21): You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / GBA):
  Drukpersstraat 35, 1000 Brussels, Belgium
  Website: www.gegevensbeschermingsautoriteit.be
  Email: contact@apd-gba.be
To exercise any of these rights, please contact us at privacy@pephub.eu. We will respond to your request within 30 days, as required by the GDPR.
9. Cookies
PepHub uses only essential cookies that are strictly necessary for the operation of the Service. We do not use tracking, analytics, or advertising cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| pephub_session | Authentication session identifier. Required to keep you logged in. | 24 hours |
| pephub_cookie_consent | Records your acceptance of our cookie notice. | 1 year |
Because we use only strictly necessary cookies, consent is not legally required under Article 5(3) of the ePrivacy Directive. Nevertheless, we display a cookie notice to inform you about the cookies we set.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption at rest: HubSpot OAuth tokens are encrypted using AES-256-GCM before storage. The encryption key is stored separately from the database.
- Password hashing: User passwords are hashed using bcrypt with a cost factor of 12. We never store or transmit plaintext passwords.
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and third-party services, is encrypted using TLS (HTTPS).
- Webhook verification: All incoming webhooks from HubSpot, Recommand, and Stripe are cryptographically verified using HMAC signatures or shared secrets with timing-safe comparison.
- Access controls: Database access is restricted by role, and administrative access requires authentication.
While we take all reasonable precautions, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
12. Contact
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about our data processing practices, please contact us:
- Data protection inquiries: privacy@pephub.eu
- General support: support@pephub.eu
- Address: Qualia Consultancy, Terlinckstraat 64, 2600 Antwerpen, Belgium