Privacy policy
Last updated: 24 May 2026
This Privacy Policy explains how VAT EPR EXPERT FRANCE collects and uses personal data through its website, platform, forms, communications and services.
1. Who we are
- Data controller:
- VAT EPR EXPERT FRANCE
- SIREN:
- 920 400 462
- Registered office:
- 223 Avenue Émile Counord, 33300 Bordeaux
- Email:
- contact@veefconsulting.com
For questions about this Privacy Policy or to exercise your rights, contact us at contact@veefconsulting.com.
2. Our role under data protection law
For website visitors, prospects, clients, suppliers and business contacts, VAT EPR EXPERT FRANCE generally acts as data controller. This means we decide why and how personal data is processed for purposes such as responding to enquiries, onboarding clients, performing compliance services, issuing invoices, managing risk and meeting legal obligations.
For certain platform or operational processing activities, we may act as a processor where we process personal data strictly on behalf of a client and under that client's documented instructions. This depends on the service contract, mandate or data processing agreement in place.
Where we act as fiscal representative, authorised EPR representative, filer, agent or compliance provider, we may also process some data as an independent controller because we must meet our own legal, regulatory, tax, accounting, risk management and evidentiary obligations.
If there is a signed agreement with a client, that agreement prevails over this general Privacy Policy for the relevant processing relationship.
3. Personal data we collect
Depending on your relationship with us, we may collect the following categories of data:
Website and contact data
- Name and surname.
- Business email address.
- Telephone number.
- Company name.
- Country.
- Message content.
- Service interest.
- IP address and technical logs.
- Cookie and consent preferences.
Client onboarding data
- Company details.
- Director, officer, shareholder or representative details where needed for onboarding.
- Identity documents where required for representation, authority procedures, KYC, AML or risk checks.
- Mandates, powers of attorney and signed documents.
- Tax identification numbers, VAT numbers, EORI numbers, UIN / IDU numbers and other compliance identifiers.
- Billing and payment information.
- Risk assessment notes.
Compliance service data
- Marketplace exports and transaction data.
- Invoices and credit notes.
- Import and customs documents.
- Product, packaging and EPR classification data.
- Tax authority, customs authority, marketplace and eco-organism correspondence.
- Filing history, declarations, payment references and supporting evidence.
- User actions inside Complypal.
Platform account data
- Login credentials or authentication identifiers.
- User permissions.
- Account activity logs.
- Uploaded files.
- Support requests.
- Security and access logs.
Supplier and partner data
- Contact details.
- Contract information.
- Bank details where required for payment.
- Communication history.
We do not intentionally collect special category data through the public website. If a user submits unnecessary sensitive information, we may delete it or retain it only where required to handle a legal, compliance or evidentiary issue.
4. How we collect personal data
We collect personal data:
- Directly from you, when you submit a form, create an account, contact us, sign a mandate or upload documents.
- From your company, marketplace, accountant, agency, logistics provider or authorised contact.
- From public registers and official databases, where needed for verification.
- From tax authorities, customs authorities, eco-organisms, marketplaces and service providers during the performance of our services.
- Automatically through website logs, security tools and cookies.
5. Why we use personal data
| Purpose | Examples | Legal basis |
|---|---|---|
| Responding to enquiries | Contact forms, quote requests, emails | Legitimate interest or pre-contractual steps |
| Client onboarding | KYC, mandate checks, service eligibility, risk review | Contract, legitimate interest, legal obligation |
| Providing services | VAT registration, fiscal representation, EPR registration, filings, audits, support | Contract, legal obligation, legitimate interest |
| Platform access | User accounts, permissions, uploaded documents, support | Contract, legitimate interest |
| Billing and accounting | Invoices, payment tracking, accounting records | Contract, legal obligation |
| Compliance and risk management | Fraud prevention, solvency checks, evidence files, internal controls | Legal obligation, legitimate interest |
| Authority and third-party correspondence | DGFiP, customs, eco-organisms, marketplaces, logistics providers | Contract, legal obligation, legitimate interest |
| Marketing to business contacts | B2B updates, relevant service information, reactivation emails | Legitimate interest, with opt-out |
| Newsletter | Optional subscription | Consent |
| Analytics and website improvement | Audience measurement, form performance, technical diagnostics | Consent or legitimate interest depending on tool configuration |
| Security | Logs, access control, abuse prevention, incident investigation | Legitimate interest, legal obligation |
6. B2B marketing
We may send relevant business communications to professional contacts where the message relates to their role, company or professional activity.
You can object to B2B marketing at any time by using the unsubscribe link in our emails or by contacting us at contact@veefconsulting.com.
If we send a newsletter based on consent, you can withdraw your consent at any time.
We do not sell personal data to advertisers.
7. Cookies and similar technologies
We may use cookies and similar technologies on the website and platform.
Necessary cookies
These cookies are required for the website or platform to work. They may be used for security, authentication, session management, consent storage, load balancing or remembering interface preferences. They do not require consent when they are strictly necessary.
Analytics cookies
Analytics cookies help us understand website usage and improve content, navigation and conversion. If the analytics setup is not exempt from consent under CNIL rules, we request consent before placing these cookies.
Marketing and tracking cookies
Marketing, retargeting, advertising, social media, tracking pixels, session replay or similar technologies are placed only with prior consent.
Cookie choices
We use strictly necessary cookies and, where applicable, privacy-friendly analytics that are exempt from consent, so we do not display a cookie banner. You can block or delete cookies at any time through your browser settings. If we ever introduce cookies that require consent, we will ask for it first and let you accept or refuse by purpose.
8. Who receives personal data
Personal data may be shared with:
- Internal authorised users.
- Hosting, database, file storage, email, authentication, analytics, CRM, billing, payment and support providers.
- Tax authorities, customs authorities, eco-organisms, ADEME-related services and other competent public bodies.
- Marketplaces, logistics providers, customs brokers and partner agencies where required for the service.
- Professional advisers, insurers, auditors, legal counsel and accounting providers.
- Courts, regulators or authorities where required by law or to defend our rights.
We require service providers to protect personal data and to process it only for authorised purposes.
9. International transfers
Some service providers may process personal data outside the European Economic Area.
Where this happens, we use appropriate safeguards such as an adequacy decision, standard contractual clauses, additional technical and organisational measures, or another lawful transfer mechanism.
10. How long we keep personal data
We keep personal data only as long as necessary for the relevant purpose, legal obligation, limitation period or evidence requirement.
Indicative retention periods:
| Data category | Retention period |
|---|---|
| Website contact requests | 3 years after last contact, unless a client relationship starts |
| B2B prospect data | 3 years after last meaningful contact |
| Client account data | Duration of the relationship, then up to 5 years (commercial limitation period) |
| Compliance files and filing evidence | 10 years, in line with French tax and accounting retention |
| Accounting and invoicing records | 10 years from the end of the financial year |
| Contracts and mandates | Duration of the relationship, then 5 years (French limitation period) |
| Identity and KYC documents | 5 years after the end of the relationship (anti-money-laundering rules) |
| Support tickets | 3 years after closure |
| Security logs | 6 to 12 months, unless needed for an incident |
| Cookie consent records | Up to 6 months, then we ask again |
We may keep certain data longer where required by law, authority request, dispute, audit, tax control, EPR control or to establish, exercise or defend legal claims.
11. Security
We use technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss or destruction.
These measures may include:
- Access controls and role-based permissions.
- Authentication and password protection.
- Encryption in transit.
- Logging and monitoring.
- Backups.
- Provider due diligence.
- Internal access restrictions.
- Staff and contractor confidentiality obligations.
No system is perfectly secure. If a personal data breach occurs and notification is legally required, we will notify the competent authority and affected individuals as required by applicable law.
12. Your rights
Subject to legal conditions, you may have the following rights:
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to restriction of processing.
- Right to object.
- Right to withdraw consent where processing is based on consent.
- Right to data portability where applicable.
- Right to define instructions regarding your data after death, under French law.
To exercise your rights, contact us at contact@veefconsulting.com.
We may ask for proof of identity if necessary to process your request securely.
You also have the right to lodge a complaint with the CNIL:
- Authority:
- Commission Nationale de l'Informatique et des Libertés
- Address:
- 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- Website:
- https://www.cnil.fr
13. Automated decision-making
We do not use personal data collected through the public website to make decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals.
If this changes, we will update this Privacy Policy.
14. Client responsibility for uploaded data
Clients must ensure that any personal data they upload or send to us is lawful, relevant, accurate and necessary for the service.
Clients must not upload unnecessary sensitive data. Where client data includes personal data relating to customers, employees, directors, carriers, suppliers or other third parties, the client is responsible for ensuring that it has the right to share that data with us for the requested service, unless our agreement states otherwise.
15. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our services, tools, providers, legal obligations or internal processes.
The latest version will always be available on this page.