Privacy Policy

Data Controller

Novadesko • Rue de Boussoit 4, 7110 Maurage, Belgium • BE 1018.192.568 • contact: support@novadesko.com

1. Data collected

We only process data necessary for the functioning of the platform.

• Identity & contact: name, surname, company, VAT, email, phone, addresses.
• Accounting & invoicing: invoices, quotes, credit notes, payments, payment methods, IBAN/BIC.
• E-commerce & stocks: products, categories, prices, inventory, orders, returns.
• Documents provided: supporting documents, accounting files, contracts.
• Technical: logs, IP, identifiers, audit events, preferences, cookies.

Sources: user/end clients, imports (CSV/UBL/XML), integrations (banks, Peppol, e-commerce).

2. Purposes

• Provide invoicing/CRM services and modules (Peppol, inventory, reports).
• Account management, support and security.
• Billing, collection, fraud prevention.
• Analytics, reporting, product improvement (aggregated/anonymised data).
• Legal obligations (accounting, tax).

3. Legal bases (GDPR art. 6)

• Performance of the contract (art. 6-1-b): provide the subscribed services.
• Legal obligation (art. 6-1-c): accounting/tax requirements.
• Legitimate interest (art. 6-1-f): security, fraud prevention, service improvement.
• Consent (art. 6-1-a): marketing communications when required.

4. Processing methods

We apply minimisation, integrity and confidentiality principles.

• Role-based access, strong authentication recommended (MFA).
• Encryption in transit (TLS) and at rest when available.
• Logging of accesses and sensitive actions (audit trail).
• Backups and periodic restoration tests.

5. Data retention

Data is kept as long as necessary for the purposes and/or during the legal periods (e.g. accounting records 7–10 years depending on law). Upon account closure, an export is offered; some data may be retained for legal obligations or evidence.

6. Sharing & processors

We use providers to perform certain functions.

• Hosting & cloud (EU/EEA by default); backup & CDN.
• Payment gateways and banks (reconciliation, collection).
• Peppol network / e-invoicing authorities.
• Transactional emailing & support tools.
• E-commerce integrations (Prestashop, WooCommerce, Shopify…).

7. Data transfers outside the EEA

If data is transferred outside the EEA, we apply appropriate safeguards (SCCs, adequacy decisions, complementary measures).

8. Security

• Technical & organisational measures against loss, unauthorised access, alteration.
• Regular tests & updates; vulnerability remediation.
• Least privilege principle and environment segmentation.

On your side, use strong passwords, enable MFA, manage internal access, verify documents before submission, and export/backup regularly.

9. Your rights

• Access, rectification, erasure, restriction, portability, objection.
• Withdrawal of consent where consent is the legal basis.
• Right to lodge a complaint with the competent authority.

Exercise your rights at: support@novadesko.com (proof of identity may be required).

10. Cookies & trackers

We use technical cookies (essential) and, where applicable, analytics or marketing cookies.

• Technical/session: operation, authentication.
• Analytics: audience measurement and improvement.
• Marketing: only with your consent.

You can manage your preferences via the cookie banner or your browser settings.

11. E-invoicing (Peppol)

For e-invoicing, metadata and identifiers may be exchanged via Peppol.

• Processing structured invoices (EN 16931 / Peppol BIS 3.0 – UBL).
• Technical checks and exchange logging.
• Legal retention according to applicable deadlines.

12. Payments & banks

Payment data processed for collection and reconciliation.

• Gateways (card, SEPA, wallets): payment tokens, references.
• Bank reconciliation (IBAN/BIC, labels, amounts, dates).
• No sensitive card data stored when tokenised by PSP.

13. E-commerce integrations

Synchronisation of orders/products depending on activated connections.

• Prestashop, WooCommerce, Shopify: required imports/exports.
• Respect of each third-party platform’s T&Cs.

14. Logging & evidence

Access/event logs are kept for security, support and evidence in case of incident or dispute, for a proportionate duration.

15. Minors

The service is intended for professionals; we do not target minors.

16. Policy changes

We may update this policy; the update date will be shown. Significant changes may be notified.

17. Contact

Novadesko — Rue de Boussoit 4, 7110 Maurage (BE) — BE 1018.192.568 — support@novadesko.com — +32 64 49 62 23

18. Supervisory authority

Data Protection Authority (Belgium) — Rue de la Presse 35, 1000 Brussels — https://www.dataprotectionauthority.be/