This Privacy Policy explains how PATTAX ("we", "us", or "our") collects, uses, stores, and protects personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Belgian data protection laws.

Scope

This Policy applies to the processing of personal data by PATTAX in the context of the services offered through its SaaS platform, including:

  • Management of patent annuity payments and renewal instructions;
  • Access and use of the PATTAX Platform by Customers, Managing Users, and Users;
  • Communication with End Clients (via white-label access or otherwise);
  • Preventive monitoring routines and related support services.

Data Controller

The data controller is:

PATTAX SRL
[Legal Address]
VAT: [Insert VAT number]
e-mail:

Data Protection Contact

For all data protection matters, you may contact us at:

e-mail:

PATTAX has assessed its obligations under Article 37 of the GDPR. Given the nature and scale of our data processing activities, we have determined that the appointment of a Data Protection Officer is not mandatory. However, we have designated a data protection contact person who can be reached at the above email address. This assessment is reviewed annually or when significant changes occur in our processing activities.

Data We Collect

We may collect and process the following categories of data:

Customer Data

  • Name, address, and VAT number of the Customer;
  • Managing User and Users' identification and contact information;
  • Billing and payment details (e.g., bank account, credit card information, transaction history);
  • Correspondence, instructions, and contractual documents.

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) for providing services; Legal obligations (Art. 6(1)(c) GDPR) for invoicing and accounting requirements.

Platform Usage Data

  • Login credentials (e.g., email, username, hashed password);
  • Session logs and access history;
  • IP address, browser type, and technical logs for security purposes.

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) for login credentials; Legitimate interests (Art. 6(1)(f) GDPR) for session logs, access history, and security-related data (to ensure platform security and prevent fraud).

Patent-Related Data (Non-Personal)

  • Bibliographic patent information;
  • Renewal instructions, deadlines, and jurisdictional information.

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) for executing renewal instructions and providing patent renewal services.

End Client Data

Only where necessary for the provision of services, we may process personal data related to End Clients (e.g., designated contacts, reminder recipients), based on the Customer's instructions.

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) based on Customer's instructions as part of service provision.

Processing Within Customer Groups

Where a Customer operates multiple accounts (e.g., for different currencies or billing addresses), personal data may be shared between these accounts for:

  • Unified user access management
  • Consolidated reporting
  • Coordinated reminder routines
  • Overall relationship management

This sharing is based on our legitimate interests in providing efficient service and the Customer's implicit consent through appointing the same Managing User across accounts.

Sources of Personal Data

We collect personal data from the following sources:

  • Directly from you: When you register, submit instructions, or communicate with us
  • From your employer: If you are designated as a User by a Customer organization
  • From public sources: Patent office databases for verification purposes (bibliographic data only)
  • From our commercial partners: Payment confirmation data in certain jurisdictions

Legal Basis for Processing

We process personal data on the following legal bases:

  • Contractual necessity (Art. 6(1)(b) GDPR): for providing services to Customers;
  • Legal obligations (Art. 6(1)(c) GDPR): e.g., for invoicing and accounting;
  • Legitimate interests (Art. 6(1)(f) GDPR): to ensure platform security, fraud prevention, or service optimization;
  • Consent (Art. 6(1)(a) GDPR): where applicable, for optional features (e.g., marketing communications).

Where we rely on legitimate interests, we have conducted balancing tests to ensure your interests and fundamental rights do not override our interests. Information about these assessments is available upon request at .

Purposes of Processing

Personal data is processed strictly for the following purposes:

  • Registering and managing Customer accounts;
  • Executing renewal instructions and issuing invoices;
  • Ensuring secure access to the Platform;
  • Sending operational communications and reminders;
  • Performing preventive safety routines (monthly/quarterly);
  • Complying with legal, regulatory, or tax obligations;
  • Sending marketing communications about our services (only with your explicit consent);
  • Analyzing platform usage to improve our services (based on legitimate interests).

Data Sharing and Recipients

We do not sell personal data. We may share data with the following categories of recipients:

Service Providers (Data Processors):

  • Cloud infrastructure: Hetzner (ISO/IEC 27001 certified datacenter) in Falkenstein (Germany – eu-central)
  • Email service providers: [SendGrid / Mailgun / Amazon SES] for transactional emails and reminders
  • Payment processors: [Stripe / PayPal / Adyen] for processing payments
  • Customer support tools: [Zendesk / Intercom] for managing support requests

Commercial Partners (Joint Controllers or Independent Processors):

  • Local payment partners: Authorized commercial partners in specific jurisdictions who facilitate payment processing where direct payment to patent offices is restricted or requires local representation
  • These partners are bound by data processing agreements and only receive the minimum data necessary to execute payment instructions (typically: patent numbers, payment amounts, Customer reference)
  • Countries where we use commercial partners include: [China, Taiwan]

Third Parties (Independent Controllers):

  • Patent offices and intellectual property authorities in relevant jurisdictions
  • Patent agents and local representatives appointed by Customers or required by local law
  • Commercial agents in jurisdictions requiring local payment intermediaries
  • Professional advisors (lawyers, accountants, auditors) under strict confidentiality
  • Belgian tax authorities and other regulatory bodies as required by law

A detailed list of current sub-processors, including their location and function, is available upon request at privacy@pattaxrenewals.com and is updated quarterly.

Joint Controller Arrangements

In certain jurisdictions, we may need to act as joint controllers with local commercial partners for payment processing. Should such arrangements become necessary:

  • We will establish joint controller agreements defining respective responsibilities
  • PATTAX will remain your primary contact for all data protection matters
  • Details of any such arrangements will be made available upon request

Data Retention

We retain personal data for as long as necessary to fulfil the purposes outlined in this Policy, unless a longer retention period is required by law or justified for legal defense purposes. As a rule:

  • Customer account data: retained for 7 years after termination (for legal accounting);
  • Platform logs: retained for up to 12 months for security audits;
  • Renewal instruction records: retained for 5 years unless otherwise agreed.

Children's Data

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will promptly delete such information.

Your Data Protection Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right to Access (Article 15): Obtain confirmation of what data we process about you and receive a copy
  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing (Article 18): Limit how we use your data in certain circumstances
  • Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing
  • Right to Data Portability (Article 20): Receive your data in a structured, commonly used format
  • Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

How to Exercise Your Rights:

  • Submit requests to: privacy@pattaxip.com
  • We will verify your identity before processing any request
  • We respond within one (1) month of receipt. For complex requests, this may be extended by two (2) additional months with notice
  • Requests are generally free of charge. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests

For Customer account data, Managing Users can directly access, export, and update most information through the Platform interface.

Automated Decision-Making

PATTAX does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. All critical decisions regarding service provision, credit limits, or account management involve human review and intervention.

The Platform uses automation solely for:

  • Calculating renewal fees based on published patent office rates
  • Generating deadline reminders based on official due dates
  • Flagging potential issues in the preventive safety routines

These automated processes are always subject to human verification and override capabilities.

Data Security

We implement data protection by design and by default, including:

  • Data minimization: Only collecting data necessary for specified purposes
  • Purpose limitation: Not using data beyond stated purposes
  • Pseudonymization where possible
  • Regular privacy impact assessments for new features

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • TLS encryption;
  • Access controls and logging;
  • Secure data backups;
  • Incident response procedures.

In the event of a personal data breach, we will:

  • Notify the Belgian Data Protection Authority within 72 hours of becoming aware, unless the breach is unlikely to result in risk to individuals
  • Notify affected Customers without undue delay (within 48 hours) if the breach is likely to result in high risk to their rights and freedoms
  • Document all breaches, including facts, effects, and remedial actions taken
  • Provide Customers with sufficient information to meet their own notification obligations to data subjects

International Data Transfers

As PATTAX provides worldwide patent renewal services, your personal data may be transferred outside the European Economic Area (EEA) to any country where:

  • A patent office requires payment or registration
  • Our service providers or commercial partners are located
  • You have instructed us to manage patent renewals

Types of International Transfers:

Patent Office Transfers (Worldwide):

  • We transfer data to patent offices in 150+ jurisdictions globally
  • Data transferred: Typically limited to patent numbers, applicant names, and payment information
  • Legal basis: Necessary for contract performance (Article 49(1)(b) GDPR) - executing your renewal instructions

Service Provider Transfers:

  • Cloud infrastructure (primarily US-based with EU data centers)
  • Payment processors and commercial partners in various jurisdictions
  • Communication service providers

Safeguards Applied:

For countries WITHOUT an EU adequacy decision:

  • Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (2021/914) for service providers
  • Article 49 Derogations: For patent office transfers (necessary for contract performance)
  • Supplementary measures: Including encryption, access controls, and contractual commitments

For countries WITH an EU adequacy decision (UK, Switzerland, Canada, Japan, South Korea, Israel, New Zealand, etc.):

  • Transfers are permitted without additional safeguards

Your Rights Regarding International Transfers:

  • You may request a list of countries where your specific data has been transferred
  • You may obtain copies of the safeguards applied (where applicable)
  • For patent office transfers, you explicitly instruct us through the Platform which jurisdictions to pay

Contact for specific information about transfers related to your account.

Cookies and Tracking Technologies

Essential Cookies

We use strictly necessary cookies that are essential for the Platform to function:

  • Session cookies: To maintain your login state
  • Security cookies: To prevent CSRF attacks and ensure secure connections
  • Preference cookies: To remember your language and display settings

These cookies are deleted when you close your browser or after 30 days of inactivity.

Optional Cookies

We only use analytics or performance cookies with your explicit consent:

  • Analytics cookies: To understand Platform usage and improve our services
  • Performance cookies: To monitor Platform speed and reliability

You can manage cookie preferences through the cookie banner displayed on first visit or via your account settings.

Third-Party Cookies

We do not allow third-party advertising cookies. Any third-party cookies are strictly limited to essential service providers (e.g., payment processors during checkout).

Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be notified via the Platform and email. Continued use of our services after such updates constitutes acceptance of the revised terms.

Complaints

If you believe your data has been processed unlawfully, you may file a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) at www.dataprotectionauthority.be.