Privacy Policy
1. Introduction
Code200 operates VSMS Connect. This Privacy Policy explains what personal data we collect when you use VSMS Connect, how we use it, and your rights in relation to it. By using the service you agree to the practices described here.
2. Data We Collect
Account Data
• First name, last name, username, email address
• Business name, Tax Identification Number (TIN), and business address
Integration Data
• OAuth access tokens for connected accounting platforms (Xero, Sage, MYOB) — stored encrypted and never accessible to Code200 staff in plain text
• Invoice, payment, and tax rate data imported from your accounting software
Fiscal Data
• Signed fiscal invoices and audit packages transmitted to the Vanuatu TaxCore platform
• Proof of Audit (PoA) responses received from TaxCore
Technical Data
• Log data including IP address, browser or device type, and timestamps
• Error and diagnostic reports used to improve service reliability
3. How We Use Your Data
• To provide the service: importing invoices, generating fiscal requests, submitting signed invoices to TaxCore, and displaying your audit history
• To authenticate you securely and manage your account
• To notify you of important service updates, scheduled maintenance, or compliance issues affecting your business
• To improve the service through anonymised usage analytics
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
4. Data Sharing
Vanuatu DCIR / TaxCore
Fiscal invoice data is transmitted to the Vanuatu Government’s TaxCore platform as required by Vanuatu tax law. This transmission is the core purpose of the service and cannot be opted out of while using VSMS Connect.
Accounting Providers
When you connect an accounting integration, VSMS Connect reads invoice and payment data from your Xero, Sage, or MYOB account via their authorized APIs. We do not write to or modify your accounting data.
Infrastructure Providers
We use cloud infrastructure providers to host and operate the service. These providers act as data processors under our instructions and are bound by data processing agreements that require appropriate security measures.
Legal Requirements
We may disclose your data if required to do so by a court order, regulatory authority, or applicable law.
5. Data Retention
• Account and business data is retained for the duration of your subscription and for 7 years after account closure, as required by Vanuatu tax record-keeping obligations.
• Fiscal records (signed invoices, audit packages, PoA responses) are retained indefinitely as they form part of your business’s permanent tax audit trail.
• OAuth tokens are deleted immediately when you disconnect an accounting integration.
• Technical log data is retained for up to 90 days for security and diagnostic purposes.
6. Security
We protect your data using industry-standard measures including:
• TLS encryption for all data in transit
• Encrypted storage for credentials and authentication tokens
• Role-based access controls limiting staff access to production data
• Regular security reviews and dependency updates
7. Your Rights
Subject to applicable law, you have the right to:
• Access a copy of the personal data we hold about you
• Request correction of inaccurate personal data
• Request deletion of your account (subject to legal retention obligations for fiscal records)
• Object to processing where we rely on legitimate interests as the legal basis
To exercise any of these rights, contact us at:
management@code200.solutions
8. Changes to This Policy
We will notify you of material changes to this Privacy Policy by email or in-app notice before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
9. Contact
For questions or concerns about this Privacy Policy or how we handle your data, please contact us at:
privacy@code200.solutions
Code200:
management@code200.solutions