General Terms and Conditions

For the purposes of these General Terms and Conditions:

Provider — Kaja Solutions s.r.o., Company No.: 57369186, operator of the ePošťák platform and a certified Peppol Access Point.

User — a legal entity or sole trader who has entered into a Contract with the Provider and uses the Service to send or receive electronic invoices.

Integrator — a legal entity or sole trader who accesses the Service through the Enterprise API on behalf of their clients and is responsible for technical integration of ERP or other third-party systems.

Peppol Network — the international interoperable infrastructure for exchanging electronic business documents operated under the supervision of OpenPeppol AISBL, governed by the Peppol Interoperability Framework (PIF) and Peppol Service Provider Agreement (SPA).

SMP (Service Metadata Publisher) — the register of Peppol participants and their service capabilities, operated in Slovakia by the Financial Directorate of the Slovak Republic (FR SR) acting as the Peppol Authority.

Access Point (AP) — a certified technical node of the Peppol network that sends and receives documents on behalf of Users. The Provider operates an AP certified by OpenPeppol.

Digital Mailbox — a certified delivery service provider under Act No. 222/2004 Coll. on Value Added Tax, as amended by Act No. 385/2025 Coll., authorized to mediate the transfer of tax data documents between taxpayers and the Financial Administration of the Slovak Republic.

E-Invoice — an electronic invoice in a structured format corresponding to the European standard EN 16931 and UBL 2.1 format, sent via the Peppol network.

Tax Data Document — an electronic invoice or other document in the format required by Act No. 222/2004 Coll. on Value Added Tax, as amended, including by Act No. 385/2025 Coll.

FR SR — the Financial Directorate of the Slovak Republic, acting as the national Peppol Authority in Slovakia.

Identifier 0245:[TAX ID] — the standard Peppol participant identifier for Slovakia, where 0245 is the scheme code for the Slovak Tax ID.

GTC — these General Terms and Conditions including Annex No. 1 (DPA).

Service — the ePošťák platform available at epostak.sk, including the web interface and Enterprise API.

Web interface — the user interface of the Service intended for manual or ordinary accounting use, especially receiving, viewing, checking, manually downloading, exporting and sending e-Invoices without programmatic API access.

SMB programs — the Free, Standard and Business programs intended for sole traders, small and medium-sized businesses or accountants who use the Service through the web interface without programmatic API access.

Document — an e-Invoice, corrective invoice, tax data document or other supported electronic business document processed through the Service.

Free program monthly limit — a fixed limit of 500 received Documents and 5 sent e-Invoices per month per one company or Tax ID. After the limit is reached, additional received Documents are archived in the background but are not shown in the interface, and sending additional e-Invoices is suspended until switching to a paid program or until the start of the next monthly period under these GTC.

Contract — the contractual relationship between the Provider and the User arising from registration and acceptance of these GTC.

The Provider undertakes to provide the User with access to the ePošťák platform, which is a certified Peppol Access Point connected to the Peppol network in accordance with the Peppol Interoperability Framework.

Within the Service, the Provider ensures: (a) registration of the User with the centralized SMP operated by FR SR under identifier 0245:[TAX ID]; (b) sending and receiving e-Invoices via the Peppol network; (c) transfer of tax data documents to the FR SR AP in accordance with Act No. 222/2004 Coll. as amended by Act No. 385/2025 Coll.; (d) technical validation of documents according to Peppol BIS Billing 3.0 before sending.

The Provider acts as a technical intermediary — a certified Digital Mailbox. The Provider is not responsible for the tax accuracy, completeness, or substantive correctness of invoices. Liability for compliance of invoice content with tax legislation rests solely with the User.

For Integrators using the Enterprise API, the Provider ensures document transfer via the Peppol network and a permanent content archive (UBL/XML), structured data, and transport metadata during the active subscription — see Article 6.

The Service is operated in accordance with the Peppol Service Provider Agreement (SPA) in the version effective as of the date of these GTC. The User acknowledges that Peppol network rules take precedence over these GTC to the extent they concern technical requirements of the Peppol infrastructure.

The Provider reserves the right to extend, modify, or change Service functionalities while preserving its core purpose, with notification according to Article 11.

The Contract between the Provider and the User is concluded upon completion of registration via the web form at epostak.sk, authentication via Google OAuth, or acceptance of an invite link within the PFS (Partner Flow System), and simultaneously confirming the relevant checkbox expressing consent to these GTC and requesting activation of the Service.

By confirming the checkbox, the User confirms that they have familiarized themselves with the GTC, understood their content, and agree to them within the meaning of Section 263 of Act No. 513/1991 Coll. Commercial Code, as amended. Electronic consent has the same legal effect as a written signature.

In PFS registration, the Financial Administration verifies the existence of the tax subject and provides the Provider with the Verification Data required for the subsequent SMP registration. In the standard activation flow, the Provider relies on the PFS authorization, the Verification Data, confirmation of the relevant checkbox, and the audit trail. The Provider may refuse or suspend registration if the PFS authorization is invalid, duplicate, revoked, or technically conflicting.

By registering, the User consents to the registration of their Peppol identifier 0245:[TAX ID] in the centralized SMP operated by FR SR. SMP registration is performed based on the Verification Data obtained through the Financial Administration process. This registration is technically necessary for receiving e-Invoices via the Peppol network and is public in nature — the identifier is visible to other Peppol network participants.

The User is responsible for the confidentiality of their account access credentials. In case of suspected unauthorized access, the User must immediately contact the Provider at info@epostak.sk.

Registration may only be performed by representatives of legal age authorized to act on behalf of the User. The individual completing the registration declares that they are authorized to legally bind the User.

The User is solely responsible for the content of sent e-Invoices and tax data documents, including their tax accuracy, compliance with applicable accounting and tax regulations, and identification of correct tax rates. This responsibility corresponds to the requirements of OpenPeppol SPA Art. 9.2(b).

The User is obliged to keep their registration and contact details (name, address, Company ID, Tax ID, email address) current and truthful. Changes must be reported to the Provider without undue delay, no later than 5 business days.

The Service must not be used to send fraudulent invoices, unsolicited commercial communications (spam), to commit criminal offences, or to circumvent tax obligations. Violation of this prohibition entitles the Provider to immediately block the account and deregister it from the SMP without any right to compensation, in accordance with OpenPeppol SPA Art. 9.2(d).

The User acknowledges that ePošťák is not an archiving service. The User is obliged to ensure archiving of e-Invoices and tax documents in their own system in accordance with Section 76 of Act No. 222/2004 Coll. on VAT and Section 35 of Act No. 431/2002 Coll. on Accounting, which set a 10-year retention period. If a special regulation requires a longer period, the User is responsible for complying with it.

The User must refrain from conduct that could disrupt the availability, security, or integrity of the Peppol network or the Service, including attempts at unauthorized access, attacks on infrastructure, or circumvention of security mechanisms.

In addition to the above, the Integrator is responsible for compliance of Enterprise API usage with the Provider's specifications, secure storage of API keys, and the conduct of their clients when using the API.

5.1 The Provider provides the Free Program free of charge subject to these GTC.

5.2 The monthly limits of the Free Program are: (a) receipt of max. 500 electronic invoices and (b) sending of max. 5 electronic invoices per calendar month per one company or Tax ID.

5.3 After either limit is reached, additional received invoices are archived but are not shown in the interface; sending a new invoice is refused with the notice “limit exhausted”; the User receives email notifications at 80% and 100% of limit usage.

5.4 Data is retained for at least 90 days and becomes fully available again after switching to a Paid Program. Peppol receipt continues in the background after the Free Program monthly limit is reached.

5.5 The Provider may reasonably change the limits; it will notify the User of the change at least 30 days in advance.

The Provider retains User data in the following scope and for the following period:

Free Program: documents are available and exportable in the web interface for 90 days from the date of sending or receipt. After this period, they may be hidden from the application interface or removed; the User's statutory archiving obligations remain unaffected.

Standard and Business Plans: documents and records are kept for the duration of the active subscription. After termination of the subscription or Contract, the User has 30 days to export their data. After this period, data is permanently deleted.

Enterprise API: transport metadata (identifiers, timestamps, delivery status), structured invoice data, and document content (UBL/XML) are retained permanently during the active subscription. After subscription termination, the User has 30 days for bulk export.

The Provider is not an archiving service and retention periods under this article do not replace the User's obligation to archive tax documents under applicable legislation. The User is solely responsible for their own archiving.

The Provider will send the User an email notification 7 days before planned data deletion to allow the User to export their data.

Delivery logs, activity logs, and audit records are kept for at least 6 months unless legal or security reasons require a longer period. Records related to security incidents may be retained longer.

Data export is available in UBL 2.1 (XML), PDF, and CSV formats via the web interface or API.

The Provider uses reasonable efforts to achieve availability of the ePošťák platform at 99.5% measured monthly, 24 hours a day, 7 days a week (hereinafter "SLA"). This is a reasonable-efforts obligation, not a guarantee of result or uninterrupted availability of all external delivery layers.

The SLA applies only to availability of the ePošťák platform operated by the Provider, in particular the web interface, API, login, and application components under the Provider's direct control. It does not apply to the availability or performance of the Peppol network, FR SR, SMP/SML, Peppol Authority, OpenPeppol AISBL, access points of other providers, recipients' receiving systems, telecommunications, hosting, email, payment, or other third-party services that are not under the Provider's direct control.

Planned maintenance windows are limited to a maximum of 2 hours. The Provider notifies Users by email or via the status page at least 3 calendar days in advance. Planned maintenance time and outages described in the previous paragraph are not counted in availability calculations.

In case of temporary document sending failure, the Provider automatically makes 3 retry attempts at 2-hour intervals if retrying is technically possible and is not blocked by Peppol network rules, FR SR, or the receiving Access Point. The User is notified by email of repeated failure.

In the event of an incident affecting availability of the ePošťák platform under the Provider's direct control, the Provider undertakes to begin resolution within 4 hours of identification and inform Users about the resolution status within 2 hours of the outage start.

The status of the ePošťák platform and the status of the Peppol/external delivery layer are monitored separately on the status page at epostak.sk/status. The Peppol layer status is informational monitoring of external dependencies and does not by itself constitute a breach of the ePošťák platform SLA.

The platform SLA scope does not apply to the Free plan. Free plan Users acknowledge that platform availability, supplementary web interface features, notifications, exports and user comfort are provided as-is without availability guarantees. This sentence does not apply to the Provider's obligations as a digital postman to receive and make Documents available through the Peppol network to the extent arising from mandatory legal regulations, Peppol network rules and these GTC.

The Provider is liable for damage caused to the User only to the extent set out in these GTC and applicable legal regulations.

Free Plan: The Free plan is provided free of charge and supplementary web interface features, notifications, exports, user comfort and support are provided as-is, without any warranty of quality or availability. The Provider is not liable for damage arising in connection with use of these free supplementary features, except for liability that cannot be excluded under mandatory legal regulations and except for failure of the Provider's obligation as a digital postman to receive or make available a tax data document where that obligation is on the Provider's side and under its direct control.

Paid Plans: The Provider's total liability for damage incurred by the User during one contractual year is limited to the amount of fees actually paid to the Provider in the last 12 months prior to the damage event.

Under no circumstances shall the Provider be liable for indirect damages, lost profits, loss of revenue, data loss, loss of business opportunities, or any other consequential or unforeseeable damages, even if the Provider was previously advised of the possibility of such damages.

Claims for damages must be asserted in writing within 12 months of the damage event, otherwise they expire.

The Provider is not liable for damages caused by force majeure or events outside the Provider's direct control, including but not limited to: cyberattacks and information security incidents beyond the Provider's control, outages of telecommunications, hosting, storage, database, email, or payment infrastructure of third parties, pandemic, decisions of state authorities, natural disasters, changes to or outages of Peppol network rules or infrastructure, FR SR, SMP/SML, Peppol Authority, OpenPeppol AISBL, access points of other providers, or recipients' receiving systems.

If a failure in the transfer of a tax data document occurs on the side of the Provider's certified AP, the Peppol network, FR SR, SMP/SML, Peppol Authority, OpenPeppol AISBL, a third-party access point, the recipient's receiving system, or other infrastructure outside the Provider's direct control, the Provider will provide the User, upon request, with reasonable technical cooperation, in particular available confirmation, an error log, an audit trail, or other technical evidence. The Provider is not liable for penalties, tax, accounting, or legal consequences caused by failure of infrastructure outside its direct control.

The Provider is not liable for tax, accounting, or legal consequences of the content of invoices sent by the User.

The User may terminate the Contract or request a change of digital postman at any time without stating a reason through account settings or by written notice to info@epostak.sk. Termination of a paid subscription takes effect on the last day of the current billing period unless the parties agree otherwise.

The Provider may terminate the Contract without stating a reason with 30 days' notice. Notice is sent by email to the User's address.

The Provider is entitled to terminate the Contract immediately in the event of: (a) material breach of the GTC by the User; (b) proven fraud or criminal activity; (c) payment delay exceeding 30 days; (d) request of a competent public authority; (e) violation of Peppol network rules that could jeopardize the Provider's AP certification.

When the User requests a change of digital postman, the Provider will issue an SMP migration code. The Service remains active with the Provider and the SMP record remains in transfer state until the new digital postman takes over the Peppol ID using the migration code or until the User cancels the request. The Provider does not perform immediate deletion of the SMP record for a digital postman change; the migration code must be handed to the new digital postman.

After termination of the Contract, the User has 30 days to export their data. After this period, all User data is permanently deleted in accordance with Article 6 and Annex No. 1.

Termination of the Contract does not affect obligations and claims that arose prior to the effective date of termination.

The ePošťák platform, its code, design, documentation, trademarks, and all related intellectual property rights are the exclusive property of Kaja Solutions s.r.o.

The Provider grants the User a limited, non-exclusive, non-transferable, and revocable license to use the Service solely for the User's internal business purposes during the term of the Contract.

The User shall not: (a) copy, modify, or distribute any parts of the platform; (b) reverse engineer, decompile, or disassemble it; (c) create derivative works; (d) sublicense access to third parties without the Provider's prior written consent.

User data (invoices, transaction records, and other documents) is the exclusive property of the User. The Provider does not acquire any ownership rights to the content of User data and processes it solely in accordance with Annex No. 1 (DPA) and for the purpose of providing the Service.

The User grants the Provider a non-exclusive right to process User data to the extent necessary for providing the Service.

The Provider is entitled to unilaterally change these GTC. The Provider shall inform the User of any change by email to the address provided during registration, at least 30 days before the changes take effect.

If the User continues to use the Service after the amended GTC take effect, they are deemed to have accepted the changes.

In the case of material changes to the GTC (changes in the scope of liability, changes in fees, or changes in termination conditions), the User has the right to terminate the Contract without penalties before the changes take effect, by written notice to the Provider within the 30-day period.

The following are not considered material changes: addition of new functionalities, change of technical documentation, clarification of definitions, or legislatively required changes (i.e., changes resulting from amendments to applicable regulations).

The current version of the GTC is always available at epostak.sk/podmienky. The date of the last update is stated in the document header.

These GTC and the Contract are governed by the laws of the Slovak Republic. Any disputes arising from these GTC shall be resolved by the courts of the Slovak Republic with jurisdiction in Bratislava.

The contracting parties undertake to maintain confidentiality of confidential information of the other party obtained in connection with the performance of the Contract, in accordance with Peppol SPA Art. 17.3.

If any provision of these GTC is found to be invalid, ineffective, or unenforceable, this shall not affect the validity and enforceability of the remaining provisions (severability clause). The parties agree to replace such provision with a valid and enforceable provision that most closely approximates the economic purpose of the original provision.

These GTC in version v1.1-2026-06-18 take effect on June 18, 2026 and supersede all previous versions of the GTC. Contracts concluded before this date are governed by the new GTC from their effective date.

Annex No. 1 — Data Processing Agreement (DPA), which governs the processing of personal data in accordance with the GDPR and Act No. 18/2018 Coll., forms an integral part of these GTC.

pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR)

Controller: User (legal entity or sole trader registered with the Service). Processor: Kaja Solutions s.r.o., Company No.: 57369186, Lermontovova 3, 811 05 Bratislava.

Purpose of Processing: provision of the Service — exchange of e-Invoices and tax data documents through the certified Peppol network on behalf of the Controller.

Categories of Personal Data: names and surnames of individuals, business addresses, Company ID, Tax ID, IBAN, email addresses, telephone numbers, transaction metadata (dates, amounts, document identifiers). The Processor does not process special categories of personal data within the meaning of Art. 9 GDPR.

Data Subjects: customers of the Controller, suppliers of the Controller, contact persons of contractual partners, and employees appearing on invoices.

Legal Basis: processing is necessary for the performance of a contract [Art. 6(1)(b) GDPR], compliance with a legal obligation [Art. 6(1)(c) GDPR], and for the purposes of the legitimate interests of the Controller in carrying out business [Art. 6(1)(f) GDPR].

Hosting and Security: all personal data is stored exclusively on servers within the EU/EEA. The Processor implements appropriate technical and organisational measures to protect personal data, including: encryption in transit (TLS 1.2+), password hashing (bcrypt), role-based access control (RBAC), and regular backups.

Sub-processors: The Processor is entitled to engage sub-processors on the basis of the Controller's general authorization, provided that such sub-processors provide the same guarantees for the protection of personal data. The current list of sub-processors is available at https://epostak.sk/sub-spracovatelia. The Processor informs the Controller of a planned change to the list at least 30 days in advance; the Controller may object to the change during that period.

Personal Data Breach: The Processor shall inform the Controller of any personal data breach within 24 hours of its detection, so that the Controller can fulfill the obligation to report to the Office for Personal Data Protection of the Slovak Republic within 72 hours under Art. 33 GDPR.

Audit and Security Evidence: The Processor undertakes to provide the Controller, once a year upon request, with information on security measures and audit results. Routine audits under this clause are performed preferably remotely by providing documentation, security evidence, and written explanations under Art. 28(3)(h) GDPR; this does not affect the right of the Controller or its mandated auditor to carry out a legally required or reasonably necessary inspection under pre-agreed security, confidentiality, and organisational conditions.

Rights of Data Subjects: The Controller is responsible for handling requests of data subjects (access, rectification, erasure, portability, restriction of processing). The Processor provides the Controller with the necessary assistance to fulfill these obligations.

Return and Deletion of Data: after termination of the Contract, the Processor shall return or delete all personal data of the Controller within 30 days, unless a special legal regulation requires retention. The Processor shall issue a written confirmation of deletion to the Controller.