General Terms and Conditions

For the purposes of these General Terms and Conditions:

Provider — Kaja Solutions s.r.o., Company No.: 57369186, operator of the ePošťák platform and a certified Peppol Access Point.

User — a legal entity or sole trader who has entered into a Contract with the Provider and uses the Service to send or receive electronic invoices.

Integrator — a legal entity or sole trader who accesses the Service through the Enterprise API on behalf of their clients and is responsible for technical integration of ERP or other third-party systems.

Peppol Network — the international interoperable infrastructure for exchanging electronic business documents operated under the supervision of OpenPeppol AISBL, governed by the Peppol Interoperability Framework (PIF) and Peppol Service Provider Agreement (SPA).

SMP (Service Metadata Publisher) — the register of Peppol participants and their capabilities, operated in Slovakia by the Financial Directorate of the Slovak Republic (FR SR) as the Peppol Authority.

Access Point (AP) — a certified technical node of the Peppol network that sends and receives documents on behalf of Users. The Provider operates an AP certified by OpenPeppol.

Digital Mailbox (Digital Postman) — an entity within the meaning of Act No. 385/2025 Coll. on electronic invoicing, authorized to mediate the transfer of tax data documents between taxpayers and the Financial Administration of the Slovak Republic.

E-Invoice — an electronic invoice in a structured format corresponding to the European standard EN 16931 and UBL 2.1 format, sent via the Peppol network.

Tax Data Document — an electronic invoice or other document in the format required by Act No. 222/2004 Coll. on Value Added Tax, as amended, and Act No. 385/2025 Coll.

Slovak CIUS — the Core Invoice Usage Specification applicable for Slovakia, issued by FR SR, specifying local validation rules beyond Peppol BIS Billing 3.0.

FR SR — the Financial Directorate of the Slovak Republic, acting as the national Peppol Authority in Slovakia.

Identifier 0245:[TAX ID] — the standard Peppol participant identifier for Slovakia, where 0245 is the scheme code for the Slovak Tax ID.

GTC — these General Terms and Conditions including Annex No. 1 (DPA).

Service — the ePošťák platform available at epostak.sk, including the web interface, mobile application, and Enterprise API.

Contract — the contractual relationship between the Provider and the User arising from registration and acceptance of these GTC.

The Provider undertakes to provide the User with access to the ePošťák platform, which is a certified Peppol Access Point connected to the Peppol network in accordance with the Peppol Interoperability Framework.

Within the Service, the Provider ensures: (a) registration of the User with the centralized SMP operated by FR SR under identifier 0245:[TAX ID]; (b) sending and receiving e-Invoices via the Peppol network; (c) transfer of tax data documents to the FR SR AP in accordance with Act No. 385/2025 Coll.; (d) validation of documents according to Peppol BIS Billing 3.0 combined with the Slovak CIUS before sending.

The Provider acts as a technical intermediary — a certified Digital Mailbox. The Provider is not responsible for the tax accuracy, completeness, or content correctness of invoices. Liability for compliance of invoice content with tax legislation rests solely with the User.

For Integrators using the Enterprise API, the Provider ensures document transfer via the Peppol network and a permanent content archive (UBL/XML), structured data, and transport metadata during the active subscription — see Article 6.

The Service is operated in accordance with the Peppol Service Provider Agreement (SPA) in the version effective as of the date of these GTC. The User acknowledges that Peppol network rules take precedence over these GTC to the extent they concern technical requirements of the Peppol infrastructure.

The Provider reserves the right to extend, modify, or change Service functionalities while preserving its core purpose, with notification according to Article 11.

The Contract between the Provider and the User is concluded upon completion of registration via the web form at epostak.sk, authentication via Google OAuth, or acceptance of an invite link within the PFS (Partner Flow System), and simultaneously checking the relevant checkbox expressing consent to these GTC.

By checking the box, the User confirms that they have familiarized themselves with the GTC, understood their content, and agree to them within the meaning of Section 263 of Act No. 513/1991 Coll. Commercial Code, as amended. Electronic consent has the same legal effect as a written signature.

Registration is subject to identity verification (KYC): The Provider verifies the validity of the provided Company ID and Tax ID through public registers (ORSR, FinStat). The Provider reserves the right to refuse registration or deactivate an account if the provided identification data is inconsistent.

By registering, the User consents to the registration of their Peppol identifier 0245:[TAX ID] in the centralized SMP operated by FR SR. This registration is technically necessary for receiving e-Invoices via the Peppol network and is public in nature — the identifier is visible to other Peppol network participants.

The User is responsible for the confidentiality of their account access credentials. In case of suspected unauthorized access, the User must immediately contact the Provider at info@epostak.sk.

Registration may only be performed by adult representatives authorized to act on behalf of the User. The individual completing the registration declares that they are authorized to legally bind the User.

The User is solely responsible for the content of sent e-Invoices and tax data documents, including their tax accuracy, compliance with applicable accounting and tax regulations, and identification of correct tax rates. This responsibility corresponds to the requirements of OpenPeppol SPA Art. 9.2(b).

The User is obliged to keep their registration and contact details (name, address, Company ID, Tax ID, email address) current and truthful. Changes must be reported to the Provider without undue delay, no later than 5 business days.

It is strictly prohibited to use the Service for sending fraudulent invoices, unsolicited commercial communication (spam), committing criminal offenses, or circumventing tax obligations. Violation of this prohibition entitles the Provider to immediately block the account and deregister from the SMP without compensation, in accordance with OpenPeppol SPA Art. 9.2(d).

The User acknowledges that ePošťák is not an archiving service. The User is obliged to ensure archiving of e-Invoices and tax documents in their own system in accordance with Section 32 of Act No. 222/2004 Coll. on VAT, which sets a retention period of 10 years, and in accordance with Section 35 of Act No. 431/2002 Coll. on Accounting, which sets a 10-year retention period for accounting documents. Under special regulations, the archiving period may be up to 20 years.

The User must refrain from conduct that could disrupt the availability, security, or integrity of the Peppol network or the Service, including attempts at unauthorized access, attacks on infrastructure, or circumvention of security mechanisms.

In addition to the above, the Integrator is responsible for compliance of Enterprise API usage with the Provider's specifications, secure storage of API keys, and the conduct of their clients when using the API.

The current price list of the Service is published at epostak.sk/cennik and forms an integral part of the Contract. In case of conflict between these GTC and the price list, the GTC take precedence.

The Provider offers the following tariffs: (a) Free — free plan with limited features and capacities according to the current price list; (b) Standard — monthly or annual subscription for small and medium businesses; (c) Business — monthly or annual subscription with extended limits and priority support; (d) Enterprise API — individually agreed terms for Integrators with API access.

The subscription is paid in advance, monthly or annually depending on the chosen plan. Invoices are due within 14 days of issue and are sent electronically to the User's email address.

In case of late payment, the Provider is entitled to default interest under Section 369 of the Commercial Code at the statutory rate. The Provider may suspend access to paid Service features after 7 days of payment delay.

Annual subscription paid in advance may be offered at a discounted price. In case of early termination of the annual subscription by the User, there is no entitlement to a refund of the pro-rata prepaid amount, unless the GTC or price list provide otherwise.

Founder Price: The first 200 Users who activate the Business plan during the founder period (hereinafter "Founders") are entitled to a discounted price of EUR 8/month (excl. VAT) instead of the standard EUR 19/month. This discounted price is guaranteed for the entire duration of the Contract — the Provider is not entitled to unilaterally increase it. The discounted price only ceases upon termination of the Contract by the User. Reactivation after Contract termination does not entitle to the founder price.

The Provider is entitled to change the price list with 30 days' notice by email to the User. If the User does not agree with the new price list, they have the right to terminate the Contract before the new price list takes effect; continued use of the Service after this date is deemed acceptance of the new price list. Price changes do not apply to Founders — their discounted price remains unaffected.

The Provider retains User data in the following scope and for the following period:

Free Plan: documents and transaction records are kept for 90 days from the date of sending or receiving. After this period, they are permanently deleted.

Standard and Business Plans: documents and records are kept for the duration of the active subscription. After termination of the subscription or Contract, the User has 30 days to export their data. After this period, data is permanently deleted.

Enterprise API: transport metadata (identifiers, timestamps, delivery status), structured invoice data, and document content (UBL/XML) are retained permanently during the active subscription. After subscription termination, the User has 30 days for bulk export.

The Provider is not an archiving service and retention periods under this article do not replace the User's obligation to archive tax documents under applicable legislation. The User is solely responsible for their own archiving.

The Provider will send the User an email notification 7 days before planned data deletion to allow the User to export their data.

Activity logs and audit records are kept for at least 3 months in accordance with Peppol SPA requirements. Records related to security incidents may be retained longer.

Data export is available in UBL 2.1 (XML), PDF, and CSV formats via the web interface or API.

The Provider undertakes to ensure Service availability at 99.5% measured monthly, 24 hours a day, 7 days a week (hereinafter "SLA"). Availability is measured as the ratio of (total monthly time minus planned and unplanned downtime) to total monthly time.

Planned maintenance windows are limited to a maximum of 2 hours. The Provider notifies Users by email or via the status page at least 3 calendar days in advance. Planned maintenance time is not counted in availability calculations.

In case of temporary document sending failure, the Provider automatically makes 3 retry attempts at 2-hour intervals. The User is notified by email of repeated failure.

Acknowledgement of receipt (AS4 receipt) from the target Access Point is typically available within 2 seconds of sending. This timeframe may be exceeded during outages on the recipient's side or other APs in the Peppol network.

In the event of an incident affecting Service availability, the Provider undertakes to begin resolution within 4 hours of identification and inform Users about the resolution status within 2 hours of the outage start.

Service status and incident history can be monitored on the status page available at status.epostak.sk.

SLA guarantees do not apply to the Free plan. Free plan Users acknowledge that the Service is provided as-is without availability guarantees.

The Provider is liable for damage caused to the User only to the extent set out in these GTC and applicable legal regulations.

Free Plan: The Service is provided free of charge, without any warranty of quality or availability (as-is). The Provider is not liable for any damage incurred by the User in connection with the use of the free plan.

Paid Plans: The Provider's total liability for damage incurred by the User during one contractual year is limited to the amount of fees actually paid to the Provider in the last 12 months prior to the damage event.

Under no circumstances shall the Provider be liable for indirect damages, lost profits, loss of revenue, data loss, loss of business opportunities, or any other consequential or unforeseeable damages, even if the Provider was previously advised of the possibility of such damages.

Claims for damages must be asserted in writing within 12 months of the damage event, otherwise they expire.

The Provider is not liable for damages caused by force majeure, including but not limited to: cyberattacks and information security incidents beyond the Provider's control, telecommunication infrastructure outages, pandemic, decisions of state authorities, natural disasters, outages of Peppol network infrastructure or FR SR.

In accordance with Act No. 385/2025 Coll.: if failure in the transfer of a tax data document occurs on the side of the certified AP or FR SR and the taxpayer has verifiable evidence thereof (e.g. proof of sending, error log), tax penalties associated with this failure shall not be applicable to them. The Provider shall issue the relevant confirmation upon request.

The Provider is not liable for tax, accounting, or legal consequences of the content of invoices sent by the User.

The User may terminate the Contract at any time without stating a reason through account settings or by written notice to info@epostak.sk. Termination takes effect on the last day of the current billing period.

The Provider may terminate the Contract without stating a reason with 30 days' notice. Notice is sent by email to the User's address.

The Provider is entitled to terminate the Contract immediately in the event of: (a) material breach of the GTC by the User; (b) proven fraud or criminal activity; (c) payment delay exceeding 30 days; (d) request of a competent public authority; (e) violation of Peppol network rules that could jeopardize the Provider's AP certification.

After termination of the Contract, the Provider shall ensure deregistration of the User from the SMP within 3 business days, in accordance with FR SR PA Specific Requirements. After deregistration, the User's identifier 0245:[TAX ID] will not be available in the Peppol network.

After termination of the Contract, the User has 30 days to export their data. After this period, all User data is permanently deleted in accordance with Article 6 and Annex No. 1.

Termination of the Contract does not affect obligations and claims that arose prior to the effective date of termination.

The ePošťák platform, its code, design, documentation, trademarks, and all related intellectual property rights are the exclusive property of Kaja Solutions s.r.o.

The Provider grants the User a limited, non-exclusive, non-transferable, and revocable license to use the Service solely for the User's internal business purposes during the term of the Contract.

It is prohibited to: (a) copy, modify, or distribute any parts of the platform; (b) reverse engineer, decompile, or disassemble; (c) create derivative works; (d) sublicense access to third parties without the Provider's written consent.

User data (invoices, transaction records, and other documents) is the exclusive property of the User. The Provider does not acquire any ownership rights to the content of User data and processes it solely in accordance with Annex No. 1 (DPA) and for the purpose of providing the Service.

The User grants the Provider a non-exclusive right to process User data to the extent necessary for providing the Service.

The Provider is entitled to unilaterally change these GTC. The Provider shall inform the User of any change by email to the address provided during registration, at least 30 days before the changes take effect.

If the User continues to use the Service after the amended GTC take effect, they are deemed to have accepted the changes.

In the case of material changes to the GTC (changes in the scope of liability, changes in fees, or changes in termination conditions), the User has the right to terminate the Contract without penalties before the changes take effect, by written notice to the Provider within the 30-day period.

The following are not considered material changes: addition of new functionalities, change of technical documentation, clarification of definitions, or legislatively required changes (i.e., changes triggered by amendments to applicable regulations).

The current version of the GTC is always available at epostak.sk/podmienky. The date of the last update is stated in the document header.

These GTC and the Contract are governed by the laws of the Slovak Republic. Any disputes arising from these GTC shall be resolved by the courts of the Slovak Republic with jurisdiction in Bratislava.

The contracting parties undertake to maintain confidentiality of confidential information of the other party obtained in connection with the performance of the Contract, in accordance with Peppol SPA Art. 17.3.

If any provision of these GTC is found to be invalid, ineffective, or unenforceable, this shall not affect the validity and enforceability of the remaining provisions (severability clause). The parties agree to replace such provision with a valid and enforceable provision that most closely approximates the economic purpose of the original provision.

These GTC take effect on January 1, 2027 and supersede all previous versions of the GTC. Contracts concluded before this date are governed by the new GTC from their effective date.

Annex No. 1 — Data Processing Agreement (DPA), which governs the processing of personal data in accordance with the GDPR and Act No. 18/2018 Coll., forms an integral part of these GTC.

pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR)

Controller: User (legal entity or sole trader registered with the Service). Processor: Kaja Solutions s.r.o., Company No.: 57369186, Lermontovova 3, 811 05 Bratislava.

Purpose of Processing: provision of the Service — exchange of e-Invoices and tax data documents through the certified Peppol network on behalf of the Controller.

Categories of Personal Data: names and surnames of individuals, business addresses, Company ID, Tax ID, IBAN, email addresses, telephone numbers, transaction metadata (dates, amounts, document identifiers). The Processor does not process special categories of personal data within the meaning of Art. 9 GDPR.

Data Subjects: customers of the Controller, suppliers of the Controller, contact persons of contractual partners, and employees appearing on invoices.

Legal Basis: processing is necessary for the performance of a contract [Art. 6(1)(b) GDPR], compliance with a legal obligation [Art. 6(1)(c) GDPR], and for the purposes of the legitimate interests of the Controller in carrying out business [Art. 6(1)(f) GDPR].

Hosting and Security: all personal data is stored exclusively on servers within the EU/EEA. The Processor adopts appropriate technical and organizational measures to protect personal data, including: transport encryption (TLS 1.2+), password hashing (bcrypt), role-based access control (RBAC), and regular backups.

Sub-processors: The Processor is entitled to engage sub-processors (cloud infrastructure providers, monitoring tools) provided that such sub-processors provide the same guarantees for the protection of personal data. The current list of sub-processors is available upon request.

Personal Data Breach: The Processor shall inform the Controller of any personal data breach within 24 hours of its detection, so that the Controller can fulfill the obligation to report to the Office for Personal Data Protection of the Slovak Republic within 72 hours under Art. 33 GDPR.

Audit and Certification: The Processor undertakes to provide the Controller, once a year upon request, with information on security measures and audit results. The Processor strives to obtain ISO 27001 certification.

Rights of Data Subjects: The Controller is responsible for handling requests of data subjects (access, rectification, erasure, portability, restriction of processing). The Processor provides the Controller with the necessary assistance to fulfill these obligations.

Return and Deletion of Data: after termination of the Contract, the Processor shall return or delete all personal data of the Controller within 30 days, unless a special legal regulation requires retention. The Processor shall issue a written confirmation of deletion to the Controller.