Last updated: March 2025

Privacy Policy

This Privacy Policy explains how faktura ("we", "us", or "our") collects, uses, stores, and protects personal data when you install and use the faktura Shopify app. We are committed to complying with the General Data Protection Regulation (GDPR) and all applicable EU data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect

When you install and use faktura, we collect the following categories of personal data:

2.1 Shop & merchant data

• Shopify store domain, shop name, and shop owner contact details
• Business name, legal address, and VAT registration number
• Invoice numbering preferences and invoice settings you configure

2.2 Order & customer data

• Order information pulled from Shopify: order number, order date, line items, prices, applied taxes, and discount codes
• Customer billing details required for invoicing: full name, billing address, country, and — where provided — VAT identification number

2.3 Generated documents

• PDF invoices and credit notes generated from order data
• OSS (One-Stop-Shop) threshold figures and aggregate VAT reports

2.4 Technical & usage data

• Session tokens required for Shopify embedded app authentication
• GDPR compliance request logs (customer data requests, erasure requests)

We do not collect payment card numbers, passwords, or any sensitive personal data beyond what is listed above.

3. Purpose and Legal Basis for Processing

4. Data Retention

• Invoices and order data — retained for 10 years from the invoice date, as required by EU VAT and accounting regulations (e.g. French CGI Art. 289, German UStG § 14b, EU VAT Directive 2006/112/EC Art. 246).
• Shop and merchant settings — retained for the duration of your subscription. Deleted within 30 days of app uninstall.
• Session tokens — deleted on session expiry or app uninstall, whichever comes first.
• GDPR compliance logs — retained for 3 years to demonstrate regulatory compliance, then securely deleted.

5. Third-Party Processors

We share data with the following sub-processors, each bound by a data processing agreement (DPA):

• Shopify Inc. — the host platform that provides the underlying order and shop data via its Admin API. Shopify acts as a data processor on your behalf. See Shopify's Privacy Policy.
• European Commission VIES API — used to validate EU VAT identification numbers. Only the VAT number is transmitted; no personal data is retained by this service.
• Email delivery provider — used to deliver invoice PDFs by email. Email addresses and attachment content are transmitted for this purpose only.
• Cloud storage provider — used to store generated PDF invoice files. Data is encrypted at rest and in transit.
• Database host — stores structured application data including shop settings, invoice metadata, and compliance logs.

6. International Data Transfers

Some of our sub-processors may store data on servers located outside the European Economic Area (EEA). Where this occurs, we ensure adequate safeguards are in place through one or more of the following mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• An adequacy decision by the European Commission for the recipient country
• Binding Corporate Rules or other legally recognised transfer mechanisms under GDPR Chapter V

Where possible, we configure storage regions within the EEA to minimise transfers outside the EEA.

7. Your Rights Under GDPR

As a data subject, you have the following rights. You can exercise them at any time by contacting us at privacy@faktura.so:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations. Erasure requests submitted via Shopify's mandatory GDPR webhooks are processed automatically.
• Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20) — receive your data in a machine-readable format where processing is based on consent or contract.
• Right to object (Art. 21) — object to processing based on our legitimate interests.
• Right to lodge a complaint — you have the right to lodge a complaint with your national data protection authority (e.g. CNIL in France, BfDI in Germany, AEPD in Spain, Garante in Italy, AP in the Netherlands).

8. Data Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or destruction, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls limiting data access to authorised personnel
• Regular security reviews and dependency audits
• Shopify's verified app review process and mandatory webhook signature verification

9. Cookies and Tracking

faktura is a Shopify embedded app and does not use third-party advertising trackers or analytics cookies on this website. We use strictly necessary session cookies required for the OAuth authentication flow between Shopify and our app. No cookies are set on your customers' storefronts.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you via email or in-app notification. Your continued use of faktura after the effective date of any changes constitutes your acceptance of the revised policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us: