Privacy Policy

Last updated: March 1, 2026

Introduction

Fakturo ("we", "us", "our") is a Shopify embedded application that automatically generates EU-compliant electronic invoices (Factur-X, ZUGFeRD, XRechnung) from your Shopify orders. This privacy policy explains what data we collect, why we collect it, how we store it, and what rights you have over your data.

We are committed to protecting the privacy of our merchants and their customers in full compliance with the General Data Protection Regulation (GDPR) and Shopify's privacy requirements for apps.

Who We Are

Fakturo is operated by Denis Belyaev, an individual developer.

For GDPR purposes, Fakturo acts as a data processor on behalf of Shopify merchants (the data controllers) when processing order and customer data to generate invoices.

What Data We Collect

1. Merchant Account Information

When you install and set up Fakturo, we collect:

  • Company name and legal form
  • Business address
  • VAT registration number
  • Tax identification details
  • Invoice settings (number prefix, numbering sequence, default language)
  • Shopify store domain and access credentials (provided by Shopify during app installation)

Purpose: This information is required to generate legally compliant EU e-invoices on your behalf.

Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).

2. Order and Customer Data

When an order is placed in your Shopify store, we receive the following via Shopify webhooks:

  • Order details (order number, line items, quantities, prices, discounts, taxes, shipping costs)
  • Customer name and billing/shipping address
  • Currency and payment information relevant to the invoice

Purpose: This data is used exclusively to generate invoices for your orders. We do not use this data for any other purpose.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)).

3. Analytics Data

We use PostHog (hosted in the EU at eu.i.posthog.com) to collect anonymous usage analytics:

  • Pages visited within the app
  • Feature usage patterns
  • Error events

We do not track individual customer data through analytics.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)).

4. Shopify Session Data

We store Shopify session tokens as required by the Shopify App Bridge framework to keep you authenticated while using the app.

Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).

What We Do NOT Collect

  • We do not collect payment card numbers or bank account details
  • We do not collect customer email addresses or phone numbers beyond what Shopify provides in order data
  • We do not use cookies for advertising or tracking outside the app
  • We do not build customer profiles or perform behavioral targeting

How We Use Your Data

We use the data we collect for one purpose: generating EU-compliant electronic invoices from your Shopify orders.

  1. Invoice generation — We combine your merchant details with order data to produce legally compliant invoices in formats such as Factur-X, ZUGFeRD, and XRechnung.
  2. Invoice storage — Generated invoices are stored so you can download them later.
  3. Error handling — We log webhook events and processing errors to ensure reliable invoice generation.
  4. App improvement — Anonymous usage analytics help us identify bugs and improve the user experience.

We do not sell, rent, or share your data with third parties for marketing or advertising purposes.

Data Storage and Security

All data is stored in a PostgreSQL database hosted by Supabase in the European Union. Your data does not leave the EU.

  • All data is transmitted over encrypted connections (TLS/HTTPS)
  • Database access is restricted and authenticated
  • Shopify API credentials are stored securely and never exposed to the client
  • We follow the principle of least privilege — we only request the Shopify API scopes we need (read_orders, read_products, read_customers, write_files, read_files)

Third-Party Services

ServicePurposeLocation
ShopifyApp platform, order data sourceGlobal
SupabaseDatabase hostingEU
VercelApplication hostingGlobal (EU processing)
PostHogAnonymous usage analyticsEU

We do not share your data with any other third parties.

Data Retention

  • Merchant data: Retained while the app is installed. Deleted 30 days after uninstallation.
  • Invoice data: Retained per EU tax record-keeping requirements (7-10 years depending on jurisdiction). Merchants may request earlier deletion but should be aware of their own legal retention obligations.
  • Session data: Automatically expired and cleaned up after the session ends.
  • Webhook logs: Retained for 90 days for debugging, then automatically deleted.

Your Rights Under GDPR

As a merchant using Fakturo, you have the following rights:

  1. Right of access — Request a copy of all data we hold about you and your store.
  2. Right to rectification — Update your merchant information at any time through the app settings.
  3. Right to erasure — Request deletion of all your data. We will comply within 30 days, subject to legal retention obligations.
  4. Right to data portability — Request your data in a structured, machine-readable format.
  5. Right to restrict processing — Ask us to temporarily stop processing your data.
  6. Right to object — Object to processing based on legitimate interest.
  7. Right to withdraw consent — Withdraw consent at any time by uninstalling the app.

To exercise any of these rights, contact us at denis@fakturo.dev. We will respond within 30 days.

Data Processing on Behalf of Merchants

When Fakturo processes order and customer data to generate invoices, the merchant is the data controller and Fakturo is the data processor.

  • We only process customer data as instructed by the merchant (to generate invoices)
  • We do not use customer data for our own purposes
  • We implement appropriate technical and organizational security measures
  • We will assist merchants in responding to data subject requests from their customers
  • We will notify merchants without undue delay if we become aware of a data breach

Children's Privacy

Fakturo is a business-to-business application for Shopify merchants. We do not knowingly collect data from children under 16. If you believe a child's data has been inadvertently collected, contact us at denis@fakturo.dev and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify installed merchants through the app if the changes are significant.

Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection authority (supervisory authority) under GDPR Article 77.

Contact Us

If you have any questions about this privacy policy or how we handle your data: