Privacy Policy
Last updated: 2026-05-01
Effective: 2026-05-01
Version: 1.0
1. Introduction & scope
This Privacy Policy describes how Revatly (the "App") collects, uses, stores, and protects personal data. The App is a Shopify application available through the Shopify App Store at https://apps.shopify.com/revatly. References to "we," "us," or "our" refer to the legal entity that operates the App, identified in §2 below.
The App is intended for use by Shopify merchants. Two categories of data subjects fall within the scope of this policy:
- Merchants – the Shopify store owners and staff who install, configure, and use the App. We are the controller for the personal data we hold about merchants directly (account, billing, support correspondence).
- Merchants' end-customers – natural persons whose orders are processed by a merchant's Shopify store while the App is installed. For this data, we are the processor on behalf of the merchant, who is the controller.
This distinction matters: merchants are responsible for the lawful basis on which they collect end-customer data; we are responsible for processing that data only as instructed by the merchant and as described in this policy.
2. Who we are
| Legal entity | WEBIXO S.R.L. |
| Registration | Reg. Com. J2022004846350; CUI RO47008450 |
| Registered office | Vlad Banateanu Nr. 1A, A/8/79, Timisoara, Timis, 300668, Romania |
| Contact | revatly@webixo.com |
We are a small business based in the European Union. We do not maintain an EU representative under GDPR Art. 27 because our establishment is itself in the EU.
We have not appointed a Data Protection Officer (DPO). Under GDPR Art. 37, a DPO is required only when (a) the core activities of the controller or processor consist of large-scale, systematic monitoring of data subjects, or (b) processing of special-category data is a core activity. Neither applies to the App.
3. What data we collect
We collect only the minimum personal data required to deliver the App's stated function: bridging the EU VAT identifier Shopify validates natively at checkout into structured order and customer metafields so that invoice-generation apps can render compliant B2B invoices.
3.1 From Shopify, via OAuth and webhooks
When a merchant installs the App, Shopify grants us access to specific Admin API resources via OAuth (see §10 for the exact scopes requested). We then receive webhook payloads from Shopify when relevant events occur in the merchant's store.
Shopify's webhook payloads contain the full event data and we cannot filter what they send. However, the App reads and processes only a strict subset of each payload, and stores even less. The table below distinguishes received fields from processed fields:
| Webhook topic | Fields the App reads from the payload | Fields persisted by the App |
|---|---|---|
| orders/paid | Order identifier, customer identifier, order-creation timestamp, line-item tax rates and prices, order timeline events (to extract Shopify's validated VAT number) | Order identifier, customer identifier, validated VAT number + country, parse outcome, timestamp – stored in our audit log alongside operational metadata (parse latency, event count, internal record IDs) that contains no personal data |
| app_subscriptions/update | Subscription identifier, status, plan name, timestamp | Subscription identifier, status, plan name, timestamp – stored in our billing log |
| customers/data_request (GDPR) | Customer identifier | Webhook delivery identifier + shop domain stored in our deduplication log; the customer identifier itself is not persisted to the database. Fulfilment is reactive on merchant request (see §12) |
| customers/redact (GDPR) | Customer identifier, shop domain | Used to locate and erase records |
| shop/redact (GDPR) | Shop domain | Used to locate and erase records |
| app/uninstalled | Shop domain | Wipe shop's session, audit log, billing events, and webhook deduplication records |
| app/scopes_update | Shop domain, updated scope list | Update the stored scope string on the shop's session row |
Fields explicitly NOT read or persisted from the orders/paid payload, even though they are present in the wire payload Shopify sends: customer email, customer name, customer phone, billing address, shipping address, line-item product details (titles, SKUs, prices), discount codes, gift-card codes, IP addresses, and browser metadata. These fields arrive at our HTTPS endpoint as part of Shopify's webhook delivery but are never parsed by the App and never written to our database.
From the orders/paid event, the App parses Shopify's native reverse-charge timeline message to extract the validated EU VAT number that Shopify already verified at checkout. The App does not re-validate the VAT number, does not contact VIES or other validation services, and does not perform any independent customer or business lookups.
A VAT identification number is a business identifier in most EU jurisdictions, but for sole traders and certain natural-person registrations it can constitute personal data. The App treats VAT numbers as personal data for retention and deletion purposes regardless of merchant context.
3.2 From merchants, directly
When a merchant installs the App, we store the following in our database for that merchant:
- Merchant store identifier (*.myshopify.com domain)
- OAuth offline access token and refresh token issued by Shopify (stored in our EU database, which encrypts data at rest, used only to call Shopify's Admin API on the merchant's behalf and transmitted only over TLS)
- Granted OAuth scope string and token-expiry timestamps
The App uses Shopify's managed-install token-exchange flow, which issues only an app-scoped offline token. We do not collect or store the installing user's name, email address, locale, account-owner / collaborator status, or any other Shopify-staff personal identifiers.
We also collect:
- Subscription state and billing events relayed from Shopify Billing (see the app_subscriptions/update row in §3.1)
- Support correspondence (email content) when a merchant contacts us
3.3 From end-customers, directly
None. We have no direct relationship with end-customers. All end-customer data we process is received through the merchant's Shopify store.
3.4 What we write back to Shopify
The App's purpose is to write structured metafields. After processing an order, we write the validated EU VAT identification number, the associated EU country code, the verbatim Shopify timeline-event message (retained for reference), and non-personal provenance markers (validation source, exemption basis, validation timestamp) to order-level and customer-level metafields on the merchant's Shopify store, so that invoice-generation apps can render compliant B2B invoices.
These metafields are owned by the merchant and remain in the merchant's Shopify store. Removing the App does not automatically remove existing metafield values from the merchant's store; merchants who wish to remove them can do so via the Shopify Admin or by issuing the appropriate API requests.
4. How we use the data
We use the data described in §3 strictly for the following purposes, and for no others:
| Purpose | Data used | How |
|---|---|---|
| Provide App functionality | orders/paid payload, validated VAT data | Parse the event, write metafields back to Shopify |
| Audit + support | Order identifier, shop domain, validation outcome, timestamp | Stored in our audit log for diagnostics and merchant support; capped at 90 days |
| Billing | Subscription state from Shopify | Determine App access; we do not process payment-card data – Shopify handles payment |
| GDPR compliance | Customer/shop identifiers from compliance webhooks | Locate and erase data as required |
| Debug + system health | Shop domain, webhook receipt timestamp | Operational logs (retained per §7) |
We do not use the data for: advertising, profiling, automated decision-making with legal effect, training machine-learning models, sale or sharing with third parties for their own purposes, or any purpose unrelated to operating the App.
5. Lawful basis for processing
Controller vs. processor split. The lawful-basis analysis below applies to data for which we are the controller (merchant account, billing, support correspondence – see §1). For end-customer data we hold as processor on behalf of the merchant (the contents of our audit log), the merchant is responsible for establishing and documenting an Art. 6 lawful basis for the processing; we process such data only on the merchant's documented instructions, recorded in §12 of our Terms of Service, and not on a basis of our own.
Under GDPR Art. 6, where we act as controller, we rely on the following bases:
- Art. 6(1)(b) – performance of a contract. Processing is necessary to perform our contract with the merchant (the App's Terms of Service) and to enable the merchant to perform their own obligations to their end-customers.
- Art. 6(1)(f) – legitimate interests. Where we process personal data for purposes beyond strict contract performance – for example, retaining audit logs for 90 days to support incident investigation – we rely on our legitimate interest in operating a secure, compliant service.
Balancing test for legitimate interest (summary). The data subjects are end-customers whose orders are passed through Shopify checkout; they have a reasonable expectation that the merchant uses third-party tools to issue compliant invoices. The data we retain (order identifier, shop domain, validation outcome) is the minimum required to support and audit the App. We have considered less-intrusive alternatives – including not retaining audit logs at all – and rejected them because incident investigation and merchant support troubleshooting both require the ability to reconstruct what the App did with a given order; the 90-day cap balances diagnostic utility against retention minimisation. We do not use the data for marketing or profiling. The interests of data subjects in privacy are protected by the 90-day cap on audit logs, encryption at rest and in transit, the minimum OAuth scopes required for the App's function, and full GDPR-webhook compliance.
For the merchant-as-data-subject context (account data, billing records), the lawful basis is contract performance and our legitimate interest in maintaining business records for tax, audit, and dispute purposes.
6. Data sources
We receive end-customer personal data indirectly via the merchant's Shopify store, through OAuth and webhook delivery. This triggers the requirements of GDPR Art. 14 (information to be provided where personal data have not been obtained from the data subject). Merchants are responsible for notifying their end-customers, in their own privacy policy, that third-party Shopify apps may process order data for invoicing purposes.
The categories of personal data we obtain indirectly via Shopify are: validated EU VAT identification number, associated EU country code, Shopify-issued order and customer identifiers, and order-event timestamps. These are itemised in §3.1.
7. Retention
We apply specific retention periods per data category. Data is retained no longer than necessary for the stated purpose, and is deleted automatically thereafter or upon receipt of a valid erasure request.
| Data | Retention | Reason |
|---|---|---|
| OAuth session tokens | For the duration of the App installation; deleted on receipt of app/uninstalled or shop/redact | Required to call Shopify Admin API on the merchant's behalf |
| Validation audit log | 90 days from creation (automatic time-based purge), or earlier on customers/redact (per customer), shop/redact (per shop), or app/uninstalled (per shop) | Supports merchant troubleshooting and incident investigation; capped at 90 days because beyond that the data has no diagnostic value |
| Webhook deduplication records | For the duration of the App installation; deleted on shop/redact or app/uninstalled | Operational record of webhook delivery (Shopify-issued event ID, shop domain, receipt timestamp); contains no customer-identifying fields |
| Billing event records | For the duration of the App installation; deleted on shop/redact or app/uninstalled | Subscription-state metadata for billing reconciliation. Contains no customer-identifying fields (only shop domain, subscription state, plan name) |
| Order metafields written to the merchant's Shopify store | Indefinitely, in the merchant's Shopify store; we hold no copy | The merchant owns this data; deletion is at the merchant's discretion |
| Backups | Per Neon's platform defaults | Disaster recovery |
Upon receipt of a valid customers/redact or shop/redact webhook from Shopify, we erase all associated records within the timelines required by Shopify's GDPR webhook contract: 30 days from webhook receipt for both topics. Shopify sends the shop/redact webhook 48 hours after App uninstall.
8. Sub-processors
We use the following sub-processors to operate the App:
| Sub-processor | Purpose | Region |
|---|---|---|
| Shopify Inc. | Source platform – OAuth, Admin API, webhook delivery, billing | Operates globally; merchant data is held on Shopify's infrastructure |
| Vercel Inc. | Application hosting and request routing | Compute pinned to Frankfurt, Germany; request edge points may transit non-EU points-of-presence for TLS termination |
| Neon (Databricks Inc.) | PostgreSQL database (primary data store) | Frankfurt, Germany; region is locked at project creation |
We have data processing agreements with each sub-processor that bind them to GDPR-equivalent obligations. We do not sell, rent, or share personal data with any third party for that party's own purposes.
If we add or replace a sub-processor, we will update the list above before the change takes effect. Merchants are encouraged to review this section periodically and may object to any change as set out in §14 below and in §12 of our Terms of Service.
9. International transfers
Our application compute and primary data storage are pinned to the European Union (Frankfurt, Germany).
- Shopify Inc. (Canada) and its subsidiaries operate globally. Data flows from Shopify infrastructure (which may be located in Canada or the United States) to our EU-pinned compute and database, and back. We rely on Shopify's published Data Processing Addendum, which incorporates the EU Standard Contractual Clauses, as the lawful transfer mechanism under GDPR Chapter V for these flows. A copy of Shopify's DPA is publicly available at https://www.shopify.com/legal/dpa.
- Vercel Inc. (United States) – application compute is pinned to Frankfurt, Germany. Request edges may transit Vercel's global points-of-presence for TLS termination; the personal data transferred via these edges is limited to in-flight HTTP request and response payloads (which Vercel does not persist). Transfers outside the EEA are governed by Vercel's Data Processing Addendum, which incorporates the EU Standard Contractual Clauses (Module 2). The DPA is published at https://vercel.com/legal/dpa.
- Neon (Databricks Inc.) – primary database storage is in Frankfurt, Germany. Automated backups are retained on Neon's platform per their published retention defaults, in the same region as the primary database. Where any cross-border transfer occurs, it is governed by Neon's DPA, which incorporates the EU Standard Contractual Clauses.
Where any sub-processor transfers personal data outside the European Economic Area, the transfer is covered by the EU Standard Contractual Clauses or another lawful transfer mechanism under GDPR Chapter V. A copy of the relevant Standard Contractual Clauses or other transfer mechanism for any sub-processor is available on request – see §14.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit – TLS 1.2+ for all connections to the App, to Shopify, and between the App and its sub-processors
- Encryption at rest – AES-256 for the primary database (Neon)
- Authentication – OAuth 2.0 session tokens stored in the encrypted-at-rest database (above); HMAC verification on every webhook before any processing
- Scope minimization – we request only the OAuth scopes the App actually needs: write_orders and write_customers. These two scopes are the narrowest available in the Shopify Admin API for an app that writes structured metafields onto orders and customers – Shopify's API does not offer a metafield-only scope. The App uses these scopes exclusively to write its own VAT metafields and does not modify any other order or customer data.
- Access control – production database, Vercel project, Shopify Partner Dashboard, and source-control accounts (GitHub) are protected by unique strong passwords and multi-factor authentication
- Webhook integrity – all incoming webhook payloads are HMAC-validated against Shopify's signing secret before any side effect
- Deduplication – webhook events are deduplicated by Shopify-issued event ID to prevent replay
- Test/production separation – separate Shopify development stores, separate database, separate environment variables
- Incident response – in the event of a personal-data breach, our obligations depend on our role for the affected data:
  - For data where we act as processor (end-customer data processed on a merchant's behalf), we will notify the affected merchant without undue delay after becoming aware of the breach, in line with GDPR Art. 33(2), and assist the merchant in their own Art. 33–34 obligations.
  - For data where we act as controller (merchant account, billing, support correspondence), we will notify the competent supervisory authority within 72 hours of becoming aware where the breach is likely to result in a risk to the rights and freedoms of natural persons, and notify affected data subjects where Art. 34 applies.
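As an added illustration of the webhook-integrity and deduplication measures listed above (example code written for this page, not the App's own implementation; the secret, body and header values are constructed), the receiver verifies Shopify's X-Shopify-Hmac-Sha256 header over the raw request body in constant time before parsing anything, then ignores replayed deliveries by X-Shopify-Webhook-Id, recording only the fields §7 lists for the deduplication log:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values: not the App's real client secret or a real store.
APP_SECRET = b"example-client-secret-not-real"
SAMPLE_BODY = json.dumps({"id": 1001, "customer": {"id": 2002}}).encode()


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 over the raw body: the value Shopify sends in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_shopify_hmac(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header is treated as a failed check."""
    if not header_value:
        return False
    return hmac.compare_digest(sign_body(secret, raw_body), header_value)


class WebhookReceiver:
    """Order of operations: authenticate, deduplicate, then (and only then) act on the payload."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # Stands in for the deduplication table: event ID -> (shop domain, receipt timestamp).
        # No customer-identifying field is recorded here.
        self._dedup_log: dict = {}
        self.processed: list = []

    def handle(self, headers: dict, raw_body: bytes) -> str:
        # 1. Webhook integrity: reject before any side effect (the HTTP layer would answer 401).
        if not verify_shopify_hmac(self._secret, raw_body, headers.get("X-Shopify-Hmac-Sha256")):
            return "rejected"
        event_id = headers.get("X-Shopify-Webhook-Id")
        shop = headers.get("X-Shopify-Shop-Domain")
        if not event_id or not shop:
            return "rejected"
        # 2. Deduplication: a replayed delivery is acknowledged but produces no second side effect.
        if event_id in self._dedup_log:
            return "duplicate"
        self._dedup_log[event_id] = (shop, time.time())
        # 3. Only now is the body parsed; only the identifiers the handler needs are extracted.
        payload = json.loads(raw_body)
        self.processed.append((headers.get("X-Shopify-Topic"), shop, payload["id"]))
        return "processed"


def make_headers(secret: bytes, raw_body: bytes, event_id: str) -> dict:
    """Build the headers a genuine Shopify delivery would carry (constructed for the example)."""
    return {
        "X-Shopify-Hmac-Sha256": sign_body(secret, raw_body),
        "X-Shopify-Webhook-Id": event_id,
        "X-Shopify-Shop-Domain": "example-store.myshopify.com",
        "X-Shopify-Topic": "orders/paid",
    }
```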
11. Your rights
Under GDPR, individuals have the following rights:
- Right of access (Art. 15) – to request a copy of the personal data we hold about you
- Right to rectification (Art. 16) – to request correction of inaccurate data
- Right to erasure (Art. 17, "right to be forgotten") – to request deletion of your data, subject to lawful retention exceptions
- Right to restriction (Art. 18) – to request that processing be paused
- Right to data portability (Art. 20) – to receive your data in a structured, machine-readable format
- Right to object (Art. 21) – to object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)) – where consent is the lawful basis (not generally applicable to the App)
- Right not to be subject to automated decision-making (Art. 22) – we do not engage in automated decision-making with legal effect
- Right to lodge a complaint with a supervisory authority
If you are an end-customer of a merchant using the App, please direct rights requests to the merchant in the first instance – they are the controller of your data. We will assist the merchant in responding.
If we receive a rights request directly from a data subject for whom we are processor (an end-customer of a merchant), we will (a) acknowledge receipt within 5 business days, (b) forward the request without undue delay to the merchant who is the controller, and (c) inform the data subject we have done so. We may verify the requester's identity by reasonable means (for example, asking for an order reference and the email associated with the order on the merchant's store) before disclosing personal data. We will not respond substantively to an end-customer rights request unless instructed by the controlling merchant or required by law.
If you are a merchant, see §14 below.
The Romanian supervisory authority is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) – https://www.dataprotection.ro. You may also contact the supervisory authority of your EU country of residence.
12. GDPR webhook compliance
The App implements all four mandatory Shopify GDPR webhook topics:
| Webhook | What we do | Response timeline |
|---|---|---|
| customers/data_request | On receipt, we acknowledge receipt of the webhook and record receipt of the webhook delivery in our deduplication log (webhook delivery identifier, shop domain, timestamp; the customer identifier is not stored in our records). Merchants seeking the underlying audit-log entries linked to a named customer – or confirmation that none exist – should contact us at revatly@webixo.com referencing the customer's Shopify GID; we will respond within 30 days. We do not transmit personal data in the synchronous webhook response itself | Within 30 days of merchant request |
| customers/redact | Erase all personal data we hold about the named customer, and remove the customer's VAT metafields written by the App from the merchant's store. If the redact webhook arrives after the App has been uninstalled (Shopify may send it within the 48h grace before shop/redact), we no longer have credentials to access the merchant's store and cannot remove the metafields; in that case the merchant must delete the customer's VAT metafields manually via Shopify Admin or API to complete the redaction | Within 30 days |
| shop/redact | Erase all data scoped to the named shop, including audit logs, session records, billing events, and webhook deduplication records | Within 30 days of webhook receipt (Shopify sends the webhook 48 hours after uninstall) |
| app/uninstalled | Wipe the shop's session, audit log, billing events, and webhook deduplication records | Immediate, in the same request |
These webhooks are implemented per Shopify's compliance webhook contract.
13. Cookies and tracking
The App is delivered as an embedded application inside the Shopify Admin. We do not set first-party tracking cookies, do not use third-party analytics or tracking SDKs, and do not embed advertising or social-media trackers. The only cookies set in the App context are session cookies required by Shopify's App Bridge and the OAuth authentication flow. These cookies are strictly necessary for the App to function within the Shopify Admin and do not require consent under Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC as amended). They contain no advertising or cross-site tracking identifiers.
We do not maintain a separate marketing website that uses tracking cookies.
14. Contact
For privacy questions, rights requests, or to review our processor terms (set out in §12 of our Terms of Service):
Email: revatly@webixo.com
Postal: see §2 above for our registered office address
We aim to respond to privacy enquiries within 5 business days, and to formal rights requests within the timelines required by GDPR (one month, extendable by two further months for complex requests).
Audit rights (where you are a controller using the App as a processor) are governed by §12 of our Terms of Service.
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, in our sub-processors, in applicable law, or in Shopify's platform. The version number, effective date, and last-updated date at the top of this policy reflect the current version; merchants are encouraged to review periodically. Prior versions are available on request.
Appendix A – Shopify-required disclosures
The following questions are required by Shopify's Partner Program privacy-policy guidelines. Answers are summarised below; full detail is in the body of this policy.
- What information do you collect through Shopify's APIs? See §3.1.
- What information do you collect directly from the merchant? See §3.2.
- What information do you collect directly from merchants' customers? None – see §3.3.
- How do you use the information you collect? See §4.
- For how long do you store or retain the data that you collect? See §7.
- Are you established in Europe? Yes – Romania, European Union.
- Are you storing or processing information outside of Europe? Primary storage and compute are in Frankfurt, Germany (EU). Some request-routing transit may pass through non-EU points-of-presence. See §9.
- Do you share customer information with third parties? No, except with the sub-processors listed in §8 to operate the App. We do not sell, rent, or share personal data for any third party's own purposes.