1. Overview
Smart Invoice Generator ("the App", "we", "us") is a Shopify app developed by ErosTech that generates invoices, packing slips, refund documents, pro forma invoices, and return forms for Shopify merchants. This Privacy Policy explains what data we access, how we use it, how we protect it, and your rights under applicable data protection laws including the EU General Data Protection Regulation (GDPR).
By installing and using the App, you agree to the collection and use of information in accordance with this policy.
2. Data Controller
The data controller responsible for your personal data is:
ErosTech
Email: info@erostech.de
Website: erostech.de
3. Legal Basis for Processing
We process your data based on the following legal grounds:
- Contract Performance (GDPR Art. 6(1)(b)): Processing is necessary to provide the invoice generation and email services you requested
- Legitimate Interest (GDPR Art. 6(1)(f)): For app analytics, fraud prevention, and service improvement
- Consent (GDPR Art. 6(1)(a)): For optional features like SFTP backup (you can withdraw consent anytime)
4. Data We Access from Shopify
The App accesses the following data from your Shopify store via the Shopify API:
- Order data: Order number, line items, prices, taxes, shipping costs, discounts, payment status
- Customer data: Name, email address, billing address, shipping address
- Shop data: Store name, myshopifyDomain, billing address, contact email
- Draft orders: Draft order details for generating pro forma invoices
- Product data: Product titles, SKUs, prices (only as part of order data)
This data is accessed in real-time when you generate a document and is not stored permanently by us. We only store minimal metadata (see section 5).
5. Data We Store
We store the following data in our Firebase (Google Cloud) database, keyed by your Shopify shop domain:
- App configuration: Logo URL, invoice template/theme, colors, font sizes, language preference
- Company information: Your company name, address, VAT number (as entered in settings)
- Email settings: Sender name, subject template, email body template, CC/BCC addresses, Reply-To address
- SFTP configuration: Host, port, username, remote path — password is stored encrypted
- Translation overrides: Custom text for invoice labels (if you customize translations)
- Export history: Order number, document type (invoice/packing slip/refund), filename, timestamp (for the last 90 days)
- Usage metrics: Invoice generation counter (for plan limit tracking), plan type (free/basic)
- Customer VAT/tax numbers: If manually entered by you for specific customers
- Invoice comments: Internal notes you add to invoices
- Tax override rules: Custom tax rate configurations
We do NOT store: Full order data, complete customer records, payment information, credit card details, or any sensitive financial data beyond what's necessary for document generation.
6. How We Use Your Data
We use the collected data for the following purposes:
- Generate PDF documents (invoices, packing slips, refunds, pro forma, return forms)
- Send invoice emails to your customers via Resend
- Upload documents to your SFTP server (if configured)
- Display export history and usage statistics
- Enforce plan limits (free vs. paid plan)
- Provide customer support
- Improve and debug the app
7. Email Sending via Resend
Invoice emails are sent via Resend (resend.com), a third-party email service provider. When you send an invoice email:
- The recipient email address comes from the Shopify order
- The email content is generated from your template with order data
- The PDF is attached to the email
- We log: order number, recipient email, subject line, send status (success/failed), timestamp
Resend processes email data according to their Privacy Policy. Email data is only stored temporarily for delivery purposes.
8. SFTP Upload (Optional)
If you configure SFTP backup (Basic Plan feature), your credentials (host, port, username, password) are stored encrypted in Firebase and used only to upload invoice PDFs to your own server. We do not share SFTP credentials with any third party. You can disable or delete SFTP configuration at any time in Settings.
9. Third-Party Services & Data Transfers
We use the following third-party services to operate the App:
- Firebase / Google Cloud (USA): Database and file storage. Data is stored in Google's data centers and may be transferred to the USA. Google is certified under the EU-US Data Privacy Framework. Firebase Privacy Policy
- Resend (USA): Transactional email delivery service. Resend Privacy Policy
- Shopify (Canada/USA): We access your store data via Shopify's API. Shopify Privacy Policy
- Render.com (USA): Hosting platform for the app infrastructure. Render Privacy Policy
International Data Transfers: Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We ensure appropriate safeguards are in place (such as Standard Contractual Clauses and adequacy decisions) to protect your data in accordance with GDPR requirements.
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data transmission uses TLS/SSL encryption (HTTPS)
- Firebase security rules restrict database access to authorized operations only
- SFTP passwords are encrypted before storage
- Access to production systems is restricted to authorized personnel only
- Regular security updates and monitoring
- No payment data is stored (handled by Shopify)
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
11. Data Retention & Automatic Deletion
Active Usage: Your data is retained as long as the app is installed and actively used.
Export History: Automatically deleted after 90 days.
App Uninstallation: When you uninstall the app from your Shopify store:
- We receive a webhook notification from Shopify
- Your app configuration and settings are retained for 30 days in case of accidental uninstallation
- After 30 days, all data is automatically and permanently deleted
12. Your Data Protection Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of Access (Art. 15): Request a copy of your data we store
- Right to Rectification (Art. 16): Correct inaccurate data (you can do this in Settings)
- Right to Erasure (Art. 17): Request deletion of your data (see section 13)
- Right to Restriction (Art. 18): Request limitation of processing
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent (Art. 7(3)): For consent-based processing (e.g., SFTP)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise any of these rights, contact us at info@erostech.de
13. Data Deletion Options
You can delete your data at any time using one of these methods:
- Via the app: Go to Settings → System → Reset Settings → Delete All My Data. This immediately and permanently removes all settings, history, and configuration for your shop.
- Via email: Contact info@erostech.de with your shop domain. We will delete your data within 48 hours and confirm deletion.
- Via Shopify GDPR webhooks: If a customer requests data deletion via Shopify's GDPR tools, we automatically process the request and delete relevant customer-specific data (VAT numbers, email history) within 48 hours.
- Automatic deletion: Uninstall the app — data is automatically deleted after 30 days.
14. Shopify GDPR Compliance
We comply with Shopify's GDPR requirements and handle the following mandatory webhooks:
- customers/data_request: We provide any customer data we store upon request
- customers/redact: We delete customer-specific data (VAT numbers, email logs) within 48 hours
- shop/redact: We delete all shop data within 48 hours when your Shopify store is closed/deleted
15. Cookies & Tracking
The App does not use cookies for tracking or analytics. We do not use Google Analytics, Facebook Pixel, or similar tracking technologies. The only cookies used are Shopify's authentication cookies required for the app to function within the Shopify Admin.
16. Children's Privacy
The App is intended for business use by Shopify merchants. We do not knowingly collect personal data from children under 16 years of age. If you believe we have inadvertently collected such data, please contact us to have it removed.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email (if we have your contact information)
- Display a notification within the app
Continued use of the App after changes constitutes acceptance of the updated policy.
18. Contact & Data Protection Officer
For questions about this Privacy Policy, data protection concerns, or to exercise your rights, contact us at:
ErosTech
Email: info@erostech.de
Website: erostech.de
EU Representative: If you are located in the EU and need to contact our EU representative regarding data protection matters, please use the email address above.
19. Supervisory Authority
If you are located in the European Economic Area and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
Language Note: This Privacy Policy is written in English. If there are any conflicts between the English version and translations, the English version shall prevail.