GDPR & Data Processing
This page explains how Smart Invoice supports merchants in meeting their obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar privacy laws. It complements our Privacy Policy.
Controller and Processor Roles
Under GDPR, responsibilities depend on who decides why and how personal data is processed:
| Context | Our role | Your role |
|---|---|---|
| Storefront customers' personal data shown on invoices (names, addresses, order details) | Processor — we process it only to provide invoice and PDF features, on your instructions | Controller — you decide what data appears and are responsible for your storefront privacy notices |
| Your merchant account, settings, and branding data | Controller — we determine how we operate the app and your account | Data subject / customer of the app |
Data Subject Rights
GDPR gives individuals rights to access, rectify, erase, restrict, object to, and port their personal data, and to withdraw consent.
- If you are a storefront customer of a Shopify store, please contact that store (the controller). The merchant can action your request, and Smart Invoice will assist them through Shopify's compliance webhooks.
- If you are a merchant, contact us at info@smrtinvoice.com to exercise your rights over your account data.
We support Shopify's mandatory data-subject webhooks automatically:
| Webhook | What we do |
|---|---|
customers/data_request | Identify any stored per-order invoice data for the requested orders and make it available to the merchant. |
customers/redact | Delete stored per-order invoice data for the specified orders. |
shop/redact | Delete shop-related data — templates, settings, and sessions — 48 hours after uninstall. |
International Transfers
We and our infrastructure providers may process data outside the EEA and UK, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum) or an equivalent recognized mechanism.
Retention & Deletion
We retain personal data only as long as needed to provide the app or meet legal obligations. Uninstalling the app triggers Shopify's deletion webhooks, and we then remove your data as described above. See the retention section of our Privacy Policy for details.
Security Measures
- Encryption in transit (HTTPS/TLS).
- Access controls and least-privilege on production systems.
- Data minimization — we avoid storing customer data we don't need.
- Vendor due diligence for any service providers.
No system is perfectly secure, but we work to protect personal data with measures appropriate to the risk. In the event of a personal-data breach, we will notify affected parties and regulators as required by law.
Contact & DPA Requests
For any data protection or privacy question, or to request a signed DPA, contact us at info@smrtinvoice.com.