GDPR & Data Processing

Last updated: July 3, 2026

This page explains how Smart Invoice supports merchants in meeting their obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar privacy laws. It complements our Privacy Policy.

Need a signed Data Processing Agreement (DPA)? Email info@smrtinvoice.com with your store domain and legal entity name, and we'll provide our current DPA for signature.

Controller and Processor Roles

Under GDPR, responsibilities depend on who decides why and how personal data is processed:

ContextOur roleYour role
Storefront customers' personal data shown on invoices (names, addresses, order details) Processor — we process it only to provide invoice and PDF features, on your instructions Controller — you decide what data appears and are responsible for your storefront privacy notices
Your merchant account, settings, and branding data Controller — we determine how we operate the app and your account Data subject / customer of the app

Data Subject Rights

GDPR gives individuals rights to access, rectify, erase, restrict, object to, and port their personal data, and to withdraw consent.

We support Shopify's mandatory data-subject webhooks automatically:

WebhookWhat we do
customers/data_requestIdentify any stored per-order invoice data for the requested orders and make it available to the merchant.
customers/redactDelete stored per-order invoice data for the specified orders.
shop/redactDelete shop-related data — templates, settings, and sessions — 48 hours after uninstall.

International Transfers

We and our infrastructure providers may process data outside the EEA and UK, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum) or an equivalent recognized mechanism.

Retention & Deletion

We retain personal data only as long as needed to provide the app or meet legal obligations. Uninstalling the app triggers Shopify's deletion webhooks, and we then remove your data as described above. See the retention section of our Privacy Policy for details.

Security Measures

No system is perfectly secure, but we work to protect personal data with measures appropriate to the risk. In the event of a personal-data breach, we will notify affected parties and regulators as required by law.

Contact & DPA Requests

For any data protection or privacy question, or to request a signed DPA, contact us at info@smrtinvoice.com.