InvoNorm Privacy Policy

Version 1.0-draft · A German translation is available on request (hello@invonorm.com); the English version is authoritative.

Status: pre-launch draft. This policy takes effect with the public launch of the InvoNorm app on the Shopify App Store (planned: September 2026); the effective date will be inserted at launch.

Controller/Processor: Fengjing (Shenzhen) Trading Co., Ltd., Rm 902, Block B, Haijing Court, Haojing Garden, No. 2 Shazui Rd, Futian District, Shenzhen, China · hello@invonorm.com

For merchant account data (your company details, login, billing) we act as controller. For personal data contained in your orders (your customers' names, addresses, order details) we act as processor on your behalf under our Data Processing Agreement.

1. What we process and why

DataPurposeLegal basis
Merchant company data (name, address, VAT ID, IBAN, contact)Appears on invoices; account management; billingContract performance (Art. 6(1)(b) GDPR)
Order data incl. customer name, billing/shipping address, email, line items, taxesGenerating legally required invoices; archiving; deliveryContract performance; legal obligation of the merchant (Art. 6(1)(c))
Technical logs (IP, timestamps, app events)Security, abuse prevention, debuggingLegitimate interest (Art. 6(1)(f))

We do not sell personal data, use it for advertising, or process payment card data (payments are handled by Shopify).

2. Where data is stored

All invoice data and archives are stored exclusively on servers in the European Union. Backups are encrypted (AES-256 at rest, TLS 1.2+ in transit).

3. International access (important notice)

Our support team operates from China. Support access to personal data is: (a) disabled by default — personal data in our support tools is masked; (b) only unmasked for a specific ticket with your consent, logged and time-limited. Such access constitutes a third-country transfer safeguarded by the EU Standard Contractual Clauses (Module 2) incorporated in our DPA, together with the technical measures above.

4. Subprocessors

SubprocessorRoleLocation
EU hosting provider (to be announced before launch)Hosting & storageEU
Cloudflare, Inc.DNS, CDN, email routingEU/Global
Shopify International Ltd.Platform, billingEU/Global
Peppol access point partner (when enabled)E-invoice transmissionEU

We will update this list and notify merchants of changes via the app.

5. Retention

Invoice archives: for the statutory retention period of the respective country (e.g. 8 years for German invoices, 10 years for French) or until you delete them, whichever you configure. Upon app uninstallation we honour Shopify's GDPR webhooks: shop data is deleted within 48 hours of the redaction request issued by Shopify, except where continued storage was explicitly agreed for archive export (max. 60 days). Technical logs: max. 90 days.

6. Your rights (and your customers' rights)

Under GDPR: access, rectification, erasure, restriction, portability, objection, and complaint to a supervisory authority. Customer requests should be directed to the merchant (controller); we support merchants in fulfilling them within the timelines of Art. 28 GDPR.

7. Contact

Privacy inquiries: hello@invonorm.com (subject "Privacy"). We respond within 30 days.