GDPR Compliance Statement

SmartBill Invoice App for Shopify — Operated by CECO DIGITAL SOLUTIONS S.R.L. (Weinstall)

Last Updated: April 13, 2026

Overview

The SmartBill Invoice App is designed with privacy-by-design principles and complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This document describes our technical and organizational measures for data protection.

1. Data Controller

CECO DIGITAL SOLUTIONS S.R.L. — Email: privacy@weinstall.ro — Website: https://weinstall.ro — Country: Romania (EU Member State).

As a data processor acting on behalf of Shopify merchants (data controllers), we process personal data only as instructed by the merchant through their app configuration.

2. Lawful Basis for Processing

Invoice generation from order data: contract performance (Art. 6(1)(b)).

SmartBill API credential storage: contract performance.

Stock synchronization: contract performance.

Audit logging: legitimate interest (Art. 6(1)(f)).

AI chat support: legitimate interest.

Billing and usage tracking: contract performance.

3. Data Minimization

No customer PII stored: customer names, emails, addresses, and phone numbers are accessed on-demand from Shopify during invoice generation and sent directly to SmartBill. They are never persisted in our database.

Minimal order data: we store only order references (order ID, order number), invoice metadata (series, number, amount), and processing status.

No tracking: we do not use cookies, tracking pixels, or any client-side analytics.

4. Data Subject Rights

We honor all GDPR data subject rights globally.

Right of Access (Art. 15): we respond confirming no customer PII is stored.

Right to Erasure (Art. 17): we confirm no customer PII to delete.

Right to Rectification (Art. 16): no customer PII stored.

Right to Data Portability (Art. 20): available upon request.

Right to Object (Art. 21) and Right to Restriction (Art. 18): contact privacy@weinstall.ro.

Response time: within 30 days of receiving a valid request.

5. Shopify Compliance Webhooks

We implement all three mandatory Shopify GDPR webhooks: customers/data_request (returns confirmation that no customer PII is stored), customers/redact (acknowledges request, no customer PII to delete), and shop/redact (permanently deletes ALL shop data including settings, invoices, logs, sessions, mappings, and chat history).

All webhooks are verified via Shopify HMAC signature validation.

6. Technical Security Measures

Encryption: SmartBill API tokens are encrypted at rest with AES-256-GCM; all communications use TLS 1.2+ in transit.

Authentication: Shopify OAuth 2.0 for merchant authentication, HMAC signature verification for webhooks, bearer token authentication for SmartBill stock webhooks, session-based access control with shop-level data isolation.

Infrastructure: multi-tenant architecture with strict shop-level isolation, every database query filters by shop field, Kubernetes deployment with TLS ingress, encrypted database connections, regular automated backups.

7. Sub-Processors

SmartBill (Romania): invoice generation and stock management — order and customer data shared on-demand.

OpenAI (USA): AI chat assistant — chat messages shared, no customer PII.

Resend (USA): support escalation emails — chat transcript when merchant requests.

Shopify (Canada/Global): platform and data source — order metafields with invoice references.

8. Data Retention and Deletion

Successful invoices: indefinite (legal obligation).

Failed invoice records: 30 days.

Audit logs: 7 days to 3 years (plan-based).

Stock sync logs: 7 days to 3 years.

Chat conversations: until uninstall.

SmartBill credentials: until disconnect/uninstall.

A scheduled cleanup service runs daily and removes data exceeding retention periods.

When you uninstall the App, all data is permanently and irreversibly deleted within 48 hours.

9. Cross-Border Data Transfers

Our primary infrastructure is located in Europe. When data is transferred outside the EEA (specifically to OpenAI for AI chat processing), we rely on Standard Contractual Clauses (SCCs), OpenAI's commitment to GDPR-compliant processing, and data minimization (no customer PII sent to OpenAI).

10. Breach Notification

In the event of a personal data breach, we will notify affected merchants within 72 hours (GDPR Art. 33), provide details of the breach and remediation steps, cooperate with Shopify's breach notification procedures, and document all breaches in our internal register.

11. Contact

For GDPR-related inquiries: CECO DIGITAL SOLUTIONS S.R.L. — Email: privacy@weinstall.ro — Website: https://weinstall.ro

This compliance statement was last reviewed on April 13, 2026.