GDPR Compliance Statement

SmartBill Invoice App for Shopify — CECO DIGITAL SOLUTIONS S.R.L. — Last updated: April 13, 2026

Operated by: Hombeeinternational SRL (Facturify)
Last Updated: April 13, 2026


Overview

The SmartBill Invoice App is designed in accordance with privacy-by-design and privacy-by-default principles and complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This document explains how we process and protect personal data when providing our services to Shopify merchants.


1. Roles and Responsibilities

Hombeeinternational SRL
Email: privacy@facturify.ro
Website: https://facturify.ro
Country: Romania (EU Member State)

For the purposes of GDPR:

  • Shopify merchants act as Data Controllers
  • We act as a Data Processor, processing data strictly on behalf of merchants

We process personal data only in accordance with the instructions provided by the merchant through the app configuration and usage.


2. Lawful Basis for Processing

We process data based on the following lawful grounds under GDPR:

  • Contract Performance (Art. 6(1)(b)) – for invoice generation, billing, and app functionality
  • Legitimate Interest (Art. 6(1)(f)) – for service security, audit logging, and support

3. Data Minimization

We strictly apply data minimization principles:

  • No persistent storage of customer personal data: customer names, emails, addresses, and phone numbers are accessed only when needed for invoice generation and transmitted directly to SmartBill.
  • Minimal operational data stored: we store only order identifiers, invoice metadata, and processing status.
  • No tracking technologies: we do not use cookies, tracking pixels, or analytics on storefronts or end users.

4. Data Subject Rights

We support all GDPR data subject rights globally, regardless of user location:

  • Right of Access (Art. 15)
  • Right to Erasure (Art. 17)
  • Right to Rectification (Art. 16)
  • Right to Data Portability (Art. 20)
  • Right to Object (Art. 21)
  • Right to Restriction (Art. 18)

Requests are handled either via Shopify GDPR webhooks or directly via email at privacy@facturify.ro.

Response time: within 30 days of receiving a valid request.


5. Shopify GDPR Compliance

We implement all required Shopify GDPR webhooks:

  • customers/data_request – we confirm that no customer personal data is stored
  • customers/redact – we confirm no personal data is retained
  • shop/redact – we permanently delete all merchant-related data

All webhook requests are verified using secure signature validation.


6. Security Measures

We implement appropriate technical and organizational measures to ensure data protection, including:

  • Encryption of sensitive credentials
  • Secure transmission of data using HTTPS
  • Access controls and authentication mechanisms
  • Logical separation of merchant data
  • Regular review of security practices

7. Sub-Processors

We rely on trusted third-party providers to deliver our services:

  • SmartBill – invoice generation and financial processing
  • Shopify – platform and data source
  • OpenAI – AI-powered support features (no customer personal data shared)
  • Resend – support-related email communication (only when initiated by merchant)

Each provider operates under its own data processing agreements and applicable safeguards.


8. Data Retention

We retain data only as long as necessary for service operation and legal obligations:

  • Invoice-related data – retained as required by accounting regulations
  • Operational logs – retained for a limited period for debugging and monitoring
  • Chat data – retained until app uninstall or deletion request

Data is automatically deleted once it is no longer required.


9. Data Deletion

When a merchant uninstalls the app, all associated data is permanently deleted following Shopify's shop/redact process.

This includes configuration data, logs, and any stored operational data.


10. International Data Transfers

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)
  • Data minimization practices

11. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify affected merchants without undue delay
  • Provide relevant details and mitigation steps
  • Comply with GDPR notification requirements (including the 72-hour rule where applicable)

12. Contact

For any privacy or GDPR-related inquiries:

Hombeeinternational SRL
Email: privacy@facturify.ro
Website: https://facturify.ro


This document is reviewed periodically and updated when necessary.