Privacy Policy — ElkSend e-Invoicing

Effective date: October 29, 2025

App developer / legal entity: Midori Virtuality OÜ (Estonian business registry code 14106558)

Registered address: Väike-Turu tn 5-36, Tartu, 51004, Estonia

Contact (privacy & support): andres@arraygator.com

Support page: https://arraygator.com/elksend/support/

This policy explains how we collect, use, disclose, and protect personal data when merchants install or use the ElkSend e-Invoicing Shopify app and when they contact us for support. Nothing here limits your rights under applicable law.


1) What ElkSend does

ElkSend helps Shopify merchants create and send Peppol BIS Billing 3.0 (BIS3) invoices (UBL 2.1). Documents are delivered over the Peppol eDelivery network via an Access Point (Maventa) using secure transport (Peppol AS4 profile).

2) Roles (Controller vs. Processor)

  • For invoice content and recipient details (your customers/suppliers), you (the merchant) are the controller and we act as your processor, processing only per your documented instructions to provide the app.
  • For our own operations (billing, security logs, accounting, abuse prevention), we act as an independent controller.

3) Scope

This policy applies to the ElkSend Shopify app, our API endpoints used by the app, and our support channels (email/ticketing). Your use of Shopify is also governed by Shopify’s own terms and privacy policy.

4) Data we collect

From Shopify APIs (after you approve scopes):

  • Store information (shop domain/ID, owner/admin contact).
  • Orders, customers, and products as needed to generate e-invoices (e.g., names, business names, VAT IDs, addresses, emails, phone numbers; line items, currency, amounts; purchase-order or reference numbers).
  • Scopes requested: read_orders, read_customers, read_products.
    We do not request read_all_orders.

From you directly (via the app UI or configuration):

  • Recipient addressing identifiers: buyer Peppol participant identifiers (scheme + value; e.g., GLN 0088, national/company or VAT schemes), and other recipient identifiers used in the network.
  • Tax identifiers: VAT numbers for buyer and seller.
  • Optional buyer identifiers such as GLN if used for addressing.
  • We do not collect invoice branding (BIS3 is XML; ElkSend doesn’t implement branding).
  • We do not accept attachments (no PDFs or embedded supporting documents via the app).
  • We do not collect bank account details at this time. If support for credit-transfer fields (e.g., IBAN/BIC) is added later, this policy will be updated.

Automatically: Technical/diagnostic information (IP address, device/browser, timestamps, application and server logs, error traces).

We do not collect special-category data via the app and we do not send marketing emails.

4A) Cookies & similar technologies

ElkSend is an embedded Shopify Admin app. We don’t use advertising or cross-site tracking technologies.

  • Authentication & security. We rely on Shopify session tokens and, where needed on our own domain, strictly-necessary first-party mechanisms (e.g., short-lived cookies for login/CSRF/rate-limiting).
  • Preferences stored in your browser. The app may save small UI/UX settings (e.g., layout, dismissed tips, last used filters) in your browser’s local storage. These values stay on your device, are only read by the ElkSend app, and are not used for profiling or cross-site tracking. You can clear them anytime in your browser or via the app’s “Reset preferences” control.
  • No third-party trackers. We do not set third-party advertising cookies, pixels, or similar identifiers.
  • Changes. If we later enable optional analytics, we’ll update this section and provide in-app controls (and consent where required).

5) How we use data (purposes)

  • Provide core functionality: create/validate BIS3 invoices and credit notes; prefill invoice fields from Shopify data; route via the Access Point.
  • Operate, secure, and troubleshoot the service (authentication, logging, fraud/abuse prevention, availability monitoring, backups).
  • Provide support and service notices.
  • Fulfil legal obligations (e.g., accounting and fraud prevention).

6) Legal bases (GDPR/UK GDPR)

Depending on context: Contract (to provide the app); Legitimate interests (security, debugging, reliability, proportionate to privacy impact); and Legal obligation (records we must keep). Where we rely on consent (e.g., optional AI features), you may withdraw at any time.

7) PEPPOL processing & Access Point

We transmit documents via the Peppol network using Maventa (Visma) as our Access Point service provider. Typical BIS3 invoice fields can include business names, addresses, email, VAT numbers, product/service details, totals/currency, and references such as PO numbers. Only fields you enter or authorize via the app are sent.

8) Sharing & recipients

We share personal data only as needed to run the app:

  • Infrastructure: Amazon Web Services (AWS) — primary region eu-north-1 (Stockholm) — hosting, databases, backups/logs.
  • Peppol Access Point: Maventa (Visma) — e-document transmission/delivery.
  • Email/support: Zoho Mail and Microsoft 365 — business/support email only.
  • (Optional) OpenAI API — only if you enable upcoming AI features (see §12A).

A current list of processors appears in the Appendix of this same page.

9) International transfers

We aim to process data in the EEA (AWS Stockholm; Nordic/EU operations for our Access Point). Some providers (e.g., Microsoft/Zoho/OpenAI if enabled) may process outside your country. Where transfers occur, we implement appropriate safeguards (e.g., Standard Contractual Clauses) and vendor due-diligence.

10) Security

We apply administrative, technical, and physical controls appropriate to the risk, including TLS in transit, role-based access and least privilege, audit logging, and vulnerability management.

Storage encryption (self-managed PostgreSQL on EC2): we use encrypted EBS volumes and snapshots (AWS KMS, typically AES-256) for databases and disks that hold app data; backups/exports to S3 are stored with bucket-level default encryption (SSE). We also use secrets management and periodic patching.
(If our environment changes, we’ll update this section to stay accurate.)

11) Data retention & deletion

We follow data minimization with merchant control:

  • Invoice payloads (actual BIS3 XML):
    • Default: deleted 30 days after successful transmission/delivery or the last send attempt (whichever is later).
    • Merchant-controlled archive (optional): You may opt-in to keep invoice payloads longer if you want ElkSend to serve as invoice storage.
    • Note: Accounting law can require you (as controller) to preserve accounting source documents for several years; ElkSend doesn’t have to be your system of record—use the archive only if it fits your policy.
  • Delivery metadata (minimal): document ID, timestamps, sender/recipient identifiers, status codes, and Access-Point envelope/transaction IDs — retained 12 months for support and abuse diagnostics, then deleted or anonymized.
  • Application/server logs: retained 90 days (security/debug).
  • Backups: database snapshots taken daily and retained ≥30 days rolling.
  • Upon uninstall: after Shopify sends the shop/redact webhook (typically ~48 hours post-uninstall), we queue deletion/anonymization of store-linked data within 30 days, unless retention is legally required. We also respond to customers/data_request and customers/redact within 30 days.

12) Your privacy rights

Depending on your location, you (or your customers, via you) may request access, correction, deletion, portability, or restriction/objection. When we act as processor, we’ll assist you in responding to data-subject requests.

12A) Optional AI features (OpenAI) — OFF by default

If you enable an AI feature in ElkSend, we use AI only for decision-support, for example:

  • Classifying or flagging potentially ambiguous cases for manual review (e.g., tax-exempt edge cases or missing context).
  • Suggesting configuration options or prefilling certain fields that the store owner must confirm (e.g., tax treatment options).

What we send: minimal, structured inputs (e.g., country/jurisdiction codes, order totals, product tax category, delivery country, flags) needed for the suggestion. We do not send entire invoices, free-text line descriptions, or personal data unless you explicitly include such fields.

Provider & retention: If enabled, we use OpenAI’s API; they may retain inputs/outputs up to ~30 days for abuse monitoring. OpenAI states API data isn’t used to train models by default. If zero-data-retention endpoints become available and suitable, we’ll document that in-app.

Your control: features are off unless you turn them on. Outputs are recommendations only; you decide whether to accept them (no solely automated decisions with legal effects).

13) Children

The app is for business use and not directed to children under 16.

14) Data Protection Officer / Representatives

A formal DPO is not required for our current processing activities. We provide a privacy contact:
Privacy contact: Andres Traumann, andres@arraygator.com
(EU Art. 27 representative: not applicable, as we are established in the EU.)

15) Changes

We may update this policy from time to time. We’ll post updates at https://arraygator.com/elksend/support/ and adjust the Effective date. Material changes will be communicated in-app or by email.


Appendix — Subprocessors (current)

Each entry lists: Processor; Purpose; Data categories; Primary location.

  • Amazon Web Services (AWS)
    Purpose: Hosting (EC2/EBS/S3), databases, backups, logs
    Data categories: App data stored/processed by ElkSend
    Primary location: EU (eu-north-1, Stockholm)
  • Maventa (Visma)
    Purpose: Peppol Access Point
    Data categories: Invoice payloads incl. business contact details, identifiers, invoice lines/totals
    Primary location: EU/Nordics
  • Zoho Mail
    Purpose: Business/support email
    Data categories: Contact info & message content you send us
    Primary location: Global regions per account
  • Microsoft 365
    Purpose: Business/support email
    Data categories: Contact info & message content you send us
    Primary location: Global regions per tenant
  • OpenAI (optional)
    Purpose: AI assistance (only if explicitly enabled)
    Data categories: Structured prompts for classification/recommendation; outputs
    Primary location: Global API; short-term log retention