Facturely — Privacy Policy & Data Processing Terms
Last updated: 13 July 2026
Facturely provides tax-compliant invoicing for Shopify merchants. For customer personal data processed by the app, the merchant is the data controller and Facturely is a data processor acting on the merchant's instructions. This page constitutes our data processing terms.
What personal data we process, and why
We process the minimum data required to generate legally valid invoices:
| Data | Purpose | Legal basis (merchant's) |
|---|---|---|
| Buyer name, company, billing/shipping address | Mandatory invoice fields under EU VAT law | Legal obligation (Art. 6(1)(c) GDPR) |
| Buyer email | Delivering the invoice PDF to the customer | Legal obligation / contract |
| Buyer VAT ID | Reverse-charge determination; validated against the EU VIES service with stored consultation proof | Legal obligation |
| Order lines, amounts, taxes | Invoice content | Legal obligation |
We do not process phone numbers, payment credentials, or any data for marketing, analytics resale, or advertising. We never sell personal data.
Sub-processors
- Shopify — source platform (order webhooks)
- Fly.io (EU region, Frankfurt) — application and database hosting
- Resend — transactional email delivery of invoices
- EU Commission VIES — VAT ID validation (VAT number only)
Retention
Issued invoices and credit notes are retained for the statutory tax-retention period applicable to the merchant (up to 10 years, e.g. §147 AO in Germany) — this retention is itself a legal requirement and survives customer erasure requests (GDPR Art. 17(3)(b)). All other data is short-lived. On app uninstall, all shop data is permanently deleted when Shopify sends the shop/redact webhook (~48 hours after uninstall). Merchants should export their invoice archive before uninstalling.
GDPR requests
Shopify's mandatory compliance webhooks are implemented. Data-subject requests should be directed to the merchant (controller); we support the merchant in fulfilling them.
Security
TLS for all data in transit; encrypted volumes and encrypted backups at rest; access restricted to Shopify-authenticated merchant sessions; separated test and production environments. Report vulnerabilities to support@facturely.app with subject "SECURITY".