Privacy Policy

Last updated: April 9, 2026

1. Purpose and Scope

1.1 Purpose

This Privacy Policy provides transparent information to Merchants and data subjects about how the Provider processes personal data while operating the SyncParadise Shopify app (the "App"), in accordance with Regulation (EU) 2016/679 (GDPR) and Hungarian Act CXII of 2011 on the right to informational self-determination and freedom of information.

1.2 Scope

This Policy applies to:

  • Merchants who install and use the App (Shopify store operators);
  • Customers who place orders in the Merchant's Shopify store (whose data is processed during synchronization);
  • visitors to the syncparadise.com website;
  • persons who contact the Provider.

1.3 Controller

The data controller under this Policy is:

1.4 Controller / Processor Relationships

  • Merchant → Customer: the Merchant is the controller of their Customers' personal data (within the meaning of the GDPR).
  • Provider → Merchant: with respect to the Merchant's own account and billing data, the Provider acts as controller.
  • Provider → Customer: with respect to Customers' personal data, the Provider acts as processor (Article 28 GDPR), since it processes Customer data for synchronization purposes on the Merchant's documented instructions (the Merchant's in-app configuration).
  • Invoicing Providers: Billingo, Számlázz.hu and any future integrated invoicing providers are independent controllers for the data stored in their own systems, and simultaneously processors for the invoicing service they provide to the Merchant.

2. Data Processing Principles

The Provider complies with the principles set out in Article 5 GDPR:

  • Lawfulness, fairness and transparency: processing is based on a legal basis, for the purposes described in this Policy and with prior notice to data subjects.
  • Purpose limitation: data is processed only for synchronization, service delivery and compliance with legal obligations.
  • Data minimisation: only data strictly required for synchronization and service delivery is processed. The backend does not store detailed order data — only Invoicing Provider partner and document IDs and synchronization status.
  • Accuracy: data accuracy is based on what is recorded in Shopify and the Invoicing Providers' systems; the Provider does not alter data during synchronization.
  • Storage limitation: data is retained only for the duration of the service relationship and any statutory retention period.
  • Integrity and confidentiality: the Provider applies appropriate technical and organizational measures.
  • Accountability: the Provider is able to demonstrate the lawfulness of processing.

3. Categories of Processing

3.1 Merchant registration and account management

  • Data processed: Merchant name, email address, Shopify store name and URL, Shopify account ID, billing data, Invoicing Provider API keys (Billingo API V3 key, Számlázz.hu Agent key), configuration settings.
  • Purpose: operating the App, identifying the Merchant, establishing and maintaining connections to Invoicing Providers, billing.
  • Legal basis: Article 6(1)(b) GDPR — performance of a contract.
  • Retention: for the duration of the service relationship, then deletion within 30 days of termination, except for data subject to statutory retention (typically 8 years under Hungarian accounting law).

3.2 Customer data processing (synchronization)

  • Data processed: Customer name (company or natural person), email, phone (if available), billing and shipping address (country, postal code, city, street), tax number (if provided), company registration number (if provided), order ID, line items (product name, quantity, unit price, VAT rate), totals (gross, tax amount, currency), payment method, discounts.
  • Purpose: creating and updating invoices / draft invoices in the selected Invoicing Providers' systems based on Shopify orders; partner synchronization.
  • Legal basis: Article 6(1)(b) GDPR (performance of a contract); Article 6(1)(f) GDPR (legitimate interest — fulfilling invoicing obligations); Article 6(1)(c) GDPR (legal obligation under Hungarian VAT, accounting and tax laws).
  • Data transfer: to Billingo via Billingo API V3 (partner create/update, document create/update); to Számlázz.hu via the Számlázz.hu Agent API (invoice creation, customer management); to future Invoicing Providers via their respective APIs, with a corresponding update to this Policy.
  • Backend storage: the backend does not store detailed order data. It only stores Invoicing Provider partner IDs (e.g. Billingo partner ID, Számlázz.hu partner ID), Invoicing Provider document IDs, Shopify order IDs, synchronization status, partner email, name, address, tax number, and company registration number.
  • Retention: for the duration of the service relationship, then deletion within 30 days of termination. Retention of data stored in the Invoicing Providers' systems is governed by their own privacy policy and statutory requirements.

3.3 Synchronization log data

  • Data processed: sync event ID, operation type (create, update), related Shopify order ID, related Invoicing Provider document ID, status (success, failed, manual_review_needed, pending_retry), error message (if any), timestamp.
  • Purpose: monitoring synchronization, troubleshooting, informing the Merchant about sync state.
  • Legal basis: Article 6(1)(b) GDPR (performance of a contract); Article 6(1)(f) GDPR (legitimate interest in service quality).
  • Retention: 90 (ninety) days, then automatic deletion, unless a legal retention obligation applies.

3.4 Website visitor data (syncparadise.com)

  • Data processed: IP address (anonymized), browser type and version, operating system, referring URL, pages viewed, visit time and duration, cookie identifiers.
  • Purpose: operating the website, visit statistics, improving user experience.
  • Legal basis: Article 6(1)(a) GDPR (consent for marketing and analytics cookies); Article 6(1)(f) GDPR (legitimate interest for strictly necessary cookies).
  • Retention: depends on the cookie type (see section 7).

3.5 Contact and customer support

  • Data processed: name, email address, content of the message, attached files (if any), timestamp.
  • Purpose: answering inquiries and providing support.
  • Legal basis: Article 6(1)(b) GDPR (for existing Merchants) or Article 6(1)(f) GDPR (for prospects).
  • Retention: 1 (one) year after closure of the inquiry, then deletion.

4. Data Transfers

4.1 Transfers to Invoicing Providers

Based on the Merchant's configuration and instructions, the App transfers Customer order and invoicing data to the following Invoicing Providers:

Provider | Operator | API | Data transferred
Billingo | Billingo Technologies Zrt. | Billingo API V3 | Partner data (name, address, email, tax number, company registration number), document data (line items, totals, payment method, dates, notes)
Számlázz.hu | KBOSS.hu Kft. | Számlázz.hu Agent API | Customer data (name, address, email, tax number), invoice data (line items, totals, payment method, dates, notes)
Future integrations | Respective operator | Respective API | Detailed in a future amendment to this Policy

4.2 Transfers to Shopify

The App runs on the Shopify platform and accesses order data via the Shopify API. Shopify's handling of this data is governed by Shopify's Privacy Policy.

4.3 International Transfers

The Invoicing Providers (Billingo, Számlázz.hu) are based in Hungary; their systems operate within the European Economic Area (EEA). Shopify's server infrastructure, per Shopify's privacy policy, may operate across several geographic regions; Shopify's own safeguards apply. If a non-EEA Invoicing Provider is integrated in the future, the Provider will ensure GDPR Chapter V safeguards (such as Standard Contractual Clauses) and update this Policy accordingly.

4.4 Other transfers

The Provider transfers personal data to other third parties only:

  • to comply with a legal obligation (e.g. authority request);
  • with the Merchant's express consent;
  • to enforce the Provider's legitimate interests (e.g. legal claims).

5. Data Security

5.1 Technical Measures

  • Communication between the App and Invoicing Providers is exclusively over encrypted channels (HTTPS/TLS).
  • Merchant API keys are stored encrypted.
  • Shopify webhooks are verified via HMAC signature; payloads with an invalid signature are not processed.
  • Access control: Merchant data is accessible only within that Merchant's Workspace; cross-Merchant access is not possible.
  • Regular backups and logging.

5.2 Organizational Measures

  • Staff may access personal data only to the extent necessary to perform their duties.
  • Staff are bound by confidentiality obligations.
  • Regular review of the adequacy of security measures.

5.3 Data Breach Handling

In the event of a personal data breach, the Provider acts in accordance with Articles 33 and 34 GDPR:

  • notifies the supervisory authority (NAIH) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (where it is likely to result in a risk to data subjects' rights and freedoms);
  • notifies affected data subjects without undue delay where the breach is likely to result in a high risk.

6. Data Retention and Deletion

6.1 General Rule

Data is retained until the purpose of processing is fulfilled or until the statutory retention period expires.

6.2 Uninstallation

  • Configuration data, API keys and synchronization logs associated with the Merchant's Workspace are permanently deleted within 30 days of uninstallation.
  • Partners and documents previously created in the Invoicing Providers' systems are not deleted — they remain under the Merchant's own control in those systems.

6.3 Statutory Retention

Data subject to retention under Hungarian accounting and tax legislation is retained until expiry of the statutory period (typically 8 years) and then deleted.

7. Cookie Policy

7.1 Cookies Used

The syncparadise.com website may use the following cookie categories:

Type | Purpose | Legal basis | Duration
Strictly necessary | Core website functions (session, security) | Art. 6(1)(f) — legitimate interest | Session / up to 1 year
Functional | User preferences (language, display) | Art. 6(1)(a) — consent | Up to 1 year
Analytics | Visit statistics (e.g. Google Analytics with IP anonymization) | Art. 6(1)(a) — consent | Up to 2 years
Marketing | Targeted advertising (if used) | Art. 6(1)(a) — consent | Up to 2 years

7.2 Cookie Consent

On first visit, a cookie consent banner is displayed where the visitor can fine-tune which categories to accept. Consent can be withdrawn at any time via the website's cookie settings.

8. Data Subject Rights

Under Chapter III of the GDPR, data subjects (Merchants and Customers) may exercise the following rights:

8.1 Right of access (Art. 15)

You may request confirmation of whether your personal data is processed and obtain access to it and to the processing details.

8.2 Right to rectification (Art. 16)

You may request rectification of inaccurate data or completion of incomplete data.

8.3 Right to erasure — "right to be forgotten" (Art. 17)

You may request erasure when:

  • the purpose of processing has ended;
  • consent has been withdrawn and there is no other legal basis;
  • you object and there is no overriding legitimate ground;
  • processing is unlawful;
  • erasure is required by a legal obligation.

8.4 Right to restriction of processing (Art. 18)

You may request restriction when:

  • you contest the accuracy of the data;
  • processing is unlawful but you prefer restriction over erasure;
  • the controller no longer needs the data, but you need it for legal claims;
  • you have objected to processing (pending assessment).

8.5 Right to data portability (Art. 20)

You may receive the personal data you provided in a structured, commonly used, machine-readable format and transmit it to another controller.

8.6 Right to object (Art. 21)

You may object to processing based on legitimate interest. Processing may continue only if the controller demonstrates compelling legitimate grounds.

8.7 Withdrawal of consent

Where processing is based on consent, you may withdraw it at any time without giving reasons. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

8.8 How to exercise your rights

Send your request to support@syncparadise.com or via the syncparadise.com/support form. The Provider responds without undue delay and in any case within 1 (one) month. If necessary, this period may be extended by a further 2 (two) months, with notice to the data subject.

8.9 Note for Customers

The primary controller of Customer personal data is the Merchant (the Shopify store operator). As processor, the Provider forwards Customers' data-subject requests to the Merchant and cooperates in enabling the exercise of rights. Customers are encouraged to contact the Shopify store where they placed the order in the first instance.

9. Sub-Processors

The Provider uses the following sub-processors:

Processor | Purpose | Data processed | Location
Shopify Inc. | Platform service, webhook delivery, app hosting | Order data, Merchant account data | Canada (outside EEA — safeguards provided by Shopify)
Billingo Technologies Zrt. | Invoicing (partner and document management) | Customer name, address, email, tax number, line items, totals | Hungary (EEA)
KBOSS.hu Kft. (Számlázz.hu) | Invoicing (invoice creation, customer management) | Customer name, address, email, tax number, line items, totals | Hungary (EEA)
Hosting provider | Operating the App's servers | All data passing through / stored on the servers | EEA

Future Invoicing Providers will be added through an update to this Policy and the sub-processor list.

10. Data Processing Agreement (Article 28 GDPR)

With respect to the processing of Customers' personal data for synchronization purposes, the Provider acts as processor towards the Merchant. A Data Processing Agreement under Article 28(3) GDPR is concluded between the parties upon acceptance of this Policy.

The Provider, as processor, undertakes to:

  • Process personal data only on the Merchant's documented instructions (i.e. the configuration set in the App).
  • Ensure that authorized staff are under a confidentiality obligation.
  • Apply technical and organizational measures meeting Article 32 GDPR.
  • Not engage further processors without the Merchant's prior written authorization (except those listed in this Policy, which the Merchant authorizes by accepting it).
  • Assist the Merchant in responding to data-subject requests.
  • Upon termination (App uninstallation), delete personal data in accordance with section 6.2.
  • Make available information necessary to demonstrate compliance and allow for audits.

11. Profiling and Automated Decision-Making

The App does not perform profiling and does not make automated decisions that produce legal or similarly significant effects on data subjects. The App's activity is limited to transferring Shopify order data and preparing documents in the Invoicing Providers' systems.

12. Children's Data

The App does not knowingly collect personal data of persons under 16. The App's target audience is Shopify store operators (B2B service). If the Provider becomes aware that it is processing data of a person under 16, it will delete that data without delay.

13. Remedies

13.1 Complaint to the Provider

Contact support@syncparadise.com or use the form at syncparadise.com/support.

13.2 Supervisory Authority

You may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):

13.3 Judicial Remedy

You may also seek judicial remedy before the court competent for your place of residence or stay.

14. Changes to This Policy

The Provider may unilaterally amend this Policy — in particular in case of legal changes, authority requirements, the integration of a new Invoicing Provider, or new App functionality.

The Merchant is notified in the App admin interface and/or by email at least 15 (fifteen) calendar days before the amendment takes effect.

Continued use of the App after the amendment constitutes acceptance of the updated Policy.

15. Contact

For privacy questions or to exercise your rights:

Annex A — Billingo Integration Specifics

The App communicates with Billingo via Billingo API V3. Endpoints used:

  • GET /partners — find partner by email
  • POST /partners — create new partner
  • POST /documents — create draft invoice
  • GET /documents/{id} — retrieve document status
  • PUT /documents/{id} — update draft document

Partner data transferred to Billingo: name, address (country, postal code, city, street), email, tax number (if available), company registration number (if available), phone (if available). Document data transferred: partner ID, block ID, bank account ID, line items (product, quantity, unit price, VAT rate), totals, currency, payment method, fulfillment date, due date, notes.

Documents are created in Billingo as drafts; finalization is the Merchant's responsibility in Billingo. The backend only stores the billingo_partner_id and billingo_document_id, plus basic partner data (email, name, address, tax number, company registration number).

The Merchant must hold a valid Billingo subscription and API key. Billingo's own terms and privacy policy are available at billingo.hu/aszf and billingo.hu/adatvedelem.

Annex B — Számlázz.hu Integration Specifics

The App communicates with Számlázz.hu via the Számlázz.hu Agent API. Functions used:

  • Invoice creation (xmlszamla) — create invoice or proforma
  • Invoice cancellation / modification — cancel or amend invoices (if configured)
  • Customer management — set customer data on the invoice

Customer data transferred: name, address (country, postal code, city, street), email, tax number (if available). Invoice data transferred: customer data, line items (product, quantity, unit price, VAT rate), totals, currency, payment method, fulfillment date, due date, notes.

Depending on Merchant configuration, invoices may be created as drafts or finalized. The backend only stores Számlázz.hu internal identifiers (invoice ID, customer ID where available) and sync status.

The Merchant must hold a valid Számlázz.hu account and Agent key. Számlázz.hu's own terms and privacy policy are available at szamlazz.hu/aszf and szamlazz.hu/adatvedelem.

Annex C — Future Integrations

Each new integration triggers:

  • an addition to these annexes covering the new Invoicing Provider;
  • an update to the sub-processor list (section 9) and the data transfer table (section 4.1);
  • advance notice to Merchants as described in section 14;
  • access for active subscribers at no additional cost, unless an amendment states otherwise.