Last updated: 19 May 2026
1. Who we are
InvoiceFlow Pro is a Shopify application developed and operated by Specifek Ltd (Companies House No. 13059185), registered in Sidcup, London, United Kingdom. Specifek Ltd is the data controller for personal data collected directly through this website and the data processor for personal data accessed via Shopify on behalf of merchants using the application.
For any privacy-related enquiry contact info@specifek.co.uk.
2. Data we access
Merchant data (you, the Shopify store owner): shop domain, shop name, country, currency, plan name, billing email, the company and contact details you enter in Settings (legal name, address, VAT and EORI numbers, phone, email, website, bank details, social media links), the visual configuration of your invoice templates, and your subscription status.
End-customer data (your customers): for every paid order processed during your active subscription, we receive from Shopify the customer name, email address, phone number (if provided), billing and shipping address, the line items purchased, prices, tax breakdown, currency, order number, and any VAT identification number the customer supplied at checkout.
Operational data: webhook receipts and idempotency markers, application logs (including timestamps and error traces), email delivery status returned by our email provider, and audit records of GDPR data-subject requests we receive from Shopify.
3. Why we hold this data and on what legal basis
We process merchant data to provide the contracted service of generating, storing, and delivering invoices and credit notes (Article 6(1)(b) UK-GDPR — performance of a contract with you).
We process end-customer data only to produce, store, and re-deliver tax invoices and credit notes related to orders placed in your store (Article 6(1)(b) UK-GDPR on your behalf as the data controller, and Article 6(1)(c) where retention is required by HMRC, EU VAT, or other applicable tax law).
We retain a minimal audit log to demonstrate the lawful operation of the service and to comply with App Store compliance webhooks (Article 6(1)(c)).
4. Sub-processors
Shopify Inc. and its regional affiliates — the platform that hosts your store and through which we receive order data. Governed by Shopify's own privacy policy and Data Processing Addendum.
Resend (resend.com) — transactional email delivery, used only when you enable email delivery of invoices to your customers or send a test email. Resend is contractually bound by EU/UK standard contractual clauses where data leaves the UK.
Fly.io (fly.io) — application hosting in the London (lhr) region, keeping merchant data physically within the UK by default.
Cloudflare — for tunnel termination and TLS in development environments only. Production traffic terminates at Fly.io.
We do not sell, rent, or share personal data with any third party for marketing or any purpose other than running the service.
5. Retention and deletion
Active accounts: data is retained for as long as the application is installed on your store and your subscription is active.
Uninstall: when you remove InvoiceFlow Pro from your store, Shopify emits the standard `app/uninstalled` webhook and 48 hours later the `shop/redact` webhook. On receipt of `shop/redact` we permanently delete the Shop row and every related Setting, Order, Invoice, Template, Tax Profile, Email Log, and Session record we hold for your store.
Individual customer request: if one of your customers exercises their right to be forgotten, Shopify sends us the `customers/redact` webhook (typically 10 days after the request). We then anonymise the customer's personal data on every related Order, Invoice, and Email Log by replacing it with `[REDACTED]`, while preserving statutory invoice fields (numbers, totals, dates) for the duration required by UK/EU tax law (typically 6–10 years).
Data-subject access request: Shopify sends us `customers/data_request`. We log the request and make available, through the embedded admin, every invoice we hold that involves the requesting customer so you (the merchant and data controller) can fulfil the request.
6. International transfers
By default, your data is hosted in the United Kingdom. Where any sub-processor is located outside the UK or EEA (notably Resend in the United States), transfers are protected by UK International Data Transfer Agreements or EU Standard Contractual Clauses, plus the technical and organisational measures described below.
7. Security
All traffic to InvoiceFlow Pro is served over TLS. Data is stored on encrypted volumes. Access to production systems is restricted to named operators and protected by two-factor authentication. Application secrets are managed via environment variables and are never committed to source control. We follow the OWASP Top Ten guidance and conduct dependency scans before each release.
No system can be guaranteed absolutely secure. We commit to notifying you within 72 hours of becoming aware of a personal-data breach affecting your store, as required by UK-GDPR Article 33.
8. Cookies and tracking
InvoiceFlow Pro is an embedded Shopify application. We use only essential session cookies required by Shopify's App Bridge to authenticate the embedded frame. We do not deploy advertising, profiling, or third-party analytics cookies inside the application.
9. Your rights
If you are a Shopify merchant, you can access, correct, or delete merchant data directly within the application's Settings page, or by uninstalling the app (which triggers full deletion 48 hours later).
If you are a customer of a merchant using InvoiceFlow Pro, please direct access and erasure requests to that merchant — they are your data controller. They can fulfil your request through their Shopify admin, which propagates the deletion to InvoiceFlow Pro via the GDPR webhooks described in Section 5.
You always have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to merchants using the application and reflected in the 'Last updated' date above.
11. Contact
For any privacy enquiry — access requests, deletion requests, security questions — write to info@specifek.co.uk. We aim to respond within 5 working days and to fulfil verified data-subject requests within 30 days as required by UK-GDPR.
