This Privacy Policy explains how Addora B.V. ("Addora", "we", "us", "our") collects, uses, shares, and protects personal data when you visit addora.app (the "Site") or install and use the Addora buy now, ship later and order consolidation app for Shopify (the "App", and together with the Site, the "Service"). It also explains the rights you have over your personal data under the EU General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG).
1. Who we are and our role
The Service is provided by Addora B.V., a private limited company established in The Hague, the Netherlands. You can reach us about privacy at [email protected]. Our VAT identification number (BTW-ID) is NL869366683B01.
Our responsibility depends on whose data is involved:
- We are the data controller for personal data we collect for our own purposes: your merchant account and store details, your contact details, billing and usage records, support messages, Site visitor data, and product-usage analytics about how the App is used.
- We act as a data processor for the personal data of a merchant's shoppers that we process in order to deliver the App (for example, order and customer details used to hold, consolidate, and ship orders, and to send notifications the merchant has enabled). For that data the merchant is the controller and we process it on the merchant's documented instructions.
Merchants can enter into a Data Processing Agreement (DPA) with us that governs this processing. Contact us to request one.
2. The personal data we process
Data from Site visitors
- Details you submit through our contact form or by email, such as your name, email address, store URL, and message.
- Limited, privacy-friendly analytics and server logs, such as pages viewed, referrer, approximate region, and technical data needed to keep the Site secure.
Data from merchants who install the App
- Store identity and account data received from Shopify when you install, such as your store name, myshopify domain, contact email, plan, locale, and the access scopes you grant.
- Configuration you create in the App, such as shipping rules, lifecycle labels, and customer-facing messaging.
- Subscription and usage data, such as your plan, Ship Later order counts, and billing status. Payments are processed by Shopify Billing; we never receive or store your payment card details.
- Support communications and diagnostic logs (audit logs and webhook event records) used to operate and troubleshoot the Service.
Shopper data we process on the merchant's behalf
To deliver buy now, ship later and order consolidation, the App processes order data from the merchant's Shopify store. This can include order contents and status, shipping and billing addresses, and the customer name, email address, phone number, and customer identifier needed to hold orders, combine shipments, collect shipping, and provide order tracking. Where the merchant enables them, we send hold-notification and order-update emails to shoppers and keep limited email deliverability records (unsubscribe and suppression entries) so we can honor opt-outs.
This shopper data is "protected customer data" under Shopify's requirements. We apply data minimization and process only the data the App needs to function.
3. Why we process personal data, and our legal bases
Under the GDPR we rely on the following legal bases for each purpose:
- Providing and operating the App (holding orders, consolidating shipments, calculating shipping, fulfillment, tracking): performance of our contract with the merchant, and, for shopper data, processing on the merchant's instructions.
- Account setup, billing, and usage metering: performance of a contract and compliance with legal obligations (such as accounting and tax rules).
- Sending notifications and reminders the merchant has enabled: the merchant's instruction, supported by legitimate interests or consent as applicable.
- Support, security, fraud and abuse prevention, and debugging: our legitimate interests in providing a safe, reliable Service.
- Product analytics and improvement: our legitimate interests in understanding and improving the App. We sanitize known personal data from analytics and error events.
- The Site and marketing communications: consent (for non-essential cookies and marketing email) and our legitimate interests.
- Complying with the law: compliance with a legal obligation.
Where we rely on legitimate interests, you can ask us about our balancing assessment, and you can object as described below.
4. Cookies and analytics
The Site uses cookies that are strictly necessary for it to work and privacy-friendly analytics to understand how the Site is used. We ask for your consent before setting any non-essential cookies, and you can manage cookies through your browser settings. The App itself uses cookies and tokens that are necessary for authentication and core functionality.
5. Who we share data with
We do not sell personal data. We share data only with service providers (sub-processors) that help us run the Service under contractual data-protection terms, and only as needed:
- Shopify, which provides the platform, authentication, and billing, and is the source and destination of store and order data. Shopify's own processing is governed by Shopify's privacy policy and data processing addendum.
- Mailgun (Sinch), which delivers transactional and customer-notification emails. We use its European infrastructure.
- PostHog, which provides product analytics and error monitoring. We use its European infrastructure and remove known personal data from the events we send.
- Discord, which receives internal operational alerts (such as install, uninstall, and billing events). These contain store-level operational information, not shopper personal data.
- Railway, which provides the cloud hosting that runs our application and databases.
- Cloudflare, which provides content delivery and network security in front of our Site.
A current list of sub-processors is available on request. We may also disclose data where required by law, to enforce our agreements, or to protect the rights, safety, and security of our users, the public, or us.
6. International transfers
We aim to keep processing within the European Economic Area (EEA), and our email and analytics providers use European infrastructure. Where a provider processes personal data outside the EEA, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where relevant, the UK International Data Transfer Addendum. You can request more information about these safeguards using the contact details below.
7. How long we keep personal data
We keep personal data only as long as needed for the purposes above, then delete or anonymise it. In particular:
- Audit logs are retained for 180 days, with known personal data removed from log metadata.
- Webhook event records are retained for 90 days.
- Billing and usage event records are retained for 12 months, plus any longer period required by accounting and tax law (Dutch law requires certain financial records to be kept for seven years).
- Email suppression and unsubscribe records are kept for as long as needed to honor the opt-out and meet our anti-spam obligations.
- When a merchant uninstalls the App, Shopify sends us a shop redaction signal approximately 48 hours after uninstall, and we then delete that store's data from our systems.
We complete data deletion requests within 30 days of receiving them, unless we are legally required to retain specific records.
8. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected and incomplete data completed;
- have your data erased ("right to be forgotten");
- restrict or object to our processing;
- receive your data in a portable format; and
- withdraw consent at any time, where we rely on consent.
Shoppers in a merchant's store should usually direct requests to that merchant, who is the controller of their data. We support merchants in responding to requests, including through Shopify's mandatory privacy webhooks: a customer data request (we provide the data we hold to the store owner), a customer redaction request, and a shop redaction request (we erase the store's data). To exercise a right with us directly, email [email protected]. We may need to verify your identity before responding.
9. Complaints
If you have a concern about how we handle personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority in your country of residence.
10. How we keep data secure
We use technical and organisational measures appropriate to the risk, including encryption in transit (TLS) and at rest, verification of platform requests, least-privilege and restricted staff access to protected customer data, audit logging, separation of test and production data, and an incident-response process. No method of transmission or storage is completely secure, but we work to protect your data and to notify the relevant parties and authorities of a personal data breach as required by law.
11. Automated decision-making
We do not make decisions that produce legal effects, or similarly significant effects, about individuals solely by automated means.
12. Children
The Service is intended for businesses and is not directed at children, and we do not knowingly collect personal data from them.
13. How Addora works with Shopify
The App is an embedded Shopify app and depends on Shopify's platform and APIs. Shopify's processing of store and customer data is governed by Shopify's own privacy policy and data processing addendum, which are separate from this policy.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the date at the top and, where appropriate, notify you. Your continued use of the Service after an update means you accept the revised policy.
15. Contact us
Addora B.V., established in The Hague, the Netherlands. Privacy questions and data-rights requests can be sent to [email protected]. VAT (BTW-ID): NL869366683B01.