Privacy Policy

Effective date: 27 Oct 2025

1. Scope and applicability

This Privacy Policy explains how Komplians.com ("Komplians", "we", "us") processes personal data when you:

  • • install or use our Shopify/WooCommerce apps, APIs, or services; and/or
  • • visit Komplians.com or related pages.

This Policy is intended to meet requirements of the EU/EEA GDPR and similar laws. It does not create third-party rights or contractual obligations beyond those in our Terms and DPA.

2. Roles under GDPR

  • • For store/customer/order data processed to provide the Service (e.g., generating invoices, sending via PEPPOL), Merchant is Controller and Komplians acts as Processor.
  • • For admin/account data about Merchant users and for our websites/marketing/support, Komplians is Controller.

A Data Processing Addendum (DPA) is available upon request and prevails for Processor activities.

3. Categories of data we process

Depending on your use:

A. Merchant account/admin data (Controller):

Name, email, role, company details, billing identifiers, subscription info, support tickets, product feedback, audit trail of admin actions.

B. Store data via APIs (Processor):

Order and invoice details; customer business contact details (e.g., name, company, VAT ID, addresses); line items, prices, discounts, taxes; order/invoice identifiers; delivery and status events; configuration and mapping tables (e.g., VAT codes).

C. Technical data & logs:

IP addresses, device/browser data, timestamps, error traces, job IDs, PEPPOL message IDs, SMP/SML lookups, webhook payloads, API usage metrics.

D. Credentials & integrations:

OAuth tokens, webhook secrets, API keys, and configuration necessary to post to Access Points, Directo, SmartAccounts, etc. We store such secrets encrypted at rest.

E. Website analytics & cookies (Controller):

Page views, referrers, UTM tags, session identifiers, and minimal cookies/local storage for authentication and CSRF protection.

We do not collect full payment card numbers.

4. Sources

We obtain data from: (i) you/your organization; (ii) e-commerce platforms (e.g., Shopify, WooCommerce) per the permissions you grant; (iii) accounting/ERP integrations you enable; (iv) PEPPOL AP callbacks and SMP/SML; (v) our websites and support tools.

5. Purposes and legal bases

  • Provide and operate the Service (contract): create UBL invoices, deliver via PEPPOL, sync with accounting, manage accounts and permissions.
  • Security and reliability (legitimate interests/legal obligation): monitor abuse, detect fraud, maintain logs and backups.
  • Support and communications (legitimate interests/contract): respond to tickets, provide updates, handle incidents.
  • Billing and accounting (legal obligation/contract).
  • Improvement and analytics (legitimate interests): aggregate usage to enhance performance and features.
  • Legal compliance and dispute handling (legal obligation/legitimate interests).
  • Marketing (consent/legitimate interests): optional newsletters; you may opt out anytime.

6. Sharing and disclosures

We share personal data only as needed to provide the Service or as required by law:

  • • Infrastructure & storage: EU-hosted providers incl. Cloudflare R2 and other EU cloud services.
  • • PEPPOL Access Points (e.g., Unifiedpost, Pagero) to transmit invoices and receive statuses.
  • • SMP/SML directories for endpoint discovery.
  • • Accounting/ERP systems: Directo, SmartAccounts (if enabled by you).
  • • Support/monitoring/analytics: ticketing, email delivery, error tracking (e.g., Sentry).
  • • Professional advisors and authorities where legally required.

Where recipients are outside the EEA/UK, we use appropriate safeguards (e.g., Standard Contractual Clauses) and additional measures where necessary.

7. International transfers

If data is transferred outside the EEA/UK, we rely on SCCs or other lawful transfer mechanisms and implement technical/organizational measures appropriate to the risk.

8. Security

We use TLS, encryption at rest (provider level), least-privilege access, MFA for staff, role-based access, audit logs, and regular backups. You are responsible for secure use of your platform accounts, strong passwords, and access management.

9. Retention

We keep personal data only as long as necessary for the purposes set out in this Policy:

  • • Operational artifacts (invoices, delivery receipts, logs): default 30 months or as configured by the Merchant; longer where required by accounting/tax law.
  • • Backups: ~30 days rolling cycle.
  • • Support & billing records: as required by law.
  • • When retention ends, we delete or irreversibly anonymize the data.

10. Uninstall, termination, and deletion

Upon uninstall or written request from the Merchant, we stop processing store data (Processor role). Unless you request earlier deletion, we delete or anonymize store-linked personal data within 48 hours, subject to legal retention obligations and backup cycles. Exports are available on request. Contact privacy@komplians.com.

11. Your rights (EEA/UK and similar jurisdictions)

Where Komplians is Controller, you may have the right to access, correct, delete, restrict, or object to processing, and to data portability. Where we act as Processor, we will assist the Merchant (Controller) in responding to data subject requests. You may lodge a complaint with your local authority; in Estonia, the Data Protection Inspectorate.

12. Cookies and tracking

We use minimal cookies/local storage to operate embedded apps (authentication, preferences, CSRF). We do not run third-party ad trackers. You can control cookies via your browser settings.

13. Children

The Service is not directed to children under 16 and should not be used to process children's personal data unless required for your legitimate business and in compliance with law (you remain responsible as Controller).

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated date above and provide notice of material changes where appropriate.

15. Contact and DPO

Questions about this Policy or to exercise your rights, contact privacy@komplians.com. Komplians.com, Tallinn, Estonia.