Legal

Privacy Policy

Effective date: 10 July 2026·Last updated: 10 July 2026

This Privacy Policy explains how Verlo Digital (“we”, “us”, or “our”) collects, uses, stores, and protects information when merchants use NAP Audit Bulgaria (the “App”), a Shopify embedded application that generates standardized ecommerce audit XML files for Bulgarian NRA/NAP (НАП) reporting.

1. Who we are

The App is operated by Verlo Digital. For privacy questions or data requests, contact Verlo Digital through the in-app support chat available in the App.

The App runs at https://nap-audit-bulgaria-production.up.railway.app. This Privacy Policy is published at https://nap-audit-bulgaria-production.up.railway.app/privacy.

2. Scope

This Policy applies to:

  • Merchants who install and use the App on a Shopify store
  • Store staff who open the App inside Shopify Admin
  • Personal data of end customers that may appear in Shopify order data we process solely to build audit export files for the merchant

We do not offer a public consumer product. End customers of a merchant’s store interact with Shopify and the merchant, not with our App UI.

We do not collect personal data directly from merchants’ end customers. We do not install cookies or use other tracking technologies on buyers’ devices through the App. Any customer-related information we process is received only from Shopify APIs as part of order data the merchant asks us to include in an audit export.

3. Roles and Shopify relationship

Shopify Inc. and related Shopify entities provide the platform where the App is installed. When a merchant installs the App, Shopify shares certain shop and order information with us through Shopify’s APIs, subject to the merchant’s Shopify account settings and Shopify’s own policies.

For merchant account data, we generally act as an independent controller of App usage data. For order-derived content we process to generate NRA audit files on the merchant’s instructions, we act as a processor on behalf of the merchant (the controller of their customer data).

4. Information we collect

4.1 Shop and authentication data

  • Shopify shop domain and offline/online session tokens
  • App installation and uninstall events
  • Granted API access scopes
  • Billing / plan selection data from Shopify App Pricing (for example plan handle such as Free or Standart)

4.2 Merchant configuration

  • Business details the merchant enters (company name, UIC/EIK, VAT ID, address)
  • Shop details used in the audit file (shop type, unique NRA shop number, domain, customer-facing email/phone for receipts)
  • VAT, payment mapping, refund mapping, document numbering, locale, and related export preferences

4.3 Order and commerce data (from Shopify APIs)

To generate audit XML files for a selected reporting month, the App reads order, line item, shipping, tax, payment/transaction, and refund data via Shopify Admin APIs. Depending on what the merchant’s store stores, this may include:

  • Order IDs, names, dates, financial and fulfillment status
  • Product titles, quantities, prices, discounts, and tax lines
  • Payment gateway identifiers and transaction metadata
  • Amounts in shop and presentment currencies (converted to EUR where needed)

We use this data to produce the standardized NRA audit file for the merchant. We do not sell customer lists or use order data for advertising.

4.4 Generated files and job logs

  • Generated audit XML files (encoded as required for NRA submission) stored in our object storage
  • Generation job status, included/skipped order counts, and technical logs (for example conversion notes, validation errors)

4.5 Support communications

If you contact Verlo Digital through in-app support chat (Crisp), we receive the message content and any contact details you provide so we can respond.

4.6 Technical and security logs

Our hosting provider may process IP addresses, timestamps, and request metadata needed to operate, secure, and debug the App.

5. How we use information

  • Authenticate the merchant and operate the embedded App
  • Generate, validate, store, and let merchants download NRA/NAP audit XML files
  • Convert non-EUR amounts to EUR using Bulgarian National Bank (BNB) official exchange rates and the official BGN peg where applicable
  • Enforce free-period and subscription access rules
  • Provide support and improve reliability and compliance
  • Meet legal obligations, including Shopify GDPR mandatory webhooks

6. Legal bases (GDPR / EEA / UK)

Where GDPR or UK GDPR applies, we rely on:

  • Contract — to provide the App features merchants request
  • Legitimate interests — securing the service, preventing abuse, improving reliability (balanced against merchant and individual rights)
  • Legal obligation — responding to lawful requests and compliance webhooks
  • Merchant instructions — when processing store customer-related order data as a processor for audit export

7. Sharing and processors

We do not sell personal data. We use service providers who process data only to help us run the App:

  • Shopify — platform authentication, APIs, and billing
  • Railway — application hosting and managed PostgreSQL
  • Object storage (S3-compatible) — audit file storage
  • Bulgarian National Bank (BNB) — official exchange rate lookups (currency + date; not customer profiles)
  • Crisp — optional customer-support chat widget

These providers may process data in the EU, US, or other locations. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) offered by those providers.

8. Retention

  • Session and shop configuration data are kept while the App is installed and as needed to provide the service
  • After uninstall, Shopify sends a shop/redact webhook following Shopify’s standard delay; we then delete shop-owned App data (sessions, settings, mappings, document sequences, generation jobs/logs)
  • Generated audit files are retained so merchants can re-download historical exports until shop deletion / redact, unless deleted earlier as part of maintenance
  • Support chats are kept as long as needed to resolve the request and for legitimate business records

9. Shopify GDPR webhooks

The App implements Shopify’s mandatory compliance webhooks:

  • customers/data_request — acknowledge merchant/customer data access requests; the App does not maintain a separate end-customer profile store beyond order-derived audit processing
  • customers/redact — acknowledge deletion requests for customer personal data associated with the shop
  • shop/redact — delete shop-owned App data after uninstall

10. Security

We use industry-standard safeguards appropriate to a Shopify embedded app, including HTTPS, authenticated Admin API access via Shopify session tokens, and access-controlled hosting/storage. No method of transmission or storage is 100% secure; we work to prevent unauthorized access, use, or disclosure.

11. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability. Merchants can update configuration inside the App, and uninstalling the App stops new processing.

To exercise privacy rights or ask questions, contact Verlo Digital through the in-app support chat available in the App. We may need to verify the request and the Shopify shop involved. If you are an end customer of a merchant, please contact that merchant first — they are typically the controller of your store purchase data.

12. Children

The App is intended for business use by Shopify merchants and is not directed to children. We do not knowingly collect personal data from children.

13. International users and data location

The App is designed for Bulgarian NRA reporting needs but may be installed by merchants elsewhere. Verlo Digital is established in the European Economic Area (EEA). App data is hosted and processed using service providers that may operate in the EU, US, or other locations, as described in section 7.

If you access the App from outside the EEA/UK, your information may be transferred to and processed in countries where our providers operate. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) offered by those providers.

14. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will change when we do. Continued use of the App after an update means you accept the revised Policy, except where applicable law requires additional consent or notice.