Privacy Policy
Last Updated: April 2026
1. Introduction
This Privacy Policy describes how TradeLiq (operated by Daniel Benjamin Rey Lopez) ("we", "us", "our") collects, uses, stores, and protects information in connection with the TradeLiq Shopify application (the "App").
By installing or using the App, you acknowledge that you have read and understood this Privacy Policy.
2. Data We Collect
2.1 Shop and Merchant Data
- Shopify store domain, name, and configuration
- Merchant account information and staff user details
- App installation metadata and subscription/billing status
2.2 Customer and Company Data
- Company names, addresses, tax identifiers, and contact details
- Customer names and email addresses
- Credit limits, payment terms, and account balances
2.3 Transactional Data
- Quotes (line items, pricing, status, dates)
- Invoices (line items, amounts, compliance numbers, payment status)
- Orders and draft orders created through the App
- Payment records and history
2.4 Payment Information
- Stripe payment method references and tokens
- Payment transaction identifiers
- We do NOT store raw credit card numbers; payment card data is tokenized and handled by Stripe
2.5 Technical and Operational Data
- Server logs (IP addresses, request metadata, timestamps)
- Error reports and diagnostics (via Sentry)
- Webhook delivery metadata
- Security audit events
3. How Data Is Stored
- Database: Data is stored in a PostgreSQL database hosted on Neon (EU region — Frankfurt by default) with encryption at rest.
- File Storage: PDF documents (invoices, statements) are stored in encrypted object storage (Cloudflare R2 or equivalent) with server-side encryption.
- Encryption: Sensitive fields (e.g., API tokens, payment references) are encrypted using AES-256-GCM before storage.
- Transport: All data in transit is encrypted via TLS 1.3 / HTTPS.
- Access Controls: Least-privilege access policies; data is isolated per merchant via row-level security in the database.
4. How We Use Data
We process data to:
- Provide App functionality (quotes, invoices, credit management, portal, payments)
- Authenticate users and secure access
- Synchronize data with Shopify via APIs and webhooks
- Process payments through Stripe
- Send transactional emails (invoice reminders, quote notifications, dunning)
- Monitor service health and debug issues
- Comply with legal obligations
5. Sub-processors and International Transfers
We engage the following sub-processors. By using the App, you authorize us to share data with them as described. We do not sell personal data to third parties.
| Provider | Location | Purpose | Data Shared | Safeguards |
|---|---|---|---|---|
| Shopify | Canada / Ireland (EU) | Platform APIs, OAuth, billing, webhooks | Store data, orders, customers, billing metadata | Shopify is the processor of the merchant; their own DPA applies. |
| Stripe Payments Europe Ltd. | Ireland (EU) / US | Payment processing | Payment method tokens, invoice amounts, buyer email | Stripe Ireland is data controller for EU; SCCs / EU-US Data Privacy Framework. |
| Cloudflare, Inc. | US (with EU edge nodes) | CDN, DNS, email routing for tradeliq.com, edge security | HTTP request metadata, email forwarding addresses | SCCs / EU-US Data Privacy Framework. |
| Neon, Inc. | EU (Frankfurt) by default; failover US available | PostgreSQL database hosting | All application data (encrypted at rest) | SCCs; EU region selected by default to keep data in EEA. |
| Anthropic PBC (only when AI Quote Assistant is enabled by the merchant) | US | AI processing of merchant-supplied RFQ text to draft quotes | Quote request content (text, item names, quantities, prices) | SCCs / EU-US Data Privacy Framework. Anthropic does not train its models on API data per their terms. |
| Resend / Amazon SES | EU (Ireland) or US depending on configuration | Transactional email delivery | Recipient email, email body content | SCCs; EU region preferred when available. |
| Sentry (error monitoring; optional) | US (with EU region available) | Error monitoring and diagnostics | Error context, request metadata (PII redacted where possible) | SCCs / EU-US Data Privacy Framework. |
International transfers: Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and on each provider's adherence to the EU-US Data Privacy Framework where applicable. A current list of sub-processors is maintained in this Privacy Policy and changes are communicated at least 30 days in advance via email to merchant administrators.
6. Data Retention
| Data category | Retention period |
|---|---|
| Active merchant data | Retained while the App is installed and the subscription is active. |
| Post-uninstall data (recoverable) | Up to 30 days after uninstall — data remains accessible for reactivation and support. |
| Post-uninstall data (soft-deleted) | 31-60 days — data is soft-deleted in the primary database; only encrypted backups remain. |
| Backup expiration | 61-90 days — backups expire and data is removed from all systems. |
| Operational / server logs | Up to 12 months for security and abuse-prevention purposes. |
| Invoice / accounting metadata (Spanish tax law) | 4 years after issuance, as required by Spanish tax authorities (Hacienda). Used solely for legal compliance. |
| Payment records | As required by applicable financial regulations (typically 5-7 years in EU). |
GDPR right to erasure (Article 17): You or any data subject may request immediate deletion at any time by emailing [email protected]. We fulfil verified erasure requests within 30 days, with the exception of records we are legally required to retain (invoicing/accounting metadata under Spanish tax law). Records exempt from erasure are isolated and not used for any purpose other than legal compliance.
If law or contract requires longer retention, that obligation prevails over the periods above.
7. User Rights
Where applicable under GDPR, CCPA, or other privacy regulations, individuals may request:
- Access — Obtain a copy of personal data we hold
- Correction — Request correction of inaccurate data
- Deletion — Request deletion of personal data
- Portability — Receive data in a structured, machine-readable format
- Restriction — Request limitation of processing
- Objection — Object to certain types of processing
To exercise these rights, contact: [email protected]
We will respond to verified requests within the timeframes required by applicable law (e.g., 30 days under GDPR).
8. GDPR Compliance
- Data Controller: The merchant (Shopify store owner) is the data controller for their customer data
- Data Processor: We act as a data processor on behalf of the merchant
- Legal Bases: Contract performance, legitimate interests (security, service reliability), legal obligations, and consent where required
- International Transfers: Where data is transferred outside the EEA, we rely on appropriate safeguards (e.g., Standard Contractual Clauses, provider certifications)
- DPA: A Data Processing Addendum is available upon request at [email protected]
9. Cookies and Tracking
The App uses cookies and session mechanisms strictly necessary for authentication and session continuity within the Shopify admin embed and the customer portal session management. These cookies are exempt from prior consent under the LSSI-CE in Spain.
We do not use third-party advertising trackers or non-essential analytics trackers within the App or the public site at tradeliq.com.
9.1 Use of Artificial Intelligence (where enabled)
If the merchant enables the optional AI Quote Assistant feature (available on Growth and Enterprise plans):
- Quote request text (subject lines, body content, item descriptions, quantities and prices) submitted by the buyer or by the merchant is sent to Anthropic PBC (US) via API for the sole purpose of generating a draft quote.
- Anthropic does not train its models on API data per their commercial terms.
- The transfer is governed by Standard Contractual Clauses and Anthropic's adherence to the EU-US Data Privacy Framework.
- The merchant can disable this feature at any time in the App settings; disabling it stops further data transfers to Anthropic immediately.
- UI surfaces that display AI-generated content include a clear notice that the content is AI-generated and should be reviewed before sending (compliance with the EU AI Act transparency obligation, Article 52).
10. Security
We implement reasonable technical and organizational measures including:
- HMAC signature verification for App Proxy requests and webhooks
- Input validation and parameterized queries
- Regular dependency security audits
- Structured logging and monitoring
- Secret management and rotation practices
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the App or as required by applicable law.
12. Contact
- Privacy inquiries: [email protected]
- Support: [email protected]
- Company: TradeLiq (operated by Daniel Benjamin Rey Lopez)
- Address: Madrid, Spain (full registered address will be published once company is constituted; meanwhile contact via email)