Privacy Notice

Shopify App: FineCom Connector
Last updated: February 2026

1. Identity and Contact Details (Art. 13(1)(a) GDPR)

2. Roles and Scope of Processing

The Shopify merchant (store operator) acts as the Controller for end-customer data. FineCom processes such data exclusively as a Processor pursuant to Art. 28 GDPR and only on documented instructions of the Controller under a Data Processing Agreement (DPA).

This notice applies to data processed via the Shopify App “FineCom Connector” in connection with fulfillment operations.

3. Categories of Personal Data Processed

3.1 Merchant / Store Data

• Store name, domain, identifier
• Merchant contact details required for operation
• API access tokens
• App configuration data

3.2 Order and Fulfillment Data

• Recipient name
• Shipping address (street, postal code, city, country)
• Order numbers and fulfillment identifiers
• SKU, product reference, quantity
• Shipment and tracking data

3.3 Logs

Operational logs are maintained for system stability and security. No personal data is stored in logs.

4. Purposes of Processing (Art. 13(1)(c))

• Provision and operation of the App
• Execution of fulfillment workflows (pick, pack, ship)
• Inventory synchronization
• Security and operational stability

5. Legal Basis of Processing (Art. 13(1)(c))

For end-customer fulfillment data, FineCom acts solely as a processor under Art. 28 GDPR. The legal basis for the processing is determined by the Controller (e.g., Art. 6(1)(b) GDPR – performance of contract).

Where FineCom processes limited merchant contact data for contractual administration or support purposes, processing is based on:

• Art. 6(1)(b) GDPR – performance of a contract
• Art. 6(1)(f) GDPR – legitimate interest in ensuring secure and reliable service operation

6. Recipients of Data (Art. 13(1)(e))

6.1 Sub-processors

• IONOS SE (Germany) – hosting infrastructure
• Shopify – platform provider (independent controller)

6.2 Transport Service Providers (Carriers)

For the purpose of performing shipping and delivery services on behalf of the Controller, personal data necessary for shipment (e.g., recipient name and address) may be transmitted to selected transport service providers.

Such transmission occurs exclusively on documented instructions of the Controller. Transport service providers generally act as independent controllers for the transport process.

7. International Data Transfers (Art. 13(1)(f))

FineCom hosts App data within Germany / the EU. If data is transferred to third countries (e.g., through Shopify or international carriers), appropriate safeguards such as Standard Contractual Clauses or equivalent legal mechanisms are applied where required.

8. Storage Period (Art. 13(2)(a))

• Fulfillment data: Deleted 90 days after shipping completion unless otherwise instructed.
• Logs: Retained 14 days (no personal data contained).

9. Data Subject Rights (Art. 13(2)(b–d))

Data subjects have the following rights under the GDPR:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Where FineCom acts as processor, data subjects should contact the Controller (merchant). FineCom supports the Controller in fulfilling such requests pursuant to Art. 28(3) GDPR.

10. Security Measures (Art. 32 GDPR)

• Encryption in transit (TLS/HTTPS)
• Access control and role-based permissions
• Multi-factor authentication for administrative access
• Security monitoring and incident response processes
• Regular patch management

11. Changes to this Notice

This Privacy Notice may be updated to reflect legal or operational changes. The current version will always be published where the App documentation is hosted.