Privacy Policy

1. Overview

MrejaNet: Order Flow ("the App", "we", "us") is a Shopify application developed and operated by MrejaNet. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

2. Data We Collect

When you install and use the App, we may collect and store:

• Shop information — your Shopify store domain and the OAuth access token needed to interact with the Shopify API on your behalf.
• Courier credentials — usernames and passwords for Econt, Speedy, and BOX NOW courier accounts. Passwords are stored encrypted at rest.
• Sender/business details — company name, contact person, address, phone number, and email that you enter in the courier settings.
• Order & shipment data — Shopify order IDs, customer delivery names, phone numbers, and addresses needed to create courier waybills.
• Courier API responses — waybill numbers, tracking codes, and status messages returned by the courier APIs.

3. How We Use Your Data

• To authenticate with the Shopify API and receive order webhooks.
• To create, track, and manage courier shipments on your behalf.
• To display shipping options to your customers at checkout.
• To fulfil your obligations under Bulgarian courier service agreements (Econt, Speedy, BOX NOW).

We do not sell, rent, or share your data with third parties for marketing purposes.

4. Data Storage & Security

All data is stored on servers located within the EU. Courier passwords are encrypted using AES-256 encryption before storage. Access to the database is restricted to authorised personnel and systems only.

5. Data Retention

Shipment records are retained for as long as your store has the App installed. After you uninstall the App, we retain your data for up to 48 days in accordance with Shopify's GDPR requirements, after which all shop data is permanently deleted.

6. Customer Data (GDPR Compliance)

As a Shopify Partner, we comply with Shopify's privacy requirements for app developers. We handle the following mandatory privacy webhooks:

• Customer data request — we log requests for customer data export. You, as the merchant, are responsible for fulfilling the export to the customer.
• Customer erasure — we anonymise personal data (name, phone, address) stored in shipment records for the requested customer.
• Shop erasure — we permanently delete all data associated with your store within 48 days of uninstallation.

7. Third-Party Services

The App communicates with the following third-party services to deliver its functionality:

• Shopify — order and cart data via the Shopify Admin API.
• Econt Express — courier API for creating and tracking shipments.
• Speedy — courier API for creating and tracking shipments.
• BOX NOW — parcel locker API for creating and tracking shipments.

Each of these services has its own privacy policy which governs how they handle data transmitted to them.

8. Your Rights

Under GDPR you have the right to:

• Access the personal data we hold about you.
• Request correction or deletion of your data.
• Withdraw consent at any time by uninstalling the App.

9. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: privacy@order-flow.net