# Privacy Policy
Effective date: May 18, 2026
This Privacy Policy explains how Not Final (“Not Final”, “we”, “us”, or “our”) processes personal data in connection with the Easy bol.com Shopify app (the “App”).
This document is a draft and should be reviewed by a qualified legal professional before publication.
## 1. Contact Details
Not Final
PO Box 110
8430 AC Oosterwolde
Netherlands
Email: luna@not-final.com
Phone: +31 85 369 6103
## 2. What the App Does
Easy bol.com helps Shopify merchants import bol.com orders into Shopify, manage order sync settings, map bol.com product identifiers to Shopify products, and optionally send selected order data to a merchant-configured webhook.
## 3. Our Role
For personal data relating to a merchant’s customers and orders, the merchant is generally the data controller and Not Final acts as a data processor/service provider. For account, support, billing, operational, and security data relating to merchants, Not Final may act as an independent controller.
## 4. Personal Data We Process
Depending on how a merchant configures the App, we may process:
– Shopify store information, including shop domain, app installation status, access token, granted scopes, and app session details.
– App settings, including sync interval, fulfillment method filter, receipt preferences, webhook settings, and product mapping settings.
– Encrypted credentials, including bol.com Retailer API credentials and optional webhook secret.
– bol.com order data needed to create or simulate Shopify orders, such as order ID, order item ID, order dates, product details, quantities, prices, customer name, email, phone number, and billing or shipping address fields.
– Shopify order import results, such as Shopify order ID, order name, import status, errors, and timestamps.
– Webhook delivery logs, including delivery status, timestamps, and error messages.
– Technical and security data, such as request metadata, server logs, and diagnostic information needed to operate and secure the App.
When the optional webhook feature is enabled, the App sends the order data configured for Shopify order creation to the merchant’s webhook endpoint. Address data sent to the webhook is limited to country information.
## 5. How We Use Personal Data
We process personal data to:
– Authenticate merchants and operate the embedded Shopify app.
– Connect to the bol.com Retailer API using merchant-provided credentials.
– Import bol.com orders into Shopify or simulate imports when order creation is disabled.
– Maintain sync history, import status, error status, and webhook delivery status.
– Apply product mappings between bol.com identifiers and Shopify variants.
– Provide support, troubleshoot errors, protect the App, and maintain service reliability.
– Comply with legal obligations and Shopify platform requirements.
## 6. Legal Bases
Where the GDPR applies and Not Final acts as a controller, we rely on the following legal bases:
– Performance of a contract, to provide the App to merchants.
– Legitimate interests, to secure, maintain, improve, and troubleshoot the App.
– Legal obligation, where we must comply with applicable laws or platform compliance requirements.
– Consent, where a merchant chooses to enable optional features such as webhook delivery.
Where Not Final acts as a processor, we process personal data on the merchant’s instructions.
## 7. Sharing and Subprocessors
We may share or process data with:
– Shopify, to authenticate the App and create or read Shopify resources authorized by the merchant.
– bol.com, to retrieve order data using the merchant’s Retailer API credentials.
– Hosting, database, logging, email, and infrastructure providers used to operate the App.
– A merchant-configured webhook endpoint, only when the merchant enables that feature.
– Professional advisers, authorities, or other parties where required by law or necessary to protect rights and security.
Merchants are responsible for ensuring that any webhook endpoint they configure is lawful, secure, and appropriate for receiving the data sent by the App.
## 8. International Transfers
We are based in the Netherlands. Depending on our service providers and the merchant’s configured integrations, personal data may be processed outside the European Economic Area. Where required, we use appropriate safeguards, such as contractual protections or other lawful transfer mechanisms.
## 9. Retention
We retain personal data only as long as necessary to provide the App, maintain records, troubleshoot imports, comply with legal obligations, and resolve disputes.
When a merchant uninstalls the App or Shopify sends a mandatory privacy webhook, we stop scheduled syncs and delete or anonymize relevant stored data within a reasonable period, unless retention is required by law, security, fraud prevention, or dispute resolution.
## 10. Security
We use technical and organizational measures designed to protect personal data, including encryption for stored bol.com client secrets and webhook secrets, HMAC verification for Shopify webhooks, access controls, and secure transport where supported. No system is completely secure, and merchants are responsible for protecting their own Shopify, bol.com, and webhook credentials.
## 11. Merchant and Customer Rights
Depending on applicable law, individuals may have rights to access, correct, delete, restrict, object to, or receive a copy of their personal data. Merchant customers should contact the Shopify merchant directly about their order data. Merchants may contact us at luna@not-final.com for App-related privacy requests.
If you are in the EEA or UK, you may also have the right to lodge a complaint with your local data protection authority.
## 12. Shopify Mandatory Privacy Webhooks
The App is configured to receive and respond to Shopify’s mandatory privacy webhooks, including:
– `customers/data_request`
– `customers/redact`
– `shop/redact`
The App verifies Shopify webhook signatures before processing webhook requests.
## 13. Children’s Data
The App is intended for use by Shopify merchants and is not directed to children. We do not knowingly collect personal data directly from children.
## 14. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify merchants through the App, the Shopify App Store listing, or another appropriate channel.