
NELUMBO FLOW – PRIVACY POLICY

> ## 🚨 WE ARE A DATA AGGREGATOR, NOT A DATA RETENTION OFFICER
>
> Nelumbo Flow is designed as a privacy-first data conduit. We temporarily cache data for accounting synchronization and automatically delete it within 24 hours. We do not store customer personal information long-term.
>
> Key Privacy Commitments:
>
> - ✅ Customer PII deleted within 24 hours maximum
> - ✅ Automated hourly cleanup (no manual intervention)
> - ✅ Only aggregated financial summaries retained (NO customer data)
> - ✅ GDPR compliant by design (Article 5(1)(c) - Data Minimization)
>
> Data Flow: `Order Created → Temp Cache (24h) → Sync to Netvisor → Auto-Delete PII → Keep Aggregates Only`


Effective Date: November 18, 2025

Last Updated: December 22, 2025

App Name: Nelumbo Flow

App Provider: Nelumbo Oy

Business ID (Y-tunnus): 2327242-0

Registered Address:

Toppelundintie 5 D 18, 02170 Espoo, Finland


1. Introduction

This Privacy Policy explains how Nelumbo Oy ("we", "us", "our") processes personal data when you install and use the Nelumbo Flow Shopify embedded application ("the App").

By installing or using the App, you agree to the processing practices described in this Privacy Policy.

Privacy-First Architecture

We are a data conduit, not a data keeper. The App follows strict data minimization principles (GDPR Article 5(1)(c)):

- Customer personal data is retained for a maximum of 24 hours
- Data is automatically deleted after successful synchronization to Netvisor
- Only aggregated, anonymized summaries are retained for accounting purposes
- Automatic hourly cleanup ensures compliance without manual intervention

This policy complies with:

- EU General Data Protection Regulation (GDPR) - Articles 5, 15, 17, 25, 30
- Finnish Data Protection Act (1050/2018)
- Applicable Finnish business legislation
- Shopify App Store privacy requirements


2. Information We Collect

We only collect the minimum data required to operate the App.

2.1 Shopify Store Information

- Shop domain
- Shop name
- Currency, timezone, store country
- Order data (TEMPORARY CACHE ONLY - 24 hours maximum):
  - Order ID, countries, line items, tax lines, refunds
  - Customer data (ID, email) - automatically deleted after sync
- Financial totals (gross sales, net sales, tax amounts)
- Payment transactions (gateway, timestamps, amounts)
- Inventory data (product IDs, SKUs, levels, location IDs)

Customer Personal Information (PII) Handling:

- Customer PII is stored temporarily (maximum 24 hours) only for accounting synchronization
- Data is automatically deleted after successful Netvisor sync (typically within hours)
- Aggregated financial summaries contain no PII
- We do not store customer names, addresses, or phone numbers
- Customer emails are deleted immediately after sync completion

2.2 Netvisor Credentials (Provided by You)

- Netvisor Customer ID
- Customer Key
- Organization ID
- Partner ID
- Partner Key

Credentials are encrypted using AES-256-GCM.

2.3 Configuration Data

- Account mapping rules
- VAT mappings
- Inventory accounting configuration
- Automation and scheduling settings

2.4 Authentication and Technical Data

- Shopify OAuth tokens (encrypted)
- Session IDs and expiry timestamps
- IP addresses (security logging)
- Audit and sync logs
- Error logs and performance diagnostics


3. How We Use Your Information

3.1 Core App Functionality

- Synchronizing financial summaries to Netvisor
- Generating and sending accounting vouchers (XML)
- Processing sales, tax, payment and inventory data
- Maintaining historical sync logs
- Displaying reporting dashboards

3.2 Security and Compliance

- Authentication and access control
- Monitoring for unauthorized access
- Maintaining required security logs

3.3 Service Improvement

Aggregated and anonymized data may be used to improve performance and reliability.

No profiling or marketing use is performed.


4. Data Storage and Security

4.1 Data Storage Locations

- Supabase PostgreSQL (EU – Stockholm)
- Fly.io hosting (EU region)
- All data encrypted at rest and in transit (TLS 1.3)

4.2 Security Controls

- AES-256-GCM encryption for tokens and credentials
- Strict row-level security (RLS)
- Input validation using schema enforcement
- HMAC validation for Shopify webhooks with replay attack prevention
- Automatic 24-hour TTL (Time-To-Live) on customer data
- Hourly automated PII cleanup via Edge Functions
- No cross-site tracking, no analytics
- Automatic PII redaction in logs
- Constant-time HMAC comparison (prevents timing attacks)


5. Data Sharing and Third Parties

We only share data with service providers essential to the App's operation:

- Shopify – we receive data from Shopify; we do not share data back.

- Netvisor – accounting vouchers (aggregated sales, payments, VAT, inventory).

- Supabase – encrypted database storage.

- Fly.io – application hosting and server processing.

We do not sell or trade personal data.


6. Data Retention

| Data Type | Retention Period | Cleanup Method |
|-----------|------------------|----------------|
| Customer PII (order data) | 24 hours maximum | Automatic (TTL + hourly cleanup) |
| Aggregated financial summaries | 90 days | Automatic |
| App configuration | Until uninstall | Manual (shop/redact webhook) |
| Encrypted credentials | Until uninstall | Automatic (cascade delete) |
| Sync logs | 90 days | Automatic (TTL-based) |
| Security logs | 90 days | Automatic |
| Audit logs | 2 years | Automatic |
| Privacy request logs | Indefinite (immutable) | GDPR compliance requirement |
| Session data | 30 days | Automatic |

Automatic Data Deletion:

- Customer personal information is automatically deleted 24 hours after creation OR immediately after successful Netvisor sync (whichever comes first)
- Hourly cleanup Edge Function runs to enforce TTL policies
- Upon app uninstall, the `shop/redact` webhook deletes ALL store data across all tables

You may request earlier deletion at: asiakaspalvelu@nelumbo.fi

6.1 Automatic Privacy Cleanup System

The App implements automated privacy protection through:

TTL-Based Expiry:

- Database triggers automatically calculate expiry dates (`pii_expires_at = synced_at + 24 hours`)
- No manual intervention required

Hourly Cleanup Edge Function:

- Runs every hour to delete expired data
- Deletes customer PII older than 24 hours
- Removes old sync logs (90+ days)
- Cleans expired webhook nonces (10+ minutes)
- Execution is logged and monitored

Sync-Triggered Deletion:

- After successful Netvisor sync, orders are marked as `synced_to_netvisor = true`
- Cleanup function deletes synced orders after 1-hour grace period
- Ensures accounting integrity while minimizing data retention


7. Your Rights Under GDPR

You have the right to:

- Access your data (GDPR Article 15) - Automated via `customers/data_request` webhook

- Request correction - Contact asiakaspalvelu@nelumbo.fi

- Request deletion (GDPR Article 17) - Automated via `customers/redact` webhook

- Restrict processing - Contact asiakaspalvelu@nelumbo.fi

- Obtain data portability - Aggregated data available via API

- Withdraw consent - Uninstall the App (triggers `shop/redact` webhook)

Automated Privacy Rights:

The App implements automated privacy webhooks required by Shopify for GDPR compliance:

- `customers/data_request` - Returns any cached customer data (max 24 hours old)
- `customers/redact` - Immediately deletes all customer personal data
- `shop/redact` - Deletes all shop data upon app uninstall

To exercise these rights manually, contact: asiakaspalvelu@nelumbo.fi

7.1 Privacy Webhook Endpoints

The App provides three mandatory GDPR compliance webhooks as required by Shopify:

#### `POST /webhooks/customers/data-request`

Purpose: GDPR Article 15 - Right of Access

Functionality:

- Queries database for customer data cached within 24-hour window
- Returns structured JSON with customer PII or empty dataset
- Logs all requests to `privacy_requests` table for compliance audit
- Implements HMAC verification and replay attack prevention

Response Time: < 5 seconds

#### `POST /webhooks/customers/redact`

Purpose: GDPR Article 17 - Right to Erasure

Functionality:

- Deletes all customer personal data from `orders_mirror` table
- Logs deletion to `privacy_requests` and `audit_log` tables
- Returns success confirmation (idempotent - safe to call multiple times)
- Implements HMAC verification and replay attack prevention

Response Time: < 3 seconds

#### `POST /webhooks/shop/redact`

Purpose: Complete shop data deletion after app uninstall

Functionality:

- Deletes ALL shop data across 10+ database tables in dependency order
- Includes: credentials, configuration, sync logs, sessions, audit logs
- Returns detailed table-by-table deletion report
- Implements HMAC verification and replay attack prevention

Response Time: < 10 seconds

Security: All webhook endpoints:

- Verify HMAC signatures using SHA-256 with constant-time comparison
- Implement replay protection via nonce tracking
- Validate request timestamps (5-minute window)
- Log all operations for compliance audit trail


8. Cookies

The App only uses essential session cookies required for authentication inside Shopify Admin.

We do not use analytics cookies or advertising tracking.


9. International Data Transfers

All core processing occurs within the EU/EEA.

If Shopify routes data outside the EEA as part of its infrastructure, these transfers follow GDPR Chapter V requirements, including Standard Contractual Clauses where applicable.

Netvisor synchronization takes place within Finland.


10. Children's Privacy

The App is intended for business use only and is not directed at children.

We do not knowingly process personal data of children.


11. Security Incident Response

In the event of a data breach:

- You will be notified within 72 hours
- We will describe affected data and actions taken
- Authorities will be notified if required under GDPR
- All privacy operations are logged to the `privacy_requests` audit table
- Immutable audit trail ensures compliance verification

Privacy Operations Logging:

- All `customers/data_request` webhook calls logged with timestamps
- All `customers/redact` deletion operations logged with record counts
- All `shop/redact` uninstall operations logged with detailed reports
- Logs retained indefinitely for GDPR compliance (Article 30: Records of Processing)

Security issues can be reported to: asiakaspalvelu@nelumbo.fi


12. Changes to This Policy

We may update this Privacy Policy due to legal, security or functional changes.

Material updates will be communicated at least 30 days in advance.

The latest version is always available via the App's documentation.


13. Data Protection Officer (DPO)

Name: Jukka Saarikorpi

Email: jukka.saarikorpi@nelumbo.fi

Company: Nelumbo Oy

Address: Toppelundintie 5 D 18, 02170 Espoo, Finland


14. Governing Law and Dispute Resolution

This Privacy Policy is governed by Finnish law.

Any disputes arising from the use of the Nelumbo Flow application or this Privacy Policy shall be resolved exclusively in:

Espoo District Court (Espoon käräjäoikeus), Finland.


15. Contact Information

For privacy, support, security or general inquiries, contact:

Email: asiakaspalvelu@nelumbo.fi

Address: Nelumbo Oy, Toppelundintie 5 D 18, 02170 Espoo, Finland


Document Version: 1.1.0

Classification: PUBLIC

Review Cycle: Annual (or upon material changes)