Privacy Policy

Last updated: 1 May 2026

This policy describes how Billoop (operated by Westpoint) collects and processes personal data in connection with its Shopify application for generating Factur-X invoices.

1. Data controller

Westpoint, reachable at marketplace@westpoint.io, acts as a processor on behalf of the Shopify merchant (the controller) within the meaning of the GDPR.

2. Data collected

• Shopify session data: shop identifiers, OAuth access tokens, app configuration.
• Merchant settings: legal name, VAT number, SIREN, SIRET, postal address, logo, optional bank details, legal mentions.
• Invoice data: Shopify order IDs, buyer name and address, fiscal identifiers (VAT, SIREN/SIRET for B2B buyers), order line items, amounts, taxes.
• Generated documents: Factur-X invoices (PDF/A-3 with embedded CII XML), credit notes, reminders.
• Technical logs: audit events, application logs, correlation IDs, email delivery metadata.

3. Purposes

• Automatic generation of Factur-X compliant electronic invoices for each Shopify order.
• Email delivery of invoices to buyers.
• Archiving of issued documents for the legally required duration.
• Technical support and incident resolution.
• Security, fraud prevention, and abuse mitigation.

4. Legal bases

Processing is based on (i) the performance of the contract between the merchant and Westpoint, (ii) compliance with legal invoicing and accounting retention obligations, and (iii) the legitimate interest of securing the service.

5. Retention

• Invoices and fiscal documents: 10 years, in line with French Commercial Code article L123-22.
• Merchant settings: kept while the app is installed; deleted upon uninstall request.
• Technical logs: up to 13 months.
• Shopify sessions: deleted as soon as the app is uninstalled.

6. Sub-processors

• Amazon Web Services (AWS): application hosting and storage in the eu-central-1 region (Frankfurt, Germany) for business data; us-east-1 (Virginia, USA) is used only for static asset distribution of this marketing site (CDN), with no personal data.
• Shopify Inc.: the platform the app is embedded in, governed by its own policy.
• Resend: transactional email delivery (invoices, notifications).

7. Data location

All business data (merchant settings, invoices, logs) is stored exclusively within the European Union, in the AWS eu-central-1 region (Frankfurt). No business data is transferred outside the EU.

8. Data subject rights

Under the GDPR, data subjects have the right to access, rectification, erasure, restriction, portability, and objection. Buyers wishing to exercise these rights should contact the Shopify merchant from whom they purchased. Westpoint, as a processor, will assist the merchant in fulfilling such requests.

Merchants may exercise their own rights by writing to marketplace@westpoint.io.

9. GDPR webhooks (Shopify)

Standard Shopify GDPR requests (customers/data_request, customers/redact, shop/redact) are received and processed within 30 days.

10. Security

Encryption in transit (TLS 1.2+) and at rest (AES-256). Least-privilege access. Access logging. Billoop does not handle payment data — payments remain with Shopify.

11. Cookies

The marketing site billoop.westpoint.io does not use tracking cookies. The embedded app uses only the strictly necessary session cookies provided by Shopify.

12. Complaints

Any data subject may lodge a complaint with the French data protection authority CNIL (cnil.fr) if they believe their rights have not been respected.

13. Changes

This policy may be updated to reflect legal or product changes. The last-updated date is shown at the top of the page.