Privacy Policy

1. Introduction

The Service combines core ERP capabilities (for example orders, inventory, accounting, customers, employees, and reporting) with optional integrations to ecommerce platforms and courier or logistics providers. This document is designed to be read by both business stakeholders and compliance teams. It does not replace your subscription agreement or data processing terms; where they differ, those documents prevail.

We do not control how our customers configure integrations, which third parties they enable, or what they enter into the Service. Those choices determine much of what personal and business data flows through the platform.

2. Who we are and roles and responsibilities

Customer (your organization) is the data controller (or equivalent role under applicable privacy law) for personal data it submits to the Service or causes to be processed through integrations. The customer decides why and how that data is used within its business, subject to its own legal obligations.

We (the ERP platform operator) act as a data processor (or service provider) in relation to personal data we process on the customer’s instructions to provide, secure, and support the Service. We process such data only to deliver the functionality the customer has subscribed to, in line with our agreement with the customer, unless applicable law requires otherwise.

Third-party platforms (for example Shopify or similar ecommerce systems, and Postex or similar courier and logistics providers) are independent third parties. They may act as controllers, processors, or both in respect of data they receive, depending on their role and contract with the customer. Their processing is governed by their own terms and privacy notices, not by this Policy alone.

We are not responsible for third-party policies or practices. Customers are responsible for reviewing integration partners’ documentation, obtaining any required consents or notices, and ensuring their use of the Service complies with applicable law.

3. Data we process

3.1 Data provided by users and customers

Examples include:

• Account and access data: names, email addresses, roles, organization identifiers, authentication events, and audit-relevant activity within the Service.
• Business records: data the customer or its users create or import (orders, inventory, accounting entries, partners, employees, payroll-related fields where applicable, and similar operational records).

3.2 Data from integrations

When a customer enables an integration, the Service may receive or send categories of data defined by that integration (see Sections 5 and 6). Data is shared with couriers and ecommerce systems only when the customer has enabled and configured the relevant integration and supplied or authorized the credentials required to operate it.

3.3 Technical and log data

We generate and retain technical information needed to run and protect the Service, such as IP addresses, device and browser types, timestamps, diagnostic logs, and security signals. Where such data relates to an identified individual, we treat it in accordance with this Policy and our role as processor where applicable.

4. Purposes and legal bases

We process personal data to:

• Provide, operate, and maintain the Service and features the customer has enabled.
• Authenticate users, enforce access controls, and protect tenant isolation in a multi-tenant environment.
• Execute integrations and workflows the customer configures (for example synchronizing orders or booking shipments).
• Provide support, prevent abuse, monitor reliability, and improve security and performance.
• Comply with legal obligations that apply to us as operator of the Service, where relevant.

The legal basis for processing is determined primarily by the customer as controller (for example performance of a contract, legitimate interests, or compliance with law). Where we have a direct relationship with an individual (for example a user account we administer), we may rely on contract, legitimate interests, or legal obligation as appropriate under applicable law.

5. Ecommerce integration (for example Shopify)

When a customer connects an ecommerce store (such as a Shopify shop or another supported platform), the Service may use application programming interfaces (APIs), webhooks, or similar mechanisms to read or write data according to the permissions and scopes the customer grants.

Permissions are controlled by the customer through the ecommerce platform’s authorization flows and the customer’s configuration in the Service. We do not expand those permissions beyond what the customer (or its authorized administrators) has approved.

Typical categories of data may include:

• Commercial data: orders, line items, prices, taxes, discounts, payment or fulfillment status, refunds, and related metadata.
• Catalog and inventory: products, variants, SKUs, stock levels, and taxonomies exposed by the store.
• Customer and delivery data: names, contact details, and shipping or billing addresses when made available by the store or entered for operational purposes.
• Credentials and tokens: API keys, OAuth tokens, webhook secrets, and similar secrets the customer provides to maintain the connection. Customers should store and rotate credentials according to their security policies.

We use this data to reconcile ecommerce activity with ERP records, automate workflows the customer enables, and present operational views. We do not sell personal data obtained through ecommerce integrations.

Customers remain responsible for complying with the ecommerce platform’s terms (including API and acceptable use rules) and for providing appropriate notices to their own end customers. For reference, Shopify publishes its privacy materials at shopify.com/legal/privacy; analogous providers maintain their own notices.

6. Courier and logistics integration (for example Postex)

When a customer enables a courier or logistics integration (such as Postex or another supported carrier), the Service acts as a technical intermediary: it transmits data the customer has chosen to send in order to create shipments, obtain labels, track parcels, or reconcile cash on delivery (COD) and related charges, as configured.

Recipient and sender personal data is shared with the courier only to the extent necessary for delivery and related services, and only when the customer has activated the integration and initiated or automated that data flow. The courier processes such data under its own agreement with the customer and under its own privacy notice.

Typical categories include:

• Shipment and recipient data: names, phone numbers, addresses, and delivery instructions.
• Parcel and service data: weights, dimensions, service types, references, tracking identifiers, and status events.
• Financial data for COD or settlements: amounts and references needed for collection or accounting reconciliation, as configured.
• Integration credentials: API keys, account identifiers, and callback or webhook settings supplied by the customer or carrier as applicable.

We retain integration-related records in the Service where the customer’s use of the product produces such records (for example shipment history or accounting links), in line with Section 8.

7. Data sharing and third parties

We disclose personal data only as needed to operate the Service or as the customer instructs, including:

• Integration partners the customer enables (ecommerce platforms, couriers, payment or other connectors), as described in Sections 5 and 6.
• Subprocessors that provide hosting, infrastructure, monitoring, email delivery, or similar services on our behalf, subject to Section 11.
• Professional advisers, regulators, or law enforcement where required or permitted by law, or to protect rights, safety, and integrity of the Service and our users.

We do not sell personal data as a business practice. Any aggregated or de-identified analytics we use to understand service performance does not identify individuals.

8. Data retention

We retain customer content and account data for as long as the subscription is active and for a reasonable period thereafter to allow export, dispute resolution, backup rotation, and compliance with legal obligations. Specific retention periods may be further defined in the customer agreement or order form.

Customers are responsible for defining retention and deletion rules for their own legal and operational needs (for example accounting or employment recordkeeping). Customers should revoke integration credentials and disable connections when they are no longer required.

9. Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, or alteration, including controls appropriate to a multi-tenant SaaS environment.

Security is a shared responsibility. Customers are responsible for configuring users and permissions, safeguarding administrator credentials, choosing least-privilege access for integrations, managing API tokens, and ensuring their own devices and networks are secure. We are not liable for security incidents that result solely from customer misconfiguration, compromised customer credentials, or vulnerabilities in third-party systems outside our reasonable control.

10. International transfers

Personal data may be processed in countries where we or our subprocessors operate. Where applicable law imposes requirements for cross-border transfers, the customer and we will address those requirements through the contractual mechanisms agreed between us (for example standard data protection terms where available and appropriate).

Customers remain responsible for the lawfulness of transfers they initiate to third-party integrations outside their primary region.

11. Subprocessors

We may engage subprocessors to assist in hosting, infrastructure, communications, security monitoring, and related functions. We impose obligations on subprocessors that are materially consistent with our obligations to customers regarding personal data protection.

A current list of subprocessors (or a description of categories) may be provided in the customer agreement, an annex, or a page we maintain and update. Where our agreement with the customer requires notice of subprocessor changes, we will provide such notice in accordance with that agreement.

12. User rights

Individuals whose personal data is processed through the Service may have rights under applicable privacy law (for example to access, correct, delete, restrict, or object to certain processing, or to obtain a copy of data in a portable format, where such rights exist).

Because the customer is typically the controller for operational and integration data, requests should first be directed to the customer’s administrator. We will assist the customer in responding, where required by law and our agreement, within a reasonable timeframe.

Where we process data as a controller in our own right (for example limited account relationship data), we will respond to valid requests in line with applicable law.

13. Data breach handling

If we become aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data processed by us on behalf of a customer, we will notify the affected customer without undue delay where required by applicable law or by our agreement with the customer, and we will provide information reasonably necessary for the customer to meet its own regulatory or contractual obligations.

The customer, as controller, remains responsible for assessing whether it must notify supervisory authorities, affected individuals, or other parties under its applicable laws. We will cooperate with reasonable requests related to investigation and remediation, consistent with confidentiality and security constraints.

14. Changes to this policy

We may update this Policy to reflect changes to the Service, our practices, or legal expectations. We will revise the “Last updated” date when we publish changes. Where changes are material and our agreement with the customer requires specific notice, we will provide notice in the manner described in that agreement.

15. Contact information

For questions about personal data processed on behalf of your organization through the Service, contact your organization’s administrator or data protection lead.

For questions directed to us as operator of the Service (including processor-related inquiries from authorized customer contacts), use the support or legal contact details provided in your order form, service documentation, or tenant administration settings.