Oditto - Privacy Policy

Last updated: 2026-05-31 · Controller: Fundamental Studio · Contact: info@fundamental.bg

Oditto is a Shopify app that helps Bulgarian merchants comply with Ordinance Н-18 by generating the standardized audit file (SAF-T) for the National Revenue Agency (НАП) and issuing digital receipts. This policy explains what data we process and why.

1. Data we process

• Shop & account data - store domain, the company/tax details you enter (EIK, VAT number, name, address, contact).
• Order data - orders, line items, payments, refunds, and the customer name, email and address attached to an order - used to build the audit file and receipts.
• Product data - product titles, SKUs, prices, tax rates.

2. Why we process it (legal basis)

To provide the app's functionality and to enable you to meet your legal obligations under Bulgarian tax law (Ordinance Н-18). Processing is necessary for the performance of our service to you and to comply with the merchant's legal obligations. We do not sell personal data or use it for advertising.

3. Sub-processors

• Shopify - source of store/order data.
• Hosting - Hetzner (EU/Germany data centres).
• Email (SMTP) - the SMTP provider you configure, used only to deliver receipts/audit files you initiate.
• EU VIES - VAT/EIK lookups for company autofill (sends only the number you enter).
• ECB / Bulgarian National Bank - public exchange rates (no personal data sent).

4. Retention

Generated audit files, receipts and the order data they derive from are retained for the period required for tax record-keeping. When you uninstall the app, we delete shop data following Shopify's shop/redact request (typically 48 hours after uninstall). We honour customer redaction requests via Shopify's customers/redact webhook by anonymizing personal data while retaining the minimum required accounting records.

5. Security

Data is transmitted over HTTPS and stored on access-controlled servers. Access tokens and credentials are stored securely and never exposed to third parties.

6. Your rights

As a merchant you can request access to, correction of, or deletion of data via your Shopify admin (GDPR data-request and redaction flows) or by emailing us. Customers should contact the merchant (the data controller for their order data); the merchant can fulfil requests through Oditto.

7. Independence

Oditto is an independent product of Fundamental Studio and is not affiliated with, endorsed by, or connected to the National Revenue Agency (НАП).

Поверителност (накратко, БГ)

Oditto обработва данни за магазина, поръчките (вкл. име, имейл и адрес на клиента), продуктите и плащанията единствено за да генерира одиторския файл (SAF-T) за НАП и електронни касови бележки по Наредба Н-18. Данните се съхраняват за изисквания от закона срок и се изтриват при деинсталиране (shop/redact) или при заявка за заличаване (customers/redact). Подизпълнители: Shopify, Hetzner (ЕС), вашият SMTP сървър, EU VIES и БНБ/ЕЦБ. Oditto е независим продукт на Fundamental Studio и не е свързан с НАП. Контакт: info@fundamental.bg.