Privacy Policy

Last updated: June 2026

Legatix ("we", "our", "us") operates a Shopify application that syncs product listings, inventory, pricing, and orders between your Shopify store and third-party marketplaces. This policy explains what data we access, how we use it, and how you can request its deletion.

1. Data we access

When you install Legatix, we request the following Shopify scopes:

• Products & inventory — to read your product catalogue, variants, images, and stock levels so they can be published to connected marketplaces.
• Orders — to read marketplace orders and create the corresponding orders in your Shopify store.
• Webhooks — to register webhooks so we receive real-time updates when products or orders change.

We do not access customer payment information, financial reports, or any data beyond the scopes listed above.

2. Data we store

We store the following data in our AWS infrastructure (EU region):

• Shop credentials — your Shopify access token, shop domain, and API version, stored in AWS Secrets Manager and encrypted at rest. This is required to call the Shopify Admin API on your behalf.
• Marketplace credentials — API keys or username/password pairs for connected marketplaces, stored in AWS Secrets Manager and encrypted at rest.
• Product pipeline state — Shopify product IDs, variant IDs, EANs, content hashes, and sync status records stored in DynamoDB. Used for idempotency and to detect product drift between Shopify and marketplaces.
• Order pipeline state — marketplace order IDs and their corresponding Shopify order IDs stored in DynamoDB. Used to prevent duplicate order creation.
• Audit logs — a time-limited record of payloads sent to and received from marketplaces, stored in DynamoDB with a TTL of 30 days. Used for debugging.

We do not store customer names, addresses, email addresses, or any other personally identifiable information about your buyers. Orders are processed in-flight and only the marketplace/Shopify order ID mapping is persisted.

3. How we use your data

• To sync your product catalogue to connected marketplaces.
• To keep stock levels and prices up to date across channels.
• To create Shopify orders from marketplace sales.
• To send you operational alerts (e.g. sync failures) by email.

We do not sell your data, share it with third parties for advertising purposes, or use it for any purpose other than providing the Legatix service.

4. Third-party services

To deliver the service we use the following sub-processors:

• Amazon Web Services (AWS) — cloud infrastructure (Lambda, DynamoDB, SQS, Secrets Manager, S3) hosted in the EU (eu-central-1).
• Shopify — your store platform. Data flows between Legatix and Shopify via the Shopify Admin API under your store's terms.
• Marketplace APIs — the external marketplaces you choose to connect (e.g. Trendyol). Data sent to each marketplace is governed by your agreement with that marketplace.

5. Data retention

• Product and order pipeline state is retained for as long as your subscription is active.
• Audit log payloads are automatically deleted after 30 days.
• When you uninstall Legatix, we disable all sync operations immediately. Your shop credentials are revoked. Residual pipeline state records are deleted within 48 hours.

6. Your rights (GDPR)

If you are located in the European Economic Area you have the right to access, correct, or delete personal data we hold about you. Because Legatix processes merchant data (shop credentials and product/order state) rather than consumer data, most GDPR obligations apply at the merchant level.

Shopify may send us data access or redaction requests on behalf of your customers via mandatory GDPR webhooks. We honour these automatically:

• customers/data_request — we confirm receipt. No customer PII is stored by Legatix.
• customers/redact — acknowledged. No customer PII to redact.
• shop/redact — all merchant data is deleted within 48 hours of receiving this webhook.

7. Security

All data at rest is encrypted (AES-256). All data in transit is encrypted via TLS 1.2+. Access credentials are stored in AWS Secrets Manager and are never logged or included in error reports. We use IAM least-privilege policies to restrict internal access to your data.

8. Contact

For privacy-related questions or to request deletion of your data, contact us at contact@legatix.ro. We will respond within 72 hours.

---

Legatix is operated by AB-IT. Registered in Romania.