Privacy Policy

Important Role Distinction

When processing customer personal data obtained from connected platforms (such as order and transaction data), Pamete acts solely as a data processor on behalf of the merchant. The merchant remains the data controller and is responsible for providing privacy notices and establishing a lawful basis for processing such data.

1. Data Collection and Minimization

We collect only the minimum personal data required to provide our bookkeeping service to merchants. Processing of customer personal data is performed solely on behalf of merchants under our Data Processing Agreement. Through Etsy's and Shopify's APIs, we collect three categories of data:

Ledger Data (Transactions to Bookkeep)

Financial transactions from your shop that need to be recorded in your books, such as:

  • Sales and refunds
  • Platform and payment processing fees
  • Payouts/withdrawals
  • Other transaction types as supported by the platform

Order Details (Transaction Composition and Counterparty)

To properly bookkeep certain transactions, we need to know what was sold and to whom:

  • Order IDs and transaction IDs
  • Items sold in each order (for itemized bookkeeping and applying product-specific VAT rates)
  • Customer names and addresses (required for receipts, invoices, and determining applicable tax rules)
  • Customer country (for VAT calculation based on destination)

Product Catalog (VAT Configuration)

We import your product catalog so you can configure VAT rates for each product:

  • Product names and platform-specific product IDs
  • Product type (physical good vs. digital/service) for correct VAT treatment

We do not request or intentionally collect customer email addresses or phone numbers from connected platforms. If a platform includes them in API responses, we discard them during processing and do not store or use them. All data retained is strictly necessary for accounting, tax compliance, and invoice generation purposes.

2. Purpose of Data Processing

We process your data exclusively for the following purposes:

  • Generate accounting documents in country and accounting software specific formats (e.g., SIE files for Swedish accounting systems)
  • Process monthly sales summaries

We commit to limiting our processing strictly to these stated purposes. Your data will never be used for marketing, profiling, or sold to third parties. We do not determine the purposes or means of processing customer personal data and do not use such data for analytics, profiling, or any independent purpose.

3. Data Storage and Security

Your data is stored securely on servers located within the European Union, using industry-standard encryption provided by our infrastructure vendors. We use HTTPS when data moves between our app and our servers.

  • Data residency: All data is stored and processed in EU-based data centers
  • Encryption in transit: HTTPS for browser, server, and third-party API traffic
  • Encryption at rest: Provided by Supabase and Cloudflare R2 for stored data
  • Render (EU region) for backend API processing - data from Etsy and Shopify APIs is processed here
  • Supabase (EU region) for user authentication and shop data (encryption at rest)
  • Cloudflare R2 (EU region) for generated documents (encryption at rest)
  • Vercel for frontend hosting - serves static pages only, no merchant or customer data is stored

4. Data Sharing and Service Providers

We do not sell, rent, or share personal data with third parties for their own independent purposes. We only disclose personal data where necessary to operate and deliver our services.

Subprocessors (service providers)

We rely on the following third-party service providers to host and process data as part of our service infrastructure:

  • Render Services, Inc. (EU region)
    Backend API hosting and application-level data processing.
  • Supabase Inc. (EU region)
    Database hosting, user authentication, and access control.
  • Cloudflare, Inc. (EU region)
    Secure document storage, content delivery, and network security.

These providers process data in accordance with their publicly available terms of service and data processing terms. We rely on the standard data protection commitments and safeguards offered by these providers, including published Data Processing Addenda (DPAs) and security measures.

Where available, these providers maintain independent security assessments or certifications (such as SOC 2 Type II or equivalent) to support the security of their services.

Platforms you connect (data sources)

These platforms provide your shop data under your authorization and are not subprocessors.

  • Etsy, Inc. (USA) - Platform data source. We access shop data via API with read-only permissions
  • Shopify Inc. (Canada) - Platform data source. We access shop data via API with read-only permissions

Other providers (no customer personal data on our behalf)

These providers support billing or static hosting and do not process customer personal data on our behalf.

  • Stripe, Inc. (USA) - Merchant billing only; no customer data
  • Vercel Inc. (USA) - Static frontend hosting only; no merchant or customer data stored

5. Data Retention

We apply the following retention periods to ensure personal data is not kept longer than necessary:

  • Active accounts: Data is retained while your account remains active
  • Generated documents: Accounting files (SIE files, receipts) are retained for 6 months from generation, after which they are automatically deleted
  • Transaction data: Order and transaction data from connected platforms is processed in memory only and is not stored. We store only the generated accounting files that result from this processing; raw or intermediate platform data is discarded immediately after processing
  • Account deletion: Upon account deletion request, all personal data is removed within 30 days
  • Inactive accounts: Accounts inactive for 24 months may be deleted after notification

Important: You are responsible for downloading and storing generated accounting documents for your own records in accordance with your local tax and accounting regulations. You can regenerate documents at any time.

6. Your Rights

Under GDPR and applicable EU/EEA law, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request data deletion (subject to legal retention requirements)
  • Export your data in a portable format
  • Lodge a complaint with a supervisory authority

7. Data Processing Agreement

We act as a data processor on behalf of merchants (data controllers) for customer personal data. Our processing is governed by our Data Processing Agreement, which covers:

  • Roles and responsibilities (controller/processor)
  • Scope and purpose of processing
  • Security measures and access controls
  • Subprocessor management
  • International data transfers
  • Audit rights
  • Data deletion and breach notification

8. Contact Information

For privacy-related inquiries, data access requests, or to exercise your rights, please contact us at:

Email: support@pamete.com

Last updated: December 2025