Privacy Policy

Last updated: 18 May 2026

This Privacy Policy describes how InvoicePro AU ("the App", "we", "us") collects, uses and protects information when you install and use the App on your Shopify store.

The App is operated by Josiah O'Keeffe, sole trader, ABN 12 385 144 036, trading as Plyth ("Plyth"), based in Queensland, Australia. We comply with the Australian Privacy Principles ("APPs") under the Privacy Act 1988 (Cth).

1. Information we collect

When you install the App, Shopify shares the following with us:

• Your shop domain and basic shop information
• An OAuth access token used to read order data on your behalf

When you use the App, we store:

• Business details you enter in the Settings page (business name, ABN, address, contact email, phone, logo URL, GST registration status, invoice numbering preferences, email and template preferences)
• Order data delivered via Shopify's orders/paid webhook, including: order ID, order name, currency, line items, subtotal, tax amount, total, order timestamp, and the customer's name, email address and shipping address as captured in the order

We do not collect payment card data. We do not access products, draft orders, fulfilment data or any other Shopify resource outside of paid orders.

2. How we use information

We use the information solely to:

• Generate ATO-compliant tax invoices for paid orders
• Email those invoices to customers on your behalf, using the email address recorded against the order
• Provide BAS export functionality (CSV and bundled PDFs) within the App
• Authenticate your shop and operate the App's billing relationship with you

We do not sell your data. We do not use your data or your customers' data to train AI models. We do not share your data with third parties for marketing purposes.

3. Sub-processors

We share data only with the following sub-processors, strictly to operate the service:

• Shopify Inc. — platform host, authentication, billing, and webhook delivery
• Resend (Resend, Inc.) — transactional email delivery for sending invoices
• Application hosting provider — application hosting and Postgres database (current provider: Fly.io)

Each sub-processor is bound by its own terms and privacy practices.

4. Data retention and deletion

We retain shop settings, invoice records and order data for as long as the App remains installed on your store, so that you can re-download historical invoices and export BAS data for past periods.

When you uninstall the App, Shopify sends us an app/uninstalled webhook. On receipt, we permanently delete your shop's settings, invoice records and associated order data within 30 days.

You may request earlier deletion at any time by emailing support@plyth.app. We will respond within a reasonable period.

5. Your rights

Under the Australian Privacy Principles, you (and your customers, where applicable) have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate personal information
• Request deletion of personal information
• Make a complaint about our handling of personal information

To exercise these rights, email support@plyth.app.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

For shoppers in the European Economic Area or United Kingdom, equivalent rights under the GDPR/UK GDPR apply, including the right to data portability and the right to lodge a complaint with your local supervisory authority.

6. Security

We use industry-standard measures to protect personal information, including encrypted connections (TLS) for all data in transit, restricted database access, and access tokens stored at rest in a managed database. No method of transmission or storage is 100% secure, but we work to safeguard your data appropriately.

7. International transfers

Data may be processed in countries outside Australia, including the United States, where our hosting and email sub-processors operate. We rely on those providers' contractual safeguards (including Standard Contractual Clauses where applicable) for cross-border transfers.

8. Children

The App is not directed to individuals under 16, and we do not knowingly collect personal information from children.

9. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent change. Material changes will be notified inside the App.

10. Contact

For any privacy questions or requests, contact:

Terms of Service