← Back to EU VAT Pilot
Privacy policy
Last updated: 6 July 2026
The short version
We store your email address, your business profile, and the order data you add or sync — nothing more.
We never store names or addresses of your customers. No analytics, no ads, no tracking, no marketing emails.
You can download everything or delete your account (and all its data) yourself at any time on the
Settings page.
Who is responsible
EU VAT Pilot is a pilot service operated by Kevin Avroutskii.
For anything about your data, email kevin.avroutskii@gmail.com —
you will get a personal reply, this is a small pilot.
What we store, and why
- Account: your email address, a hash of your password (bcrypt — we cannot see the password
itself), and timestamps for account creation and email confirmation. Needed to sign you in and to send you
the confirmation and password-reset emails you request.
- Business profile: the EU country where your business is established and whether you are
registered for OSS / IOSS or opted into destination-country VAT. This drives every VAT classification —
it is the product.
- Orders: order date, destination country, ship-from country, amounts, currency, whether a
marketplace handled the sale, and — for synced orders — the Shopify order ID.
Deliberately absent: any personal data about your customers. No names, no addresses,
no emails — VAT classification only needs the country and the amounts, so that is all we take.
- Shopify connection (only if you connect a store): your shop domain, the Admin API access
token you paste, and your default ship-from country. The token is used solely to read orders from your store
when you press Sync. It is a credential, so it is excluded from data exports.
- Password-reset and email-confirmation links: we store only a SHA-256 fingerprint of each
link's token, never the link itself. A copy of our database would not contain any usable links.
- Feedback (only if you send some): the message you write, the page you sent it from, and
when. It is also emailed to the operator so it gets read. Included in your data export, erased with your
account.
Cookies
Exactly one cookie: evp_session, which keeps you logged in for up to 30 days. It is strictly
necessary for the service, HttpOnly, and sent only over HTTPS in production. There are no analytics, advertising,
or tracking cookies of any kind — which is why you don't see a cookie banner.
Where your data lives, and who touches it
- Hosting — Fly.io: the app and its database run on a server in Frankfurt, Germany,
on an encrypted disk. Fly.io is a US company; its EU data processing is covered by its
data processing terms (EU standard contractual
clauses). Like any hosting platform, Fly.io keeps short-lived infrastructure logs that include IP addresses.
- Email — Resend: when we send you a signup confirmation or a password-reset link, your email
address and that message pass through Resend (configured to their EU region). Resend is a US company; see their
privacy policy for their safeguards.
We send only these transactional emails — never marketing.
- Shopify (only if you connect a store): we read order data from your store using your token.
We send nothing to Shopify beyond those read requests.
- European Central Bank: the app fetches official exchange rates from the ECB's public API.
Those requests contain no personal data.
Nobody else. We do not sell, share, rent, or trade your data, and there are no advertising or analytics
providers.
Legal basis
We process your data to provide the service you signed up for (Art. 6(1)(b) GDPR — performance of a contract)
and, for security measures such as hashed passwords and session management, based on our legitimate interest in
keeping the service safe (Art. 6(1)(f) GDPR).
How long we keep it
As long as your account exists. When you delete your account, everything — account, profile, orders, Shopify
connection, sessions, reset and confirmation records, feedback — is erased immediately and permanently. Backup
copies of the database (the host's encrypted snapshots, kept about 5 days, and a daily off-site copy on the
operator's own computer, deleted after 14 days) rotate automatically, so deleted data disappears from every
backup within at most 14 days. The only thing that stays is our cache of official ECB exchange rates, which
contains no personal data.
Your rights
Under the GDPR you can access, correct, export, and erase your data, restrict or object to processing, and
complain to a data protection supervisory authority. Most of this is self-service:
- Export everything as JSON (or your orders as CSV) on the Settings page.
- Correct your profile and orders directly in the app.
- Delete your account and all its data on the Settings page — immediate, no questions asked.
For anything else, email kevin.avroutskii@gmail.com.
Changes to this policy
If this policy changes in a way that matters, we will say so in the app before the change takes effect.
The date at the top always tells you when it was last touched.