Privacy Policy

EU VAT Validation App

Last updated: January 2026

This Privacy Policy describes how Dragon Apps ("we", "us", "our") collects, uses, discloses, and protects personal information when you install and use our app ("EU VAT Validation") on your Shopify store and any related services.

This policy applies to all merchants who install the app and to customers whose data is processed on merchant stores to enable the core functionality of the app.

1. Information We Collect

Merchant Information

We collect information required to install and operate the app:

  • Store name and domain
  • Shopify account identifiers
  • Store country and VAT registration country
  • App configuration settings

This information is used to enable the service you install and support merchant-specific settings.

Customer Information

When a merchant's customer enters their details into the EU VAT validation widget, we process the following data:

  • Email address
  • Value Added Tax (VAT) number
  • Company name and address (as returned by the EU VIES database)
  • Customer ID and Order ID (Shopify identifiers)
  • Tags and notes added to customer records or orders

We do not collect or store payment information, credit card numbers, or any financial account information. We do not access or process browsing histories, marketing preferences, or data unrelated to the app's core function.

2. How Personal Data Is Used

We use the customer data only for the purposes necessary to provide the core functionality of the app:

  • Validate EU VAT IDs using the official EU VIES database
  • Determine eligibility for VAT tax exemption for B2B customers
  • Apply VAT tax exemption when configured by the merchant
  • Store VAT-related information on customer and order records
  • Add customer tags and order notes to assist merchants in invoicing and automation workflows
  • Provide translations and language-specific text in the VAT entry widget

The app does not use customer data for unrelated purposes such as marketing, profiling, or advertising.

3. Legal Basis for Processing

When required by applicable law (including the GDPR), our legal basis for processing customer data includes:

  • Consent: The data subject (customer) voluntarily enters their information in order to receive VAT validation and tax exemption.
  • Contractual necessity: Processing is necessary to provide the app's functionality as part of the merchant's Shopify store.
  • Legitimate interest: The app processes only the minimal personal data needed to complete VAT validation workflows and support merchant operations.

4. Data Sharing and Disclosure

We do not sell, rent, or share personal data with third parties for marketing or advertising purposes.

Your Shopify store data and customer details may be shared with:

  • The official EU VIES service for VAT number validation
  • Shopify's APIs (Customers, Orders, Online Store) solely to update relevant customer and order records

We do not share personal data with any other external parties except as required by law or as necessary to provide the service you requested.

5. Data Retention

We retain personal data only as long as needed to provide the app service and support merchant workflows:

  • Customer VAT validation records and related tags, metafields, and order notes are stored in your Shopify store
  • This data remains accessible as long as the merchant keeps the app installed and the store active
  • You may remove or delete any stored customer data via Shopify at any time

We do not retain separate backups of personal data outside of merchant Shopify data beyond what is required for support, compliance, or legal obligations.

6. Security

We implement reasonable technical and organizational measures to protect personal data, including:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Secure hosting environments with access controls
  • Separation of test and production data
  • Data loss prevention practices
  • Access logging for administrative operations
  • Strong password requirements for staff

Despite these measures, no system can be guaranteed completely secure; however, we continuously maintain appropriate safeguards.

7. International Data Transfers

Because our app interacts with the official European VIES service, customer VAT numbers may be transmitted outside the merchant's country in order to validate them. Such transfers are necessary only to complete the VAT validation function.

8. Merchant Responsibilities

Merchants are responsible for:

  • Informing their customers about the use of this app and the collection of VAT-related data
  • Ensuring compliance with local laws where they operate
  • Maintaining any notice or consent mechanisms required by their jurisdiction

9. Your Rights

Depending on applicable law, customers may have rights including:

  • Right to access their personal data
  • Right to correct or update inaccurate data
  • Right to request deletion of personal data
  • Right to restrict or object to certain processing

To exercise any of these rights, customers should contact the merchant or use the mechanisms provided by Shopify.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements. The latest version will always be posted at the same URL with an updated "Last updated" date.

11. Contact

For questions about this Privacy Policy, data practices, or access requests, contact:

Dragon Apps
Email: [email protected]
Website: https://dragonapps.io