Introduction
P'tite Tête ("we", "our") operates the Doli2Shop application that enables bidirectional synchronization between Shopify stores and Dolibarr ERP systems. This privacy policy describes how we collect, use, and protect your information.
1. Data Collected
1.1 Data collected via Shopify API
- Product information: names, descriptions, images, prices, inventory, variants
- Order information: order numbers, dates, amounts, statuses
- Customer information: names, emails, addresses, phones, marketing consent
- Payment information: payment methods (not card numbers)
- Shipping information: addresses, methods, costs
- Collection information: categories, tags
- Inventory information: stock levels, locations
- Synchronization logs: timestamps, sync statuses
1.2 Data collected directly from merchants
- Shopify API credentials: Client ID, Client Secret, Access Token
- Module configuration: sync options, mappings
- Shopify store URL and domain name
- Support contact email
1.3 End customer data
We process end customer data only for order synchronization with Dolibarr. This data includes names, emails, shipping/billing addresses, and phone numbers.
1.4 Automatic logs
- IP addresses of Dolibarr servers (API connections)
- Browser User-Agent
- Request timestamps
- Synchronization errors
2. Data Usage
We use your data exclusively to:
- Synchronize your products between Dolibarr and Shopify
- Automatically import your Shopify orders into Dolibarr
- Synchronize stock levels
- Create and update customer records in Dolibarr
- Manage collections and categories
- Provide technical support
- Improve module features
- Detect and fix synchronization errors
3. Data Sharing
We NEVER sell, rent, or share your data with third parties for commercial or marketing purposes.
Limited exceptions:
- Shopify Inc.: transmission via Shopify API for synchronization
- Server host: data storage on your Dolibarr server (which you control)
- Legal obligations: if required by French or European law
4. Data Security
- OAuth 2.0: secure authentication with Shopify
- HTTPS/TLS: all communications encrypted
- HMAC SHA256: webhook validation
- Secure tokens: encrypted Access Token storage
- CSRF validation: state/nonce protection
- Secure servers: data stored on YOUR Dolibarr server
5. Data Retention
- Synchronization data: retained while the module is active
- Error logs: retained 90 days maximum
- API credentials: stored until module uninstallation
- Complete deletion: upon Dolibarr module uninstallation
6. Your Rights (GDPR)
Under the European GDPR, you have the following rights:
- Right of access: access data via your Dolibarr interface
- Right of rectification: modify data in Dolibarr
- Right to erasure: uninstalling the module deletes all data
- Right to data portability: export your data from Dolibarr
- Right to object: disable synchronization anytime
- Right to restriction: configure which products/orders to sync
7. California Residents (CPRA)
If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA):
- Right to know what data is collected
- Right to delete data
- Right to opt out of data sale (we NEVER sell)
- Right to non-discrimination
8. Colorado & Virginia Residents
Under the Colorado Privacy Act and the Virginia Consumer Data Protection Act, you have the right to:
- Access your personal data
- Correct inaccuracies
- Delete your data
- Obtain a copy of your data
- Opt out of sensitive data processing
9. Cookies and Trackers
Our application only uses strictly necessary cookies:
- PHP session: OAuth session maintenance (deleted after installation)
- oauth_nonce: CSRF protection (deleted after validation)
- installation_data: temporary credentials storage (10 min max)
We do NOT use ANY tracking, analytics, or advertising cookies.
10. Children's Protection
Our application is intended for businesses (B2B). We do not knowingly collect data from children under 16.
11. International Transfers
Your data is stored on YOUR Dolibarr server in the country of your choice. Communications with Shopify transit through Shopify servers according to their privacy policy.
12. Policy Changes
We reserve the right to modify this policy. Changes will be published on this page with an updated date.
14. Regulatory Compliance
- GDPR (General Data Protection Regulation) - EU
- CPRA (California Privacy Rights Act) - California, USA
- CPA (Colorado Privacy Act) - Colorado, USA
- VCDPA (Virginia Consumer Data Protection Act) - Virginia, USA
- French Data Protection Act