Short version: We process Bitcoin payment data on behalf of merchants. We do
not sell personal data. We do not send marketing emails to end customers. We store only what is
necessary to settle payments, and we delete it when you ask us to.
1. Who We Are
AvoPay (“we”, “us”, “our”) provides a Bitcoin Lightning
payment infrastructure service. Our service is available at
avopay.dev. This Privacy Policy applies to:
- The AvoPay website (avopay.dev)
- The AvoPay merchant dashboard
- The AvoPay Shopify App (unlisted, installed via direct link)
- The AvoPay WooCommerce plugin
2. Information We Collect
2.1 Merchant Account Data
When you create an AvoPay merchant account we collect:
- Email address — used for account authentication and transactional
notifications (payment alerts, slow-confirmation warnings).
- Password — stored as a bcrypt hash; we never store your plaintext
password.
- Wallet descriptors — public-key-only BIP32/SLIP-0077 descriptors
exported from your AQUA wallet. These are encrypted at rest using AES-256-CBC. We use
them solely to derive Bitcoin and Liquid addresses for payment routing.
2.2 Shopify Merchant Data (App Store Integration)
When you install the AvoPay Shopify app we receive, via the Shopify OAuth flow:
- Shop domain (e.g. your-store.myshopify.com)
- Shopify access token — stored encrypted (AES-256-CBC). Used solely to
call Shopify's Admin API to read order details and update order notes with payment links.
We request the following OAuth scopes: read_orders, write_orders.
We do not read or store customer profiles, addresses, or payment card information.
2.3 Order and Payment Data
For each Bitcoin payment we process, we record:
- Shopify order ID and order number
- Fiat amount, currency, and equivalent satoshi amount
- A Lightning invoice (BOLT11) and associated Boltz reverse swap identifiers
- Liquid (L-BTC) destination address (derived from your wallet descriptor)
- Cryptographic ephemeral keypair data required to claim the Bitcoin HTLC
(stored encrypted, deleted once the swap is settled)
- Payment timestamp and settlement status
We do not collect or store: customer names, email addresses, physical
addresses, phone numbers, or payment card information. We do not have access to any Shopify
customer PII beyond what is embedded in an order's metadata.
2.4 Technical Logs
Our API server logs minimal operational data: HTTP status codes, rate-limit events, and
error traces. Access logs for sensitive endpoints (wallet connect, SamRock protocol) are
suppressed at the Nginx layer. Logs are retained for 14 days and then deleted automatically.
3. How We Use Your Data
- To process Bitcoin payments — deriving addresses, creating Boltz swaps,
broadcasting claim transactions, and marking Shopify orders as paid.
- To send transactional notifications — payment received confirmations,
slow-confirmation alerts, and subscription receipts. These go to the merchant email address
only. We never email your customers.
- To enforce fair usage — counting confirmed payments against your trial
or subscription quota.
- To maintain service security — detecting abuse, rate-limiting, and
auditing authentication events.
We do not use your data for advertising, profiling, or sale to third parties.
4. Third-Party Services
We use the following third-party services to operate AvoPay:
- Boltz Exchange (boltz.exchange) —
trustless submarine swap infrastructure for converting Lightning payments to Liquid Bitcoin.
We send swap parameters (invoice amount, claim public key, destination address) to Boltz. No
personal data is shared.
- Blockstream Esplora — public Liquid blockchain explorer used to detect
incoming L-BTC transactions. We send Liquid addresses only; no personal data.
- CoinGecko / CoinCap — public Bitcoin price APIs used for fiat-to-satoshi
conversion. No data is sent; we only receive price data.
- Resend — transactional email delivery for merchant notifications only.
Resend receives the merchant’s email address and email content.
- Hetzner — EU-based cloud hosting (Nuremberg, Germany). All data
processed by AvoPay resides on Hetzner infrastructure subject to GDPR.
- Cloudflare — CDN, DDoS protection, and TLS termination. Cloudflare
processes HTTP request metadata (IP, headers) under their
Privacy Policy.
- Shopify — when you install our Shopify app, your use of Shopify is
subject to Shopify’s Privacy Policy.
We are a data processor acting on your (the merchant’s) behalf.
5. Data Retention
We retain data for as long as necessary to provide the service and meet legal obligations:
- Active merchant accounts — retained while the account exists. You may
request deletion at any time (see Section 7).
- Order and payment records — retained for 3 years for accounting and
dispute resolution purposes.
- Shopify OAuth tokens — deleted within 48 hours of app uninstall via
Shopify’s shop/redact GDPR webhook.
- Ephemeral swap claim data — deleted automatically once a swap is
settled or expired (typically within minutes to hours).
- Server logs — 14 days rolling.
6. Data Security
We take data security seriously:
- All data in transit is encrypted via TLS 1.2/1.3.
- Shopify access tokens and wallet descriptors are encrypted at rest (AES-256-CBC).
- The SQLite database file is restricted to 600 permissions on the server.
- SSH access is restricted to a private network (Tailscale); no public SSH.
- Automatic security updates are enabled on the server.
- We do not log or store plaintext secrets.
7. Your Rights (GDPR)
If you are located in the European Economic Area or United Kingdom, you have the following
rights under the General Data Protection Regulation (GDPR):
- Right of access — request a copy of the data we hold about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your personal data, subject to
legal retention obligations.
- Right to restriction — request that we stop processing your data while
a dispute is resolved.
- Right to data portability — receive your data in a structured,
machine-readable format.
- Right to object — object to processing based on legitimate interests.
To exercise any of these rights, email us at
[email protected]. We will respond within 30 days.
Shopify GDPR Compliance
Our Shopify app implements Shopify’s mandatory GDPR webhooks:
- customers/data_request — we acknowledge the request. We do not store
customer PII, only order IDs.
- customers/redact — we delete order records associated with specified order
IDs upon request.
- shop/redact — we delete all merchant and order data for a shop within 48
hours of an uninstall event.
8. Cookies
The AvoPay merchant dashboard uses a single HttpOnly, Secure
session cookie (__Host-avopay_token) for authentication. No tracking or
advertising cookies are used. The embedded Shopify admin UI (shopify-admin/)
uses sessionStorage only — no cookies.
9. Children’s Privacy
AvoPay is a B2B service for merchants. We do not knowingly collect personal data from
individuals under 18 years of age.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at
the top of this page reflects when changes were last made. Continued use of the service after
changes are posted constitutes acceptance of the updated policy. For material changes, we will
notify merchant account holders by email.
11. Contact
If you have questions about this Privacy Policy or our data practices, please contact us:
For Shopify App Store inquiries specifically, our app support email is
[email protected].
© 2026 AvoPay. All rights reserved.