VATLens Privacy Policy

Effective date: April 3, 2026

This Privacy Policy explains how MoLabs LLC ("VATLens", "we", "us") collects, uses, and protects information when merchants install and use the VATLens Shopify app.

1. Our role

VATLens acts as a data processor on behalf of the merchant (the data controller). We process store data solely to provide VAT reporting features as instructed by the merchant through their use of the app.

2. Information we collect

When you install VATLens, we access and store:

• Shop information — shop domain, shop name, timezone, country, and store currency.
• Authentication and session data — Shopify app session identifiers, granted scopes, and related authentication metadata needed to securely run the embedded app. Depending on what Shopify provides during authentication, this can include Shopify admin user account details such as user ID, email, locale, or collaborator status.
• Order and refund data — order totals, tax amounts, shipping costs, currency codes, shipping and billing country codes, tax-exempt status, and refund amounts. We access this through Shopify's read_orders scope and order/refund webhooks.
• Aggregated rollups — daily and country-level summaries computed from order data for dashboard display and CSV exports.
• App settings — merchant-configured preferences such as VAT pricing mode, display currency, threshold rules, and FX source.

We do not collect customer names, email addresses, phone numbers, physical address lines, postal codes, payment card details, or other customer-identifying fields. For customer location, we store country codes only because VAT reporting in VATLens is based on destination country.

3. Lawful basis for processing (GDPR)

We process data on the following bases:

• Contractual necessity — processing is required to deliver the VAT reporting service you subscribed to.
• Legitimate interest — maintaining app reliability, preventing abuse, and improving performance.

4. How we use information

We use the data described above exclusively to:

• Generate VAT overview dashboards and country breakdown tables.
• Produce CSV exports (monthly VAT, daily rollup) when requested.
• Enforce plan usage limits (e.g., Starter order cap).
• Process webhook events to keep data in sync.
• Diagnose errors and maintain service reliability.

5. Data sharing and sub-processors

We do not sell, rent, or trade merchant data. We do not use your data for advertising. Data is shared only with the following service providers required to operate the app:

• Vercel (hosting and serverless functions) — United States
• Neon (PostgreSQL database) — United States

Each sub-processor is bound by their own data processing agreements. We select providers that maintain appropriate security standards.

6. International data transfers

Your data may be processed and stored in the United States. Where data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses or equivalent safeguards provided by our sub-processors.

7. Data retention and deletion

• While installed: VATLens retains order data and rollups for as long as the app is installed and the merchant has an active subscription.
• On uninstall: When a merchant uninstalls VATLens, we receive Shopify's app/uninstalled webhook and delete the shop record and associated app data as part of the uninstall flow.
• Compliance requests: We process Shopify's customers/data_request, customers/redact, and shop/redact webhooks. Data subject requests are fulfilled within 30 days of receipt.

8. Cookies and tracking

VATLens does not set its own cookies or use third-party analytics or tracking scripts. The app runs within the Shopify Admin iframe, which may use Shopify's own session cookies.

9. Security

We use industry-standard measures to protect data, including encrypted connections (TLS), environment-isolated secrets, and access controls on our database and hosting infrastructure. No system is completely secure, and we cannot guarantee absolute security.

10. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your data. You can exercise these rights by:

• Uninstalling the app (triggers automatic app data deletion).
• Contacting us at the email below to request data access or deletion.

We will respond to verified requests within 30 days.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app or via email. Continued use of VATLens after changes constitutes acceptance.

12. Contact

For privacy questions or data requests, contact: skinglowapp@gmail.com