Privacy Policy

Last updated: June 2, 2026

1. Who we are

Rioko is a service operated by Kapta, based in Portugal, which automates invoicing for Shopify stores through InvoiceXpress. For privacy matters, contact us at [email protected].

2. Data we collect

  • Account: name, email and unique identifier (via Clerk authentication).
  • Integration credentials: Shopify token, InvoiceXpress API key, webhook secrets — used only to issue tax documents on your behalf.
  • Order data: ID, customer, VAT ID, amounts, products — processed in real time to create the invoice or credit note.
  • Technical logs: timestamps, request IDs, responses from external APIs, for auditing and diagnostics.

3. What we use it for

Data is used exclusively to:
  • Automatically create Invoice-Receipts and Credit Notes in InvoiceXpress.
  • Ensure tax compliance (AT rules, VAT exemptions M01–M99, VAT ID).
  • Display history in the dashboard.
  • Provide technical support when you request it.

We do not sell or share your data with third parties for marketing purposes.

4. Subprocessors

To operate the service, we rely on:
  • Cloudflare (hosting, DNS, D1, KV, Workers) — EU/global.
  • Clerk (authentication) — EU/US.
  • Shopify (order source) — per your store configuration.
  • InvoiceXpress (tax issuer) — Portugal.
  • Vercel (supplementary logging) — EU/US.
  • Google (Google Analytics 4 — anonymous traffic measurement) — EU/US, under the EU Standard Contractual Clauses. Loads only with your consent.

5. Retention

We keep your data while your account is active. Once the account is deleted, personal data is removed from our database within 30 days. Anonymized logs may be retained for up to 12 months for diagnostics and fraud prevention.

6. Your rights (GDPR)

You have the right to:
  • Access your personal data.
  • Correct inaccurate data.
  • Request deletion ("right to be forgotten").
  • Request data portability.
  • Withdraw consent at any time.
  • File a complaint with CNPD (Portuguese Data Protection Authority).

To exercise any right, email [email protected].

7. Security

All tokens and API keys are stored encrypted. Communications between Rioko and external services (Shopify, InvoiceXpress, Clerk) use HTTPS/TLS exclusively. Shopify webhooks are verified with HMAC-SHA256 before any processing.

8. Cookies

Strictly necessary (always active, no consent needed): Clerk session — authentication; rioko_impersonate_id — admin impersonation only (1 day); rioko_attr — records signup origin (referrer/campaign) for abuse prevention (90 days).

Analytics (only with your consent): Google Analytics 4 — cookies _ga and _ga_* (~2 years) measure anonymous traffic. Data may be processed by Google in the United States under the EU Standard Contractual Clauses. Loaded via Google Consent Mode v2 with analytics denied by default — these cookies are set only after you accept.

You can change or withdraw your choice at any time via Cookie settings in the page footer. Your choice is stored locally on your device for 6 months, after which we ask again. We use no marketing or advertising cookies.

9. Changes

This policy may be updated. Material changes will be communicated by email to registered users at least 14 days before taking effect.

10. Contact