Privacy Policy

This Privacy Policy applies to the ArmPay Shopify application, developed and operated by EcomHub ("we", "us", "our"). ArmPay connects your Shopify store to Armenian bank payment gateways (VPOS), enabling your customers to pay with Visa, Mastercard, and ArCa cards.

This policy explains what data we access, how we use it, who we share it with, and how we protect it. It covers processing by the ArmPay application and the ecomhub.am marketing website.

When you install ArmPay, we access the following through the Shopify API:

• —Store name and domain
• —Order information (order ID, amounts, currency, financial status)
• —Customer email addresses associated with orders

We request the following Shopify API scopes: read_orders and write_orders.

• —Bank VPOS credentials (username, password, client ID) entered in the ArmPay merchant dashboard
• —Bank provider selection (which Armenian bank you use)
• —Test / Live mode preference

We do notcollect, store, or process credit card numbers, CVV codes, or any cardholder data. All payment card information is entered directly on your bank's secure hosted payment page (VPOS). We only receive:

• —Payment status (success or failure)
• —Masked card number (e.g. **** **** **** 1234)
• —Transaction reference IDs

• —Initiate payment transactions with your bank on behalf of your customers
• —Mark orders as paid in your Shopify store
• —Display payment history and status in the merchant dashboard
• —Process refunds and cancellations through your bank
• —Calculate billing for your ArmPay subscription

We share the minimum data necessary to process payments and operate the service. The parties below are the only categories of recipients:

• —Shopify— order payment status updates and required compliance data, via the Shopify API.
• —Armenian acquiring banks— your selected bank receives VPOS credentials and transaction details to process the payment. Supported: Ameria, Inecobank, Ardshinbank, ACBA, IDBank, Converse, Evocabank, and VTB Armenia.
• —Card networks— Visa, Mastercard, and ArCa process the underlying card authorisation through your bank. We do not send data to them directly.
• —Brevo— transactional email infrastructure (account notifications, support replies). Recipient email and message content only.
• —Cloudflare— CDN, DNS, and edge-layer protection for ecomhub.am and the ArmPay service. Cloudflare processes request metadata (IP, user agent) as a routine part of content delivery.

We do not sell data. We do not share data with advertisers, data brokers, or any third party not listed above.

We use Cloudflare Web Analytics, which is cookieless and does not track users across sites. No personally identifying information is stored by this analytics layer.

The ArmPay merchant dashboard uses strictly-necessary session cookies to keep you signed in and to remember your bank-provider and test/live preferences. There are no advertising cookies, no cross-site trackers, and no third-party analytics beyond Cloudflare.

Your bank VPOS credentials are stored on our servers and are only used to communicate with your bank's payment gateway. All data transmission uses HTTPS encryption. Payment session data (order IDs, amounts, status) is stored in our database to maintain transaction history.

• —Merchant configuration— retained while the app is installed; deleted within 30 days of uninstall.
• —Payment session data— retained for up to 7 years to comply with financial record-keeping requirements.
• —Customer email addresses— retained only as part of payment session records.

ArmPay complies with Shopify's API Terms of Service. We handle the following mandatory compliance webhooks:

• —Customer data request— we provide all stored data related to a customer upon request.
• —Customer data erasure— we delete all customer-related data upon request.
• —Shop data erasure— we delete all store data when the app is uninstalled.

ArmPay is operated from Armenia and processes data under the Republic of Armenia's Law on Protection of Personal Data. Where EU-based merchants or their customers use the service, the EU General Data Protection Regulation (GDPR) also applies. Under these frameworks you have the right to:

• —Access the data we hold about you and your store
• —Rectification — request correction of inaccurate or incomplete data
• —Deletion — request erasure of your data, subject to legal retention requirements
• —Portability — receive your data in a structured, machine-readable format
• —Restriction of processing — limit how we use your data while a request is being resolved
• —Objection to processing — object to any processing based on legitimate interest
• —Withdraw consent at any time, without affecting prior lawful processing
• —Lodge a complaint with your supervisory authority — in Armenia, the Personal Data Protection Agency; in the EU, your national data protection authority
• —Uninstall the app at any time to stop all data processing

To exercise any of these rights, contact us at [email protected]. We respond to verified requests within 30 days.

ArmPay is not intended for, marketed to, or knowingly used by children under 16. If we learn we have collected data from a user under 16, we delete it immediately.

We may update this Privacy Policy from time to time. We will notify merchants of significant changes via email or through the ArmPay app dashboard. The date at the top of this page always reflects the current version.

If you have any questions about this Privacy Policy:

• —Email: [email protected]
• —Developer: EcomHub, Yerevan, Armenia