Privacy Policy
This policy explains what personal data we collect when you visit solidshop.app, create an account, or purchase commercial extensions, how we use it, and the rights you have over it.
Last updated: 2026-04-30
Introduction
Solidshop publishes a free, open-source e-commerce component for Joomla. The software itself runs entirely on your server — we never see the orders, customers, or products stored inside your Solidshop installation. This policy applies only to the data we collect through our website (solidshop.app), our commercial extensions marketplace, and our support channels.
Are you a customer of a store built on Solidshop? This policy does not apply to your purchases from that store. Each Solidshop merchant is the data controller for their own customer data — contact the merchant directly for questions about your order with them.
Who we are
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, Solidshop is the data controller for the website, your account, and support. You can reach us at
Commercial extensions are sold by Paddle.com Market Limited as the Merchant of Record. When you buy an extension, your contract for that purchase is with Paddle, and Paddle is the independent data controller for the billing, payment, and tax data you provide at checkout. Paddle’s privacy policy applies to that processing — see paddle.com/legal/privacy. Solidshop only receives the limited order metadata Paddle passes back to us (described in the next section).
Data we collect
We collect the minimum data required to run the website, process purchases, and provide support. Categories below describe what we collect and when.
When you visit the website
- Server logs — IP address, user agent, referring URL, pages visited, and timestamps. Retained for 30 days for security and debugging.
- Analytics events — page views, referrer, country (derived from your IP at request time, not stored), and browser/OS class, processed through Cloudflare Web Analytics. No cookies are set, no cross-site tracking takes place, and no persistent identifier is assigned to your browser.
When you create an account
- Email address — for sign-in and transactional messages.
- Name — displayed on invoices and in forum posts.
- Password hash — stored using industry-standard one-way hashing; the plain-text password is never stored.
When you purchase an extension
Purchases are processed by Paddle as Merchant of Record. Solidshop never receives your card number, CVV, or full billing address — those are collected and held by Paddle. From Paddle, we receive only:
- Order metadata — customer email, name (if provided), country, order ID, the product purchased, and the purchase amount.
- Accounting records — the payout reports Paddle provides to us, retained for as long as required by tax and accounting law in our jurisdiction (typically 7–10 years). The customer-facing invoice is issued by Paddle, not by Solidshop.
- Download and licence-key usage logs — which file you downloaded and the domain(s) you activated a licence on, for licence enforcement and delivery of updates.
When you contact support or post on the forum
- Message content, attachments, and screenshots — the text and files you send us.
- Forum posts — publicly visible alongside your chosen display name. You can request deletion of your forum posts at any time.
What we do not collect
We do not collect: government IDs, precise geolocation, biometric data, health data, browsing history from other websites, or data from your Solidshop installation. We do not sell, rent, or trade any personal data to third parties.
How we use data
| Purpose | Data categories used |
|---|---|
| Run the website and serve pages | Server logs |
| Measure site usage and improve the service | Aggregated, cookieless analytics events |
| Authenticate your account | Email, password hash |
| Process purchases and issue invoices | Name, email, billing details, payment metadata |
| Deliver licence keys and software updates | Email, licence usage logs |
| Send transactional email (receipts, password resets, update notices) | Email, name |
| Provide support | Support messages, attachments, account email |
| Prevent fraud and abuse | Server logs, payment metadata |
| Comply with tax, accounting, and legal obligations | Invoices, billing details |
Legal basis (GDPR)
Under the GDPR, every processing activity must have a lawful basis. Ours are:
- Performance of a contract — processing necessary to deliver extensions, licence keys, and support you have purchased.
- Legal obligation — retaining invoices and transaction records as required by tax law.
- Legitimate interests — server-log retention for security and fraud prevention, and aggregated, cookieless analytics for understanding how the website is used and improving it. Our legitimate interests do not override your fundamental rights.
- Consent — optional marketing emails and any non-essential cookies. Consent is always opt-in and can be withdrawn at any time.
Cookies & tracking
The website uses a small number of cookies. We group them as follows:
| Cookie type | Purpose | Requires consent? |
|---|---|---|
| Strictly necessary | Session identifier, CSRF token, shopping cart contents, language preference | No (required for the site to function) |
| Preferences | Theme (light/dark), sidebar state | No (set by your explicit choice) |
Our analytics provider (Cloudflare Web Analytics) does not set cookies or any persistent identifier on your device, so analytics is not listed in the table above. We do not use advertising cookies, third-party remarketing pixels, or cross-site behavioural advertising networks. You can clear cookies at any time from your browser settings.
Third-party services
We use a small number of sub-processors to operate the service. Each is bound by a data processing agreement and transfers only what is necessary for the stated purpose. Paddle is listed separately because it acts as an independent data controller (Merchant of Record) for purchases, not as a sub-processor.
| Service | Purpose | Data shared |
|---|---|---|
| Paddle.com Market Limited (Merchant of Record, independent controller) | Sell commercial extensions, collect payment, calculate and remit sales tax/VAT, issue customer invoices | You provide name, email, billing address, and payment details directly to Paddle at checkout. Solidshop receives back only order metadata (email, name, country, order ID, product, amount). |
| Email delivery provider | Send transactional email (receipts, password resets, update notices) | Recipient email, subject, message content |
| Cloudflare, Inc. (Cloudflare Web Analytics) | Aggregated, cookieless website analytics | IP address (read at request time for country lookup, not stored), user agent, page URL, referrer, basic performance metrics. No cookies, no persistent identifier. |
| Cloud hosting provider | Host the website, database, and file storage | All data processed on our behalf; primary storage stays in the EU |
Data sharing
We do not sell, rent, or trade your personal data. We share data only:
- With the third parties listed above, strictly for the purposes stated.
- When required by a valid court order or binding legal request.
- With a successor entity in the event of a merger, acquisition, or sale of assets — with advance notice to you and an opportunity to object.
Data retention
- Server logs — 30 days, then deleted.
- Account data — retained while your account is active. Deleted within 30 days of account closure (except data we are legally required to retain).
- Invoices and financial records — 10 years from issue, to satisfy tax-law retention requirements.
- Support conversations — 3 years from the date of the last message, so we can reference prior context for returning customers.
- Forum posts — kept indefinitely unless you request deletion.
Security
We take reasonable technical and organisational measures to protect personal data:
- All connections to the website are encrypted with TLS 1.2 or higher.
- Passwords are stored using one-way hashing.
- Payment card data is tokenised and never stored on our servers.
- Production databases are backed up daily and encrypted at rest.
- Access to production systems is limited to named staff, protected by multi-factor authentication, and audited.
No online system is perfectly secure. If we ever detect a breach affecting your personal data, we will notify you and the relevant supervisory authority within the timeframes required by law (72 hours under GDPR).
Your rights
If you are in the EU, UK, Switzerland, California, or another jurisdiction with a comparable privacy law, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct data that is inaccurate or incomplete.
- Erasure — request deletion of your data, subject to retention obligations.
- Restriction — ask us to pause processing in specific circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint — with your local data protection authority.
To exercise any of these rights, email
California residents — under the California Consumer Privacy Act (CCPA) you additionally have the right to know the categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it is shared. All of this is disclosed above.
International data transfers
Our servers are located in the European Union. If you access the service from outside the EU, your data is transferred to and processed within the EU. Cloudflare Web Analytics is operated by Cloudflare, Inc., based in the United States, and serves your requests from a globally distributed edge network; this transfer is covered by Cloudflare’s certification under the EU–US Data Privacy Framework, supplemented by Standard Contractual Clauses (SCCs). For any other sub-processor located outside the EU/EEA, transfers are governed by SCCs or an equivalent transfer mechanism approved by the European Commission.
Children’s privacy
Solidshop is a business-to-business service not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
Changes to this policy
We may update this policy from time to time to reflect changes in our practices, new features, or legal requirements. The “Last updated” date at the top of this page always reflects the current version. If we make material changes, we will notify registered users by email at least 14 days before the change takes effect.
Contact us
For any question about this policy or about how we handle your personal data, contact us at