Español·English

Privacy Policy

CFDI Pronto ("we" or "the app") issues this notice in accordance with Mexico's Federal Law on the Protection of Personal Data Held by Private Parties.

Last updated: 30 de mayo de 2026

1. Who collects the data

CFDI Pronto, an electronic CFDI 4.0 invoicing solution operating as an app within Shopify. For any questions about your personal data, write to atulverma4796@gmail.com.

2. Data we collect

To issue CFDIs on behalf of the merchant, we receive and store the following data:

  • From the merchant: their Shopify store domain, legal name, RFC, tax regime, and tax postal code. We also receive the Digital Seal Certificate files (.cer, .key) and their password at configuration time — these are forwarded to our PAC and not stored in our database.
  • From the merchant's end customer: name or legal name, RFC, tax regime, postal code, CFDI use, and email captured in the self-billing portal. We use this data (1) to issue the requested CFDI and (2) — if the buyer returns to the same merchant's portal — to prefill the form so they don't have to retype it. The prefill cache is scoped per merchant and is automatically deleted when Shopify forwards us a redaction request for that buyer's email.
  • From orders: we read public order data from Shopify (number, date, amount, line items, payment method) to build the CFDI. We do not access personal buyer data beyond what the end customer provides in the portal.

3. What we use it for

  • Issue the CFDI 4.0 with SAT on behalf of the merchant through an Authorized Certification Provider (PAC).
  • Send the end customer the PDF and XML of their invoice by email.
  • Allow the merchant to view, download, resend, or cancel their invoices from the admin panel.
  • Comply with tax and audit obligations (retention for the period required by SAT).

We do not use the data for targeted marketing purposes nor sell it to third parties.

4. Processors / subprocessors

To operate the service we share data with:

  • Facturapi — our SAT-authorized PAC, which seals and stamps the CFDIs.
  • Shopify — on whose infrastructure the app runs; it provides authentication, order data, and subscription billing.
  • Hosting provider — to run the service (server + database).

5. Your ARCO rights

You have the right to Access, Rectify, Cancel, or Object to the processing of your personal data. To exercise them, write to atulverma4796@gmail.com from the email associated with your account. We will respond within a maximum of 20 business days.

6. Data retention

Issued CFDIs: CFDIs and their XML files are retained for at least 5 years, as Mexico's Federal Tax Code requires of the merchant issuer. This retention cannot be accelerated on buyer request — it is the merchant's legal obligation, not ours.

Buyer prefill cache: the fiscal data the buyer enters in the portal and we keep to prefill future visits is automatically deleted when Shopify forwards us a redaction request for that email, or when the merchant uninstalls the app (deletion 48 h after the shop/redact webhook).

Merchant: on uninstall we delete the merchant's session and access credentials. Historical CFDIs remain for the legal-retention period above.

7. Security

We use TLS encryption on all communications, store tokens and sensitive data in protected databases, and transmit CSD files to the PAC over secure channels. We do not retain the private key password in our database.

8. Changes to the notice

We may modify this notice to reflect legal or service changes. We'll publish the current version at this same URL and update the "Last updated" date.

See also: Terms of Service.