Ledgerly: Payout Journals ("Ledgerly", "the app", "we", "us") is a Shopify app that posts balanced settlement-summary journals to Xero for your Shopify Payments payouts. Each settled payout becomes one journal, split into gross sales, processor fees, refunds, and adjustments, so your bank reconciliation matches what your books recorded. This policy explains what data the app accesses and stores, how we use it, who we share it with, and what rights you have.
The app is operated by Ioannis Kerkinos (sole operator). Contact details are in Section 9.
With your authorization, the app accesses your Shopify store's orders and Shopify Payments payout and dispute data through the Shopify Admin API. We use this access solely to build and post balanced settlement journals to your connected accounting ledger.
Specifically, the app reads:
The app does not request or read customer names, email addresses, phone numbers, or shipping
addresses. It does not use a read_customers scope and has no access to end-customer
personal data.
The table below summarizes every category of data the app stores.
| Data | Contains personal data? | Purpose | Retention |
|---|---|---|---|
| Store domain and Shopify access/refresh tokens | Merchant store credential (not end-customer data) | Authenticate Admin API calls | Until uninstall or shop/redact, then deleted |
| Xero OAuth connection (organization ID, organization name, access/refresh tokens) | Merchant ledger credential (not end-customer data) | Authenticate Xero API calls to post and read journals in the connected organization | Until disconnected or shop/redact, then deleted |
| Subscription plan state | No | Entitlements (feature access by plan tier) | Until shop/redact |
Raw inbound webhook payloads (including orders/create, refunds/create, orders/cancelled) |
Transiently yes (an order or refund payload includes buyer fields while in transit) | Async processing via the outbox queue; settlement and reversal computation only | 7 days maximum, purged automatically by a scheduled job |
| Settlement ledger entries (order ID, currency, gross revenue, tax amount, gateway name, order timestamp, reconciled payout reference) | No (order ID and money figures only) | Building the balanced settlement journal per payout | Until shop/redact |
| Posted journal records (provider, payout or period reference, external journal ID, organization ID, currency, amount, status, and the per-role breakdown of gross sales, fees, refunds, bank/clearing amounts, adjustments) | No (money figures and identifiers only) | Posting idempotency (so a retried sync never double-posts a payout) and the dashboard's reconciliation view | Until shop/redact |
| Pending reversals (order ID, webhook topic, raw refund/cancel payload) | Transiently yes (a raw refund/cancel webhook body while parked) | Replaying a refund or cancellation once its original settlement lands, so books stay reconciled | Replayed and cleared once the settlement lands, or purged after 7 days |
| Web vitals and product events | No | App performance and funnel telemetry (internal only) | Until shop/redact |
Ledgerly stores no end-customer personal data. Order and payout webhooks are processed only to extract settlement amounts, fees, and refunds for the journal-posting formula. The only long-lived records hold order IDs, currency, and money figures, never a name, email address, or phone number. Raw webhook payloads are purged within 7 days.
We do not store the personal data of your end customers. No customer names, email addresses, physical addresses, phone numbers, or payment details are retained by Ledgerly. Incoming order, refund, and cancellation notifications are processed only to extract settlement amounts, currency, and tax for the journal-posting formula. The raw webhook payloads containing any transient buyer fields are deleted from our processing queue within 7 days by an automatic scheduled purge, regardless of install status.
We use the data described above only to provide the Ledgerly service: computing the settlement amounts for each Shopify Payments payout and posting a balanced summary journal to your connected accounting ledger. We do not use your data for advertising, profiling, or any purpose outside the service you signed up for.
We do not sell or share your data with third parties for marketing or advertising purposes. The app relies on the following sub-processors to operate:
No advertising networks, analytics SDKs, or other third parties receive your data. Ledgerly uses no AI or language-model processing of any kind; the journal-posting math is deterministic software running on our servers. Ledgerly does not send transactional or marketing email today, so no email-delivery sub-processor is engaged.
We apply the following technical safeguards:
Ledgerly honors Shopify's three mandatory privacy-compliance webhooks, all protected by HMAC-SHA256 verification:
customers/data_request): Acknowledged and
logged. Because the app stores no end-customer personal data, there is nothing to disclose.
customers/redact): Acknowledged and logged.
Because no per-customer data is stored, there is nothing to erase.
shop/redact): Permanently and completely removes all
data for your store via cascading database deletion, including your Xero connection,
settlement ledger entries, posted journal records, pending reversals, staging events, and
subscription records.
Settlement and journal data are retained while the app is installed on your store. On
uninstall, and on receipt of a valid shop/redact request from Shopify, all data for
your store is permanently deleted. You may also request deletion at any time by contacting us
at the address in Section 9.
If you are a merchant in the European Economic Area, the United Kingdom, or another jurisdiction with applicable data protection law, you may have rights to access, correct, or erase the merchant-scoped data we hold about your store. To exercise any of these rights, contact us at john.kerkinos@gmail.com.
Support and privacy enquiries: john.kerkinos@gmail.com
Data controller: Ioannis Kerkinos (sole operator)