Data Processing Agreement
Auftragsverarbeitungsvertrag (AVV) pursuant to Art. 28(3) GDPR
EU Withdrawal Button / Widerrufsbutton · Version: March 2026
Overview
When you use the EU Withdrawal Button app, we process personal data of your end customers (consumers who submit a withdrawal) on your behalf. Under the General Data Protection Regulation (GDPR), this requires a Data Processing Agreement (DPA) between you (the data controller) and us (the data processor).
This DPA sets out our respective obligations regarding the protection of personal data, including the types of data processed, security measures, sub-processor management, and your rights as the data controller.
How it works: By installing and using the App, you accept this DPA. No separate signature is required. This is standard practice for SaaS applications and is compliant with Art. 28(3) GDPR, which permits electronic form.
Download the DPA
The DPA is available in German (legally binding original) and English (convenience translation).
Note on language:
The German version is the legally binding original. The English version is provided for informational purposes only. In the event of any discrepancy between the language versions, the German version shall prevail.
Auftragsverarbeitungsvertrag (AVV)
Legally binding original version pursuant to Art. 28(3) GDPR.
Download PDF
Data Processing Agreement (DPA)
English convenience translation. In case of discrepancy, the German version prevails.
Download PDF
What the DPA covers
- Subject matter and duration of processing (tied to your use of the App)
- Types of personal data processed (name, email, order number, timestamps, status)
- Your right to issue instructions on how data is processed
- Our technical and organisational security measures (encryption, access controls, tenant separation)
- Approved sub-processors and how changes are communicated
- Assistance with data subject rights (Art. 15–22 GDPR)
- Data breach notification procedures
- Data deletion upon termination (within 30 days of uninstallation)
- Audit and accountability rights
- International data transfer safeguards
Where is your data stored?
All primary data processing takes place within the European Union:
- Database: Supabase (PostgreSQL) – Frankfurt, Germany
- Application servers: Fly.io – Amsterdam (NL) & Frankfurt (DE)
- Email delivery: Resend – Ireland (eu-west-1)
- Error monitoring: Sentry – Frankfurt, Germany (EU region)
For full details on sub-processors and any third-country transfers, please refer to Annex 2 of the DPA.
Frequently asked questions
Do I need to sign the DPA separately?
No. The DPA takes effect when you install the App. This is consistent with Art. 28(3) GDPR, which permits electronic form, and is the standard approach used by SaaS providers across the EU.
Who is the data controller, and who is the processor?
You (the merchant) are the data controller for your end customers’ personal data. We (the App provider) act as the data processor on your behalf. This means we only process data according to your instructions and the terms set out in the DPA.
What happens to data when I uninstall the App?
Upon uninstallation, we delete all personal data processed on your behalf within 30 days, unless you have requested data export beforehand. You can export your data (CSV) from the App before uninstalling.
How will I be notified of sub-processor changes?
We will notify you at least 14 days in advance via email and/or in-app notification. If you object, we will work with you to find an alternative solution.
Does the DPA cover all EU Member States?
Yes. The DPA is based on Art. 28 GDPR, which applies uniformly across the entire EU/EEA. The DPA is governed by German law, but respects mandatory local data protection provisions of your Member State where applicable.
Related documents
Terms of Service · Privacy Policy
Questions?
If you have questions about this DPA or data protection in general, please contact us at hello@buschbytes.com.