Privacy Policy
EU Withdrawal Button / Widerrufsbutton
Effective date: 20.03.2026
Last updated: 20.03.2026
This Privacy Policy explains how EU Withdrawal Button (“App”, “we”, “us”) processes personal data in connection with the App. It is intended to meet the information requirements under Articles 13 and 14 GDPR.
1) Controller (Merchant Data) and Contact
Controller:
Jonas Busch (Einzelunternehmer)
Email: hello@buschbytes.com
2) Roles Under Data Protection Law
Depending on the context, we act in different roles:
A) End-customer data (Processor)
For personal data of a merchant’s end customers (withdrawal-related data), we act as a data processor (Art. 28 GDPR) on behalf of the merchant, who is the controller. The details of this processing relationship are governed by our Data Processing Agreement (DPA/AVV).
B) Merchant data (Controller)
For personal data relating to merchants (e.g., store account administration, support, security), we act as an independent controller.
3) Categories of Personal Data We Process
A) Merchant data (Controller)
- Shopify store name and store email address
- Shopify identifiers necessary to operate the App (e.g., shop ID, access tokens where applicable)
- Support communications (content you provide via support chat, contact form, or email)
- Technical logs related to merchant use of the App (e.g., timestamps, request metadata)
B) End-customer data (Processor, on behalf of merchants)
To handle electronic withdrawal requests, the App processes:
- Name (first and/or last name)
- Email address
- Order number / contract reference
- Timestamps (date and time of withdrawal declaration and confirmation)
- Withdrawal status (new / in_progress / completed / rejected)
- Browser language data (Accept-Language header for automatic language selection)
We do not collect withdrawal reasons or any additional end-customer tracking data beyond what is strictly required for withdrawal handling.
C) Technical and security data (Controller)
- Server logs (e.g., request time, endpoint accessed, status codes)
- Webhook event metadata
- Error and performance telemetry (see Sentry below)
4) Sources of Personal Data (Art. 14 GDPR)
Where personal data is not obtained directly from the data subject, it is typically received from the merchant’s Shopify store environment via Shopify APIs and webhooks, and/or from the merchant’s storefront withdrawal flow enabled by the App. Merchant data is provided by the merchant via Shopify and via communications with us.
5) Purposes of Processing
A) Withdrawal handling (Processor)
- Receiving and processing electronic withdrawal requests submitted by end customers on behalf of the merchant
- Enabling the merchant to manage withdrawal requests in the App (e.g., status changes, notes, audit trail where applicable)
B) Confirmation and communication (Processor)
- Sending the legally required acknowledgment of receipt (confirmation email) to the end customer on behalf of the merchant
C) Operation, security, and support (Controller)
- Providing and maintaining App functionality
- Preventing abuse and fraud, and ensuring IT security
- Troubleshooting and error diagnosis
- Responding to support inquiries
6) Legal Bases (for processing where we are Controller)
Where we act as controller (primarily merchant data and security/operations), the legal bases include:
- Art. 6(1)(b) GDPR – performance of the contract with the merchant (providing the App)
- Art. 6(1)(c) GDPR – compliance with legal obligations (where applicable)
- Art. 6(1)(f) GDPR – legitimate interests (security, fraud prevention, service reliability, debugging, and defending legal claims)
Where we process end-customer data, we do so as processor on the merchant’s instructions; the merchant determines the relevant legal basis for that processing.
7) Recipients / Service Providers
We use the following categories of recipients (processors/sub-processors):
A) Email delivery: Resend
We use Resend to send withdrawal confirmation emails. Resend receives the email address and the necessary message content to deliver the email. Data processing location: Ireland (eu-west-1). Resend is a US-based company, but email processing is configured to use their EU region.
B) Error monitoring: Sentry
We use Sentry for error monitoring and stability diagnostics. Sentry is configured to use their EU region (Frankfurt, Germany). Note: Some metadata/operational data may still be processed outside the selected region by Sentry.
C) Support chat: Crisp
We use Crisp to handle support messages from merchants. Crisp is a French company with data processing in the EU. Note: Support chat is used for merchant communications only, not for end-customer data processing.
D) Database hosting: Supabase
We host the App’s primary database on Supabase (PostgreSQL). Data processing location: Frankfurt, Germany (EU). Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
E) Application hosting: Fly.io
The App’s server infrastructure runs on Fly.io. Data processing locations: Amsterdam (Netherlands) and Frankfurt (Germany). Both locations are within the EU.
F) Domain registration: Strato
Our domain (consumer-withdrawal.eu) is registered with Strato. Strato does not process any end-customer or merchant data beyond standard DNS resolution.
G) E-commerce platform: Shopify
The App operates within the Shopify ecosystem and accesses order data via Shopify APIs for order verification purposes (where enabled by the merchant). Shopify’s own data processing is governed by Shopify’s privacy policy and DPA.
We do not sell personal data and do not share personal data for advertising.
8) International Data Transfers (Outside the EU/EEA)
Our primary data infrastructure is located entirely within the EU (Germany and the Netherlands). The following transfers outside the EU/EEA may occur:
- Resend: US-based company, but email processing is configured for the EU region (Ireland). Safeguards: DPA with Resend; EU Standard Contractual Clauses (SCCs) where applicable.
- Sentry: EU region configured (Frankfurt), but some operational metadata may be processed in the US. Safeguards: DPA with Sentry; SCCs for potential US processing.
- Shopify: Canada / global. Safeguards: Adequacy decision for Canada; Shopify DPA; SCCs.
9) Retention and Deletion
We retain personal data only as long as necessary for the purposes described above.
A) Withdrawal-related data (Processor)
- Basic plan: automatic deletion after 30 days (fixed, privacy-by-default)
- Safe / Proof plan: configurable retention (6 / 12 / 18 / 24 months)
- Upon uninstallation: deletion within 30 days, unless the merchant requests data export
Note: If a merchant selects a shorter retention period, this does not override any retention obligations applicable to the merchant under their own legal requirements.
B) Technical logs (Controller)
Server/security logs: typically up to 30 days (or longer if needed for security incident investigation).
C) Error monitoring data (Controller)
Sentry events: retained according to Sentry configuration, typically 30–90 days.
D) Support communications (Controller)
Retained for the duration of the support relationship and up to 12 months thereafter, unless required longer for legal reasons.
10) Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls (least-privilege principle)
- Logical separation of merchant environments (row-level security)
- Anti-spam protection (honeypot, rate limiting)
- Monitoring and incident response processes
- Multi-factor authentication for infrastructure access
11) Is Providing Data Required?
For end customers, providing certain information (order number, name, and email address) is required to identify the relevant contract and to send the legally required confirmation message. If this data is not provided, the withdrawal request may not be processable via the App, and the customer may need to use alternative withdrawal channels offered by the merchant (e.g., email, letter).
12) Data Subject Rights
Under GDPR, data subjects have rights including access, rectification, erasure, restriction, portability, and objection.
A) End customers
Because end-customer data is processed on behalf of the merchant (controller), end customers should generally direct requests to the merchant. We will support merchants in fulfilling such requests where applicable.
B) Merchants
Merchants can exercise their rights by contacting us at hello@buschbytes.com.
Complaint to a supervisory authority
Data subjects have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of habitual residence, place of work, or place of the alleged infringement.
13) Automated Decision-Making
We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR.
14) Cookies and Similar Technologies
The App may use technically necessary cookies/session storage in the merchant-facing interface to maintain sessions and ensure core functionality. We do not set analytics or advertising cookies for end customers through the withdrawal functionality.
15) Deletion Requests / Shopify Processes
If a merchant uninstalls the App or submits a Shopify-related deletion request, we process deletion in line with Shopify’s mechanisms and our contractual obligations, without undue delay, subject to legal retention requirements.
16) Data Processing Agreement (DPA / AVV)
For the processing of end-customer data on behalf of merchants, we have established a Data Processing Agreement (Auftragsverarbeitungsvertrag / AVV) pursuant to Art. 28 GDPR. The DPA is available at: consumer-withdrawal.eu/dpa. By installing and using the App, merchants accept the DPA.
17) Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be made available within the App and/or on our website, with the “Last updated” date adjusted accordingly.
18) Contact
Jonas Busch (Einzelunternehmer)
Email: hello@buschbytes.com
Website: www.consumer-withdrawal.eu