Privacy Policy
Effective date: 10.02.2026
Last updated: 10.02.2026
This Privacy Policy explains how EU Withdrawal Button (“App”, “we”, “us”) processes personal data in connection with the App. It is intended to meet the information requirements under Articles 13 and 14 GDPR.
1) Controller (Merchant data) and Contact
Controller:
Jonas Busch (Einzelunternehmer)
Hofstraße 2-4
51061, Cologne, Germany
Email: hello@buschbytes.com
Data Protection Officer (if appointed): Jonas Busch
2) Roles Under Data Protection Law (Controller vs. Processor)
Depending on the context, we act in different roles:
A) Processing end-customer data on behalf of merchants (Processor)
For personal data of a merchant’s end customers (withdrawal-related data), we generally act as a data processor (Art. 28 GDPR) on behalf of the merchant, who is the controller.
B) Processing merchant data for our own purposes (Controller)
For personal data relating to merchants (e.g., store account administration, support, security), we act as an independent controller.
3) Categories of Personal Data We Process
A) Merchant data (Controller)
- Shopify store name and store email address
- Shopify identifiers necessary to operate the App (e.g., shop ID, access tokens/credentials where applicable)
- Support communications (content you provide via support chat, contact form, or email)
- Technical logs related to merchant use of the App (e.g., timestamps, request metadata)
B) End-customer data (Processor, on behalf of merchants)
To handle electronic withdrawal requests, the App processes (as provided through the merchant’s storefront/Shopify environment):
- Name
- Email address
- Order number / contract reference
- Ordered item information required to identify the relevant purchase
We do not intentionally collect additional end-customer tracking data beyond what is required for withdrawal handling.
C) Technical and security data (Controller)
- Server logs (e.g., request time, endpoint accessed, status codes)
- Webhook event metadata
- Error and performance telemetry (see Sentry below)
4) Sources of Personal Data (Art. 14 GDPR)
Where personal data is not obtained directly from the data subject, it is typically received from:
- The merchant’s Shopify store environment via Shopify APIs and webhooks, and/or
- The merchant’s storefront withdrawal flow enabled by the App.
Merchant data is provided by the merchant via Shopify and via communications with us.
5) Purposes of Processing
We process personal data only for the following purposes:
A) Withdrawal handling (Processor)
- Receiving and processing electronic withdrawal requests submitted by end customers on behalf of the merchant
- Enabling the merchant to manage withdrawal requests in the App (e.g., status changes, notes, audit trail where applicable)
B) Confirmation and communication (Processor / Controller split)
- Sending the legally required confirmation message to the end customer (typically on behalf of the merchant)
C) Operation, security, and support (Controller)
- Providing and maintaining App functionality
- Preventing abuse and fraud, and ensuring IT security
- Troubleshooting and error diagnosis
- Responding to support inquiries (support chat/contact form/email)
6) Legal Bases (for processing where we are Controller)
Where we act as controller (primarily merchant data and security/operations), the legal bases may include:
- Art. 6(1)(b) GDPR – performance of the contract with the merchant (providing the App)
- Art. 6(1)(c) GDPR – compliance with legal obligations (where applicable)
- Art. 6(1)(f) GDPR – legitimate interests (security, fraud prevention, service reliability, debugging, and defending legal claims)
Legitimate interests (Art. 6(1)(f)) include:
- Ensuring the security and integrity of our systems
- Detecting, preventing, and investigating misuse
- Maintaining stable operation and diagnosing errors
- Establishing, exercising, or defending legal claims
Where we process end-customer data, we do so as processor on the merchant’s instructions; the merchant determines the relevant legal basis for that processing.
7) Recipients / Service Providers
We use the following categories of recipients (processors/sub-processors), to the extent necessary:
A) Email delivery (Postmark)
We use Postmark to send withdrawal confirmation emails. Postmark receives the email address and the necessary message content to deliver the email.
Important note on data location: Postmark states that its primary servers are hosted in the United States and it does not currently plan to add EU servers.
B) Error monitoring (Sentry)
We use Sentry for error monitoring and stability diagnostics. Depending on configuration, Sentry offers an EU region with storage in Frankfurt, Germany. However, Sentry also notes that some metadata/operational data may still be stored outside the selected region.
C) Support chat provider
We use a support chat provider to handle support messages: Crisp.
D) Hosting and infrastructure
We host the App and primary data storage in the EU: Strato.
We do not sell personal data and do not share personal data for advertising.
8) International Transfers (Outside the EU/EEA)
Because we use Postmark for email delivery, personal data processed for sending emails may be transferred to and processed in the United States, depending on Postmark’s infrastructure.
Where international transfers occur, we rely on appropriate safeguards (e.g., Standard Contractual Clauses and/or other applicable mechanisms under GDPR), as reflected in the agreements with the relevant service providers.
9) Retention and Deletion
We retain personal data only as long as necessary for the purposes described above and in accordance with applicable legal requirements.
A) Withdrawal-related data (Processor)
- Stored to enable the merchant to process the withdrawal and maintain documentation/auditability as required by applicable law and the merchant’s settings.
- Merchants can configure retention settings where supported. If a merchant selects a shorter retention period, this does not override any retention obligations applicable to the merchant.
B) Technical logs (Controller)
- Server/security logs: typically up to 30 days (or longer if needed to investigate security incidents or ensure system integrity).
C) Error monitoring data (Controller)
- Sentry events: retained according to our Sentry configuration and plan settings, typically 30–90 days.
D) Support communications (Controller)
- Retained for the duration of the support relationship and thereafter as needed to document the interaction, typically up to 12 months, unless a longer period is required for legal reasons.
10) Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit and encryption at rest
- Access controls (least-privilege)
- Segregation of merchant environments
- Monitoring and incident response processes
Where end-customer data is stored, it is encrypted at rest and access is restricted.
11) Is Providing Data Required? Consequences of Non-Providing
For end customers, providing certain information (e.g., order number and contact email) may be required to:
- identify the relevant contract/order and
- send the confirmation message.
If required data is not provided, the withdrawal request may not be technically attributable or processable via the App, and the customer may need to use alternative withdrawal channels offered by the merchant.
12) Data Subject Rights and How to Exercise Them
Under GDPR, data subjects may have rights including access, rectification, erasure, restriction, portability, and objection.
A) End customers (typically: contact the merchant)
Because end-customer data is processed on behalf of the merchant, end customers should generally direct requests to the merchant (controller). We will support merchants in fulfilling such requests where applicable.
B) Merchants (contact us)
Merchants can exercise their rights by contacting us at [CONTACT EMAIL].
Complaint to a supervisory authority
Data subjects have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of habitual residence, place of work, or place of the alleged infringement.
13) Automated Decision-Making
We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR.
14) Cookies and Similar Technologies
The App may use technically necessary cookies/session storage in the merchant-facing interface to maintain sessions and ensure core functionality.
We do not set analytics or advertising cookies for end customers through the withdrawal functionality.
15) Deletion Requests / Shopify Processes (Uninstall & Data Requests)
If a merchant uninstalls the App or submits a Shopify-related deletion request, we process deletion in line with Shopify’s mechanisms and our contractual obligations, without undue delay, subject to legal retention requirements.
16) Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be made available within the App and/or on our website, with the “Last updated” date adjusted accordingly.
17) Contact
Jonas Busch (Einzelunternehmer)
Email: hello@buschbytes.com