Data Processing Agreement
Data processing agreement pursuant to Art. 28(3) GDPR governing personal data the EasyWithdraw app processes on a merchant's behalf.
Controller: the Merchant operating the Shopify store on which the App is installed (as identified through the Shopify installation record)
Processor: R11N Ventures GmbH (the "Provider")
Service: EasyWithdraw, a Shopify application for handling end-customer withdrawal declarations
Document type: Data Processing Agreement pursuant to Art. 28(3) GDPR
Version: 04.06.2026
Governing law: Federal Republic of Germany
Table of Contents
- Recitals and Incorporation
- Definitions
- Role of the Parties
- Subject Matter, Nature, Purpose, Duration
- Categories of Data Subjects and Personal Data
- Documented Instructions; Unlawful-Instruction Flag
- Confidentiality of Personnel
- Security of Processing: Technical and Organisational Measures
- Sub-Processors
- International Data Transfers
- US State Privacy Laws
- Data Subject Rights Assistance
- Personal Data Breach Notification
- DPIA and Prior Consultation Assistance
- Audit Rights
- Deletion or Return of Personal Data
- Shopify Webhook Commitments
- Article 22 GDPR Cooperation
- Liability
- Records of Processing
- Term, Conflict, Survival
- Governing Law
- Annexes
Annex I: Parties and Contact Points
Annex II: Description of Processing and Technical and Organisational Measures
Annex III: Authorised Sub-Processors
1. Recitals and Incorporation
(A) The Merchant (the "Controller") operates a Shopify store and has installed the App (as defined in the Terms of Service) operated by the Provider (the "Processor").
(B) In connection with the App, the Processor processes personal data on behalf of the Controller within the meaning of Art. 4(8) and Art. 28 GDPR.
(C) This Data Processing Agreement ("DPA") sets out the parties' rights and obligations in respect of such processing and supplements the Terms of Service to which it is annexed and into which it is incorporated by reference. Acceptance of the Terms of Service constitutes acceptance of this DPA.
(D) This DPA is intended to satisfy the requirements of Art. 28(3) GDPR. Where the UK GDPR or the Swiss Federal Act on Data Protection (FADP) applies, this DPA is intended to satisfy the corresponding requirements of those regimes, supplemented by the cross-references in §10.
2. Definitions
2.1 Capitalised terms used in this DPA have the meaning given in the Terms of Service.
2.2 Terms defined in the GDPR (including "personal data", "processing", "data subject", "personal data breach", and "supervisory authority") have the meaning given in Art. 4 GDPR.
2.3 For the avoidance of doubt:
(a) "Controller" means the Merchant in its role of controller per Art. 4(7) GDPR.
(b) "Processor" means the Provider in its role of processor per Art. 4(8) GDPR.
(c) "Sub-Processor" means a sub-processor of the Processor as defined in Art. 28(2) and (4) GDPR; for readability, the lowercase form "sub-processor" carries the same meaning where used in this DPA.
2.4 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in implementing decision (EU) 2021/914 of 4 June 2021. References to a specific Module are made where relevant.
2.5 "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office under §119A of the Data Protection Act 2018 in the current published version.
2.6 "FADP" means the Swiss Federal Act on Data Protection of 25 September 2020, as amended.
3. Role of the Parties
3.1 With respect to processing carried out by the Processor to provide the App to the Controller and to handle End-Customer Withdrawal Declarations on the Controller's behalf:
(a) the Controller is the controller within the meaning of Art. 4(7) GDPR;
(b) the Processor is a processor within the meaning of Art. 4(8) GDPR; and
(c) sub-processors engaged by the Processor act as sub-processors of the Controller within a chain of processing.
3.2 The Processor does not act as an independent controller for Controller-instructed processing. The Processor does not determine the purposes and means of processing personal data on behalf of the Controller.
3.3 For processing carried out by the Processor in connection with its own billing of the Controller, management of Controller-side user accounts, security monitoring of its infrastructure, and compliance with its own legal obligations, the Processor acts as an independent controller. Such processing is outside the scope of this DPA and is governed by the Processor's own privacy notice.
3.4 The Controller acknowledges that, where personal data is exchanged between Shopify and the App (including via Shopify webhooks and Admin API), Shopify and the Controller each act in accordance with their own arrangements; the Processor's role in such exchange is solely to provide the App on the Controller's instruction.
4. Subject Matter, Nature, Purpose, Duration
4.1 The subject matter, nature, purpose, and duration of the processing are described in Annex II and summarised here:
- Subject matter. Receipt, classification, logging, and Merchant-side handling of End-Customer Withdrawal Declarations.
- Nature. Electronic processing in cloud infrastructure, including receipt of HTTP form submissions, application of Merchant-configured rules, storage in a managed PostgreSQL database, generation of emails and PDF/CSV exports, and provision of an admin dashboard.
- Purpose. To provide the Controller with tools intended to assist it in meeting its own consumer-protection record-keeping and refund obligations under §§355 ff. BGB, Directive 2011/83/EU as amended by Directive (EU) 2023/2673, and equivalent law; and to enable the Controller to operate its withdrawal workflow efficiently. The Processor does not warrant that use of the App results in the Controller's compliance with any such law.
- Duration. From installation of the App until termination of the Subscription, plus the retention and deletion period set out in §16.
5. Categories of Data Subjects and Personal Data
5.1 The categories of data subjects and personal data are described in Annex II and summarised here:
- Data subjects. End-Customers (consumers) of the Controller who submit Withdrawal Declarations through the App.
- Personal data. Master data (name, email address); order data (order number, order date, items, monetary amounts); evidentiary data (IP address, user agent, timestamp); content (declaration text, optional reason); locale.
- Excluded. The Controller warrants that it will not route through the App any data falling within Art. 9 GDPR (special categories) or Art. 10 GDPR (criminal convictions and offences). The Controller indemnifies the Processor against any third-party claim arising from breach of this warranty per §16 of the Terms of Service.
6. Documented Instructions; Unlawful-Instruction Flag
6.1 The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organisations, unless required to do so by Union or Member-State law applicable to the Processor; in such case, the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
6.2 The Controller's instructions are constituted by:
(a) this DPA;
(b) the Terms of Service;
(c) the Controller's Configuration in the App (including unreturnable-item rules, withdrawal periods, automation toggles, notification settings, retention settings, and locale overrides); and
(d) any further documented written instruction the Controller gives through the App's interface, by email, or by API.
6.3 Unlawful-instruction flag. Where the Processor reasonably believes that an instruction infringes the GDPR, the UK GDPR, the FADP, or other applicable data-protection law, the Processor will inform the Controller of that belief without undue delay. The Processor may suspend execution of the instruction until the Controller confirms it in writing or withdraws it.
7. Confidentiality of Personnel
7.1 The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.2 The Processor ensures that access to personal data is limited to personnel who need access for the performance of the Processor's obligations under the Terms of Service and this DPA, and that such personnel are trained in data-protection and information-security requirements.
8. Security of Processing: Technical and Organisational Measures
8.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risks for the rights and freedoms of data subjects, the Processor implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk.
8.2 The TOMs are described in Annex II. The Processor may update the TOMs from time to time to maintain or improve the level of security, provided that the overall level of protection is not diminished.
8.3 The TOMs include measures pursuant to Art. 32(1) GDPR, including (a) pseudonymisation and encryption of personal data where appropriate, (b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services, (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing, and evaluating the effectiveness of the measures.
9. Sub-Processors
9.1 General authorisation. The Controller grants the Processor general written authorisation to engage sub-processors for the processing of personal data under this DPA, subject to the conditions in this §9.
9.2 Current sub-processors. The sub-processors currently engaged by the Processor are listed in Annex III. An up-to-date list is published at https://easywithdraw.eu/en/articles/subprocessors.
9.3 Notice of changes. The Processor will give the Controller at least thirty (30) days prior notice of any addition or replacement of a Sub-Processor by (a) publication of the updated list at https://easywithdraw.eu/en/articles/subprocessors and (b) email to the Controller's primary administrative contact registered in the App.
9.4 Right of objection. The Controller may object to the addition or replacement of a sub-processor on reasonable data-protection grounds within the notice period. The Processor and the Controller will discuss the Controller's objection in good faith. If no resolution is reached and the Processor maintains the change, the Controller may terminate the affected Subscription without further charge as its sole and exclusive remedy.
9.5 Sub-processor contracts. The Processor concludes a written contract with each sub-processor that imposes data-protection obligations no less protective than those imposed on the Processor under this DPA, including the obligations in Art. 28(3) GDPR.
9.6 Liability for sub-processors. Where a sub-processor fails to fulfil its data-protection obligations, the Processor remains fully liable to the Controller for the performance of that sub-processor's obligations, subject to the liability provisions in §19.
10. International Data Transfers
10.1 Primary processing location. Personal data is processed primarily in EU regions of the Processor's sub-processors as set out in Annex III. The Processor uses sub-processors with EU-region deployments where reasonably available.
10.2 EU SCCs: controller-to-processor. Where the Controller is established in a third country that is not the subject of an adequacy decision under Art. 45 GDPR (or in the United Kingdom or Switzerland, in which case §§10.3 and 10.4 below additionally apply) and personal data is transferred from the Controller (as data exporter) to the Processor (as data importer in Germany) outside the EEA, or otherwise where Module Two SCCs are required to legitimise that transfer, the parties incorporate Module Two of the Standard Contractual Clauses (controller to processor) by reference. The following Clause-specific selections apply unless otherwise agreed:
(a) Clause 7 (Docking Clause): not applicable.
(b) Clause 9(a) (Use of sub-processors): Option 2, general written authorisation, with thirty (30) days prior notice as set out in §9.
(c) Clause 11(a) (Independent dispute resolution body): the optional language is not included.
(d) Clause 17 (Governing law): the laws of the Federal Republic of Germany.
(e) Clause 18 (Choice of forum and jurisdiction): the courts of Berlin, Germany.
(f) Annex I.A (List of parties): as set out in this DPA's Annex I.
(g) Annex I.B (Description of transfer): as set out in this DPA's Annex II.
(h) Annex I.C (Competent supervisory authority): the supervisory authority for the EU/EEA establishment of the Controller; absent such an establishment, the supervisory authority of the Member State in which the EU representative is located; absent both, the supervisory authority for the Processor's registered office in Berlin. Where the UK GDPR applies, the UK Information Commissioner's Office is the competent authority; where the FADP applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.
(i) Annex II (Technical and Organisational Measures): as set out in this DPA's Annex II.
(j) Annex III (List of sub-processors): as set out in this DPA's Annex III.
10.2a Onward transfers to Sub-Processors. Where the Processor onward-transfers personal data to a US-based Sub-Processor listed in Annex III, that transfer is legitimised by a separately-concluded Module Three SCC (processor-to-processor) between the Processor and the Sub-Processor (supplemented by the Sub-Processor's EU-US Data Privacy Framework certification where applicable). Those instruments bind the Processor and Sub-Processor and are not concluded with the Controller; the Processor remains liable to the Controller under §9.6 for the Sub-Processor's performance.
10.3 UK transfers. Where personal data is transferred from the United Kingdom to a third country not subject to UK adequacy, the parties incorporate the UK IDTA by reference to the current published version on the ICO website. The UK IDTA modifies the SCCs as required by UK data-protection law. For enterprise Controllers requiring a fully completed UK IDTA schedule (Part 1–4), the Processor will, on request, conclude a separate IDTA schedule with the relevant transfer details and security measures.
10.4 Swiss transfers. Where personal data is transferred from Switzerland to a third country not subject to Swiss adequacy, the parties incorporate the SCCs with the adaptations published by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for use under the FADP, in the current published version.
10.5 US sub-processors. For US-based Sub-Processors, the Processor relies on (a) the EU-US Data Privacy Framework certification where the Sub-Processor is currently certified and the certification covers the processing in question, and (b) the SCCs (and corresponding UK/Swiss instruments) in all other cases, which the parties agree apply as a binding fall-back if at any point the Data Privacy Framework ceases to provide a valid transfer mechanism. A summary of the Processor's Transfer Impact Assessment for these Sub-Processors is set out in Annex II Part 3; the full assessment is available to the Controller on reasonable request, subject to confidentiality.
10.6 Supplementary measures. Supplementary measures applied to international transfers include encryption at rest (AES-256), encryption in transit (TLS 1.2 or higher), strict access controls, and contractual safeguards in sub-processor agreements.
11. US State Privacy Laws
Where the laws of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), or equivalent US state privacy laws apply to processing under this DPA, the Processor acts as a "service provider", "processor", or equivalent under those laws. The Processor (a) will not sell or share personal information within the meaning of those laws, (b) will not retain, use, or disclose personal information outside the direct business relationship with the Controller or for any purpose other than for the specific purpose of performing the services specified in the Terms of Service, (c) will not combine personal information with information from other sources except as permitted under those laws to perform the services, and (d) certifies that it understands and will comply with these restrictions. The Controller may take reasonable and appropriate steps to ensure the Processor's compliance with these obligations.
12. Data Subject Rights Assistance
12.1 Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III GDPR (Articles 12–22).
12.2 End-Customer requests routed to the Processor. Where an End-Customer addresses a data-subject request directly to the Processor (for example via the App's contact form), the Processor will, without undue delay and in any event within five (5) business days, refer the request to the Controller. The Processor will not respond substantively to an End-Customer's data-subject request without the Controller's written instruction, except (a) to confirm receipt and (b) to inform the End-Customer that the request has been forwarded to the Controller.
12.3 Technical assistance. The Processor provides the Controller with the technical means to (a) access personal data through the App's admin dashboard and exports, (b) rectify personal data within the App, (c) delete or restrict personal data per §16, and (d) provide a portable copy of Withdrawal Declaration data via PDF and CSV export or documented API.
12.4 Costs. Routine assistance under the App's standard functionality is provided at no additional charge. For non-standard assistance disproportionate to the nature of the processing, the Processor may charge its reasonable costs at standard rates, with prior notice and on a per-request basis.
13. Personal Data Breach Notification
13.1 The Processor notifies the Controller of a personal data breach affecting the Controller's personal data without undue delay after becoming aware of it, and in any event such that the Controller is able to meet its own seventy-two (72)-hour notification obligation under Art. 33(1) GDPR; ordinarily, notification will be made within forty-eight (48) hours of the Processor's awareness.
13.2 The notification includes, to the extent then known:
(a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) the name and contact details of the Processor's privacy contact from whom more information can be obtained;
(c) a description of the likely consequences of the personal data breach; and
(d) a description of the measures taken or proposed to be taken to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
13.3 Where it is not possible to provide all information at once, the information may be provided in phases without further undue delay.
13.4 The Processor reasonably cooperates with the Controller in the Controller's discharge of its obligations under Art. 33 and Art. 34 GDPR.
13.5 The Processor flows the breach-notification obligation down to its sub-processors with timing commensurate with this §13.
14. DPIA and Prior Consultation Assistance
14.1 Taking into account the nature of the processing and the information available to it, the Processor provides the Controller with reasonable assistance in respect of:
(a) data protection impact assessments (DPIAs) under Art. 35 GDPR; and
(b) prior consultation with the competent supervisory authority under Art. 36 GDPR.
14.2 Assistance is limited to information available to the Processor concerning the App's functioning, security measures, and sub-processors. Substantive DPIA decisions remain the Controller's responsibility.
14.3 For non-standard or disproportionate assistance, the Processor may charge its reasonable costs at standard rates, with prior notice.
15. Audit Rights
15.1 Information rights and on-site audits. This §15 implements the Processor's obligation under Art. 28(3)(h) GDPR to make available to the Controller all information necessary to demonstrate compliance with Art. 28 and to allow for and contribute to audits. The Controller's right to receive information necessary to demonstrate compliance is not limited by this §15. The Controller does not, however, have an unconditional right to conduct an annual on-site audit of the Processor's premises; on-site inspections are subject to §15.3 below. The reason is the high operational burden of on-site audits on a SaaS processor with many controllers, balanced by the standing information rights and certification-substitution mechanism in §15.2 and §15.4(h) below.
15.2 Standing information rights. The Processor will, once per calendar year on reasonable Controller request:
(a) provide a current security overview document describing the TOMs implemented; and
(b) complete a reasonable security questionnaire from the Controller.
15.3 For-cause audit. The Controller may exercise an on-site audit or commission a qualified third-party auditor only for cause, specifically:
(a) following a confirmed personal data breach affecting the Controller; or
(b) on documented specific compliance concerns that cannot be resolved by the information rights in §15.2.
15.4 Audit conditions. Any for-cause audit is subject to the following conditions:
(a) at least thirty (30) days prior written notice;
(b) conducted during normal business hours;
(c) no unreasonable interference with the Processor's operations;
(d) compliance with the Processor's site security and confidentiality rules;
(e) no auditor that is a direct competitor of the Processor;
(f) the Controller bears its own audit costs and reimburses the Processor's reasonable personnel and infrastructure costs at standard rates;
(g) the auditor and any audit report are subject to confidentiality obligations no less protective than the Confidentiality section (§19) of the Terms of Service; and
(h) where a recognised certification (such as SOC 2 Type II or ISO/IEC 27001) is held by the Processor or a relevant sub-processor and the certificate or executive summary is provided, that certification substitutes for an on-site audit to the extent the certification covers the audit scope.
15.5 Supervisory authority audits. The Processor cooperates with audits or inspections required by a competent supervisory authority.
16. Deletion or Return of Personal Data
16.1 Retention by data category. The Processor applies the following maximum retention periods per data category, in each case subject to earlier deletion on documented Controller instruction:
| Data category | Default retention | Basis |
|---|---|---|
| Withdrawal Declaration content (declaration text, items, reason) and order linkage | Up to ten (10) years from the end of the calendar year in which the declaration was made, to the extent the Controller's tax-law and commercial-law retention obligations require (§147 AO, §257 HGB); otherwise three (3) years from the end of the calendar year of the declaration (regular statutory limitation period per §§195, 199 BGB) | Controller's record-keeping under tax/commercial law; consumer-claim limitation periods |
| Evidentiary log data (IP address, user agent, timestamp) | Three (3) years from the end of the calendar year of the declaration, after which the data is either deleted or pseudonymised | Proportionality (Art. 5(1)(c) and (e) GDPR); covers regular statutory limitation period |
| Merchant administrative data (Controller-side user accounts, audit-log of Controller actions) | Duration of the Subscription plus thirty (30) days | Account management |
| Backups | Standard backup-rotation cycle; data in backups is deleted on cycle expiry, not on individual instruction | Backup integrity |
The Processor will not retain personal data beyond the maximum period applicable to its category. The Controller is responsible for instructing earlier deletion where its own purpose of processing no longer requires retention.
16.2 Routine deletion on instruction. Where the Controller instructs deletion of specific personal data, the Processor will delete that data within thirty (30) days of the instruction, unless retention is required by applicable law.
16.3 End of services. At the choice of the Controller, expressed in writing within thirty (30) days after termination of the Subscription (other than termination resulting from an Uninstall of the App from the Controller's Shopify store, whether Controller- or Shopify-initiated, in which case §17.1(c) and §17.2 apply and this thirty (30) day election window does not), the Processor will delete or return all the personal data to the Controller and delete existing copies, unless Union or Member-State law requires storage of the personal data.
(a) Return. Where the Controller chooses return, return is by export through the App's PDF and CSV export functions or documented API.
(b) Default to deletion. Absent the Controller's written election within thirty (30) days, the Processor will proceed with deletion. This default-to-deletion rule operates only in respect of terminations to which the thirty (30) day election window in the opening paragraph of this §16.3 applies; in respect of terminations resulting from an Uninstall, the Shopify-mandated deletion timeline in §17.1(c) governs.
(c) Records subject to retention. Personal data which the Processor is required by Union or Member-State law to retain (for example, tax-law retention obligations applicable to invoices) is not deleted but instead switched to restricted processing (Sperrung) per Art. 18 GDPR, accessible only to authorised personnel for the purpose of complying with the retention obligation, and deleted at the end of the retention period.
16.4 Sub-processor deletion. The Processor will procure that its sub-processors apply equivalent deletion or return obligations to copies they hold.
16.5 Certificate of deletion. On Controller request, the Processor will provide a written certificate of deletion.
17. Shopify Webhook Commitments
17.1 The Processor maintains and operates the Shopify-mandated GDPR webhooks for the App as follows:
(a) customers/data_request. On receipt, the Processor will action the request within thirty (30) days of receipt and respond with HTTP 200. The Processor will forward such requests to the Controller as set out in §12.2 and, on Controller instruction, package the relevant End-Customer data for the Controller's response.
(b) customers/redact. On receipt, the Processor will, within thirty (30) days, delete the End-Customer's personal data held by the Processor on the Controller's behalf, subject to applicable retention obligations and the Sperrung provisions in §16.3(c); the Processor will respond with HTTP 200.
(c) shop/redact. On receipt, the Processor will, within forty-eight (48) hours, delete all personal data associated with the Controller's shop held by the Processor; the Processor will respond with HTTP 200.
17.2 The Controller acknowledges that the webhook commitments above operate in addition to, and not in substitution of, the broader deletion provisions in §16, with the following clarification: where the Subscription terminates as a result of an Uninstall of the App from the Controller's Shopify store (whether Controller- or Shopify-initiated), Shopify's shop/redact webhook is the binding deletion trigger and the forty-eight (48) hour deletion window in §17.1(c) applies. The thirty (30) day Controller-election window in §16.3 does not apply in that case. The Controller must therefore export any personal data it requires for its own retention obligations through the App's PDF and CSV export functions or documented API before Uninstalling. See §17.2 of the Terms of Service for the automatic-termination mechanism that links the Uninstall event to the operation of this §17.
18. Article 22 GDPR Cooperation
18.1 The processing under this DPA includes rule-based automated processing of Withdrawal Declarations that may produce legal effects on End-Customers or similarly significantly affect them within the meaning of Art. 22(1) GDPR.
18.2 No AI/ML. The automation is rule-based and deterministic. No artificial intelligence or machine learning is used. The general description of the decision logic is set out in Annex II.
18.3 Allocation of responsibility.
(a) The Controller is the controller of the decision logic and bears legal responsibility under Art. 22 GDPR. The Controller configures the rules; the Processor supplies only the execution engine. See §12 of the Terms of Service.
(b) The Controller is responsible for establishing and documenting a lawful basis under Art. 22(2) GDPR for the automated processing (typically Art. 22(2)(a) contractual necessity or Art. 22(2)(c) explicit consent), and for implementing the safeguards required by Art. 22(3) GDPR.
18.4 Technical means provided by the Processor. The Processor provides the following technical means to support the Controller's Art. 22(3) safeguards:
(a) Human intervention. The admin dashboard allows the Controller's personnel to review, override, or reverse any automated outcome on a case-by-case basis at any point before or after the outcome is communicated to the End-Customer.
(b) Expression of a point of view. The App's End-Customer confirmation page and confirmation email include a structured channel through which the End-Customer may submit comments or a point of view on the outcome; submissions are routed to the Controller's admin dashboard for action.
(c) Contestation. The App supports a reversal workflow that allows the Controller, in response to an End-Customer contestation, to undo a previously-executed automated outcome (such as a cancellation or refund), subject to Shopify Billing API constraints.
(d) Logging. A log of rule evaluation (inputs, rules matched, outcome) is recorded for every automated decision and is exportable through the admin dashboard or API for the retention period set out in §16.
18.5 Assistance with challenges. The Processor assists the Controller in responding to End-Customer requests under Art. 22 GDPR by making the underlying data and rule-evaluation log available through the App's standard functionality at no additional charge.
19. Liability
19.1 The limitation-of-liability regime in §15 of the Terms of Service applies mutatis mutandis to this DPA and forms an integral part of it. In particular, the 12-month fee cap, the excluded categories of damages, and the mandatory carve-outs (intent, gross negligence, life/body/health, Produkthaftungsgesetz, Art. 82 GDPR, breach of essential contractual duties, fraudulent concealment, guarantees, payment default) apply equally to claims under this DPA.
19.2 Where the SCCs apply to a particular transfer, Clause 12 of the SCCs (Liability) prevails to the extent it provides greater protection to data subjects or contradicts §19.1.
19.3 Additional rule for joint liability under Art. 82 GDPR. Each party's liability towards data subjects under Art. 82 GDPR is not limited by this DPA. The internal allocation between the parties of joint liability under Art. 82(4) GDPR follows the parties' respective fault contributions. This §19.3 supplements, and does not replace, the §15 ToS regime mirrored in §19.1 above.
20. Records of Processing
20.1 The Processor maintains records of all categories of processing activities carried out on behalf of the Controller per Art. 30(2) GDPR.
20.2 The Processor makes these records available to a competent supervisory authority on request and, on reasonable request, to the Controller to the extent necessary for the Controller's compliance with its own Art. 30 obligations.
21. Term, Conflict, Survival
21.1 Term. This DPA enters into force on the date the Controller accepts the Terms of Service and continues for as long as the Processor processes personal data on behalf of the Controller, including any post-termination retention period under §16.
21.2 Conflict. The full order of precedence is set out in §23.4 of the Terms of Service: (a) the Standard Contractual Clauses (where applicable to the transfer in question), (b) any enterprise annex separately signed by the parties, (c) this DPA, (d) the Terms of Service, (e) the App Store listing. On matters of personal data processing, this DPA prevails over the Terms of Service.
21.3 Survival. §16 (Deletion or Return), §17 (Webhook Commitments, to the extent of pending or future deletions), §19 (Liability), §20 (Records), §21 (this section), and §22 (Governing Law) survive termination.
22. Governing Law
22.1 This DPA is governed by the laws of the Federal Republic of Germany, in accordance with §22 of the Terms of Service, except where the SCCs specify a different governing law for transfers they cover (Clause 17 SCCs), in which case the SCCs apply to those transfers.
22.2 Mandatory provisions of the GDPR, the UK GDPR, the FADP, and applicable Member-State law are not affected.
23. Annexes
The following Annexes form an integral part of this DPA:
- Annex I: Parties and Contact Points
- Annex II: Description of Processing and Technical and Organisational Measures
- Annex III: Authorised Sub-Processors
Annex I: Parties and Contact Points
Controller (Data Exporter):
- Identity. The Merchant operating the Shopify store on which the App is installed, as identified through the Shopify installation record.
- Address. As registered by the Merchant with Shopify.
- Contact person. The shop owner or designated privacy contact as registered in the App.
- Activities. Operation of an e-commerce store on Shopify.
- Role. Controller.
- Signature. Electronic acceptance of the Terms of Service constitutes signature for the purposes of this DPA and Annex I.A of the SCCs.
Processor (Data Importer):
- Identity. R11N Ventures GmbH
- Registered office. Glasbläserallee 6, 10245 Berlin, Germany
- Commercial register. HRB 270992 B, Amtsgericht Charlottenburg
- VAT ID. DE452327161
- Managing director(s). Lars Philipp Triebel
- Privacy contact. privacy@easywithdraw.eu
- DPO. Not appointed at the date of this DPA. At the date of this DPA, the Processor's headcount is below the threshold of §38 BDSG and the Processor's preliminary assessment is that Art. 37(1) GDPR does not mandatorily require a DPO. The Processor will reassess this position as the volume, scale, and risk profile of processing increase (in particular as Controller and End-Customer counts grow), and will appoint a DPO and update this Annex I if a reassessment so requires. Until appointment, the Privacy contact above serves as the responsible point of contact for data-protection matters.
- Activities. Provision of the EasyWithdraw Shopify application.
- Role. Processor.
- Signature. Acceptance of the Terms of Service in the Processor's identity constitutes signature.
Annex II: Description of Processing and Technical and Organisational Measures
Part 1: Description of Processing
(a) Categories of data subjects. End-Customers (natural persons who are consumers per §13 BGB) of the Controller who submit Withdrawal Declarations through the App.
(b) Categories of personal data.
| Category | Examples |
|---|---|
| Master data | First name, last name, email address |
| Order data | Order number, order date, ordered items (SKU, variant, quantity), monetary amounts, currency, fulfilment status |
| Withdrawal content | Declaration text or selection, optional reason, items withdrawn, locale of declaration |
| Evidentiary / log data | IP address, user agent, timestamp of submission, reference number, status transitions |
| Notification data | Email content and delivery status of automated confirmations |
(c) Special categories of personal data. None. The Controller warrants that no Art. 9 GDPR (special categories) or Art. 10 GDPR (criminal convictions and offences) data will be routed through the App.
(d) Frequency of transfer. Continuous, on submission of Withdrawal Declarations and on Controller use of the dashboard.
(e) Nature of processing.
- Receipt of HTTP form submissions from the Controller's Shopify storefront.
- Application of Controller-configured rules: order lookup, withdrawal-period check, per-item unreturnable-rule evaluation (by product type, vendor, tag, collection, product ID), subscription detection.
- Persistence in a managed PostgreSQL database hosted in the EU.
- Routing to one of three workflow paths based on the rule outcome: auto-cancel-and-refund (where the order is unfulfilled and no exclusions apply), auto-return-request-creation (where some items are fulfilled), or manual-review fallback (default safe path).
- Generation and dispatch of email confirmations to End-Customers.
- Provision of an admin dashboard for the Controller's review, classification, internal notes, audit-log access, and PDF/CSV export.
- Provision of Shopify webhooks to the Shopify platform.
(f) Purpose of processing.
- Provide the Controller with tools intended to assist it in meeting its own consumer-protection record-keeping and refund obligations under §§355 ff. BGB and Directive 2011/83/EU (as amended by Directive (EU) 2023/2673). The Processor does not warrant that use of the App results in the Controller's compliance with any such law.
- Enable the Controller to operate its withdrawal workflow efficiently.
- Provide the Controller with auditable records of declarations and outcomes.
(g) Duration. Personal data is retained as long as the Controller's legal retention obligations require, and in any case for no longer than ten (10) years (per §147 AO / §257 HGB), unless the Controller instructs earlier deletion. After termination of the Subscription, deletion or restricted processing applies per §16.
(h) Description of automated decision-making. The App applies rules configured by the Controller to each incoming Withdrawal Declaration. The rule set comprises:
- Pre-submission validation (shop active, order found, email matches order email, order within configured withdrawal period).
- Per-item evaluation against the Controller's unreturnable rules (product type, vendor, tag, collection, product ID: OR-combined; case-insensitive string and ID match).
- Subscription detection (orders containing subscription contracts route to manual review).
- Fulfilment-status branching (unfulfilled → auto-cancel-and-refund path; partially or fully fulfilled → auto-return-request path; ambiguous → manual review).
- Logging of each evaluation and outcome.
Each automated outcome is reversible by the Controller's personnel through the admin dashboard.
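The rule set in (e) and (h), carried through as an added example in TypeScript (not the App's own code): the type and field names, the "rejected" result for failed pre-submission validation, and sending any unreturnable-rule hit to the manual-review path are assumptions made here; the sample data is constructed.

```typescript
// Added example modelled on Annex II Part 1 (e) and (h); not the App's own code.
// Type/field names, the "rejected" result for failed validation, and sending any
// unreturnable-rule hit to manual review are assumptions made here.
type Outcome = "auto-cancel-and-refund" | "auto-return-request" | "manual-review" | "rejected";
type Item = { productId: string; productType: string; vendor: string; tags: string[];
  collections: string[]; fulfilled?: boolean };               // undefined = ambiguous status
type Order = { number: string; email: string; createdAt: string; hasSubscription: boolean; items: Item[] };
type Rules = { productTypes: string[]; vendors: string[]; tags: string[]; collections: string[]; productIds: string[] };
type Shop = { active: boolean; withdrawalPeriodDays: number; rules: Rules };
type Declaration = { orderNumber: string; email: string; submittedAt: string };
// Log record for one evaluation: inputs, rules matched (or validation failure), outcome.
type Evaluation = { outcome: Outcome; reasons: string[]; inputs: Record<string, unknown> };
const norm = (s: string) => s.trim().toLowerCase();
const anyMatch = (rule: string[], values: string[]) =>
  values.some((v) => rule.some((r) => norm(r) === norm(v)));

// Per-item unreturnable check: the five rule kinds are OR-combined; matching is case-insensitive.
function matchedRules(item: Item, rules: Rules): string[] {
  const checks: [string, string[], string[]][] = [
    ["productType", rules.productTypes, [item.productType]],
    ["vendor", rules.vendors, [item.vendor]],
    ["tag", rules.tags, item.tags],
    ["collection", rules.collections, item.collections],
    ["productId", rules.productIds, [item.productId]],
  ];
  return checks.filter(([, rule, vals]) => anyMatch(rule, vals)).map(([kind]) => `${kind}@${item.productId}`);
}

function evaluate(shop: Shop, order: Order | undefined, decl: Declaration): Evaluation {
  const inputs = { orderNumber: decl.orderNumber, submittedAt: decl.submittedAt };
  const done = (outcome: Outcome, reasons: string[] = []): Evaluation => ({ outcome, reasons, inputs });
  // 1. Pre-submission validation: shop active, order found, email matches, within withdrawal period.
  if (!shop.active || !order) return done("rejected", ["validation:shop-or-order"]);
  if (norm(order.email) !== norm(decl.email)) return done("rejected", ["validation:email-mismatch"]);
  const ageDays = (Date.parse(decl.submittedAt) - Date.parse(order.createdAt)) / 86400000;
  if (ageDays < 0 || ageDays > shop.withdrawalPeriodDays) return done("rejected", ["validation:period-expired"]);
  // 2. Per-item unreturnable rules: any hit is an exclusion, so the order takes the safe default path.
  const hits: string[] = [];
  for (const it of order.items) hits.push(...matchedRules(it, shop.rules));
  if (hits.length > 0) return done("manual-review", hits);
  // 3. Subscription detection.
  if (order.hasSubscription) return done("manual-review", ["subscription"]);
  // 4. Fulfilment-status branching; unknown status on any item is treated as ambiguous.
  const status = order.items.map((it) => it.fulfilled);
  if (status.some((s) => s === undefined)) return done("manual-review", ["fulfilment:ambiguous"]);
  return done(status.every((s) => s === false) ? "auto-cancel-and-refund" : "auto-return-request");
}
// Constructed sample data (not real merchant data): a 5-day-old, unfulfilled T-shirt order.
const sampleShop: Shop = { active: true, withdrawalPeriodDays: 14,
  rules: { productTypes: ["Gift Card"], vendors: [], tags: ["final-sale"], collections: [], productIds: [] } };
const sampleOrder: Order = { number: "#1001", email: "Anna@Example.com", createdAt: "2026-05-20T10:00:00Z",
  hasSubscription: false, items: [{ productId: "gid://shopify/Product/1", productType: "T-Shirt",
  vendor: "Acme", tags: ["summer"], collections: [], fulfilled: false }] };
const sampleDecl: Declaration = { orderNumber: "#1001", email: "anna@example.com", submittedAt: "2026-05-25T09:00:00Z" };
console.log(evaluate(sampleShop, sampleOrder, sampleDecl));   // outcome "auto-cancel-and-refund"
```

The returned `Evaluation` is the per-decision log the Controller can export under §16; every early return records why the safe path was taken.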
(i) Shopify Admin API access scopes. The App accesses the Controller's Shopify store exclusively through the following OAuth access scopes, granted by the Controller on installation via Shopify's consent screen. A plain-language explanation of each permission is published at https://easywithdraw.eu/en/articles/shopify-permissions.
| Scope | Shopify API resources | Purpose in the App |
|---|---|---|
| read_locales | ShopLocale | Detection of the store's published languages and primary language to localise the withdrawal form and notification emails |
| read_products | Product, ProductVariant, Collection | Configuration and display of the Controller's unreturnable-item rules (by product type, vendor, tag, collection, product) and variant-option-name suggestions |
| read_themes | OnlineStoreTheme | Detection of whether the App's storefront blocks are installed in the Controller's theme; storefront-type detection for onboarding |
| read_customers | Customer | Resolution of the customer record linked to an order so the Controller's dashboard can link to that record in the Shopify admin |
| write_orders | Order, OrderTransaction, Fulfillment (read and write; limited to orders of the last 60 days) | Order lookup and validation of Withdrawal Declarations; fulfilment-status routing per (e); order cancellation and refund creation on the paths described in (e) and (h); refund prechecks; storage of an app-owned configuration metafield |
| write_returns | Return (read and write) | Creation of return requests for fulfilled items on the auto-return-request path described in (e) and (h) |
The App does not request the read_all_orders scope; Shopify limits the App's order access to orders created within the last sixty (60) days. Read-only scopes confer no write access: the App cannot modify the Controller's products, themes, customer records, or language settings.
Part 2: Technical and Organisational Measures (TOMs)
The Processor implements the following measures pursuant to Art. 32 GDPR. The Processor may update these measures from time to time, provided the overall level of protection is not diminished.
| Category | Measures |
|---|---|
| Encryption at rest | AES-256 for personal data stored in the database, file storage, and backups. |
| Encryption in transit | TLS 1.2 or higher for all connections between merchants, end-customers, the App, Sub-Processors, and internal services. |
| Key management | Encryption keys are managed through the platform-managed key services of the Processor's infrastructure Sub-Processors. Application-level secrets are stored in a secrets manager with access restricted to authorised personnel and processes. |
| Multi-tenancy and tenant separation | Personal data is logically partitioned per merchant (Controller) at the application layer through merchant-scoped identifiers enforced on every read and write. Direct cross-tenant queries are not permitted. |
| Access control: authentication | Multi-factor authentication required for all personnel accounts with access to production systems containing personal data. |
| Access control: authorisation | Role-based access controls. Production access limited to personnel with operational need. Access reviews conducted at least annually and on personnel role change. |
| Access logging | Access to production systems and personal data is logged. Change logs maintained for configuration and code changes. Logs retained for at least one (1) year. |
| Backups | Automated daily backups of personal data, stored in EU regions, with restoration tests performed at least annually. |
| Incident response | Documented incident-response process, including triage, containment, eradication, recovery, and post-mortem stages, and notification protocols consistent with §13 of this DPA. |
| Vulnerability management | Continuous dependency scanning. Vulnerabilities are triaged by severity (CVSS) and patched on a risk-prioritised schedule; the Processor targets remediation of critical and exploit-likely vulnerabilities within thirty (30) days of confirmed availability of a fix, subject to compatibility testing. No hard patching SLA is given under this standard DPA. |
| Personnel | Written confidentiality undertakings and regular security and data-protection training for personnel with access to personal data. |
| Sub-processor due diligence | Documented due-diligence and contractual safeguards before engagement of any Sub-Processor, and ongoing review. |
| Pseudonymisation | Applied where consistent with the purpose of processing and operationally feasible. In particular, IP/user-agent evidentiary data is pseudonymised or deleted at the end of its retention period per §16.1. |
| Network security | Web application firewall, DDoS protection, and rate-limiting at the network edge through the Processor's CDN/edge Sub-Processor. |
| Audit log | Tamper-evident audit log of merchant configuration changes and withdrawal-record state changes, write-once at the application layer, retained per §16. |
Note on availability. The Processor does not give a hard recovery-time objective (RTO), recovery-point objective (RPO), or patching service-level commitment under this standard DPA. Enterprise merchants requiring such commitments may negotiate them in a separate enterprise annex.
Part 3: Transfer Impact Assessment (Summary)
The following summary applies to the Sub-Processors listed in Annex III. A more detailed assessment is available on reasonable Controller request, subject to confidentiality.
- Categories of personal data transferred. Master data, order data, withdrawal content, evidentiary data, locale (see Part 1 above). No special-category data.
- Recipients. US-headquartered Sub-Processors, with EU-region deployments where available, per Annex III. Onward transfers from those Sub-Processors are limited to their own infrastructure providers and are bound by their respective sub-processing arrangements.
- Risk of access by third-country public authorities. The Processor relies on EU-region deployments to minimise data-at-rest and data-in-processing exposure. The principal residual risk is lawful access requests under US surveillance laws (FISA 702, EO 12333). Each Sub-Processor publishes a transparency report; the Processor reviews these reports during sub-processor due diligence.
- Supplementary measures applied. AES-256 encryption at rest; TLS 1.2+ in transit; strict role-based access; contractual safeguards in each Sub-Processor agreement including notice and challenge obligations on government access requests where legally permitted.
- Conclusion. Taking the supplementary measures into account, the Processor's preliminary assessment is that the level of protection for transferred personal data is essentially equivalent to that guaranteed within the EEA. The Processor monitors developments in the EU-US Data Privacy Framework (including pending litigation) and will update the assessment as required.
Annex III: Authorised Sub-Processors
The current list of authorised sub-processors at the date of this DPA is set out below. An up-to-date list is published at https://easywithdraw.eu/en/articles/subprocessors.
| # | Sub-processor | Service provided | Entity location | Data location | Transfer mechanism |
|---|---|---|---|---|---|
| 1 | Cloudflare, Inc. | CDN, WAF, DDoS protection, edge runtime (Cloudflare Workers) | United States | Global edge network (persistent application data stored in the EU per #2) | EU-US Data Privacy Framework certification (where applicable) and/or SCCs Module Three (and UK IDTA / Swiss FADP adaptations as applicable) |
| 2 | Neon, LLC (a Databricks company) | Managed PostgreSQL database | United States | EU region (AWS Frankfurt, eu-central-1) | EU-US Data Privacy Framework certification (where applicable) and/or SCCs Module Three |
| 3 | Resend (Plus Five Five, Inc.) | Transactional email delivery | United States | United States (EU sending region) | EU-US Data Privacy Framework certification (where applicable) and/or SCCs Module Three |
| 4 | Sentry (Functional Software, Inc.) | Error tracking and crash reporting | United States | EU region (sentry.io EU instance) | EU-US Data Privacy Framework certification (where applicable) and/or SCCs Module Three |
| 5 | Datadog, Inc. | Application and infrastructure monitoring | United States | EU region (datadoghq.eu) | EU-US Data Privacy Framework certification (where applicable) and/or SCCs Module Three |
Note. Shopify Inc. is not a sub-processor of the Processor. The Controller's relationship with Shopify is governed by the Controller's own agreement with Shopify. Data exchanged between the App and Shopify (via Shopify webhooks and the Shopify Admin API) is exchanged on the Controller's instruction.