1. Introduction
This privacy policy describes how the Shopify app “EU Withdrawal Button” (hereinafter “the App”) collects, uses, stores, and protects personal data. The App is developed and operated by inventivo (Nils Harder).
Provider: inventivo – Nils Harder, Dülmener Str. 12 C, 48163 Münster, Germany
Contact: apps@inventivo.de
By installing the App, you (“the Merchant”) agree to this privacy policy.
2. Data We Collect
2.1 From Merchants (Shop Owners)
When you install the App, we access the following data through the Shopify API:
- Shop information: Shop name, shop domain (myshopify.com URL)
- Order data: Order numbers (read-only, for matching withdrawals to orders)
- Customer data: Only when a customer submits a withdrawal – name, email address, order number
We do not access payment information, passwords, or full customer lists.
Shopify API Scopes used:
read_orders– To verify order numbers submitted in withdrawal formswrite_orders– To tag orders with withdrawal statusread_customers– required by Shopify to read the customer name associated with the submitted order number
2.2 From End Customers (Shop Visitors)
When a customer submits the withdrawal form in your store, the following data is collected:
- Full name
- Email address
- Order number
- Reason for withdrawal (optional)
- Date and time of submission
- IP address (for legal proof of submission)
This data is collected solely for the purpose of processing the withdrawal request as required by EU Directive 2023/2673.
3. How We Use the Data
All collected data is used exclusively for:
- Processing withdrawal requests – Matching withdrawals to orders, sending confirmation emails
- Email notifications – Sending automatic confirmation emails to customers and notification emails to merchants
- Record keeping – Providing merchants with a list of withdrawals for legal compliance and documentation
- Export functionality – Enabling CSV and PDF exports of withdrawal records
We do not:
- Sell personal data to third parties
- Use data for advertising or marketing purposes
- Share data with any third party except the sub-processors listed below (Shopify, Hetzner)
- Use data for profiling or automated decision-making
With respect to the personal data submitted through the withdrawal form, we act as a data processor on behalf of the merchant. We may, however, disclose personal data where we are legally required to do so – for example, to comply with applicable law or to respond to a valid request by a public authority, court, or law enforcement agency (such as a court order or subpoena). Any such disclosure is limited to what the applicable law requires.
4. Data Storage and Security
- All withdrawal data is stored in a PostgreSQL database on a dedicated server operated by inventivo, located in a Hetzner Online GmbH data center in Germany (EU). The app itself runs on this server (apps.inventivo.de), not on Shopify's infrastructure.
- All communication is encrypted via HTTPS/TLS.
- Access to withdrawal data is restricted to the authenticated shop owner via Shopify's session token authentication.
5. Data Retention
- Withdrawal records are stored for as long as the App is installed
- Merchants can export their data at any time via CSV or PDF
- Upon app uninstallation, all data is permanently deleted – this includes all withdrawal records, settings, and session data
6. Data Deletion
Automatic Deletion
When the App is uninstalled from a Shopify store, all associated data is automatically and permanently deleted. This includes:
- All withdrawal records
- All app settings
- All session data
This process is triggered automatically and cannot be undone.
Manual Deletion Requests
End customers can request deletion of their personal data by contacting the merchant directly. Merchants can also contact us at apps@inventivo.de for assistance.
7. GDPR Compliance
The App implements the following GDPR-mandated Shopify webhooks:
- Customer Data Request – We provide all stored data for the requested customer
- Customer Data Erasure – We anonymize all personal data for the requested customer
- Shop Data Erasure – We delete all data associated with the shop
8. Third-Party Services
The App uses the following third-party services:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Shopify | App platform, API, authentication | shopify.com/legal/privacy |
| Hetzner Online GmbH | Data center & server infrastructure for the app, database and outgoing email server (mail.inventivo.de) – located in Germany (EU) | hetzner.com/legal/privacy-policy |
| Crisp | In-app support chat (optional) | crisp.chat/privacy |
Confirmation and notification emails are sent from our own mailbox (shopifyapps@inventivo.de) via the mail server described above; no external email delivery service is used. All data is processed within the EU/EEA. Data is stored in Germany (Hetzner).
10. Children’s Privacy
The App is not directed at children under 16 years of age. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this privacy policy from time to time. The “Last updated” date at the top will be revised accordingly. Continued use of the App after changes constitutes acceptance of the updated policy.
12. Your Rights
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict processing of your data
- Data portability – receive your data in a structured format
- Object to processing of your data
- Lodge a complaint with a supervisory authority
13. Contact
For questions about this privacy policy or data protection:
inventivo – Nils Harder
Dülmener Str. 12 C
48163 Münster, Germany
Email: apps@inventivo.de
Website: www.inventivo.de