Privacy & data subject requests

Privacy in general (GDPR)

The app is designed to help you comply with the GDPR:

  • Transparency: In the app’s legal notices you will find the app’s privacy policy (legal basis, what data is processed, retention, your rights). You must accept it on first access.
  • Retention: Personal data such as IP address and User-Agent is kept only for a limited time (e.g. 30 days after a withdrawal is completed) and is anonymized automatically.
  • Data subject rights: The app supports access (Art. 15), rectification, and erasure via the channels provided by Shopify; for requests about data stored by the app, the Privacy section in the app is available (see below).

Legal responsibility for data processing in your shop lies with you as the merchant. The app provides the technical and documentary building blocks.


What is the “Privacy” section for?

When a person (e.g. a customer) asks you for access to the data stored about them, you must provide all relevant data. This includes:

  • Shopify data: Orders, customer data, addresses, etc. – you retrieve these as usual via Shopify Admin or Shopify’s data export.
  • App data: The “EU Withdrawal Form” app additionally stores data on withdrawal requests (e.g. which order, which status, when submitted). You can export this data via the Privacy section and provide it to the data subject.

How to export app data for a request

  1. In the app, open the menu and select Privacy.
  2. Enter the email address of the data subject (exactly as in their request).
  3. Choose the export format (JSON or CSV).
  4. Click Download export.

The downloaded file contains all withdrawal-related data stored by the app for that email (order number, status, timestamps, and if applicable line items and returns). You can include this file in your response to the data subject (e.g. as an attachment or as the basis for a summary).

Note: The export always applies to your shop; you do not need to enter the shop domain.

When there are no records for the email

If no withdrawal requests are stored in the app for the entered email, an error message appears (e.g. “No records (withdrawals) are stored in the app for this email address.”). This is normal and means:

  • The person has not submitted a withdrawal via the app under this email in your shop (or the data was redacted, e.g. after an erasure request).
  • You can inform the data subject in your response that the app does not store additional (withdrawal-related) personal data for this email. You provide other data (orders, customer account, etc.) as usual via Shopify.

When to use the export

  • When you receive a data subject access request (GDPR Art. 15) and must include the data stored by the app.
  • When Shopify triggers a data_request webhook and you need the app data for the full response.

Use the export only for legitimate access requests and to meet your data protection obligations.

More information

  • The app’s privacy policy (legal basis, retention, your rights) is in the app’s legal notices.