EU Widerrufsbutton — Privacy Policy
Last updated: 20 May 2026
This Privacy Policy describes how Anviara (“we”, “us”, or “our”) collects, uses, and protects information in connection with the EU Widerrufsbutton Shopify app (“the App”). The App helps merchants meet the electronic withdrawal-button obligation under § 356a BGB (Art. 11a EU Directive 2023/2673), enforced from 19 June 2026.
By installing or using the App, the merchant (“you”) agrees to the practices described in this policy.
Note for end-customers: When you submit a withdrawal through this App on a merchant’s storefront, your data is processed by Anviara on behalf of that merchant. The merchant (store owner) is the data controller and their own privacy policy governs how your data is handled. Anviara acts as a data processor under Art. 28 GDPR.
1. What the App does
The App provides two surfaces:
- A theme app embed that renders a “Vertrag widerrufen” button on the merchant’s storefront, available without login and visible site-wide.
- A withdrawal form served from the merchant’s own domain via Shopify App Proxy (e.g. your-store.myshopify.com/a/withdrawal). Customers fill out the form, receive an automatic receipt-confirmation email, and the merchant manages submissions from an admin dashboard inside the Shopify admin.
The App does not read or modify the merchant’s orders. The order or contract number on the withdrawal form is free text that the customer enters; it is not matched against, or used to change, any Shopify order.
2. Roles
| Role | Party |
|---|---|
| Data controller for end-customer data | The Shopify merchant operating the storefront |
| Data processor | Anviara (acting on the merchant’s instructions) |
| Data controller for merchant-account data | Anviara (limited to operating the App) |
3. Data we access through Shopify
When a merchant installs the App, we receive the following through Shopify’s API:
- Shop domain — to identify the store.
- Shopify API access token — to authenticate API requests on behalf of the store. Stored encrypted at rest; never shared.
- Granted access scopes — to verify the App has the permissions it needs.
- Store metadata — the store’s primary language, contact email, country, and time zone, used to render the withdrawal receipt and merchant notification in the correct language and to stamp submissions in the merchant’s legal time zone.
The App requests the following Shopify API scopes:
| Scope | Purpose |
|---|---|
| read_themes | Check whether the withdrawal-button theme embed is active on the published theme (compliance health check). |
| read_locales | Read the store’s primary language so the receipt and merchant-notification emails are sent in the right language. |
| write_app_proxy | Serve the withdrawal form from the merchant’s own domain via Shopify App Proxy. |
The App does not request read_orders or write_orders. It cannot read order details or change orders.
4. Data we collect from end-customers
When a customer submits a withdrawal via the App, the form captures only:
- Name (mandatory under § 356a)
- Email address for the receipt confirmation (mandatory under § 356a)
- Order or contract number (mandatory under § 356a) — free text entered by the customer
- Reason for withdrawal — optional only, never required.
- Submission language — the language the customer filled out the form in, stored so the receipt email is sent in that same language.
- Server timestamp of submission — required by § 356a as part of the receipt confirmation; rendered in the merchant’s legal time zone.
We do not collect or store the customer’s IP address. Our spam protection (Altcha, see Section 8) is a self-hosted proof-of-work scheme that does not require the IP address to function.
The structured withdrawal declaration that the receipt email reproduces (name + order/contract number + optional reason + server timestamp) is generated from the fields above; it is not stored as a separate copy.
5. What we do with the data
- Send the customer an immediate receipt-confirmation email containing the declaration content and the server timestamp.
- Send the merchant a parallel notification email.
- Store the submission so the merchant can manage it from the admin dashboard (search by order number or email, filter by status, set a status, add internal notes).
- Run periodic retention jobs that remove personal data after the retention period (see Section 7).
We do not use any data collected through the App for marketing, advertising, profiling, or sale to third parties.
6. Where data is stored
All application servers, databases, and backups are hosted inside Germany:
- Application server: Hetzner Cloud, Falkenstein FSN1 (DE).
- Database: PostgreSQL on the same Hetzner server.
- Encrypted backups: pushed every 6 hours to a Hetzner Storage Box (also located in Germany), encrypted at rest with GPG AES-256, with a 14-day retention window and a weekly automated restore drill.
The customer-facing host that serves the withdrawal form and its assets is delivered through Cloudflare (see Section 8). Personal data at rest is stored exclusively in Germany; some subprocessors that handle data in transit are established in the United States and are covered by EU Standard Contractual Clauses.
7. Retention
We minimise personal data while preserving the legal record. Anviara processes withdrawal data as the merchant’s processor (Auftragsverarbeiter); the merchant keeps their own copy of each submission via the notification email.
- On a customer-redact request (Section 10), the personal fields of any matching withdrawal — name, email, and optional note — are anonymised immediately, leaving an anonymised legal shell (order/contract reference, status, language, timestamps).
- Time-based retention: withdrawal entries are automatically removed after a retention window. The window is 24 months on the free plan and may vary by plan.
When a merchant uninstalls the App, associated data is scheduled for deletion within 48 hours. Customer-redact and shop-redact webhook handlers process Shopify’s mandatory deletion requests (see Section 10).
8. Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Application server, database, encrypted backups | Falkenstein, Germany (EU) |
| Cloudflare, Inc. | DNS, TLS termination, and content delivery for the customer-facing host. Processes connection data and request content (incl. the form submission and the customer’s IP for asset requests) in transit. | United States (under EU Standard Contractual Clauses / DPA) |
| Resend, Inc. | Transactional email delivery (receipt confirmation, merchant notifications). Processes recipient name, email address, and declaration content. | United States (under EU Standard Contractual Clauses / DPA) |
| Sentry GmbH (de.sentry.io) | Application error monitoring (no end-customer PII transmitted) | Germany (EU) |
The merchant’s Shopify storefront and the App Proxy transport are operated by Shopify, the merchant’s own platform provider; the merchant’s existing data-processing agreement with Shopify governs that layer.
We do not use third-party captchas (Google reCAPTCHA, Cloudflare Turnstile, etc.). Our spam protection is Altcha — proof-of-work, self-hosted, no cookies, no third-party data flow, no IP address stored.
We do not use Google Analytics, Meta Pixel, Hotjar, or any client-side tracking on the customer-facing withdrawal form or in the merchant admin.
9. Cookies and client-side storage
The withdrawal form does not set any cookies in the customer’s browser and uses no client-side tracking. The Altcha widget runs entirely in-page in invisible proof-of-work mode and stores no state between submissions.
In the embedded Shopify admin, session authentication uses Shopify-issued JWT session tokens; no Anviara-set cookies are required.
10. GDPR data-subject rights
End-customers and merchants located in the EEA (or otherwise entitled to data-protection rights) may exercise the following rights:
- Access (Art. 15 GDPR) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — request correction of inaccurate data.
- Erasure (Art. 17) — request deletion of your data.
- Restriction (Art. 18) — request that processing be limited.
- Portability (Art. 20) — request your data in a machine-readable format.
- Objection (Art. 21) — object to processing on legitimate-interest grounds.
End-customers should normally address these requests to the merchant (the data controller). Anviara as processor will support the merchant in fulfilling the request. Where the request reaches us directly, we will forward it to the responsible merchant and acknowledge it within 48 hours.
The App implements Shopify’s mandatory compliance webhooks:
- customers/data_request — we surface the withdrawal data held for the requested customer.
- customers/redact — we anonymise the personal-data fields (name, email, note) of any matching withdrawal, retaining only an anonymised legal record.
- shop/redact — we delete all shop data within 48 hours of an uninstall.
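The following is an added illustration of how a handler for these three compliance topics can be structured; it is not Anviara’s code and does not describe the App’s actual implementation. It assumes a placeholder client secret, an in-memory list standing in for the database table, matching of withdrawals by the customer email Shopify sends in the payload, and immediate deletion on shop/redact (a real deployment would schedule it). The signature check uses Shopify’s X-Shopify-Hmac-Sha256 scheme (base64 of HMAC-SHA256 over the raw request body with the app secret) and runs before the body is parsed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical client secret; a real app reads it from configuration, never from source.
APP_SECRET = b"example-client-secret-not-real"


@dataclass
class Withdrawal:
    """One stored withdrawal. Personal fields are Optional so they can be blanked on redaction."""
    shop: str
    order_ref: str          # free-text order/contract number, kept as the legal reference
    name: Optional[str]
    email: Optional[str]
    note: Optional[str]
    status: str = "open"
    language: str = "de"
    submitted_at: str = "2026-06-20T10:15:00+02:00"


def seed_store() -> list:
    """Constructed sample rows standing in for the database table."""
    return [
        Withdrawal("demo-store.myshopify.com", "1001", "Erika Mustermann", "erika@example.invalid", "Ware defekt"),
        Withdrawal("demo-store.myshopify.com", "1002", "Max Mustermann", "max@example.invalid", None),
        Withdrawal("other-store.myshopify.com", "2001", "Erika Mustermann", "erika@example.invalid", None),
    ]


def sign(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Value Shopify places in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, raw body))."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_hmac(raw_body: bytes, header_value: str, secret: bytes = APP_SECRET) -> bool:
    # Constant-time comparison over the raw bytes, not over a re-serialised JSON object.
    return hmac.compare_digest(sign(raw_body, secret), header_value)


def handle_compliance_webhook(topic: str, raw_body: bytes, hmac_header: str, store: list) -> dict:
    """Dispatch one of Shopify's three compliance topics. Unsigned requests get 401 before parsing."""
    if not verify_hmac(raw_body, hmac_header):
        return {"status": 401, "error": "invalid hmac"}
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]

    def matches_customer(w: Withdrawal) -> bool:
        email = payload["customer"]["email"]
        return w.shop == shop and w.email is not None and w.email.lower() == email.lower()

    if topic == "customers/data_request":
        # Surface what is held so the merchant (the controller) can answer the Art. 15 request.
        records = [{"order_ref": w.order_ref, "name": w.name, "email": w.email,
                    "note": w.note, "status": w.status, "submitted_at": w.submitted_at}
                   for w in store if matches_customer(w)]
        return {"status": 200, "records": records}

    if topic == "customers/redact":
        # Blank only the personal fields; the anonymised legal shell stays in place.
        count = 0
        for w in store:
            if matches_customer(w):
                w.name, w.email, w.note = None, None, None
                count += 1
        return {"status": 200, "anonymised": count}

    if topic == "shop/redact":
        # Remove every row belonging to the uninstalled shop (immediate here; scheduled in practice).
        before = len(store)
        store[:] = [w for w in store if w.shop != shop]
        return {"status": 200, "deleted": before - len(store)}

    return {"status": 400, "error": "unknown topic"}


def demo() -> dict:
    """Run the three topics against a fresh store and return the outcomes."""
    store = seed_store()
    shop = "demo-store.myshopify.com"
    body = json.dumps({"shop_domain": shop, "customer": {"id": 1, "email": "erika@example.invalid"}}).encode()
    tampered = body + b" "  # any change to the raw bytes invalidates the signature
    out = {}
    out["rejected"] = handle_compliance_webhook("customers/redact", tampered, sign(body), store)["status"]
    out["data_request"] = len(handle_compliance_webhook("customers/data_request", body, sign(body), store)["records"])
    out["redacted"] = handle_compliance_webhook("customers/redact", body, sign(body), store)["anonymised"]
    out["shell_kept"] = [w.order_ref for w in store if w.shop == shop and w.name is None]
    shop_body = json.dumps({"shop_domain": shop, "shop_id": 1}).encode()
    out["deleted"] = handle_compliance_webhook("shop/redact", shop_body, sign(shop_body), store)["deleted"]
    out["remaining"] = len(store)
    return out


if __name__ == "__main__":
    print(demo())
```

The redaction branch matches on shop domain as well as email, so a customer of one store is never redacted in another store’s records, and once a row is anonymised its email is None and it cannot match again; the order reference, status, language and timestamp survive as the legal record the page describes.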
11. Legal basis for processing
Processing of withdrawal-form submissions is necessary to comply with a legal obligation to which the merchant is subject (Art. 6 (1) (c) GDPR, in conjunction with § 356a BGB and § 357 BGB). The merchant is required by law to provide an electronic withdrawal function and to send an immediate receipt confirmation; Anviara processes the data on the merchant’s behalf to fulfil that obligation.
Our spam protection is based on the legitimate interest of the merchant and Anviara in preventing automated abuse of the withdrawal channel (Art. 6 (1) (f) GDPR). It uses local proof-of-work only and processes no personal data of the customer for that purpose.
12. Security
We take reasonable technical and organisational measures to protect personal data:
- All communication is encrypted in transit via TLS (HTTPS, SMTP STARTTLS, SSH).
- Backups are encrypted at rest with GPG AES-256 before leaving the application server.
- Database access is restricted to the application server.
- A weekly automated restore drill verifies backup integrity.
- Production application errors are monitored via Sentry; no end-customer PII is included in error reports.
No method of electronic transmission or storage is 100 % secure, and we cannot guarantee absolute security.
13. Children’s privacy
The App is not directed at anyone under the age of 16, and we do not knowingly collect data from children. If you believe a child has submitted data through the App, please contact us so we can remove it.
14. Changes to this policy
We may update this policy when the App, the underlying law, or our infrastructure changes materially. The “Last updated” date at the top reflects the most recent revision. Substantive changes will be communicated in the App’s admin area before they take effect.
15. Contact
For privacy questions, data-subject requests, or anything else covered by this policy:
- Email: [email protected]
- Website: https://anviara.com
- Postal: Available on request.
Our hosting provider’s data-processing terms (Hetzner) are available at hetzner.com/legal/order-processing.