EU Withdrawal Button — Data Processing Agreement (DPA)
Deutsche Fassung: Auftragsverarbeitungsvertrag (AVV).
In the event of any discrepancy between the German and English versions, the German version prevails.
Last updated: 18 June 2026
between
Anviara LLC (Limited Liability Company under the laws of the State of Wyoming, USA) 30 N Gould St, Ste N Sheridan, WY 82801 USA Email: [email protected] – hereinafter the “Processor” –
and
The Merchant, who installs and uses the App via the Shopify App Store – hereinafter the “Controller” –
– collectively the “Parties”, individually a “Party” –
Version: June 2026 (v1.0)
Preamble
The Processor operates the Shopify App “EU Withdrawal Button” (hereinafter the “App”). The App supports the Controller in the technical implementation of the electronic withdrawal function pursuant to § 356a of the German Civil Code (BGB) (effective 19 June 2026) and EU Directive (EU) 2023/2673: a storefront withdrawal form for end customers (consumers), an admin inbox for the merchant to manage and document withdrawal cases, and legally formatted confirmations of receipt by email.
In the course of using the App, the Processor processes personal data of the Controller’s end customers (consumers who declare a withdrawal via the App) on behalf of and under the instructions of the Controller.
This Data Processing Agreement (hereinafter “DPA”) specifies the data protection obligations of the Parties pursuant to Art. 28(3) GDPR and supplements the terms of use (Terms of Service) agreed between the Parties.
Note: This DPA takes effect upon active confirmation by the Controller (see Annex 3). Use of the App requires acceptance of this DPA.
Section 1 – Subject Matter and Duration
(1) Subject Matter
This DPA governs the processing of personal data by the Processor in connection with the provision and operation of the App. Processing shall be carried out exclusively on behalf of and pursuant to the documented instructions of the Controller.
(2) Duration
This DPA shall remain in effect for the entire duration of the Controller’s use of the App. It shall terminate automatically upon uninstallation of the App or termination of the usage relationship, subject to the deletion obligations set out in Section 10.
(3) Nature and Purpose of Processing
The processing serves the following purposes:
- Receiving and processing electronic withdrawal declarations from the Controller’s end customers;
- Sending the legally required confirmation of receipt to the end customer by email;
- Providing an administrative interface (Merchant Admin) for the Controller to manage and document withdrawal cases.
(4) Types of Personal Data
The following categories of personal data are processed:
| Data Category | Description | Source | Storage |
|---|---|---|---|
| Name | First and/or last name of the end customer | Withdrawal form | Stored |
| Email address | Identification and delivery of the confirmation of receipt | Withdrawal form | Stored |
| Order number / reference | Identifies the contract concerned | Withdrawal form | Stored |
| Withdrawal status | Processing status (e.g. received / in_progress / completed) | System-generated / Controller | Stored |
| Language preference | Locale for automatic form language selection | URL parameter / Shopify session / end-customer browser | Stored |
| Timestamps | Date and time of declaration and confirmation | System-generated | Stored |
| Customer comment (optional) | Optional free-text message from the customer | Withdrawal form (voluntary input) | Stored |
| Internal notes (optional) | Case notes entered by the Controller | Controller (admin) | Stored |
| Email metadata | Delivery status / timestamps of the confirmation email | Email service provider (MailerSend) | At the provider |
| IP address | Connection data; processed transiently by the CDN (Cloudflare) only when delivering the form assets. ALTCHA is a proof-of-work scheme that operates without the IP address | Cloudflare (in transit) | Not collected or stored by the Processor |
(4a) Relationship to Shopify
The App reads or modifies no orders of the Controller. The order or contract number entered on the withdrawal form is free text entered by the end customer and is not matched against Shopify order data. Via the Shopify API, the App processes only merchant-related configuration and metadata (e.g. shop domain, primary language, time zone) to render the form and notifications correctly; it does not request permission to read or modify orders (read_orders/write_orders are not used). Insofar as configuration metafields (form settings and texts) are stored, this takes place within the Shopify environment controlled by the Controller.
(5) Categories of Data Subjects
Data subjects are end customers (consumers) of the Controller who declare a withdrawal via the App.
Section 2 – Controller’s Right to Issue Instructions
(1) The Processor shall process personal data solely on the basis of documented instructions from the Controller, unless processing is required by Union or Member State law to which the Processor is subject (Art. 28(3)(a) GDPR). In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on grounds of an important public interest.
(2) The Controller’s instructions are primarily documented through the configuration and use of the App (e.g. enabling/disabling features, configuring email settings, setting retention periods), without prejudice to the Controller’s right to issue additional documented instructions. Such additional instructions require text form (email suffices) and shall be directed to [email protected].
(3) The Processor shall immediately inform the Controller if, in its opinion, an instruction violates data protection law. The Processor shall be entitled to suspend the execution of such an instruction until the Controller confirms or amends it.
Section 3 – Obligations of the Processor
The Processor undertakes in particular to:
- process personal data only within the scope of the Controller’s documented instructions (Section 2);
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR);
- take the technical and organisational measures required under Art. 32 GDPR (see Section 5 and Annex 1);
- comply with the conditions for engaging sub-processors set out in Section 6;
- assist the Controller, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising data subjects’ rights (Art. 15–22 GDPR) (Section 7);
- assist the Controller in ensuring compliance with its obligations under Art. 32–36 GDPR;
- delete or return all personal data after the end of the provision of services in accordance with Section 10;
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections (Section 9);
- maintain a record of all categories of processing activities carried out on behalf of the Controller pursuant to Art. 30(2) GDPR.
Section 4 – Obligations of the Controller
The Controller is in particular obliged to:
- ensure the lawfulness of data processing and bear sole responsibility for the permissibility of processing within the meaning of Art. 6 GDPR;
- inform data subjects (end customers) in accordance with Art. 13 and 14 GDPR about the data processing, including processing by the Processor and its sub-processors;
- accurately and completely reflect the data processing in its own privacy policy;
- ensure that the use of the App and the associated data processing comply with applicable data protection law;
- issue instructions to the Processor in documented form.
Section 5 – Technical and Organisational Measures (TOMs)
(1) The Processor shall implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
(2) The measures in place at the time of conclusion of this DPA are described in Annex 1. The Processor is entitled to adapt the measures during the term, provided the agreed level of protection is not reduced. The Controller shall be informed of material changes.
Section 6 – Sub-Processors
(1) The Controller grants the Processor general written authorisation to engage further processors (sub-processors), subject to compliance with paragraphs (2) to (4).
(2) The sub-processors engaged at the time of conclusion of this DPA are listed in Annex 2. By agreeing to this DPA, the Controller approves the engagement of the sub-processors listed therein.
(3) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days in advance by email and/or in-app notification. If the Controller does not object within 14 days, approval shall be deemed granted.
(4) If the Controller raises a justified objection, the Processor shall use best efforts to offer an alternative. If no reasonable alternative is available, either Party may terminate this DPA with 30 days’ notice.
(5) The Processor shall ensure that each sub-processor is subject to at least the same data protection obligations as set out in this DPA, in particular regarding technical and organisational measures and the binding nature of instructions.
(6) Ancillary services (e.g. telecommunications, postal and logistics services) without targeted access to the Controller’s data shall not be deemed sub-processors.
Section 7 – Assistance with Data Subject Rights
(1) The Processor shall assist the Controller in fulfilling the Controller’s obligation to respond to requests for exercising data subjects’ rights under Art. 15–22 GDPR.
(2) If a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller and shall not act independently without the Controller’s instruction.
(3) The Processor provides functions within the App’s admin interface to view and delete the personal data processed. Erasure requests are additionally supported automatically via the Shopify compliance webhooks (customers/redact).
Section 8 – Data Breach Notification
(1) The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (Art. 33(2) GDPR). Notification shall be made by email to the address stored in the Controller’s Shopify account.
(2) The notification shall contain at least: a description of the nature of the breach; the categories and approximate number of data subjects and data records affected; a description of the likely consequences; and a description of the measures taken or proposed.
(3) The Processor shall assist the Controller in fulfilling its notification obligations under Art. 33 and 34 GDPR. Independent notifications to the supervisory authority or data subjects shall be made only on the Controller’s prior instruction, unless the Processor is directly required by law to notify.
Section 9 – Accountability and Audit Rights
(1) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Art. 28 GDPR.
(2) The Controller shall have the right to conduct audits, or to have them conducted by a mandated auditor. Audits shall be carried out with reasonable consideration for the Processor’s business operations and with a notice period of at least 30 days. In the event of a substantiated suspicion of a personal data breach, a shorter notice period of 7 business days shall apply.
(3) As processing takes place in a cloud infrastructure, the audit requirement may primarily be satisfied by providing suitable and current attestations (e.g. certifications, third-party audit reports of the infrastructure providers, or self-assessment). A physical right of access exists only to the extent that personal data of the Controller is actually processed there and a remote audit is demonstrably insufficient.
Section 10 – Deletion and Return of Data
(1) Upon termination of the usage relationship (uninstallation of the App), the Processor shall delete all personal data processed on behalf of the Controller, unless statutory retention obligations apply.
(2) Full deletion takes place upon receipt of the Shopify compliance signal shop/redact (regularly approx. 48 hours after uninstallation) by deleting the merchant record including all associated withdrawal cases. The Controller may request the return of its data beforehand (e.g. via CSV export from the admin interface).
(3) During the term, stored withdrawal cases are subject to an automatic retention period of 24 months, after which they are deleted automatically. The Controller may delete individual cases manually at any time via the admin interface.
(4) The Controller is itself responsible for complying with its own statutory retention obligations (e.g. § 147 of the German Fiscal Code, § 257 of the German Commercial Code, regarding tax- or commercially-relevant data) within its Shopify environment.
(5) The Processor shall confirm deletion upon request by the Controller.
Section 11 – International Data Transfers
(1) The data infrastructure used for processing (application and database hosting and encrypted backups) is located within the EU/EEA, in Germany (Falkenstein/Frankfurt).
(2) The Processor (Anviara LLC) is a company incorporated under the laws of the State of Wyoming, USA; ongoing operation and administrative access to the data also take place from outside the EU/EEA. Where, as a result, or through individual sub-processors (see Annex 2), personal data is processed or made accessible outside the EU/EEA, the Processor ensures an adequate level of protection through appropriate safeguards pursuant to Art. 46 GDPR, in particular:
- the conclusion of the EU Standard Contractual Clauses (Module Two: Controller to Processor; Commission Implementing Decision (EU) 2021/914), which are hereby incorporated into this DPA. The annexes to those Clauses are populated by the party details of this DPA and by Annex 1 (technical and organisational measures) and Annex 2 (sub-processors);
- additionally, where applicable, an adequacy decision of the European Commission (Art. 45 GDPR) or certification under the EU-US Data Privacy Framework.
(3) The Processor assesses the level of protection by means of a Transfer Impact Assessment and makes it available upon the Controller’s request.
Section 12 – Liability
(1) The liability of the Parties shall be governed by the provisions of the GDPR, in particular Art. 82 GDPR, as well as applicable statutory provisions. Liability toward data subjects under Art. 82 GDPR remains unaffected by this agreement and is not limited by the provisions below.
(2) In the internal relationship between the Parties, the Processor shall be liable to the Controller for damage caused by slight negligence in breach of an essential contractual duty (cardinal duty) only up to the foreseeable damage typical of this type of contract. Liability for slight negligence in breach of non-essential duties is excluded. In cases of slight negligence, liability for indirect damage, consequential damage and lost profits is excluded.
(3) The Processor’s aggregate liability arising out of or in connection with this DPA shall be limited – as a maximum across all damage events – to the fees the Controller paid to the Processor for use of the App in the 12 months prior to the (first) damaging event.
(4) The limitations and exclusions in paragraphs (2) and (3) shall not apply to damage arising from injury to life, body or health, to damage caused by gross negligence or intent, or to liability toward data subjects under Art. 82 GDPR.
(5) Indemnification by the Controller. The Controller shall indemnify the Processor on first demand against all third-party claims – including claims by data subjects and fines or measures imposed by supervisory authorities – that arise from the Controller’s failure to comply with its own data protection obligations, in particular regarding the legal basis for processing (Art. 6 GDPR), the information obligations toward data subjects (Art. 13, 14 GDPR), or the issuing of unlawful instructions. The indemnification includes the reasonable costs of legal defence. It does not apply to the extent that the Processor is itself responsible for the damage.
(6) Where a Party is required to pay compensation to data subjects, it shall have a right of recourse against the other Party to the extent that the other Party has caused the damage (Art. 82(5) GDPR).
(7) Claims of the Controller against the Processor based on slightly negligent breaches of duty shall become time-barred 12 months after the statutory commencement of the limitation period. This does not apply to claims arising from injury to life, body or health, from gross negligence or intent, or to claims under Art. 82 GDPR; for those, the statutory limitation periods remain.
Section 13 – Final Provisions
(1) This DPA shall be governed by the laws of the Federal Republic of Germany, unless mandatory data protection provisions of the Controller’s EU Member State take precedence.
(2) Amendments and additions to this DPA require text form. This also applies to the waiver of this text-form requirement.
(3) Should any provision be or become invalid, the remaining provisions shall continue in full force. The Parties shall replace the invalid provision with one most closely approximating its economic and data-protection intent.
(4) In the event of conflicts between this DPA and other agreements, this DPA shall prevail with respect to data protection matters.
(5) The Processor may adapt this DPA in response to changes in law or technical infrastructure, subject to the following distinction:
- Editorial adjustments (e.g. correction of typographical errors, updating of contact details) and changes required by mandatory legal provisions shall be communicated to the Controller at least 30 days before taking effect by email and/or in-app notification. If the Controller does not object within 30 days, the amendment shall be deemed approved.
- Material changes – in particular those affecting the scope of processing, the mandatory contents pursuant to Art. 28(3) GDPR, the list of sub-processors, the technical and organisational measures, or international data transfers – require the Controller’s express consent in text form (email suffices).
Annex 1 – Technical and Organisational Measures (TOMs)
Status at the time of conclusion of this DPA. Continuously adapted to the state of the art.
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2+ for all connections (storefront, app proxy, admin, email delivery); edge TLS via Cloudflare (Full-strict), HSTS enforcement; TLS-terminated origin (Cloudflare Origin certificate) |
| Encryption at rest | Database on an encrypted volume; backups GPG/AES-256-encrypted on Hetzner Storage Box |
| Access control | Least-privilege principle; production data restricted to the operator; multi-factor authentication for infrastructure access (Hetzner, Cloudflare, container registry); secrets in encrypted application credentials / secret manager, not in plaintext in source code |
| Tenant separation | Logical separation of merchant data at the application layer through consistent scoping of all records to unique merchant identifiers (shop_id) |
| Input control | Server-side input validation; anti-spam measures (ALTCHA proof-of-work, honeypot, rate limiting); signature and session-token verification at the trust boundaries (admin, extension API, app proxy) |
| Availability | Hosting on Hetzner Cloud (EU region, Falkenstein/Germany); 6-hourly encrypted backups, 14-day local retention, weekly restore drill; DDoS protection via Cloudflare |
| Processing control | Processing exclusively pursuant to documented instructions; no disclosure to third parties other than approved sub-processors |
| Separation control | Strict separation of development, staging and production environments; no real data in test/development environments |
| Deletion concept | Automatic deletion of stored withdrawal cases after 24 months; full deletion on uninstallation (Shopify shop/redact, approx. 48 hours); data-subject erasure via customers/redact |
| Monitoring & incident response | Error tracking via Sentry (EU region, data residency Germany). Transmission of personal data to Sentry is disabled (send_default_pii = false). Availability monitoring; defined incident response process |
| Software security (DevSecOps) | Automated dependency audits in the CI pipeline; automated test suite before each release; versioned, auditable deployments |
| Data minimisation | Collection only of data strictly necessary for the withdrawal process; no storage of address, payment or IP data by the Processor; the ALTCHA spam protection operates without the IP address |
| Accountability | Record of processing activities pursuant to Art. 30(2) GDPR |
Annex 2 – Approved Sub-Processors
As of: June 2026. Changes communicated pursuant to Section 6(3).
| Provider | Purpose | Location / Region | Third-Country Transfer / Safeguard | Contractual Basis |
|---|---|---|---|---|
| Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, DE) | Application and database hosting; encrypted backups | Falkenstein, Germany (EU) | EU – no third-country transfer | DPA with Hetzner |
| Cloudflare, Inc. (101 Townsend St, San Francisco, CA, USA) | CDN, reverse proxy, TLS termination, DDoS protection | Global edge network; EU traffic via EU edge | Third country (US): SCCs + EU-US Data Privacy Framework | Cloudflare DPA (incl. SCCs) |
| MailerSend, Inc. (US-incorporated; EU data region: Google Cloud, Belgium) | Sending the confirmation of receipt and merchant notification by email | EU data region (Belgium); provider US-incorporated | Third country (US provider): SCCs | DPA with MailerSend (incl. SCCs) |
Sentry GmbH (de.sentry.io) | Error tracking and performance monitoring (technical data; no transmission of end-customer personal data, send_default_pii = false) | Germany (EU) | EU – no third-country transfer | DPA with Sentry GmbH |
| Shopify International Ltd. (Dublin, Ireland) | E-commerce platform; App Proxy transport of the form; access only to merchant-related configuration/metadata (read_themes, read_locales, read_online_store_navigation, write_app_proxy) – no access to orders | Ireland (EU) / global | Adequacy decision and/or SCCs (Shopify DPA) | Shopify DPA / Partner Program Agreement |
Note: The Processor endeavours to keep data processing within the EU/EEA. Data Processing Agreements (DPAs) have been concluded with all sub-processors. For sub-processors based in third countries, an adequate level of protection is ensured through contractual measures (in particular SCCs) and/or certification under the EU-US Data Privacy Framework.
Not deemed sub-processors under this DPA: services that process only the merchant’s data within the Processor’s own area of responsibility and do not concern the Controller’s end-customer data – in particular the marketing/newsletter tool MailerLite (UAB “MailerLite”, Lithuania) for merchant contacts (only with the merchant’s separate consent). These are disclosed in the Processor’s own privacy policy.
Annex 3 – Conclusion of Agreement and Contact Details
Conclusion of Agreement
This DPA takes effect when the Controller actively confirms acceptance. Confirmation is provided through a combined acceptance during the App’s onboarding (“I agree to the Terms of Service and the Data Processing Agreement”). This DPA forms part of the Terms of Service and is concluded together with their acceptance. The date and time of acceptance, as well as the accepted version, are recorded electronically. Acceptance is legally valid without a handwritten signature pursuant to Art. 28(9) GDPR.
The full DPA is available at https://anviara.com/apps/order-editing/dpa at all times and can be downloaded as a PDF.
Contact Details for Data Protection Enquiries
| Processor | Anviara LLC (Wyoming LLC, USA) |
| Address | 30 N Gould St, Ste N, Sheridan, WY 82801, USA |
| Email (Data Protection) | [email protected] |
| Website | https://anviara.com |
| Data Protection Officer | Not appointed (no obligation pursuant to Art. 37 GDPR) |