EU-Gewährleistungslabel - official EU warranty/guarantee labelling for Shopify
Last updated: 21 June 2026
EU-Gewährleistungslabel is a Shopify app by Timmgard GmbH that calculates and displays the official EU warranty and guarantee label pursuant to Regulation (EU) 2025/1960 on Shopify product pages. This privacy policy provides information about the processing of personal data when using the App and is structured in line with Art. 13 GDPR. A particular feature of this App is that it processes no personal data of the shop's end customers.
Provider and data controller within the meaning of Art. 4(7) GDPR for the operation of the EU-Gewährleistungslabel app (the “App”) as a software service is:
Timmgard GmbH
Kurhausstraße 78a
53773 Hennef
Germany
Commercial Register: HRB 17527 (Amtsgericht Siegburg)
VAT ID: DE359202464
Authorised Representative: S. Timm
Email: [email protected]
Contact form: https://tg-ai.de/en/kontakt - response guaranteed within 24 hours
For the processing of shop and product data on behalf of the merchant, Timmgard GmbH acts as processor under Art. 28 GDPR - see Section 2.
Timmgard GmbH processes personal data in two distinct roles:
• As controller under Art. 4(7) GDPR for installation, operation, and billing of the App vis-à-vis the merchant (e.g. Shopify shop domain, staff sign-in data, app configuration, accountability logs).
• As processor under Art. 28 GDPR where shop and product data of the merchant is processed via the Shopify Admin API exclusively to calculate and display the label. The controller for that data is the merchant. Processing takes place solely on the merchant's documented instructions on the basis of the data processing agreement (DPA) concluded upon installation of the App, available at https://tg-ai.de/en/dpa.
As controller within the meaning of Art. 4(7) GDPR, the merchant is itself responsible for providing its own privacy policy, determining the legal bases for its processing operations, and responding to data subject requests from its end customers. In this respect, Timmgard GmbH acts solely as a processor on the merchant's instructions.
The App processes personal data for the following purposes:
• Calculation of the display state (render state) of the official EU warranty and guarantee label pursuant to Regulation (EU) 2025/1960 per product and writing it back to Shopify as an app-owned product metafield. The storefront display is rendered via a Theme App Extension without any runtime call to the App.
• Authentication of the session of merchant staff in the Shopify admin (Shopify OAuth).
• Provision of an optional operator support chat (disabled by default).
• Fulfilment of the accountability obligation (action log) and of the Shopify compliance webhooks customers/data_request, customers/redact, and shop/redact.
• Protection of the single anonymously reachable endpoint (receipt of Slack events) against abuse via rate limiting.
The App processes exclusively the following personal data:
(a) Staff session: On sign-in via Shopify OAuth, the name, email address, and Shopify user ID (userId) of the signed-in merchant staff member are processed. They serve to authenticate the App session.
(b) Optional support chat: If the merchant uses the support chat integrated into the App (disabled by default), the message content freely entered by the merchant and the shop domain are processed and transmitted to the operator support channel (Slack).
(c) Accountability logs: The action log (audit log) stores only the shop domain, the type of action, and a timestamp. The compliance webhook log (GdprRequest) documents incoming Shopify compliance webhooks. Neither log contains any personal data.
(d) IP address: At the single anonymously reachable endpoint (receipt of Slack events), the IP address is used only ephemerally for rate limiting and is not stored.
No end-customer data: The App does not process or store any personal data of the shop's end customers. In particular, no order, customer, or end-customer IP data is collected. The Shopify compliance webhooks customers/data_request and customers/redact are a documented no-op, as there is no customer data to export or erase.
Processing is based on the following legal grounds:
• Art. 6(1)(b) GDPR - performance of the contract on the use of the App, in particular for providing the App and authenticating the staff session.
• Art. 6(1)(f) GDPR - legitimate interest in handling support requests, in fulfilling the accountability obligation (action log), and in abuse prevention (rate limiting at the anonymous endpoint).
• Art. 6(1)(c) GDPR - compliance with legal obligations, in particular in connection with the Shopify compliance webhooks and the demonstrability of timely handling of requests.
The App engages the following processors (sub-processors), each under a data processing agreement per Art. 28 GDPR:
• Shopify Inc. (151 O'Connor Street, Ottawa, Ontario K2P 2L8, Canada) - e-commerce platform, data source via the Shopify Admin API, recipient of the compliance webhooks, and provision of session authentication. Location: Canada (headquarters), US-based infrastructure components. Safeguarded by the adequacy decision for Canada (Decision 2002/2/EC) and the EU-U.S. Data Privacy Framework for US components, failing that EU Standard Contractual Clauses 2021/914.
• Render Services Inc. (525 Brannan St, Suite 300, San Francisco, CA 94107, USA) - hosting of the application and the PostgreSQL database. Primary server location: Frankfurt, Germany (EU). DPF-certified since 6 January 2025; subsidiarily SCCs 2021/914.
• Slack (Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland) - only where the optional support chat is enabled: transmission of the support message content entered by the merchant to the operator support channel. The contracting party is the EU entity Slack Technologies Limited (Ireland); the Slack/Salesforce processing infrastructure is located in the USA. Insofar as processing takes place in the USA, it is safeguarded by the EU-U.S. Data Privacy Framework (Salesforce/Slack has been certified since July 2023) and, in the alternative, the EU Standard Contractual Clauses 2021/914.
Beyond this, no personal data is shared with third parties. In particular, no data is processed or transferred for advertising or profiling purposes.
The App sets no cookies on the storefront; the label is rendered via a product metafield and a Theme App Extension without any call to the App. The Shopify admin-embedded merchant dashboard uses only technically necessary cookies of the Shopify platform (App Bridge and session cookies); these are set by Shopify, not by the App. No analytics, marketing, or third-party tracking is performed.
The application and the database operate within the EU (Frankfurt, Germany). Transfers to third countries (notably the USA) occur only with the sub-processors listed in Section 6 and are safeguarded by:
• EU-U.S. Data Privacy Framework (Render, Slack, and the US infrastructure components of Shopify are certified),
• EU Standard Contractual Clauses under Implementing Decision (EU) 2021/914 as a subsidiary safeguard,
• the adequacy decision of the European Commission for Canada (Shopify headquarters).
The following principles apply:
• Product label configurations are not personal data and are kept with the shop account for as long as the App is installed.
• On uninstallation of the App, Shopify typically triggers the shop/redact webhook within 48 hours. The session and shop data are then deleted; cascade deletion also removes the dependent product configurations and support conversations.
• The customers/redact webhook is an immediate no-op, as there is no end-customer data.
• The accountability logs (audit log, GdprRequest) contain no personal data and are deliberately retained beyond the deletion of the shop account in order to fulfil the accountability obligation under Art. 5(2) GDPR.
The App implements appropriate technical and organisational measures under Art. 32 GDPR:
• TLS encryption for all data transmissions
• Database encryption at rest
• HMAC signature verification and deduplication of all incoming webhooks
• Scope-minimised Shopify Admin API access (only the permissions required for the labelling function)
• Masking of email addresses in the application logs
• Tenant separation via the shop domain (shopDomain) in all database queries
The App does not carry out any automated individual decisions within the meaning of Art. 22 GDPR. The calculation of the label produces only a display state for the product page and has no legal effect on data subjects.
The App is directed at Shopify merchants and their staff, not at children. It does not collect data directly from minors and processes no end-customer data within the meaning of Art. 8 GDPR.
Data subjects (in particular merchant staff) have the following rights:
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR)
To exercise these rights, a message to [email protected] is sufficient. Responses are provided within the deadline set by Art. 12(3) GDPR (generally 30 days).
Data subjects have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority competent for Timmgard GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
Timmgard GmbH is not required to appoint a data protection officer under Section 38(1) of the German Federal Data Protection Act (BDSG) because it has fewer than 250 staff and no core activity involving large-scale regular monitoring or the processing of special categories of data. Privacy requests are handled centrally at [email protected] and answered within the statutory deadlines (Art. 12(3) GDPR, generally no longer than 30 days).
This privacy policy may be updated when processing changes or legal requirements so require. The current version is always available at this URL. Version date: 21 June 2026.