Privacy Policy

We process personal data in three categories: merchant data, customer data (accessed on behalf of the merchant via the Shopify Admin API), and technical analytics data.

Merchant Data

• Shopify shop domain and store name
• DHL business account credentials: the DHL API key is stored in plaintext, the DHL API password is encrypted at rest using AES-256-GCM with a rotatable master key
• App configuration and settings, including a country filter (ISO country codes the merchant excludes from returns — configuration only, no personal data)
• Cached subscription metadata from Shopify: plan name, billing status, trial end date, monthly order count, and last-check timestamp. PackFlow does not process payment data — billing runs exclusively through Shopify as Merchant of Record. We never see credit cards, bank accounts, or merchant invoicing addresses

Customer Data (processed on the merchant's behalf via the Shopify Admin API)

• Customer name and email address (to identify the order when a return is submitted)
• Shipping address (for generating DHL return labels)
• Postal code (only when the customer searches for a nearby Packstation via the DHL location finder)
• Order information: order number, line items, fulfillment status
• Shopify customer ID (where issued by the shop)
• Return note: an optional free-text field the customer may use to describe the reason for return. The content may contain personal information and is stored as the customer entered it

Technical / Analytics Data

• Internal return-status lookups: order number, success flag, and timestamp. This is pseudonymous, not anonymous within the meaning of Art. 4(5) GDPR, as the order number is re-identifiable in combination with Shopify data. No email addresses or tracking numbers are stored in this table
• Webhook deduplication markers to prevent duplicate processing (no PII, 90-day auto-retention)
• Return label URL and QR code URL: links pointing to PDF files hosted by DHL containing customer data. The PDF files themselves reside with DHL, not with PackFlow

We use the collected data exclusively to provide the App's functionality:

• Matching incoming returns to specific orders based on order number and email
• Generating DHL return labels and QR codes via the DHL Parcel DE Returns API using the customer's shipping address
• Tracking return shipment status via the DHL Shipment Tracking Unified API — used internally only, to document arrival at the merchant. PackFlow does not operate a public tracking portal for end customers
• Locating nearby Packstations via the DHL Unified Location Finder API based on the postal code provided by the customer
• Managing return workflows (approval, rejection, status updates)
• Syncing completed returns to Shopify's native returns system (shopifyReturnId) so the merchant can see the return within the Shopify admin
• Exchange orders: when a customer chooses an exchange instead of a refund, PackFlow creates a Shopify draft order containing the customer data from the original order. The draft order resides with Shopify; PackFlow stores only the exchangeOrderId reference
• Shopify Flow triggers: for the events “dhl-return-created”, “dhl-label-created”, and “dhl-return-status-changed”, PackFlow passes the fields customer_id, customer_email, order_number, return_reason, item_count, and return_id to Shopify's Flow engine. This data does not leave the Shopify ecosystem
• Merchant analytics (return rate, return reasons, timeline)
• Subscription enforcement via Shopify Managed Pricing based on the monthly order count

We share personal data only with the sub-processors listed below. Each is engaged under a data processing agreement per Art. 28 GDPR; the full DPA is available at https://tg-ai.de/en/dpa. We do not sell, rent, or share personal data with any other third parties for marketing, advertising, or profiling purposes.

Shopify Inc. (Canada / USA)

Shopify is our primary sub-processor. All order, customer, product, fulfillment, returns, and draft order data originates from and resides at Shopify; PackFlow accesses it via the Shopify Admin API. As Merchant of Record, Shopify also handles merchant billing. Transfers outside the EEA are safeguarded under EU Standard Contractual Clauses per Implementing Decision (EU) 2021/914 within the Shopify DPA.

Deutsche Post DHL Group (Germany)

DHL processes data via three distinct APIs, each limited to the minimum fields required:

• Parcel DE Returns (return label generation): customer name, email address, and full return shipping address
• Shipment Tracking Unified (return shipment status): tracking number only
• Unified Location Finder (nearby Packstation lookup): postal code only

DHL processes this data on EU infrastructure according to its own privacy policy.

Render Services, Inc. (Frankfurt, Germany)

Hosting provider for the application and the PostgreSQL database. Render operates the infrastructure but does not actively process personal data on our behalf beyond storage. Database backups are encrypted.

PackFlow implements appropriate technical and organisational measures under Art. 32 GDPR:

• All data is stored on servers hosted by Render in the EU (Frankfurt, Germany)
• DHL API passwords are encrypted at rest using AES-256-GCM with a rotatable master key
• Customer data (name, email, address, return notes) is protected at rest by database access control and encrypted backups; PackFlow is a processor and must be able to read this data to provide the service, so no end-to-end encryption is applied
• All data transmission uses TLS 1.3
• Database backups are encrypted
• Access to personal data is restricted to authorised personnel only

The following retention periods apply:

• Return records and return items: retained for the duration of the App installation. Upon uninstallation, all associated data is deleted within 48 hours via Shopify's shop/redact compliance webhook
• Analytics data (status-lookup events, webhook deduplication markers): 90-day automatic cleanup, regardless of installation state
• Cached subscription metadata: deleted together with the shop account on uninstallation (48 hours)
• Individual customer records on request: deleted via Shopify's customers/redact compliance webhook within 30 days of receipt
• Payment-related records: managed by Shopify as Merchant of Record; not within PackFlow's scope

If you are a customer of a merchant using the App, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): request a copy of the personal data we hold about you
• Right to rectification (Art. 16 GDPR): request correction of inaccurate personal data
• Right to erasure (Art. 17 GDPR): request deletion of your personal data
• Right to restriction (Art. 18 GDPR): request limitation of processing
• Right to data portability (Art. 20 GDPR): request transfer of your personal data
• Right to object (Art. 21 GDPR): object to the processing of your personal data

To exercise these rights, please contact the merchant (shop owner) directly as they are the controller. The merchant can forward data subject requests to us, which we handle via Shopify's mandatory compliance webhooks.

The App implements all Shopify-required GDPR compliance webhooks:

• customers/data_request: returns all stored data for a specific customer
• customers/redact: anonymises or deletes all personal data for a specific customer
• shop/redact: deletes all data associated with a merchant's shop (48 hours after uninstallation)

The App does not set cookies or use browser local storage for identification. Authentication within the embedded admin is handled via Shopify session tokens.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the App after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy or data processing:

For data subject requests, please contact the merchant (shop owner) who installed the App on their Shopify store.