Retractly — EU Withdrawal Button for Shopify
Last updated: 24 April 2026
Retractly (formerly Revoka until April 2026) is a Shopify app by Timmgard GmbH that enables online stores to comply with the statutory EU withdrawal button requirement under § 356a BGB. This privacy policy describes how personal data is processed when the App is used and is structured in line with Art. 13 GDPR.
The provider and data controller within the meaning of Art. 4(7) GDPR for the operation of the Retractly app (the “App”) as a software service is:
Timmgard GmbH
Kurhausstraße 78a
53773 Hennef
Germany
Commercial Register: HRB 17527 (Amtsgericht Siegburg)
VAT ID: DE359202464
Authorised Representative: S. Timm
Email: [email protected]
For the processing of data arising from individual withdrawal requests, Timmgard GmbH acts as processor under Art. 28 GDPR — see Section 2.
Retractly processes personal data in two distinct roles:
• As controller under Art. 4(7) GDPR for installation, operation, and billing of the App vis-à-vis the merchant (e.g. Shopify shop domain, admin contact data).
• As processor under Art. 28 GDPR for customer withdrawal data originating from shop end customers. The controller for that data is the merchant. Timmgard GmbH processes such data exclusively on the merchant’s documented instructions under the data processing agreement (DPA) concluded upon installation of the App. The full DPA is available at https://tg-ai.de/en/dpa.
Retractly processes personal data for the following purposes:
• Provision of the statutory EU withdrawal button under § 356a BGB and of the withdrawal confirmation required by Art. 11(3) of EU Directive 2011/83 (as amended by 2023/2673).
• Matching incoming withdrawal requests to specific shop orders.
• Calculating and verifying the 14-day withdrawal period under § 355(2) BGB.
• Sending an automated confirmation email to the customer (durable medium within the meaning of Art. 11(3) of EU Directive 2011/83).
• Abuse and fraud prevention via rate limiting and pattern-based fraud flagging (warn-only, see Section 12).
• Logging merchant staff decisions to fulfil commercial and tax retention obligations (§ 257(4) HGB, § 147 AO).
• Fulfilment of the Shopify compliance webhooks CUSTOMERS_DATA_REQUEST, CUSTOMERS_REDACT, and SHOP_REDACT.
Processing is based on the following legal grounds:
• Art. 6(1)(c) GDPR — legal obligation of the merchant to provide a withdrawal process under § 356a BGB.
• Art. 6(1)(b) GDPR — handling of the withdrawal as a contractual secondary obligation.
• Art. 6(1)(f) GDPR — legitimate interest in abuse and fraud prevention (rate limiting, truncated IP address, fraud flagging) and in the traceability of staff decisions (audit log).
• Art. 6(1)(c) GDPR in conjunction with § 257 HGB / § 147 AO — commercial and tax retention obligations for staff action logs.
• Art. 6(1)(c) GDPR in conjunction with Art. 12(3) GDPR — evidence of timely handling of data subject requests.
When a withdrawal record is created, the following data of the withdrawing end customer is processed:
• Order number
• Email address
• Order date
• Customer name
• Shopify customer ID (where provided by the shop)
• Selected products: title, variant, SKU, product image URL
• Order amount (total order value) and withdrawal amount (sum of withdrawn items)
• Delivery date (from Shopify fulfilment, where available)
• Calculated withdrawal deadline for this specific case
• Reason for withdrawal (voluntary, never mandatory)
• Language of the withdrawal form
IP address and user agent: The full IP address is held only ephemerally in memory for rate limiting (abuse prevention under Art. 6(1)(f) GDPR). Additionally, a truncated version is stored with the withdrawal record — IPv4 with its last octet zeroed (e.g. 203.0.113.0), IPv6 as a /48 prefix (e.g. 2001:db8:abcd::/48). Truncation happens at the storage boundary under the data-minimisation principle (Art. 5(1)(c) GDPR) and supports fraud detection. The truncated IP and the user agent are deleted together with the withdrawal record after 12 months or immediately upon a GDPR erasure request.
Durable medium: The automated confirmation email to the customer serves as the durable medium record required by Art. 11(3) of EU Directive 2011/83 and provides a tamper-evident record of the withdrawal submission. Retractly does not generate PDF files.
Decisions made by merchant staff on incoming withdrawal requests (approve, reject, refund) are documented in a separate staff action log (audit log). The following data is stored:
• Shopify user ID of the staff member
• Email address of the staff member
• Full IP address of the staff member (not truncated — admin context for abuse prevention)
• Timestamp of the action
• Type of action and the affected withdrawal record
Legal bases are Art. 6(1)(c) GDPR in conjunction with § 257(4) HGB and § 147 AO (commercial and tax retention obligation of 10 years) and Art. 6(1)(f) GDPR (legitimate interest in traceability of staff decisions). The data is deleted together with the shop account within 48 hours of the App being uninstalled (SHOP_REDACT webhook).
Every data subject request received via the Shopify compliance webhooks (CUSTOMERS_DATA_REQUEST, CUSTOMERS_REDACT, SHOP_REDACT) is logged internally in a GdprRequest table with timestamp, request type, and completion status. The purpose is to demonstrate compliance with the 30-day deadline under Art. 12(3) GDPR. The log entry contains no additional personal data beyond what is already held in the affected tables. Legal basis is Art. 6(1)(c) GDPR in conjunction with Art. 12(3) GDPR.
Retractly uses the following sub-processors, each engaged under a data processing agreement per Art. 28 GDPR:
• Shopify Inc. — role: data source via the Shopify Admin API, recipient of the compliance webhooks, host of the embedded admin session. Location: Canada (headquarters), US-based infrastructure. Covered by the Shopify DPA including EU Standard Contractual Clauses.
• Render Services, Inc. — role: hosting of the application and the PostgreSQL database. Location: region “Frankfurt (EU Central)”, data processing exclusively within the EU.
• Resend — role: dispatch of transactional confirmation emails. Location: USA, certified under the EU-US Data Privacy Framework (TADPF).
Beyond this, no personal data is shared with third parties. In particular, no data is processed or transferred for advertising or profiling purposes.
The App infrastructure and the database operate exclusively within the EU (Frankfurt, Germany). Transfers to third countries (notably the USA) occur only with the sub-processors Shopify and Resend listed in Section 8 and are safeguarded by:
• EU-US Data Privacy Framework (Resend is certified).
• EU Standard Contractual Clauses under Implementing Decision (EU) 2021/914 (within the Shopify DPA).
• Supplementary technical and organisational measures (transport encryption, access restrictions).
The following retention periods apply:
• Withdrawal records (including truncated IP, user agent, product data, amounts, delivery data): automatically deleted 12 months after the withdrawal is completed. Deletion is performed by a cron-driven expire sweeper that writes an audit log entry per deleted row.
• Staff action log (audit log): deleted together with the shop account within 48 hours of uninstallation (SHOP_REDACT).
• GdprRequest log: same deletion window as the underlying request type; within 48 hours for SHOP_REDACT.
• Rate limit bucket (full IP in memory): ephemeral, typically a few minutes, never persisted.
• Shop master data (shop domain, admin contact, app configuration): deleted within 48 hours of uninstallation (SHOP_REDACT).
• Individual CUSTOMERS_REDACT request: immediate deletion of all withdrawal records associated with the customer.
Retractly implements appropriate technical and organisational measures under Art. 32 GDPR:
• TLS encryption for all data transmissions
• Encrypted database backups
• HMAC-signed state parameters preventing tampering
• Request-level rate limiting (ephemeral, in memory)
• Cross-shop isolation via shopId scoping on all database queries
• Honeypot fields against automated form submissions
• Email verification on order lookup
• Access to personal data restricted to authorised personnel only
Retractly does not carry out any automated individual decisions within the meaning of Art. 22 GDPR. The built-in fraud detection is warn-only: suspicious patterns (e.g. three or more withdrawals from the same email address or the same truncated IP within 180 days) are flagged to the merchant in the dashboard. No automated rejection, blocking, or processing decision takes place — the final decision on every withdrawal is made manually by the merchant.
Retractly processes withdrawal data of B2C customers on behalf of the merchant; those customers have previously concluded a purchase contract with the shop. Age verification at the point of sale is the merchant’s responsibility. Retractly does not collect data directly from minors and is not directed at children under 16 within the meaning of Art. 8 GDPR.
Shop end customers have the following rights vis-à-vis the merchant as controller:
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR)
Requests can be made via the merchant (primary route) or directly to the processor at [email protected]. Requests arriving through Shopify are handled automatically via the CUSTOMERS_DATA_REQUEST and CUSTOMERS_REDACT compliance webhooks. Responses are provided within the deadline set by Art. 12(3) GDPR (generally 30 days).
Data subjects have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority competent for Timmgard GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
Timmgard GmbH is not required to appoint a data protection officer under § 38 BDSG because it has fewer than 250 staff and no core activity involving large-scale regular monitoring or the processing of special categories of data. Privacy requests are handled centrally at [email protected] and answered within the statutory deadlines (Art. 12(3) GDPR, generally no longer than 30 days).
This privacy policy may be updated when processing changes or legal requirements so require. The current version is always available at this URL. Version date: 24 April 2026.