Data Processing Agreement (DPA)
Version: 1.0 · Effective: 24 April 2026
Applies to: Retractly (withdrawal management) and PackFlow (DHL returns portal)
Provider: Timmgard GmbH, Hennef, Germany — Privacy contact: [email protected]
pursuant to Art. 28(3) General Data Protection Regulation (GDPR)
Preamble
This Data Processing Agreement (hereinafter “DPA”) is entered into by and between
the controller (client):
The respective user (hereinafter “Merchant”) who uses the processor's services via the Shopify App Store,
and
the processor (contractor):
Timmgard GmbH (TG-AI)
Kurhausstraße 78a
53773 Hennef
Germany
Commercial Register: HRB 17527, Amtsgericht Siegburg
VAT ID: DE359202464
Represented by: S. Timm (Managing Director)
Privacy contact: [email protected]
(hereinafter individually “Party”, collectively “Parties”)
This DPA supplements the main contract between the Parties governing the use of the processor's Shopify applications (hereinafter “Main Contract”) and regulates the data protection obligations of the Parties in connection with the processing of personal data on behalf of the controller.
This DPA applies to the following products of the processor:
- Retractly — withdrawal management for Shopify
- PackFlow — DHL returns portal and shipment tracking for Shopify
Section 1 — Subject, Duration and Specification of the Processing
(1) The processor processes personal data on behalf of the controller. The subject, nature and purpose of the processing, the type of personal data, and the categories of data subjects are set out in Annex 1 of this Agreement.
(2) The duration of the processing corresponds to the term of the Main Contract. This DPA takes effect upon installation of one of the applications by the controller and ends upon the complete deletion of all personal data by the processor after termination of the Main Contract.
(3) Processing shall take place exclusively within the territory of the European Union, the European Economic Area, or in third countries for which an adequacy decision under Art. 45 GDPR exists or for which appropriate safeguards under Art. 46 GDPR are in place. Further details are set out in Section 11.
Section 2 — Scope and Responsibility
(1) Within the framework of this Agreement, the controller is responsible for compliance with data protection provisions, in particular the lawfulness of the data processing (Art. 4(7) GDPR).
(2) The legal basis for the processing of personal data lies with the controller. The processing is generally based on Art. 6(1)(b) GDPR (performance of a contract with the end customer) and Art. 6(1)(c) GDPR (compliance with legal obligations, in particular the right of withdrawal under § 355 German Civil Code (BGB) and the withdrawal button requirement under § 356a BGB). The controller shall ensure that an appropriate legal basis exists for each processing operation.
(3) The controller is entitled to issue instructions to the processor regarding the nature, scope and procedure of the data processing. Instructions are generally issued through the configuration and use of the applications. Further instructions require text form (email is sufficient).
(4) The controller shall notify the processor without undue delay of any errors or irregularities in the processing of personal data that the controller identifies.
Section 3 — Obligations of the Processor
3.1 Processing on Instructions (Art. 28(3)(a) GDPR)
(1) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union law or the law of the Member State to which the processor is subject. In such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
(2) The processor shall not use the personal data entrusted for processing for any other purpose, in particular not for its own purposes. Copies or duplicates of personal data shall not be made without the controller's knowledge, except where required to ensure proper data processing (e.g. backups).
(3) The processor shall inform the controller without undue delay if it is of the opinion that an instruction infringes the GDPR or other data protection provisions of the Union or of its Member States. The processor is entitled to suspend the execution of the relevant instruction pending confirmation or amendment by the controller.
3.2 Confidentiality (Art. 28(3)(b) GDPR)
(1) The processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(2) The confidentiality obligation continues to apply after termination of the contractual relationship.
3.3 Technical and Organisational Measures (Art. 28(3)(c) in conjunction with Art. 32 GDPR)
(1) The processor shall implement all technical and organisational measures required under Art. 32 GDPR to ensure a level of security appropriate to the risk. The measures in place at the time of conclusion of this Agreement are documented in Annex 2.
(2) The technical and organisational measures are subject to technical progress and further development. The processor is entitled to implement alternative adequate measures. The level of security set out in the defined measures must not be undermined. Material changes shall be communicated to the controller.
3.4 Sub-Processing (Art. 28(3)(d) GDPR)
Further details are set out in Section 7.
3.5 Assistance with Data Subject Rights (Art. 28(3)(e) GDPR)
(1) The processor shall, where possible, assist the controller by appropriate technical and organisational measures in fulfilling the obligation to respond to requests for exercising the data subject rights set out in Art. 12–22 GDPR. The applications provide technical interfaces for this purpose: the Shopify webhook customers/data_request triggers a data export, the webhook customers/redact triggers anonymisation pursuant to Section 12(1).
(2) If a data subject contacts the processor directly with a request for access, rectification, erasure, restriction of processing, data portability or objection, the processor shall forward the request to the controller without undue delay. The processor shall not act independently towards the data subject without instructions from the controller.
3.6 Assistance Obligations (Art. 28(3)(f) GDPR)
Taking into account the nature of the processing and the information available to it, the processor shall assist the controller in complying with the obligations under Art. 32–36 GDPR, in particular:
- the security of processing (Art. 32 GDPR),
- notification of personal data breaches to the supervisory authority (Art. 33 GDPR),
- communication of a personal data breach to the data subject (Art. 34 GDPR),
- data protection impact assessment (Art. 35 GDPR),
- prior consultation of the supervisory authority (Art. 36 GDPR).
3.7 Deletion and Return (Art. 28(3)(g) GDPR)
(1) The processor deletes personal data via two independent processes:
(a) Ongoing retention deletion: During the active term of the Agreement, withdrawal or returns records are automatically removed by an application-integrated deletion process once the retention periods specified in Section 12 have expired. The deletion process runs on administrative access to the application and is internally limited to an execution interval of at most once every 24 hours to avoid repeated database operations. On each run, all records whose retention period has expired at the time of execution are deleted. An audit log entry is written for each deletion operation as evidence.
(b) Uninstall deletion: Upon termination of the Main Contract or uninstallation of the application, the processor deletes all personal data processed on behalf of the controller. Deletion is triggered by the Shopify webhook shop/redact, which Shopify typically sends 48 hours after uninstallation. Complete deletion of shop and customer data takes place within 30 days of receipt of this webhook and, due to the database structure (foreign keys with cascade delete), covers all dependent records including staff action logs and GDPR request tracking.
(2) At the controller's request, data may be provided to the controller in a common, machine-readable format (e.g. CSV or JSON) prior to deletion, to the extent technically feasible with reasonable effort.
(3) Deletion shall not take place where Union law or the law of the relevant Member State requires further storage — in particular accounting-relevant data under § 257(4) German Commercial Code (HGB) and § 147 German Fiscal Code (AO) with retention periods of up to ten years. During the active term of the Agreement, GDPR erasure requests therefore do not result in complete deletion of a record but rather anonymisation of the PII fields while retaining the invoicing and evidence data (see Section 12(1)).
(4) Documentation that serves as evidence of proper data processing (e.g. staff action audit logs, GDPR request tracking) is retained in line with statutory retention periods beyond the end of the contract, provided it contains no PII or the PII has been anonymised at the time of retention.
3.8 Evidence Obligations and Audit Rights (Art. 28(3)(h) GDPR)
Further details are set out in Section 10.
Section 4 — Instructions
(1) Instructions are generally issued through the configuration and use of the applications (technical instructions). Further instructions require text form (email to [email protected]).
(2) The processor documents all instructions and their implementation.
(3) Persons authorised to issue instructions on the controller's side are the shop owner and all persons registered as administrators in the Shopify admin area.
(4) The person authorised to receive instructions on the processor's side is S. Timm (Managing Director), reachable at [email protected].
Section 5 — Confidentiality
(1) The processor ensures that all employees and commissioned persons with access to personal data of the controller are bound in writing to confidentiality and have been informed of the data protection requirements before commencing their activity.
(2) The confidentiality obligation continues to apply after termination of the activity or the contractual relationship.
(3) The processor restricts access to personal data of the controller to those persons who require it for the performance of the contractual obligations (need-to-know principle).
Section 6 — Technical and Organisational Measures (TOMs)
(1) The processor has implemented the technical and organisational measures described in Annex 2 before the start of processing and shall maintain them throughout the term of the Agreement.
(2) The measures must ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
(3) The processor regularly reviews the effectiveness of the technical and organisational measures and adapts them to the state of the art as required. A level of protection below the agreed standard is not permitted.
(4) Material changes to the technical and organisational measures are communicated to the controller in text form.
Section 7 — Sub-Processing
(1) The controller hereby grants the processor general written authorisation to engage further processors (sub-processors) within the meaning of Art. 28(2) GDPR. The sub-processors approved at the time of conclusion of this Agreement are listed in Annex 3.
(2) The processor informs the controller at least 30 days in advance of any intended engagement or replacement of a sub-processor in text form (email is sufficient). The controller has the right to object to the engagement or replacement within 30 days of receiving the information.
(3) If the controller raises a reasoned objection, the Parties shall endeavour to reach an amicable solution. If no agreement is reached, the controller is entitled to a special termination right with respect to the Main Contract, to be exercised within 14 days of the failure of the negotiations.
(4) The processor ensures that each sub-processor is contractually bound to the same data protection obligations as set out in this DPA, in particular the obligation to implement appropriate technical and organisational measures (Art. 28(4) GDPR).
(5) The processor is liable to the controller for the careful selection and monitoring of sub-processors. Any further liability for breaches by a sub-processor that the processor was unable to prevent despite careful selection and monitoring is excluded.
(6) The processor keeps the current list of sub-processors available at all times at https://www.tg-ai.de/en/dpa/subprocessors or provides it on request by email.
Section 8 — Rights of Data Subjects
(1) The processor assists the controller in fulfilling the data subject rights under Art. 12–22 GDPR, in particular:
- right of access (Art. 15 GDPR),
- right to rectification (Art. 16 GDPR),
- right to erasure (Art. 17 GDPR),
- right to restriction of processing (Art. 18 GDPR),
- right to data portability (Art. 20 GDPR),
- right to object (Art. 21 GDPR).
(2) If a data subject contacts the processor directly with claims under paragraph 1, the processor shall forward the request to the controller without undue delay and await the controller's instructions.
(3) The processor shall not act independently towards a data subject without express instructions from the controller.
(4) The processor logs all incoming GDPR requests from Shopify (customers/data_request, customers/redact, shop/redact) in a separate table with timestamp and completion status in order to transparently demonstrate compliance with the 30-day deadline under Art. 12(3) GDPR.
Section 9 — Obligation to Report Personal Data Breaches
(1) The processor reports any personal data breach (Art. 4(12) GDPR) to the controller without undue delay, at the latest within 48 hours of becoming aware of it. This deadline is chosen so that the controller can meet its own reporting obligation under Art. 33 GDPR (72 hours after becoming aware) in a timely manner.
(2) The report contains at least the following information:
- a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and records affected,
- the name and contact details of the contact person for inquiries,
- a description of the likely consequences of the breach,
- a description of the measures taken or proposed to address and mitigate the consequences.
(3) The processor assists the controller in fulfilling the reporting obligation to the supervisory authority (Art. 33 GDPR) and the obligation to notify the data subject (Art. 34 GDPR).
(4) The processor documents all personal data breaches together with all related facts, effects and remedial measures taken.
Section 10 — Audit and Inspection Rights of the Controller
(1) The processor makes available to the controller, on request, all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
(2) The controller may verify compliance with the obligations under this DPA as follows:
(a) Self-assessment: The processor provides the controller, on request but no more than once per calendar year, with a written self-assessment on the implementation of the technical and organisational measures, the current sub-processor list, and compliance with the other obligations under this DPA. The assessment is provided within 30 days of receipt of the request.
(b) On-site inspection: In the event of a reasonable suspicion of a breach of the obligations under this DPA — in particular following a personal data breach — the controller has the right to carry out on-site inspections itself or through an appointed auditor. The inspection shall be announced at least 30 days in advance in text form, unless the urgency of a personal data breach requires a shorter period.
(3) The processor undertakes to cooperate to the extent necessary in justified reviews and inspections.
(4) Each Party bears its own costs in connection with the conduct of reviews and inspections.
Section 11 — Data Transfers to Third Countries
(1) A transfer of personal data to a third country (outside the EEA) shall only take place if the specific requirements of Art. 44–49 GDPR are met.
(2) Data processing takes place primarily on servers within the European Union (Render: Frankfurt, Germany; Resend: Ireland, eu-west-1). Potential access to EU data by a sub-processor from a third country (e.g. for maintenance or support by US-based personnel) constitutes a data transfer within the meaning of the GDPR and is safeguarded by the transfer mechanisms listed in Annex 3.
(3) To the extent sub-processors are based in the USA and support access may originate from the USA, the transfer takes place on the basis of the EU-U.S. Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) where the relevant sub-processor is certified under the DPF. Where no DPF certification exists, the transfer takes place on the basis of the Standard Contractual Clauses of the European Commission (SCCs 2021/914) in conjunction with a transfer impact assessment.
(4) To the extent sub-processors are based in Canada, the transfer takes place on the basis of the adequacy decision of the European Commission for Canada (Decision 2002/2/EC).
(5) Should an adequacy decision be revoked or declared invalid, the processor shall, without undue delay, implement alternative transfer mechanisms under Art. 46 GDPR (in particular Standard Contractual Clauses) or cease transfers to the affected third country.
(6) The processor shall inform the controller without undue delay of any change in the legal basis for third country transfers.
Section 12 — Deletion and Retention of Personal Data
(1) The processor deletes personal data according to the following periods:
Retractly (withdrawal management):
- Withdrawal records are automatically removed 365 days after creation by an application-integrated deletion process. The deletion process is triggered on administrative access to the application and is internally limited to an execution interval of at most once every 24 hours. At runtime, all records whose 365-day period has expired are deleted; the actual database operation typically takes a few seconds. The retention period is set at system level and is currently not configurable by the merchant.
- On a customer GDPR request (customers/redact) during the active term of the Agreement, the withdrawal record is anonymised immediately upon receipt of the webhook (no 24-hour delay): the PII fields (customerName, customerEmail, customerId, ipAddress, userAgent, reasonNote, rejectionReason, product title, variants, SKU, image URL) are set to null. Accounting-relevant fields (orderNumber, orderDate, orderTotal, withdrawalAmount, refundId, refundAmount, refundedAt, status, timestamps) are retained in order to fulfil the retention obligations under § 257(4) HGB and § 147 AO. The anonymised record is deleted together with the other records upon expiry of the 365-day period.
- On uninstallation of the application: full deletion of all shop and customer data via the Shopify webhook shop/redact (typically 48 hours after uninstallation), fully completed within 30 days of receipt of the webhook. The deletion covers cascade deletion across all dependent tables and is executed immediately — the 24-hour interval limitation of the ongoing retention deletion does not apply here.
PackFlow (returns portal):
- Customer PII (name, email, address): anonymisation six months after completion of the return.
- Return records in full: deletion two years after completion.
- Tracking analytics: deletion after 90 days.
- On uninstallation: full deletion of all data within 30 days of receipt of the Shopify deletion webhook.
(2) At the controller's request, data may be exported in a common format (CSV, JSON) prior to deletion.
(3) Technical backups are deleted in the regular backup rotation cycle of the cloud provider, but at the latest within 30 days of the deletion of the primary data.
(4) Staff action logs (audit log) and GDPR request tracking are cascade-deleted with the shop account via the shop/redact webhook and are not subject to the separate 365-day retention.
Section 13 — Data Protection Officer
(1) The appointment of a data protection officer at the processor is currently not required under § 38 Federal Data Protection Act (BDSG), as the statutory conditions (at least 20 persons permanently engaged in the automated processing of personal data, core activity consisting of extensive regular monitoring or processing of special categories) are not met.
(2) Should the conditions change, the processor shall appoint a data protection officer without undue delay and inform the controller of the contact details.
(3) For data protection inquiries, the processor's privacy contact is available at [email protected].
Section 14 — Liability
(1) The liability of the Parties is governed by Art. 82 GDPR. Any controller or processor involved in processing is liable for damage caused by non-GDPR-compliant processing.
(2) A processor is liable for damage caused by processing only where it has not complied with obligations specifically directed at processors under the GDPR or where it has acted outside or contrary to lawful instructions of the controller (Art. 82(2) GDPR).
(3) The processor shall be released from liability if it proves that it is not in any way responsible for the event giving rise to the damage (Art. 82(3) GDPR).
(4) The processor's liability for contractual claims under this DPA is limited to the sum of the fees paid by the controller in the 12 months preceding the event giving rise to liability. This limitation does not apply to claims under Art. 82 GDPR or to intent and gross negligence.
Section 15 — Final Provisions
(1) Should individual provisions of this DPA be or become invalid, this shall not affect the validity of the remaining provisions. The Parties undertake to replace the invalid provision with a regulation that comes closest to the economic and legal purpose of the invalid provision.
(2) In the event of any inconsistency between this DPA and the Main Contract or any other agreements between the Parties, the provisions of this DPA shall take precedence insofar as the protection of personal data is concerned.
(3) Amendments and supplements to this DPA require text form (email is sufficient).
(4) This Agreement is governed by the law of the Federal Republic of Germany. Exclusive place of jurisdiction, insofar as legally permissible, is Siegburg.
(5) This DPA takes effect upon installation of one of the applications by the controller and is electronically valid pursuant to Art. 28(9) GDPR.
Annex 1: Description of the Processing
A. Retractly — Withdrawal Management
Purpose of processing: Provision of a digital withdrawal form for end customers pursuant to § 356a BGB, processing and management of withdrawal declarations, sending of automated email notifications to end customers and merchant, refund management, fraud prevention.
Nature of processing: Collection, storage, retrieval, use, transmission (email dispatch, Shopify API calls), deletion, anonymisation.
Type of personal data (end customer data):
- First and last name of the end customer
- Email address of the end customer
- Shopify customer ID (where the end customer holds a customer account)
- IP address — the full IP is held only ephemerally in memory for the purpose of rate limiting; additionally a truncated version (IPv4 with zeroed last octet, IPv6 as /48 prefix) is stored with the withdrawal record, serves fraud detection, and is subject to the retention/anonymisation rules in Section 12
- User agent / browser and device information
- Storefront locale (language in which the form was completed)
- Order number
- Order date
- Order amount and withdrawal amount
- Delivery date (where available from Shopify fulfilment)
- Calculated withdrawal deadline
- Ordered products (title, variant title, SKU, image URL, quantity, price)
- Reason for withdrawal (optional, selected by the end customer)
- Free-text comment on the withdrawal (optional, entered by the end customer)
- Processing status and timestamps (submission, approval, rejection, refund)
Type of personal data (merchant staff data):
For each administrative action by a merchant staff member in the application (approval, rejection, refund, manual resolution) as well as for system-initiated actions (automatic expiry after deadline, GDPR anonymisation), the following data is logged in a staff action log (audit log):
- Shopify user ID of the staff member
- Name of the staff member
- Email address of the staff member
- IP address of the admin browser (full, not truncated, to ensure traceability of staff decisions; legal basis: Art. 6(1)(c) GDPR in conjunction with § 257(4) HGB and Art. 6(1)(f) GDPR — legitimate interest in abuse prevention)
- Type of action
- Timestamp
Categories of data subjects:
- End customers of the controller's online shop who submit a withdrawal
- Staff of the controller (on admin use)
B. PackFlow — DHL Returns Portal and Shipment Tracking
Purpose of processing: Provision of a self-service returns portal for end customers, automatic generation of DHL return labels and QR codes, shipment tracking, returns analytics.
Nature of processing: Collection, storage, retrieval, use, transmission (to DHL API and email dispatch), deletion, anonymisation.
Type of personal data:
- First and last name of the end customer
- Email address of the end customer
- Delivery address (street, postcode, city, country)
- IP address
- Geolocation data (based on the IP address)
- Browser and device information (user agent)
- Order number and order date
- Ordered products (title, variant, quantity, price, SKU, image URL)
- Reason for return (optional)
- Free-text notes on the return (optional)
- DHL shipment number (tracking number)
Categories of data subjects:
- End customers of the controller's online shop who submit a return or use shipment tracking
- Staff of the controller (on admin use: name, email, IP address, action log)
C. Automated Individual Decision-Making
None of the applications make automated decisions with legal effect on the end customer within the meaning of Art. 22 GDPR. The fraud detection integrated in Retractly merely flags suspicious patterns (e.g. repeated withdrawals from the same customer email or the same truncated IP address within 180 days) as a notice to the merchant; the decision on approval or rejection is made by the merchant manually.
Annex 2: Technical and Organisational Measures (TOMs)
Version: April 2026
1. Confidentiality
1.1 Physical access control
- Server infrastructure is operated exclusively at professional cloud providers (Render Services Inc., data centre Frankfurt, Germany).
- No physical access to servers by the processor is required.
- The cloud providers maintain certified data centres with physical access controls (SOC 2 / ISO 27001).
1.2 Logical access control
- Multi-factor authentication (MFA) for all administrative access (Render, Shopify Partner Dashboard, GitHub, Resend).
- Individual user accounts (no shared accounts).
- Password policy: at least 16 characters, use of a password manager.
- Automatic lock-out after failed login attempts.
- Encryption of all administrative devices (full disk encryption).
1.3 Data access control
- Role-based access control (RBAC) in all applications.
- Need-to-know principle: access to personal data only for authorised persons.
- Tenant separation: each shop has its own logical data area, access restricted to its own data (see 1.4).
- Logging of all administrative actions in an audit trail (AuditLog table).
- Regular review of access permissions.
1.4 Separation control
- Logical tenant separation at database level (row-level isolation via shopId columns in all relevant tables).
- Separation of production and development environments (separate databases, separate API credentials).
- No use of production data in test environments.
1.5 Pseudonymisation and data minimisation
- IP addresses are truncated at the point of storage: IPv4 with zeroed last octet (e.g. 192.0.2.0), IPv6 as /48 prefix (e.g. 2001:db8:abcd::/48). The full IP does not leave the ephemeral rate-limit memory.
- On GDPR erasure requests (customers/redact), the PII fields of a withdrawal record are set to null (nulling). The following fields are cleared: customerName, customerEmail, customerId, ipAddress, userAgent, reasonNote, rejectionReason, and the product-related metadata of each line item (title, variant title, SKU, image URL).
- Accounting-relevant fields (order number, order date, amounts, refund ID, status flags, timestamps) are retained to fulfil the HGB/AO retention obligations.
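The truncation and nulling rules of 1.5, as an added JavaScript example that is not part of this Agreement and not the processor's own code. The record shape, the line-item property names (title, variantTitle, sku, imageUrl) and the handling of IPv4-mapped IPv6 addresses as IPv4 are assumptions made for the illustration.

```javascript
const net = require('node:net');

// PII field names as listed in Section 12(1) and Annex 2, 1.5.
const PII_FIELDS = ['customerName', 'customerEmail', 'customerId', 'ipAddress',
  'userAgent', 'reasonNote', 'rejectionReason'];
// Hypothetical property names for the per-line-item metadata named in 1.5.
const LINE_ITEM_PII_FIELDS = ['title', 'variantTitle', 'sku', 'imageUrl'];

// Expand a validated textual IPv6 address into eight 16-bit groups.
function expandIPv6(addr) {
  let text = addr.split('%')[0]; // drop a zone id if one is present
  const lastColon = text.lastIndexOf(':');
  const tail = text.slice(lastColon + 1);
  if (tail.includes('.')) {
    // Embedded dotted IPv4 tail: rewrite it as two hexadecimal groups.
    const o = tail.split('.').map(Number);
    text = text.slice(0, lastColon + 1) +
      ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const [head, rest] = text.split('::');
  const left = head ? head.split(':') : [];
  const right = rest ? rest.split(':') : [];
  const fill = rest === undefined ? 0 : 8 - left.length - right.length;
  return [...left, ...Array(fill).fill('0'), ...right].map((g) => parseInt(g, 16));
}

// Truncate before storage: IPv4 with zeroed last octet, IPv6 as /48 prefix.
// Returns null for anything that is not an IP address, so nothing is stored.
function truncateIp(ip) {
  if (net.isIPv4(ip)) {
    const o = ip.split('.');
    return `${o[0]}.${o[1]}.${o[2]}.0`;
  }
  if (net.isIPv6(ip)) {
    const g = expandIPv6(ip);
    // Assumption: an IPv4-mapped address (::ffff:a.b.c.d) is truncated as IPv4.
    // Its /48 prefix would be all zeros and identical for every such client.
    if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
      return `${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.0`;
    }
    return `${g.slice(0, 3).map((x) => x.toString(16)).join(':')}::/48`;
  }
  return null;
}

// Nulling on customers/redact: clear PII, keep accounting-relevant fields.
function redactWithdrawal(record) {
  const out = { ...record };
  for (const f of PII_FIELDS) out[f] = null;
  out.lineItems = (record.lineItems || []).map((item) => {
    const copy = { ...item };
    for (const f of LINE_ITEM_PII_FIELDS) copy[f] = null;
    return copy;
  });
  return out;
}

// Check for a test suite or audit job: list PII fields that are still populated.
function remainingPii(record) {
  const left = PII_FIELDS.filter((f) => record[f] != null);
  (record.lineItems || []).forEach((item, i) => {
    for (const f of LINE_ITEM_PII_FIELDS) {
      if (item[f] != null) left.push(`lineItems[${i}].${f}`);
    }
  });
  return left;
}

// Constructed sample record (not real data).
const sample = {
  customerName: 'Erika Mustermann', customerEmail: 'erika@example.com',
  customerId: 'cust-1', ipAddress: null, userAgent: 'ExampleBrowser/1.0',
  reasonNote: 'too small', rejectionReason: null,
  orderNumber: '#1001', orderTotal: '49.90', status: 'REFUNDED',
  lineItems: [{ title: 'Shirt', variantTitle: 'M', sku: 'SH-M',
    imageUrl: 'https://example.com/shirt.png', quantity: 1, price: '49.90' }],
};

function demo() {
  const stored = { ...sample, ipAddress: truncateIp('2001:db8:abcd:12:a1b2:c3d4:e5f6:7') };
  const redacted = redactWithdrawal(stored);
  return {
    storedIp: stored.ipAddress,
    leftover: remainingPii(redacted),
    orderNumber: redacted.orderNumber,
    quantity: redacted.lineItems[0].quantity,
  };
}

console.log(demo());
```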
2. Integrity
2.1 Transmission control
- Transport encryption via TLS 1.2 / 1.3 for all connections (HTTPS enforced).
- Encrypted database connections (SSL/TLS).
- API authentication via OAuth 2.0 (Shopify), bearer tokens (Resend), and API keys (DHL).
- Rate limiting on all public endpoints to prevent abuse.
- No unencrypted transmission of personal data.
- Webhook signature verification (HMAC-SHA256) on all incoming Shopify webhooks.
2.2 Input control
- Audit trail (AuditLog table) for all security-relevant actions: approval, rejection, refund, manual resolution, bulk actions, GDPR anonymisation, automatic retention deletion.
- Individual user accounts enable traceability of all inputs.
- Webhook deduplication based on x-shopify-webhook-id prevents duplicate processing on parallel deliveries.
- Signed form data (HMAC-verified state encoding) prevents tampering in the multi-step withdrawal process.
- Input validation (Zod schemas) and sanitisation on all public endpoints to protect against XSS and injection.
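The webhook signature verification of 2.1 and the deduplication of 2.2, combined in one added JavaScript example that is not part of this Agreement and not the processor's own code. It assumes lowercase header keys as delivered by Node's HTTP server, Shopify's x-shopify-hmac-sha256 header carrying the base64 HMAC-SHA256 of the raw request body, and an in-memory store; the class and function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// HMAC-SHA256 over the raw, unparsed request body.
function computeHmac(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest();
}

// Constant-time comparison of the received signature with the expected one.
function verifyShopifyHmac(rawBody, headerHmac, secret) {
  if (typeof headerHmac !== 'string' || headerHmac.length === 0) return false;
  const expected = computeHmac(rawBody, secret);
  const received = Buffer.from(headerHmac, 'base64');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// In-memory claim table keyed by webhook id (assumption for this example).
// With several application instances the claim has to be an insert under a
// unique key in shared storage, so parallel deliveries collide there instead.
class WebhookDeduper {
  constructor(ttlMs = 24 * 60 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.seen = new Map(); // webhook id -> expiry timestamp in ms
  }

  // Returns true for the first delivery of an id, false for a repeat.
  claim(id, now = Date.now()) {
    for (const [key, expiry] of this.seen) {
      if (expiry <= now) this.seen.delete(key);
    }
    if (this.seen.has(id)) return false;
    this.seen.set(id, now + this.ttlMs);
    return true;
  }
}

// Verify first, then deduplicate: an unsigned request must not be able to
// reserve a webhook id and suppress the genuine delivery.
function handleWebhook({ rawBody, headers }, secret, deduper, onEvent) {
  if (!verifyShopifyHmac(rawBody, headers['x-shopify-hmac-sha256'], secret)) {
    return { status: 401, processed: false };
  }
  const id = headers['x-shopify-webhook-id'];
  if (!id) return { status: 400, processed: false };
  if (!deduper.claim(id)) {
    // Acknowledge the duplicate so it is not retried, but do no work.
    return { status: 200, processed: false };
  }
  onEvent(headers['x-shopify-topic'], JSON.parse(rawBody.toString('utf8')));
  return { status: 200, processed: true };
}

// Constructed request data (not real traffic).
function demo() {
  const secret = 'constructed-client-secret';
  const rawBody = Buffer.from('{"shop_domain":"example.myshopify.com"}');
  const headers = {
    'x-shopify-topic': 'customers/redact',
    'x-shopify-webhook-id': 'constructed-id-0001',
    'x-shopify-hmac-sha256': computeHmac(rawBody, secret).toString('base64'),
  };
  const deduper = new WebhookDeduper();
  const topics = [];
  const onEvent = (topic) => topics.push(topic);

  const first = handleWebhook({ rawBody, headers }, secret, deduper, onEvent);
  const repeat = handleWebhook({ rawBody, headers }, secret, deduper, onEvent);
  const tampered = handleWebhook(
    { rawBody: Buffer.from('{"shop_domain":"other.myshopify.com"}'),
      headers: { ...headers, 'x-shopify-webhook-id': 'constructed-id-0002' } },
    secret, deduper, onEvent);
  return { first, repeat, tampered, topics };
}

console.log(demo());
```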
3. Availability and Resilience
3.1 Availability control
- Hosting at professional cloud providers with contractual availability commitments (Render Services).
- Automatic database backups (Render PostgreSQL: daily automated backups; point-in-time recovery depending on the booked database tier).
- Automatic restart on application errors (health-check endpoints).
- DDoS protection via the cloud infrastructure.
3.2 Rapid recoverability
- Point-in-time recovery for the PostgreSQL database (depending on the active Render tier).
- Automated deployment pipeline via Git: rollback to a previous version is possible within minutes.
- Documented recovery procedures for various failure scenarios.
4. Procedure for Regular Review, Assessment and Evaluation
4.1 Data protection management
- Regular review and updating of the technical and organisational measures.
- Data-protection-compliant software development according to the principles of privacy by design and privacy by default (Art. 25 GDPR).
- Data minimisation: only the data required for the respective purpose is collected and processed.
- Application-integrated deletion and anonymisation routines in line with the retention periods defined in Section 12. The ongoing retention deletion is triggered on administrative access and internally limited to a 24-hour interval; the anonymisation of a withdrawal record following a GDPR erasure request (customers/redact) takes place immediately in the webhook handler.
4.2 Incident response management
- Documented process for personal data breaches.
- Report to the controller at the latest within 48 hours of becoming aware of the breach.
- Tracking of incoming GDPR webhooks in a dedicated GdprRequest table with timestamp and completion status to transparently comply with the 30-day deadline under Art. 12(3) GDPR.
4.3 Order control
- Contractual obligation of all sub-processors to equivalent data protection standards (separate DPA or data processing addendum with each sub-processor).
- Regular review of the DPF certifications or transfer mechanisms of all sub-processors not established in the EEA.
Annex 3: Approved Sub-Processors
Version: April 2026
No. 1 — Render Services Inc.
No. 2 — Resend Inc.
No. 3 — Shopify Inc.
No. 4 — DHL Group (Deutsche Post DHL) — PackFlow only
Note: Changes to this list will be communicated to the controller at least 30 days before taking effect in text form (Section 7(2)).
Annex 4: Authorised Persons
Persons authorised to issue instructions on the controller's side:
The shop owner and all persons registered as administrators in the Shopify admin area.
Person authorised to receive instructions on the processor's side:
S. Timm (Managing Director)
Email: [email protected]
Hennef, April 2026
Timmgard GmbH (processor)
S. Timm, Managing Director