Zentric Digital Logo

EU Withdrawal Button Privacy Policy

Last updated: 16 June 2026

1. Who this policy covers

This policy explains how Zentric Digital ApS, CVR 45784274, Amerika Plads 25, 2100 Copenhagen, Denmark ("Zentric", "we", "us") processes personal data in connection with the EU Withdrawal ButtonShopify app.

For ordinary website visits, sales inquiries, and direct communications with Zentric, Zentric is the data controller. For withdrawal requests submitted by a Shopify merchant's customers through the app, the merchant is the data controller and Zentric acts as processor under the in-app data processing agreement.

2. What the app does

The EU Withdrawal Button helps Shopify merchants provide an account-less storefront flow for consumer withdrawal/cancellation requests. The app verifies order number and email against Shopify order data, calculates configured deadlines, applies merchant-configured exclusions, stores a withdrawal record, generates a PDF confirmation, sends transactional emails, and provides a merchant dashboard and audit trail.

3. Personal data processed for withdrawal requests

Depending on the merchant's configuration and the consumer's submission, the app may process:

  • Shopify order id, order name/number, and order email;
  • deadline-relevant Shopify order, fulfillment, or delivery timestamps;
  • order line items, product/variant identifiers, SKUs, quantities, product tags, vendors, product types, and collection identifiers where needed for exclusion rules;
  • consumer-entered name, preferred contact method, optional phone number where phone is selected, and optional reason text;
  • selected items and quantities covered by the withdrawal request;
  • receipt time, deadline, status, internal merchant notes, deadline overrides, PDF/audit references, and email delivery status;
  • technical request data such as IP address, user agent, and request identifiers in transient infrastructure, security, or rate-limit logs.

The app does not intentionally collect payment card data, billing/shipping addresses, customer account passwords, browsing profiles, or special-category data. The optional reason field should not be used for sensitive health, religion, payment, identity-document, or similar details.

4. Purposes and legal basis

Zentric processes merchant customer data only on the merchant's documented instructions and for the app's purposes: verifying withdrawal requests, creating legal evidence, sending required confirmations, notifying the merchant, supporting merchant administration, securing the service, and assisting with GDPR requests.

The merchant determines the legal basis for its customer data. The baseline use case is usually connected to the merchant's legal obligations under consumer-withdrawal law and/or the establishment, exercise, or defence of legal claims. Merchants should confirm their own legal basis and retention period with counsel.

5. Sub-processors and recipients

For the app, Zentric uses the following key sub-processors:

  • Hetzner Online GmbH — EU hosting, database, and encrypted backups in Germany.
  • Brevo / Sendinblue SAS — transactional email delivery from France when the merchant uses Zentric platform email.

Shopify processes store and order data under the merchant's own agreement with Shopify. If a merchant configures its own SMTP provider, that provider is used under the merchant's own arrangement rather than as a Zentric sub-processor.

6. Transactional email and open tracking

The app sends statutory-style confirmation emails to the order email address on file and merchant notifications to the configured merchant recipient. When platform email is used through Brevo, Brevo may include an anonymized open-tracking pixel in transactional email. Merchants can choose to configure their own SMTP sender if they prefer their own email-delivery posture.

7. Retention and deletion

Withdrawal-record retention is configurable per merchant. The default technical retention period is 2,190 days, after which personal data can be redacted by automated retention jobs. Merchants are responsible for confirming their own lawful retention period.

Shopify privacy webhooks are used to handle customer data requests, customer redaction, and shop redaction events. After app uninstall, Shopify may require shop data deletion/redaction. Merchants should export any withdrawal evidence they need before uninstalling the app.

8. Security measures

The app uses technical and organizational measures including TLS in transit, encrypted EU-hosted storage and backups, application-level encryption for stored SMTP credentials, access controls, per-shop CORS allowlists, rate limiting, bot/replay protections, and a tamper-evident SHA-256 audit chain for withdrawal records.

9. International transfers

For the baseline app processing, storage, database, backups, and application processing are intended to stay in the EU through Hetzner in Germany and Brevo in France where platform email is used. Email routing to a consumer's or merchant's mailbox provider may involve systems outside Zentric's control. If Zentric uses a processor involving a third-country transfer, we use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, and supplementary measures where required.

10. Data subject rights

Merchant customers should normally contact the merchant store where they placed the order, because the merchant is the controller for withdrawal records. Zentric assists merchants as processor, including through Shopify GDPR webhooks and support processes. For data where Zentric is controller, such as direct inquiries or support messages sent to us, you can contact support@zentric.digital.

Depending on applicable law, you may have rights to access, rectification, deletion, restriction, objection, portability, and complaint to a supervisory authority. In Denmark, the supervisory authority is Datatilsynet: https://www.datatilsynet.dk/.

11. Cookies and analytics

The storefront withdrawal modal does not require non-essential marketing cookies. Zentric's public website may use cookies and analytics as described in the general Zentric Digital privacy policy and cookie preferences panel.

12. Changes

We may update this policy to reflect changes in the app, sub-processors, legal requirements, or operational practices. The latest version is published on this page.

Zentric Digital ApS
CVR: 45784274
support@zentric.digital