Privacy Policy
Withdrawly — EU Withdrawal Button for Shopify
Effective date: June 7, 2026
Last updated: June 7, 2026
This Privacy Policy explains how Withdrawly processes personal data in connection with the website, Shopify app, merchant dashboard, storefront withdrawal workflow, support, and related services. It is intended to provide information under Articles 13 and 14 GDPR.
Withdrawly is a technical workflow tool and does not provide legal advice.
1. Provider and Contact
Service provider: Withdrawly
Website: https://withdrawly.app
Email: support@withdrawly.app
2. Roles Under Data Protection Law
For end-customer withdrawal data processed through a merchant's store, Withdrawly acts as processor on behalf of the merchant. The merchant is the controller. This processing relationship is governed by the Data Processing Agreement at https://withdrawly.app/dpa.
For merchant account administration, support, billing, security, and service operations, Withdrawly acts as an independent controller.
3. Categories of Personal Data
Merchant data may include Shopify store identifiers, shop domain, app installation data, merchant email addresses, app configuration, plan and subscription status, support communications, technical logs, webhook metadata, and security events.
End-customer data processed for merchants may include email address, optional customer name, order number, Shopify order identifiers, selected line items, SKU, title, quantity, withdrawal declaration text, optional reason, submitted locale, timestamps, status history, email delivery metadata, and hashed rate-limit identifiers.
Withdrawly does not request or store customer address, phone, payment method details, or customer account credentials for the withdrawal workflow.
4. Sources of Personal Data
Merchant data is provided through Shopify, merchant configuration, billing systems, support communications, and technical service usage. End-customer data is submitted through the merchant's storefront withdrawal workflow or received from Shopify APIs and webhooks where the merchant has installed and configured the app.
5. Purposes of Processing
Withdrawly processes personal data to receive and manage withdrawal requests, match customer-submitted order details with Shopify order data where available, send confirmation and notification emails, provide the merchant dashboard, maintain timestamps and status history, support exports and retention controls, operate billing and support, maintain security, prevent abuse, and respond to Shopify privacy webhooks.
6. Legal Bases Where Withdrawly Is Controller
Where Withdrawly acts as controller, processing is based on contract performance, legal obligations, legitimate interests such as security and service reliability, or consent where requested. Where Withdrawly acts as processor for end-customer withdrawal data, the merchant determines the relevant legal basis.
7. Recipients and Service Providers
Withdrawly does not sell personal data and does not share personal data for advertising. Withdrawly uses Shopify for app platform services, Fly.io for application hosting, Supabase for PostgreSQL database hosting, Resend for transactional email delivery, and optional Sentry monitoring for error diagnostics. Subprocessor details are maintained at https://withdrawly.app/subprocessors.
8. International Transfers
Withdrawly's production application and database workflow is designed around EU/EEA infrastructure. Some providers are headquartered outside the EU/EEA or operate global support and account systems. Where personal data is transferred outside the EU/EEA, Withdrawly relies on appropriate safeguards such as adequacy decisions, EU Standard Contractual Clauses, EU-US Data Privacy Framework certification where applicable, or another lawful transfer mechanism.
9. Retention and Deletion
Withdrawal-related data processed on behalf of merchants is retained according to the merchant's app settings, plan limits, exports, deletion controls, uninstall settings, and Shopify privacy webhook obligations. Merchant account, billing, support, and security data is retained for as long as needed to provide the service, meet legal obligations, resolve disputes, maintain security, and defend claims.
10. Security Measures
Withdrawly uses Shopify authentication, App Proxy verification, webhook verification, tenant separation by shop, input validation, HTML escaping, rate limiting, secret management, encrypted transport, restricted production access, and sanitized error reporting. Additional security details are available at https://withdrawly.app/security.
11. Data Subject Rights
Where Withdrawly acts as controller, merchants may contact us to request access, correction, deletion, restriction, portability, or objection where applicable. Where end-customer data is processed on behalf of a merchant, end customers should generally direct requests to the merchant. Withdrawly assists merchants through app controls and Shopify privacy webhook handling where applicable.
12. Automated Decision-Making
Withdrawly does not carry out automated decision-making or profiling within the meaning of Article 22 GDPR.
13. Cookies and Similar Technologies
Withdrawly may use technically necessary cookies, sessions, or local storage to provide authentication, app navigation, security, and core functionality. Withdrawly does not use the withdrawal workflow to set advertising cookies for end customers.
14. Shopify Privacy Processes
Shopify App Store apps must handle mandatory privacy compliance webhooks. Withdrawly implements customer data request, customer redaction, and shop redaction workflows.
15. Data Processing Agreement
For end-customer personal data processed on behalf of merchants, Withdrawly provides a Data Processing Agreement at https://withdrawly.app/dpa.
16. Changes to This Privacy Policy
Withdrawly may update this Privacy Policy to reflect legal, product, infrastructure, or subprocessor changes. The updated version will be posted on this page with the updated date.
17. Contact
For privacy questions, contact support@withdrawly.app.