Last updated: 2026-05-08 • Effective: 2026-05-08
This Privacy Policy explains how EUcomply ("we", "us", or "our") processes Personal Data under Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable national implementing law. Capitalised terms used here have the meaning given in GDPR Article 4.
Data Controller
EUcomply UG (haftungsbeschränkt) [trading name; replace with registered entity before App Store submission]
Registered address: Friedrichstr. 1, 10117 Berlin, Germany
Commercial register: HRB — [to be filled]
Email: privacy@eucomply.app
Data Protection Officer (DPO) — appointed under GDPR Art. 37
Email: dpo@eucomply.app
Postal: DPO, c/o EUcomply UG, Friedrichstr. 1, 10117 Berlin, Germany
EUcomply operates a B2B Software-as-a-Service product for cross-border e-commerce sellers. Within the Service:
eucomply.app (logs, cookie preferences), EUcomply is the Controller.| Category | Examples | Source |
|---|---|---|
| Account & identity | Email address, name, Shopify shop domain, role | You, Shopify OAuth |
| Shop credentials | Shopify access token (encrypted at rest), OAuth scopes | Shopify OAuth handshake |
| Product / catalogue data | SKUs, HS codes, product titles, manufacturer details, hazard class | Merchant input, Shopify Admin API |
| Responsible Person records | Legal name, EU address, contact email and phone of the GPSR Responsible Person | Merchant input |
| Order metadata | Order ID, destination country, line item HS codes and intrinsic value, currency, ordered-at timestamp. No buyer identity. | Shopify webhooks |
| Billing & payment | Stripe customer ID, last-4 of card, plan, invoice metadata. We never store the full card number. | Stripe |
| Usage & security logs | IP address (truncated), User-Agent, timestamps, audit trail of authenticated actions, rate-limit counters | Automatically collected |
For each purpose we identify the legal basis under GDPR Art. 6(1):
| Purpose | Legal basis |
|---|---|
| Generate GPSR safety documents in 5 languages, maintain Responsible Person registry, expose product compliance metadata at checkout. | Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — Regulation (EU) 2023/988 (GPSR) Art. 9 / Art. 16. |
| Calculate per-parcel customs duty for the post-2026-07-01 EU regime and reconcile monthly. | Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — EU customs duty rules effective 2026-07-01. |
| Aggregate IOSS VAT data per EU member state, generate the monthly export your fiscal intermediary submits. | Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — Council Directive 2006/112/EC (VAT Directive). |
| Provide, secure and improve the Service: authentication, audit log, abuse detection, rate limiting, error monitoring. | Art. 6(1)(b) and Art. 6(1)(f) legitimate interest — running a secure SaaS. |
| Subscription billing via Stripe. | Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — tax and accounting law. |
| Lifecycle & transactional emails (welcome, onboarding, payment failure, cancellation, regulatory deadline reminders). | Art. 6(1)(b) contract performance; for the 2026-07-01 cutoff reminder, also Art. 6(1)(c) and Art. 6(1)(f). |
| Marketing emails (product updates beyond the Service). | Art. 6(1)(a) consent — opt-in, withdrawable at any time. |
We do not use Personal Data for automated decision-making producing legal effects under GDPR Art. 22, and we do not sell or rent Personal Data.
We share Personal Data only with the following recipients, each bound by a written data-processing contract or by law:
| Recipient | Role | Location | Data exposed |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Sub-processor — subscription billing, card processing | Ireland (EU); onward to Stripe, Inc. (US) under SCCs | Email, billing address, plan, card token. Full PAN never seen by us. Stripe Privacy • Stripe DPA • Stripe sub-processors |
| Sentry GmbH | Sub-processor — error and exception monitoring | Germany / EU; some onward processing by Functional Software, Inc. (US) under SCCs | Stack traces, request method/path, shop ID, error metadata. PII filtered (sendDefaultPii: false). Sentry Privacy • Sentry DPA • Sentry sub-processors |
| Shopify International Ltd. | Source of merchant + order metadata; we read via OAuth | Ireland (EU); onward to Shopify Inc. (Canada) under adequacy / SCCs | OAuth scopes, shop domain, products, orders. Shopify Privacy • Shopify DPA |
| Resend, Inc. | Sub-processor — transactional and lifecycle email delivery | EU region (eu-west); onward to US under SCCs | Recipient email, name, message body. Resend Privacy • Resend DPA |
| Hetzner Online GmbH | Hosting — primary infrastructure | Germany (Falkenstein / Nuremberg) | All Service data at rest and in transit. Hetzner Privacy |
| EU TARIC database (European Commission) | Public-data lookup (HS code → duty rate) | EU | Only HS code + destination country pair. No Personal Data sent. |
| Competent authorities | Disclosure on lawful request | EU member states | Strictly limited to what is required by law (e.g. customs audit, court order). |
An up-to-date list of sub-processors is maintained at the URL above. We notify Controllers (merchants) at least 30 days before adding a new sub-processor, in line with our DPA.
Our primary infrastructure is in the European Union (Germany). Where Personal Data is transferred outside the EEA — for example to Stripe, Inc. (US), Functional Software, Inc. (US, Sentry), or Resend, Inc. (US) — we rely on:
You may request a copy of the safeguards we use by emailing dpo@eucomply.app.
| Data category | Retention | Reason |
|---|---|---|
| Account & identity | Duration of subscription + 30 days post-cancellation (export window) | Contract performance |
| Compliance & bookkeeping records (safety docs, IOSS aggregates, duty calculations, invoices) | 7 years after the close of the relevant fiscal year | EU tax / VAT bookkeeping (Council Directive 2006/112/EC); German § 147 AO |
| GPSR technical documentation | 10 years from the date the product is placed on the market | Regulation (EU) 2023/988 Art. 9(8) |
| Stripe billing data | Per Stripe DPA retention; we hold a customer ID and invoice references for the same 7-year fiscal window. | Stripe DPA & tax law |
| Audit log (security events) | 7 years | SOC 2 / ISO 27001 control alignment |
| Server access logs (IP truncated) | 90 days | Abuse defence (Art. 6(1)(f)) |
| Cookie consent records | 13 months from last refresh | EDPB Guidelines 05/2020 |
| Marketing email subscribers | Until consent is withdrawn + 30 days | Consent (Art. 6(1)(a)) |
If we process your Personal Data, GDPR Art. 12–22 grant you the following rights, exercisable free of charge:
GET /api/account/export in your authenticated dashboard.PATCH /api/account.POST /api/account/delete.GET /api/account/export?format=json.We respond within 30 days (extendable by 60 days for complex requests under Art. 12(3)). To verify your identity we may require proof reasonably proportionate to the request.
The marketing site (eucomply.app) uses only strictly necessary cookies by default. The cookie banner offered on first visit groups cookies into categories (essential, analytics, marketing) and sets non-essential cookies only after explicit opt-in. You can review and withdraw consent at any time via the "Cookie preferences" entry in the footer.
EUcomply is a B2B service intended exclusively for legal entities and adult professionals. We do not knowingly collect Personal Data from individuals under 16 (Art. 8). If we become aware that we have, we delete the data promptly.
We may update this Privacy Policy. Material changes affecting the legal basis, retention or recipients are notified by email and via an in-app notice at least 30 days before they take effect; non-material edits (formatting, contact details) are reflected by updating the "Last updated" date.
EUcomply UG (haftungsbeschränkt)
Friedrichstr. 1, 10117 Berlin, Germany
Privacy enquiries: privacy@eucomply.app
Data Protection Officer: dpo@eucomply.app
General: hi@eucomply.app