EUcomply
Home Terms DPA Imprint Install on Shopify

Privacy Policy

Last updated: 2026-05-08 • Effective: 2026-05-08

This Privacy Policy explains how EUcomply ("we", "us", or "our") processes Personal Data under Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable national implementing law. Capitalised terms used here have the meaning given in GDPR Article 4.

1. Controller and Data Protection Officer

Data Controller
EUcomply UG (haftungsbeschränkt) [trading name; replace with registered entity before App Store submission]
Registered address: Friedrichstr. 1, 10117 Berlin, Germany
Commercial register: HRB — [to be filled]
Email: privacy@eucomply.app

Data Protection Officer (DPO) — appointed under GDPR Art. 37
Email: dpo@eucomply.app
Postal: DPO, c/o EUcomply UG, Friedrichstr. 1, 10117 Berlin, Germany

2. Scope and Processor / Controller Roles

EUcomply operates a B2B Software-as-a-Service product for cross-border e-commerce sellers. Within the Service:

  • For data of the merchant's end customers (order metadata processed for customs duty, GPSR safety documentation and IOSS aggregation), the merchant is the Controller and EUcomply is the Processor under GDPR Art. 28. This relationship is governed by our Data Processing Agreement.
  • For data of the merchant's authenticated user (account holder login, billing contact, support correspondence), EUcomply is the Controller.
  • For website visitors of eucomply.app (logs, cookie preferences), EUcomply is the Controller.

3. Categories of Personal Data Processed

CategoryExamplesSource
Account & identityEmail address, name, Shopify shop domain, roleYou, Shopify OAuth
Shop credentialsShopify access token (encrypted at rest), OAuth scopesShopify OAuth handshake
Product / catalogue dataSKUs, HS codes, product titles, manufacturer details, hazard classMerchant input, Shopify Admin API
Responsible Person recordsLegal name, EU address, contact email and phone of the GPSR Responsible PersonMerchant input
Order metadataOrder ID, destination country, line item HS codes and intrinsic value, currency, ordered-at timestamp. No buyer identity.Shopify webhooks
Billing & paymentStripe customer ID, last-4 of card, plan, invoice metadata. We never store the full card number.Stripe
Usage & security logsIP address (truncated), User-Agent, timestamps, audit trail of authenticated actions, rate-limit countersAutomatically collected

4. Purposes of Processing and Legal Basis

For each purpose we identify the legal basis under GDPR Art. 6(1):

PurposeLegal basis
Generate GPSR safety documents in 5 languages, maintain Responsible Person registry, expose product compliance metadata at checkout.Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — Regulation (EU) 2023/988 (GPSR) Art. 9 / Art. 16.
Calculate per-parcel customs duty for the post-2026-07-01 EU regime and reconcile monthly.Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — EU customs duty rules effective 2026-07-01.
Aggregate IOSS VAT data per EU member state, generate the monthly export your fiscal intermediary submits.Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — Council Directive 2006/112/EC (VAT Directive).
Provide, secure and improve the Service: authentication, audit log, abuse detection, rate limiting, error monitoring.Art. 6(1)(b) and Art. 6(1)(f) legitimate interest — running a secure SaaS.
Subscription billing via Stripe.Art. 6(1)(b) contract performance; Art. 6(1)(c) legal obligation — tax and accounting law.
Lifecycle & transactional emails (welcome, onboarding, payment failure, cancellation, regulatory deadline reminders).Art. 6(1)(b) contract performance; for the 2026-07-01 cutoff reminder, also Art. 6(1)(c) and Art. 6(1)(f).
Marketing emails (product updates beyond the Service).Art. 6(1)(a) consent — opt-in, withdrawable at any time.

We do not use Personal Data for automated decision-making producing legal effects under GDPR Art. 22, and we do not sell or rent Personal Data.

5. Recipients and Sub-Processors

We share Personal Data only with the following recipients, each bound by a written data-processing contract or by law:

RecipientRoleLocationData exposed
Stripe Payments Europe, Ltd.Sub-processor — subscription billing, card processingIreland (EU); onward to Stripe, Inc. (US) under SCCsEmail, billing address, plan, card token. Full PAN never seen by us. Stripe Privacy • Stripe DPA • Stripe sub-processors
Sentry GmbHSub-processor — error and exception monitoringGermany / EU; some onward processing by Functional Software, Inc. (US) under SCCsStack traces, request method/path, shop ID, error metadata. PII filtered (sendDefaultPii: false). Sentry Privacy • Sentry DPA • Sentry sub-processors
Shopify International Ltd.Source of merchant + order metadata; we read via OAuthIreland (EU); onward to Shopify Inc. (Canada) under adequacy / SCCsOAuth scopes, shop domain, products, orders. Shopify Privacy • Shopify DPA
Resend, Inc.Sub-processor — transactional and lifecycle email deliveryEU region (eu-west); onward to US under SCCsRecipient email, name, message body. Resend Privacy • Resend DPA
Hetzner Online GmbHHosting — primary infrastructureGermany (Falkenstein / Nuremberg)All Service data at rest and in transit. Hetzner Privacy
EU TARIC database (European Commission)Public-data lookup (HS code → duty rate)EUOnly HS code + destination country pair. No Personal Data sent.
Competent authoritiesDisclosure on lawful requestEU member statesStrictly limited to what is required by law (e.g. customs audit, court order).

An up-to-date list of sub-processors is maintained at the URL above. We notify Controllers (merchants) at least 30 days before adding a new sub-processor, in line with our DPA.

6. International Transfers

Our primary infrastructure is in the European Union (Germany). Where Personal Data is transferred outside the EEA — for example to Stripe, Inc. (US), Functional Software, Inc. (US, Sentry), or Resend, Inc. (US) — we rely on:

  • European Commission Standard Contractual Clauses (SCCs) Module 2 / Module 3 (Decision (EU) 2021/914), supplemented by additional technical and organisational measures (encryption in transit and at rest, access logging, key separation).
  • The EU-US Data Privacy Framework where the recipient is certified, alongside SCCs as a fallback.
  • Transfer Impact Assessments (TIAs) for each onward transfer per EDPB Recommendations 01/2020.

You may request a copy of the safeguards we use by emailing dpo@eucomply.app.

7. Retention

Data categoryRetentionReason
Account & identityDuration of subscription + 30 days post-cancellation (export window)Contract performance
Compliance & bookkeeping records (safety docs, IOSS aggregates, duty calculations, invoices)7 years after the close of the relevant fiscal yearEU tax / VAT bookkeeping (Council Directive 2006/112/EC); German § 147 AO
GPSR technical documentation10 years from the date the product is placed on the marketRegulation (EU) 2023/988 Art. 9(8)
Stripe billing dataPer Stripe DPA retention; we hold a customer ID and invoice references for the same 7-year fiscal window.Stripe DPA & tax law
Audit log (security events)7 yearsSOC 2 / ISO 27001 control alignment
Server access logs (IP truncated)90 daysAbuse defence (Art. 6(1)(f))
Cookie consent records13 months from last refreshEDPB Guidelines 05/2020
Marketing email subscribersUntil consent is withdrawn + 30 daysConsent (Art. 6(1)(a))

8. Your Rights as a Data Subject

If we process your Personal Data, GDPR Art. 12–22 grant you the following rights, exercisable free of charge:

  • Right of access (Art. 15) — request a copy of the data we hold about you. Self-service: GET /api/account/export in your authenticated dashboard.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data. Self-service: account settings, PATCH /api/account.
  • Right to erasure / "right to be forgotten" (Art. 17) — subject to retention obligations above. Self-service: POST /api/account/delete.
  • Right to restriction of processing (Art. 18) — email dpo@eucomply.app.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON). Self-service: GET /api/account/export?format=json.
  • Right to object (Art. 21) — in particular to processing based on legitimate interest, including direct marketing. Email dpo@eucomply.app or use the unsubscribe link in any marketing email.
  • Right to withdraw consent (Art. 7(3)) — the cookie banner exposes a one-click withdrawal entry; consent records are deleted immediately.
  • Right not to be subject to a solely automated decision (Art. 22) — we do not perform automated profiling with legal effects.
  • Right to lodge a complaint with a supervisory authority (Art. 77) — in particular the lead authority Berliner Beauftragte für Datenschutz und Informationsfreiheit (datenschutz-berlin.de), or any other authority listed by the European Data Protection Board (EDPB).

We respond within 30 days (extendable by 60 days for complex requests under Art. 12(3)). To verify your identity we may require proof reasonably proportionate to the request.

9. Security

  • TLS 1.2+ for all data in transit; HSTS preload-eligible.
  • AES-256 encryption at rest for the database volume; access tokens are stored encrypted with envelope keys rotated every 90 days.
  • Stripe-tokenised payment data — PAN never reaches our servers.
  • HMAC-SHA256 verification on every Shopify webhook; constant-time comparison.
  • JWT session cookies (httpOnly, Secure, SameSite=Lax), 1-hour TTL.
  • Per-IP rate limiting on auth and webhook endpoints; structured audit log.
  • Least-privilege access for personnel; quarterly access review.
  • Personal Data Breach notification to supervisory authority within 72 hours (Art. 33) and to affected Controllers (Art. 33(2)) without undue delay.

10. Cookies and Similar Technologies

The marketing site (eucomply.app) uses only strictly necessary cookies by default. The cookie banner offered on first visit groups cookies into categories (essential, analytics, marketing) and sets non-essential cookies only after explicit opt-in. You can review and withdraw consent at any time via the "Cookie preferences" entry in the footer.

  • Essential — session cookie, CSRF token, consent receipt. No consent required (Art. 6(1)(f) and ePrivacy Directive Art. 5(3) exception).
  • Analytics — aggregate pageview counters. Currently not enabled. Will require explicit opt-in if added.
  • Marketing — conversion pixels. Currently not enabled. Will require explicit opt-in if added.

11. Children's Data

EUcomply is a B2B service intended exclusively for legal entities and adult professionals. We do not knowingly collect Personal Data from individuals under 16 (Art. 8). If we become aware that we have, we delete the data promptly.

12. Changes to This Policy

We may update this Privacy Policy. Material changes affecting the legal basis, retention or recipients are notified by email and via an in-app notice at least 30 days before they take effect; non-material edits (formatting, contact details) are reflected by updating the "Last updated" date.

13. Contact

EUcomply UG (haftungsbeschränkt)
Friedrichstr. 1, 10117 Berlin, Germany
Privacy enquiries: privacy@eucomply.app
Data Protection Officer: dpo@eucomply.app
General: hi@eucomply.app

© 2026 EUcomply. All rights reserved. • Privacy • Terms • DPA • Imprint • Status • Changelog • Trust