Privacy Policy

EU Widerrufsbutton Privacy Policy - Information on the Collection of Personal Data on this Website and App

"EU Widerrufsbutton" (the "App") provides compliance tools for merchants who use Shopify to power their stores. This Privacy Policy describes how personal information is collected, used, and shared when you install or use the App in connection with your Shopify-supported store, as well as information regarding the general use of this website.

This document informs you about:

• what personal data 401layers UG (haftungsbeschränkt) (hereinafter "401layers") collects, processes, and uses on this website and through the App,
• for what purposes this is done, and
• how you can object to certain collections, processing, or uses of your personal data.

2. Personal Information the App Collects

2.1 Installation and Use of the EU Widerrufsbutton App

I. Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer.

The following data is collected:

• Information about the browser type and version used
• The operating system of your computer
• The internet service provider you use
• The IP address of your computer
• Date and time of access
• Websites from which you came to our website ("Referrer")
• Websites that are accessed by your system through our website

These data are temporarily stored in the log files of our system. Storage of this data together with other personal data does not take place.

II. Legal Basis for Data Processing

The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.

III. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to your computer. For this purpose, the IP address of your computer must remain stored for the duration of the session. Storage in log files is done to ensure:

• the provision of a smooth connection to the website,
• the comfortable use of our website,
• the evaluation of system security and stability, and
• for other administrative purposes.

These purposes also constitute our legitimate interest in data processing according to Art. 6 (1) (f) GDPR.

IV. Duration of Storage

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

In the case of data collection for providing the website, this is the case when the respective session has ended.

In the case of storing the IP address in log files, this occurs after no later than 7 days.

V. Right to Object and Request Deletion

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no option to object.

2.2 Statistical Analysis

PostHog

I. Description and Scope of Data Processing

We use PostHog, an analytics tool, to analyze user behavior on our website. Anonymized data about interactions such as mouse movements, clicks, scrolling, and time spent on pages are recorded. These data are used to create heatmaps that show which areas of the website are frequently viewed, as well as conversion funnels that provide insight into user flow. PostHog can also collect feedback from visitors to improve our offerings. Collection is carried out using technologies such as cookies or device fingerprinting to recognize users across sessions without storing personal data.

II. Legal Basis for Data Processing

The legal basis for processing this data is your consent according to Art. 6 (1) (a) GDPR. Consent is obtained via a pop-up upon your first visit to the website.

III. Purpose of Data Processing

The purpose of data processing is the analysis and optimization of our website to improve the user experience and tailor our offerings.

IV. Duration of Storage

The collected data are automatically deleted after 12 months.

V. Right to Object and Request Deletion

Data processing only takes place with your consent. You can revoke this consent at any time via the cookie banner or by contacting us. Upon revocation, the data will no longer be processed, and you can exercise your rights to information, correction, or deletion at any time.

2.3 Contact Opportunity via Chat

Crisp

I. Description and Scope of Data Processing

In order to help you as quickly as possible with questions, we use the chat service Crisp.

Upon consent and use of the chat function provided by Crisp, the following data is transmitted to the Crisp servers:

• Content of all sent and received chat messages
• Contextual information (e.g., the page where the chat was used)
• IP address
• Optional: Email address of the user (if provided by the user via the chat function)

II. Legal Basis for Data Processing

The legal basis for processing the data is your consent according to Art. 6 (1) (a) GDPR.

III. Purpose of Data Processing

The purpose of this processing is to facilitate the communication initiated by you.

IV. Duration of Storage

Personal data is kept as long as necessary to fulfill the purpose of processing. The data will be deleted as soon as they are no longer necessary for achieving the purpose.

V. Right to Object and Request Deletion

We do not collect data without your consent. You can revoke your consent at any time. You can also exercise all your rights mentioned below securely at any time regarding data processing.

3. Data Processing in Connection with the Use of Our App

3.1 Installation and Use of the EU Widerrufsbutton App

I. Description and Scope of Data Processing

When you install the App "EU Widerrufsbutton" via the Shopify App Store, 401layers gains access to certain types of information from your Shopify account provided by Shopify. These data include:

• Shop Name and Shop ID
• Email address of the store owner
• Other relevant information that is required for the functionality of the App (e.g., orders, products, or customer data, provided you grant these permissions).

These data are used to provide and operate the App. Storage only takes place insofar as it is necessary for fulfilling contractual obligations. After uninstalling the App or terminating the contract, the data will be deleted, unless statutory retention periods require longer storage.

II. Legal Basis for Data Processing

The legal basis for processing the data is Art. 6 (1) (b) GDPR (necessary for the performance of a contract).

III. Purpose of Data Processing

We use the personal information we collect from you in order to provide the Service and to operate the App, enabling you to use our services.

IV. Duration of Storage

Personal data is kept as long as it is necessary for the fulfillment of the contract and the service. After termination of the contract or uninstallation of the App, the data will be deleted after the expiration of tax and commercial retention periods.

V. Right to Object and Request Deletion

You can stop the data processing at any time by uninstalling the App in the Shopify App Store. Upon revocation, the data will no longer be processed, and you can exercise your right to information, correction, or requests to delete at any time.

4. Disclosure of Data and Processors

Data processing activities entrusted by us to external service providers, who support us with specific services, are only carried out on the basis of a data processing agreement. Subject to explicit consent (e.g., in a cookie banner) or contractually or legally required transmission, we process data only in third countries with a recognized level of data protection, under contractual obligation through standard contractual clauses of the EU Commission, in the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR).

The following service providers may gain partial or complete access to your personal data:

• PostHog - To analyze your usage behavior on this website, we use PostHog, Inc., 2261 Market Street, Suite 4008, San Francisco, CA 94114, USA - https://posthog.com/privacy
• Amazon AWS - We host our App and parts of our Website via our processor Amazon Web Services, Inc., 410 Terry Ave N, Seattle, WA 98109-5210, USA. Personal data is processed for the purpose of providing our services and increasing operational security. – https://aws.amazon.com/privacy/
• Vercel - We host our Website via our processor Vercel, Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Personal data is processed for the purpose of providing our services and increasing operational security. – https://vercel.com/legal/privacy-policy
• Crisp - We use Crisp, Crisp IM SARL, 2 Boulevard de Launay, 44100 Nantes, France, to communicate with you via our website. - https://crisp.chat/en/privacy/
• Shopify - Our App integrates with the Shopify platform. Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Data processing occurs as part of the app usage to provide agreed services. – https://www.shopify.com/legal/privacy

Additionally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

5. Rights of Data Subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights vis-à-vis us:

If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.

Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order or install the App), or otherwise to pursue our legitimate business interests listed above. Please note that your information may be transferred outside of Europe, including to Canada and the United States.

5.1. Right to Information

You have the right to demand confirmation from us as to whether personal data concerning you is processed by us.

If such processing takes place, you can request information from us about the following:

• the purposes for which the personal data are processed;
• the categories of personal data being processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of your personal data or, if specific details are not possible, criteria for determining the retention period;
• the existence of a right to correction or deletion of your personal data, a right to restrict processing by the controller, or a right to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• any available information on the source of the data if the personal data are not collected from the data subject;
• the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information on whether personal data concerning you is transferred to a third country or to an international organization. In this context, you can request to be informed of the appropriate guarantees under Art. 46 GDPR regarding the transfer.

5.2. Right to Rectification

You have a right to rectification and/or completion vis-à-vis us if the processed personal data concerning you is inaccurate or incomplete. We must make the correction without delay.

5.3. Right to Restriction of Processing

You can request the restriction of processing of personal data concerning you under the following conditions:

• if you dispute the accuracy of your personal data for a period enabling us to verify the accuracy;
• if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• if we no longer need the personal data for the purposes of processing, but you need them for the establishment, exercise, or defense of legal claims; or
• if you have objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether our legitimate reasons override yours.

5.4. Right to Erasure

a) Obligation to Erase

You may demand that your personal data be deleted immediately, and we are obliged to delete this data immediately, provided one of the following reasons applies:

• Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
• You revoke your consent, on which the processing was based under Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal basis for processing.
• You object to the processing in accordance with Art. 21 (1) GDPR, and there are no overriding legitimate reasons for the processing, or you object to processing under Art. 21 (2) GDPR.
• Your personal data was unlawfully processed.
• Erasure of personal data is necessary to fulfill a legal obligation under Union or Member State law to which we are subject.
• Personal data concerning you has been collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

b) Information to Third Parties

If we have made your personal data public and we are obliged to erase it under Art. 17 (1) GDPR, we will take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested erasure of any links to, or copy or replication of, those personal data.

c) Exceptions

The right to erasure does not apply to the extent that processing is necessary:

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject;
• for reasons of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
• for the establishment, exercise, or defense of legal claims.

5.5. Right to Notification

If you have asserted your right to rectification, erasure, or restriction of processing to us, we are required to communicate this rectification or erasure of data or restriction of processing to each recipient to whom your personal data was disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed of these recipients upon request.

5.6. Right to Data Portability

You have the right to receive the personal data concerning you, which you provided to us, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit those data to another controller without hindrance, where the processing is based on consent or a contract, and the processing is carried out by automated means.

5.7. Right to Object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise or defense of legal claims.

5.8. Right to Withdraw Consent under Data Protection Law

You have the right to freely withdraw your data protection declaration of consent at any time. The withdrawal of consent does not affect the legality of the processing carried out on the basis of consent before the withdrawal.

5.9. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority will inform you on the progress and outcome of the complaint.

6. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services in the privacy policy. For your renewed visit, the new privacy policy will then apply.

7. Contact Us

For more information about our privacy practices, if you have questions regarding the collection, processing, or use of your personal data, or if you would like to request information, correction, blocking, or deletion of data as well as revocation of granted consents or objection to a particular use of data, please contact us directly: