Privacy Policy — Dotcase – EU Compliance

Last updated: 25 June 2026

This Privacy Policy explains how Dotcase – EU Compliance (the "App") collects, uses, stores, and shares personal data. The App is a Shopify application that helps merchants comply with EU consumer-law obligations (the statutory right of withdrawal and the legal guarantee of conformity notice).

Note: This document is provided for transparency and general information. It is not legal advice. We recommend you have it reviewed by a qualified professional before relying on it.

1. Who we are (Data Controller)

The App is operated by:

Dotcase – Özgür Kadir Taşkesen
Nienburg, Germany
Contact: privacy@dotcaseglobal.com

For personal data that the App processes on behalf of a merchant (see Section 2), the merchant is the data controller and we act as a data processor. For data we process for our own purposes (for example, operating and securing the App, or merchant account data), we act as the data controller.

2. Who this policy covers

The App involves two groups of people:

Merchants — Shopify store owners who install and use the App.
Customers (end users) — shoppers of those merchants who submit a withdrawal request or view the legal guarantee notice on a merchant's store.

We process personal data of both groups, as described below.

3. What data we process

3.1 Customer (end-user) data

When a customer submits a withdrawal request, or when the App processes their order to manage such a request, the App may process:

Order number / order name
Customer name
Customer email address
The products selected for withdrawal (titles, quantities)
The reason or note the customer provides
Order, delivery, and fulfilment dates (retrieved from Shopify to calculate the statutory withdrawal period)
The language (locale) of the customer's browser
Request status and the dates of actions taken on the request (submitted, approved, rejected, retracted)

Some of this data is entered by the customer; some is retrieved automatically from Shopify (for example, the customer's name may be pre-filled on their order page to make the form easier to complete).

3.2 Merchant data

When a merchant installs and configures the App, we process:

Shop domain
Shopify authentication tokens (used to connect to the merchant's store)
Store name, time zone, and store contact email (retrieved automatically from Shopify)
An optional notification email address the merchant enters — used to send the merchant alerts and shown to the merchant's customers as the shop's contact address; if the merchant leaves it blank, the store's Shopify contact email is used for this
App configuration and plan/billing information

3.3 IP addresses (not stored)

If a merchant enables our optional location features ("show the form only to EU/EEA visitors" and/or "auto-select the visitor's language"), the App determines the visitor's country from their IP address. This lookup is performed locally, using a local copy of the MaxMind GeoLite2 database. The visitor's IP address is never sent to any third party for this purpose, and it is never stored in our database. It is held only briefly in memory to perform the lookup and is discarded.

If a merchant enables the optional anti-spam protection (Cloudflare Turnstile), the visitor's IP address and browser signals are processed by Cloudflare for bot detection. This happens only when the merchant turns that feature on.

4. Why we process this data and our legal basis

We process personal data to:

Allow customers to submit and track statutory withdrawal requests, and allow merchants to manage them (this is the core purpose of the App);
Display the EU legal guarantee of conformity notice;
Send transactional notifications related to a withdrawal request;
Operate, secure, and support the App.

The legal bases under the GDPR are:

Compliance with a legal obligation and the legitimate interests of merchants and customers in exercising and managing statutory consumer rights (Art. 6(1)(c) and (f) GDPR);
Contract performance for operating the App for merchants (Art. 6(1)(b) GDPR).

Where a merchant is the data controller, the legal basis for their customers' data is determined by the merchant.

5. Where data is stored

Personal data is hosted on Railway, in the European Union (Amsterdam, Netherlands), in a PostgreSQL database. Data is encrypted at rest by the hosting provider.

6. How long we keep data

Withdrawal requests: Once a request reaches a final state (approved, rejected, or retracted), it is automatically anonymised after 12 months. After anonymisation, the individual can no longer be identified from the record; only non-personal statistical and audit information remains. Requests that are still pending are not anonymised until they are resolved.
Merchant data: Kept for as long as the App is installed. When the App is uninstalled, the merchant's data is deleted (see Section 9).
Generated files (PDF/CSV exports): Created on demand and not stored on our servers.

7. Who we share data with (sub-processors)

We use the following third-party providers to operate the App. We share only the data necessary for each provider's function.

Provider	Location	Data shared	Purpose
Railway	EU (Amsterdam)	All stored data (hosting/database)	Hosting and database
Shopify	Global	Shop domain, authentication tokens, order/return data	Authentication, order verification, returns synchronisation, customer account features
Resend	USA (under Standard Contractual Clauses)	Customer name, email, order reference and products; merchant notification email	Sending transactional emails
Cloudflare (Turnstile)	Global	Visitor IP and browser signals	Optional bot/spam protection — only if the merchant enables it

We do not sell personal data, and we do not use it for advertising.

Where data is transferred outside the EU/EEA (for example, to Resend in the USA), the transfer is covered by appropriate safeguards such as the EU Standard Contractual Clauses.

8. Cookies and tracking

On the storefront (the part customers see), the App uses no cookies, no analytics, and no tracking pixels, and stores nothing in the customer's browser. The optional Cloudflare Turnstile anti-spam feature, if enabled by the merchant, may set its own client-side mechanisms for bot detection.

In the merchant admin area, the App stores only functional preferences in the browser (such as which table columns are shown). This contains no customer personal data.

9. Data deletion and your rights

9.1 Deletion mechanisms

Customer data deletion request: When Shopify sends a customer redaction request, the App fully anonymises all matching withdrawal requests so the individual can no longer be identified.
Automatic retention: Final-state requests are anonymised after 12 months (see Section 6).
App uninstall / shop deletion: When a merchant uninstalls the App (or Shopify sends a shop redaction request), all of that merchant's data is deleted.
Manual deletion: A merchant can delete individual withdrawal records from the App's dashboard.

9.2 Your rights under the GDPR

If you are in the EU/EEA, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. You also have the right to lodge a complaint with a supervisory authority.

If you are a customer of a merchant, please contact that merchant first, as they are the data controller for your data. You may also contact us and we will assist or forward your request.
To exercise your rights or ask a question, contact us at privacy@dotcaseglobal.com. We aim to respond within 30 days.

10. Data access permissions

To provide its features, the App requests the following Shopify permissions: reading orders (to verify requests and calculate deadlines), reading and writing returns (to create returns when a request is approved), writing content (to create the withdrawal page), and reading themes (to detect where the App is installed). The customer-account feature reads the customer's name and address to pre-fill the withdrawal form; this requires Shopify's protected customer data access.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be communicated through the App where appropriate.

12. Security incident response

We monitor application and platform logs for security events. If a personal data breach occurs, we contain the affected systems, assess the scope, and notify affected merchants without undue delay. Where the breach is notifiable under GDPR Art. 33, we notify the competent supervisory authority within 72 hours and inform affected individuals where required under Art. 34. Each incident is documented for audit and prevention.

13. Contact

For any privacy question or request:

Dotcase – Özgür Kadir Taşkesen
Nienburg, Germany
privacy@dotcaseglobal.com