App Privacy Policy
Last updated: 23 June 2026 · Version 1.0
This Privacy Policy explains how CrossBox Digital LTD (“CrossBox Digital”, “ZackReturns”, “we”, “us”) collects, uses, shares and protects personal data in connection with the ZackReturns application (the “App”) — a returns, exchange and German right-of-withdrawal (Widerruf) app for Shopify stores. It is written primarily to meet the EU General Data Protection Regulation (GDPR), and is also intended to satisfy the UK GDPR, the Shopify App Store and Protected Customer Data requirements, and — for shoppers in the United States — the California Consumer Privacy Act (CCPA/CPRA).
This notice is separate from our website privacy policy (which covers visitors to zackreturns.com — cookies, analytics, contact forms) and from our Legal Notice.
1. Who we are (data controller)
CrossBox Digital LTD — Private Company Limited by Shares under Cypriot law
Griva Digeni & K. Chatzopoulou 28
1066 Nicosia
Cyprus
Company registration: HE 456544 (Registrar of Companies (DRCIP), Nicosia, Cyprus)
EU VAT ID: CY60054427U
Director: Stawros Koutis
Contact (incl. data-protection requests): support@zackreturns.com · +357 22 516617
Our lead supervisory authority is the Office of the Commissioner for Personal Data Protection, Cyprus. We have not appointed a statutory Data Protection Officer (not mandatory for our size and processing profile); all data-protection enquiries reach the people responsible at the contact above.
2. Our two roles: processor and controller
ZackReturns operates in a business-to-business-to-consumer model, so our legal role differs by data type. This determines your rights and who answers your requests.
- Shopper (end-customer) data — we are a processor. When a merchant installs the App, we process the personal data of that merchant's shoppers only on the merchant's behalf and on their instructions. For this data the merchant is the controller and we are the processor, governed by a Data Processing Agreement (DPA). Shoppers exercise their rights through the merchant they bought from (and through Shopify's built-in privacy mechanisms).
- Merchant account, configuration and billing data — we are the controller. For data about the merchant business and the staff who use the App (authentication, settings, support, billing/usage), we are the controller.
- A limited set of communications and security functions — we are an independent controller. For a narrow set of activities we act on our own account: sending the statutory Widerruf confirmation (Eingangsbestätigung) and merchant new-return/Widerruf alert emails through our own infrastructure; fraud, abuse, rate-limiting and security measures; and maintaining audit and compliance logs required by Shopify and Art. 30 GDPR.
3. The data we process
We are committed to data minimisation. As a core design principle the App does not cache most shopper personal data — wherever possible it stores only a Shopify customer ID reference and retrieves names, emails and addresses on demand from the Shopify Admin API at the moment a label or email is generated. The following is a complete list of the data categories the App touches.
3.1 Merchant account & authentication data (we are controller)
- Shopify store domain and shop ID — to identify the install. Legal basis: Art. 6(1)(b). Deleted on uninstall.
- Shopify offline access & refresh tokens, token expiry, staff user ID — to authenticate the embedded app and make Admin API calls. Stored in our database; expired sessions deleted after 30 days. We intentionally strip merchant staff name and email from session records — they are not retained.
- Subscription, plan, billing currency, usage/overage records — to manage the App subscription and metered usage (via the Shopify Billing API). Retained ~6 years for tax/accounting law.
3.2 Merchant configuration & stored credentials
- Return-policy & portal settings (windows, reasons, fees, branding, logo, languages, instructions, Widerruf configuration) — to configure the returns portal and Widerruf flow.
- Merchant return/warehouse address — the “ship-to” address on return labels (intended to be a business address only).
- Helpdesk, ERP and marketing credentials (Gorgias, Zendesk, Xentral, JTL, Weclapp, Plentymarkets, Billbee, and Klaviyo OAuth tokens) — to authenticate the merchant's chosen integrations. Stored encrypted at rest (AES-256-GCM); credential reads are audit-logged.
- Carrier and email-provider credentials (DHL, DPD, GLS, UPS, FedEx, Sendcloud, and any merchant Brevo API key) — to authenticate the merchant's carrier/email accounts. Stored access-controlled in our database and shared only with the respective provider.
3.3 Shopper identity & contact data (we are processor)
- Order number / Shopify order ID — to look up the order and link the return or Widerruf.
- Shopper email — to verify the lookup and send confirmation, status and statutory Widerruf emails. Not stored at rest for returns and Widerruf (fetched on demand from Shopify); held transiently in the email-delivery log, where recipient data is scrubbed after 90 days.
- Shopper name — to personalise forms/emails and as the sender field on return labels. For Widerruf it is not stored (fetched at send-time only).
- Shopper shipping address (street, city, postcode, country, phone) — to generate the return shipping label. Not stored in our database (fetched per label from Shopify); a May 2026 change removed stored addresses entirely.
- Shopper billing address — to show return context. Not stored (fetched on demand).
- Shopper phone number — carrier contact field on the label. Not stored (transient).
- Shopify customer ID — the minimisation key that links a return/Widerruf to the customer instead of storing their PII.
3.4 Order, financial & return-content data (we are processor)
- Order line items (title, variant, SKU, quantity, price) and product/variant IDs — to match returned items, calculate refunds and build exchanges.
- Financial/fulfillment status, payment transactions, suggested refunds — to determine refundability and prevent over-refunding. Not stored (transient).
- Refund amounts, refund/transaction IDs, total refunded — to process refunds to the original payment method (the refund record itself is owned by Shopify).
- Store-credit amounts (including any opt-in bonus) and store-credit transactions — to issue native Shopify store credit.
- Return reason (category + free text), item condition, and shopper notes — for eligibility checks, merchant review and analytics. Free-text notes are anonymised ~180 days after the return is resolved.
- Diminished-value deduction & reason, return shipping fee, merchant notes — to calculate the net refund and document the decision.
- Exchange/replacement selection (variant, titles, line items, upsell discount) — to build the exchange draft order.
- Refund-method / return-type choice (refund, store credit or exchange) — to determine the refund destination.
3.5 Return lifecycle & shipping data (we are processor)
- Return/RMA ID, status, type, currency, status history and timestamps — the core return state machine that drives the dashboard, emails and integration sync.
- Tracking number, carrier name, label PDF/URL, QR-code URL — to let the shopper track the return and as proof of return.
- Parcel weight, declared value (customs, non-EEA), parcel reference — for shipping-cost calculation, service selection and customs. Not stored (sent to the carrier).
3.6 German Widerruf (statutory right of withdrawal) data
The Widerruf flow creates statutory records under § 356a BGB and is subject to the commercial retention obligation of § 257 HGB.
- Withdrawal declaration, withdrawn items, partial selection, language — statutory documentation of the withdrawal. Legal basis: Art. 6(1)(c). Retained 8 years (§ 257 HGB).
- Unique Widerruf reference number and immutable submission timestamp — the proof-of-receipt identifier and the “deemed legally received” moment per § 356a BGB.
- Shopper name & email — fetched from Shopify only at the moment the Eingangsbestätigung email is sent; never stored on the Widerruf record.
On a valid erasure (Art. 17) request, the Widerruf record is not deleted — instead its personal identifiers are nulled and a redaction timestamp is set, relying on the Art. 17(3)(b) legal-obligation exception. On store uninstall the record is hard-deleted and the remaining archival obligation passes to the merchant.
3.7 Technical, security & audit data
- Widerruf submitter IP — SHA-256 hashed and salted, never stored in plaintext — for rate-limiting and fraud/abuse prevention. Legal basis: Art. 6(1)(f).
- User-agent — truncated to 500 characters — for abuse detection and diagnostics.
- Email-delivery metadata (provider message ID, delivery status, attempts, errors) — to track delivery and retries; recipient data scrubbed after 90 days, rows deleted after 180 days.
- Audit & compliance logs (staff access to returns, credential reads, GDPR-request handling) — our security/GDPR audit trail and Art. 30 records.
- Outbound integration event payloads — to deliver return events to ERP/helpdesk tools; PII-redacted before storage.
- Short-term server request logs — to operate and secure the service.
3.8 Consent records
- Per-shopper consent for optional purposes (e.g. marketing), with grant/withdraw timestamps. Core return processing relies on contract performance (Art. 6(1)(b)), not consent — consent is used only for genuinely optional purposes.
4. Legal bases (Art. 6 GDPR)
- Art. 6(1)(b) — performance of a contract: providing the returns/exchange service, generating labels, issuing refunds and store credit, and operating the App for merchants.
- Art. 6(1)(c) — legal obligation: the German Widerruf statutory records (§ 356a BGB), commercial and tax retention (§ 257 HGB), and responding to data-subject requests.
- Art. 6(1)(f) — legitimate interests: securing the service (fraud prevention, hashed-IP rate-limiting), reliable notification delivery, audit logging and maintaining the App.
- Art. 6(1)(a) — consent: optional marketing-related processing, withdrawable at any time.
For shopper data we process as a processor, the lawful basis is determined and warranted by the merchant (controller).
5. Return photos
Where a merchant requires condition photos, shoppers upload images through the returns portal. These images are stored in the merchant's own Shopify Files (cdn.shopify.com), not as files in our database — we keep only the Shopify file references. Photos are auto-deleted by a daily sweep after the merchant-configured retention window (7–365 days, default 90), for completed returns. On a valid erasure request, photos are deleted from Shopify Files and the references removed.
6. Recipients and sub-processors
We share personal data only with the parties below. Items marked “only when you connect them” occur solely when a merchant chooses to enable that carrier or integration. No sub-processor is permitted to use the data for its own purposes.
Always engaged (core infrastructure)
- Shopify (Canada/USA) — commerce platform and source of order/customer data; stores return photos; OAuth; delivers the mandatory privacy webhooks; powers the customer portal.
- Railway (cloud hosting) — hosts the App backend and its PostgreSQL database and Redis queue.
- Brevo (Sendinblue) (EU, France) — default transactional email: return and Widerruf emails, merchant alerts, GDPR export attachments and escalations.
Only when you connect them (opt-in)
- Brevo — merchant's own account (EU) — to send customer emails from the merchant's own domain.
- Klaviyo (USA) — marketing automation; receives return-lifecycle events and may own the Widerruf receipt when connected.
- Gorgias, Zendesk (USA) — helpdesk ticketing; receive shopper contact and return details to create/update tickets.
- Xentral, JTL, Weclapp, Plentymarkets, Billbee (EU/various) — ERP/accounting sync. These receive return/order IDs, status, items, reason and refund amount, and do not receive shopper name or email.
- DHL, DPD, GLS, UPS, FedEx, Sendcloud (EU; UPS/FedEx USA) — to generate return shipping labels; receive shopper name, address, phone/email and parcel details.
7. International data transfers
We are established in the EU (Cyprus) and process data primarily within the EEA where feasible. Some sub-processors (notably Shopify, Railway, Klaviyo, Gorgias, Zendesk, UPS and FedEx) are located in or process data in the United States or Canada. Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards under Art. 46 GDPR, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and — where applicable — an adequacy decision or the EU-US Data Privacy Framework. A copy of the relevant safeguards is available on request at support@zackreturns.com.
8. Data retention
We keep personal data only as long as necessary, then delete or anonymise it. Key periods (automated where stated):
- Expired Shopify sessions/tokens — deleted at 30 days.
- Return photos (Shopify Files) — merchant-set 7–365 days (default 90), for completed returns.
- Notification recipient data — scrubbed at 90 days; delivery rows deleted at 180 days.
- Shopper free-text notes on returns — anonymised ~180 days after the return is resolved.
- Return-access audit logs — deleted at 365 days.
- Full return records — retained for the service relationship and up to ~24 months after completion, then deleted/anonymised.
- German Widerruf records — 8 years (§ 257 HGB); personal identifiers redacted earlier on erasure.
- Billing / usage / subscription records — ~6 years (Cyprus tax and accounting law).
- Consent records — up to 5 years.
- All merchant & shopper data on uninstall — hard-deleted following Shopify's shop/redact (~48 hours after uninstall) and in any event within ~30 days.
9. Your rights
If you are a shopper: under the GDPR/UK GDPR you have the right to access, rectification, erasure, restriction, objection and data portability, and to withdraw consent where processing is consent-based. Because we process your data on behalf of the merchant you bought from, please direct your request to that merchant (the controller); you may also use Shopify's built-in mechanisms. The App implements all three mandatory Shopify privacy flows:
- customers/data_request — we compile the shopper's return and Widerruf data for an access/portability request.
- customers/redact — we delete or anonymise the shopper's return data and delete their uploaded photos; statutory Widerruf records are redacted but retained per § 257 HGB.
- shop/redact — we hard-delete all of a store's data ~48 hours after the App is uninstalled.
If you are a merchant: for data where we are the controller (account, configuration, billing), contact us at support@zackreturns.com to exercise the same rights.
Right to complain: you may lodge a complaint with your local data-protection authority or with our lead authority, the Office of the Commissioner for Personal Data Protection, Cyprus (www.dataprotection.gov.cy).
10. Cookies and tracking
- The storefront returns portal sets no persistent cookies and no marketing/advertising pixels. It uses only browser sessionStorage (to recover an in-progress form, cleared when the browser closes) and URL fragments (for step navigation).
- The embedded admin app authenticates through Shopify App Bridge session tokens, not tracking cookies.
- We use no third-party analytics, advertising or session-replay tools inside the App (no Google Analytics, Meta Pixel, Sentry, PostHog, Segment, Mixpanel, Datadog or similar).
(Cookies on our marketing website are described separately in our website privacy policy.)
11. Data security
We apply technical and organisational measures appropriate to the risk, including: encryption in transit (TLS/HTTPS) for all data exchanged with Shopify, carriers, integrations and email providers; encryption at rest of sensitive third-party integration and marketing credentials using AES-256-GCM, with keys held only in environment secrets and credential reads audit-logged; data minimisation by design (shopper PII fetched on demand rather than cached); access controls and audit logging of staff access and GDPR-request handling; PII redaction of outbound integration payloads; and separation of platform secrets from application data.
We participate in Shopify's Protected Customer Data Program and commit, for protected customer data, to processing only the minimum data needed for the App's functionality, being transparent with merchants about what we process and why, honouring applicable consent and opt-out decisions, applying retention limits, encrypting data in transit and at rest, limiting and logging staff access, separating test and production data, and maintaining an incident-response process. No method of transmission or storage is perfectly secure, but we work continuously to protect personal data and to extend encryption-at-rest across all stored secrets.
12. Automated processing
The App can auto-approve returns below a merchant-configured value threshold to speed up processing. This is a convenience rule configured by the merchant; it has no legal or similarly significant effect on the shopper within the meaning of Art. 22 GDPR, and a merchant can review, override or disable it. We do not carry out profiling that produces legal effects.
13. Children's data
The App is a business tool for Shopify merchants and is not directed to children. We do not knowingly collect personal data from children under 16; shopper data we process is supplied by the merchant's store in the ordinary course of a purchase.
14. California & other U.S. residents (CCPA/CPRA)
If you are a California resident whose data is processed through the App, we act as a “service provider” to the merchant. We may process identifiers (name, email, order/customer ID), commercial information (order and return details) and limited internet/technical information (truncated user-agent, hashed IP), and we process address data transiently for labels. We do not sell or “share” personal information for cross-context behavioural advertising, and have not in the preceding 12 months; we honour opt-out preference signals where applicable. You have the rights to know/access, delete, correct, opt out of sale/sharing and limit use of sensitive data, without discrimination — submit requests to the merchant you bought from, or contact us at support@zackreturns.com and we will assist the merchant.
15. Changes to this policy
We may update this Privacy Policy to reflect changes in the App, the law or our sub-processors. We will revise the “Last updated” date and, for material changes, notify merchants through the App or by email.
16. Contact
CrossBox Digital LTD
Griva Digeni & K. Chatzopoulou 28, 1066 Nicosia, Cyprus
E-mail: support@zackreturns.com · Phone: +357 22 516617
Supervisory authority: Office of the Commissioner for Personal Data Protection, Cyprus — www.dataprotection.gov.cy