Data Processing Agreement (DPA)
Last updated: 23 June 2026 · Version 1.0
This Data Processing Agreement (“DPA”) is entered into pursuant to Art. 28 of the EU General Data Protection Regulation (“GDPR”) between:
- the Merchant — the natural or legal person operating the Shopify store on which the ZackReturns application (the “App”) is installed (the “Controller”); and
- CrossBox Digital LTD, Private Company Limited by Shares under Cypriot law, Griva Digeni & K. Chatzopoulou 28, 1066 Nicosia, Cyprus, company registration HE 456544 (the “Processor”, “CrossBox Digital”, “we”).
This DPA forms part of, and is incorporated by reference into, the agreement under which the App is provided (the “Agreement”). By installing or using the App, the Merchant accepts this DPA. It governs our processing of personal data of the Merchant's shoppers and staff on the Merchant's behalf and reflects, in contractual form, the practices set out in our App Privacy Policy. A countersigned copy is available on request at support@zackreturns.com.
1. Definitions
“Personal Data”, “processing”, “controller”, “processor”, “sub-processor”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given in the GDPR. “Shopper” means an end customer of the Merchant. “Data Protection Law” means the GDPR, the UK GDPR, and any other applicable data-protection law. Terms not defined here have the meaning given in the Agreement or the App Privacy Policy.
2. Roles and scope of processing
With respect to Shopper Personal Data processed through the App, the Merchant is the controller and CrossBox Digital is the processor. CrossBox Digital acts as the controller for its own merchant-account, billing and security data, as described in the App Privacy Policy; that data is outside the scope of this DPA. The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of data subjects are described in Annex I.
3. Obligations of the Processor
CrossBox Digital shall:
- (a) Documented instructions. Process Shopper Personal Data only on the Merchant's documented instructions — including the Agreement, this DPA, the App's configuration/settings, and the Merchant's use of the App's features — unless required to do otherwise by EU or Member-State law (in which case we inform the Merchant, unless that law prohibits it). We will inform the Merchant if, in our opinion, an instruction infringes Data Protection Law.
- (b) Confidentiality. Ensure that persons authorised to process the Personal Data are bound by an appropriate duty of confidentiality.
- (c) Security. Implement the technical and organisational measures required by Art. 32 GDPR, as set out in Annex II.
- (d) Sub-processors. Engage sub-processors only in accordance with Section 7 and Annex III.
- (e) Data-subject rights. Taking into account the nature of the processing, assist the Merchant by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise data-subject rights (Section 5).
- (f) Assistance. Assist the Merchant in ensuring compliance with its obligations under Art. 32–36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of processing and the information available to us.
- (g) Deletion or return. At the end of the provision of services, delete or return Personal Data in accordance with Section 8.
- (h) Audits. Make available the information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, in accordance with Section 6.
4. Personal data breaches
CrossBox Digital shall notify the Merchant without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Shopper Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. We will cooperate with the Merchant and take reasonable steps to mitigate the breach. This does not, by itself, constitute an admission of fault.
5. Data-subject requests
Where a Shopper directs a request (access, rectification, erasure, restriction, portability or objection) to CrossBox Digital, we will, unless legally required to respond, refer the Shopper to the Merchant and — where we can identify the relevant store — notify the Merchant without undue delay. We support the Merchant's response primarily through Shopify's mandatory privacy mechanisms, which the App implements:
- customers/data_request — we compile the Shopper's return and Widerruf data for an access/portability request.
- customers/redact — we delete or anonymise the Shopper's return data and delete their uploaded photos from Shopify Files; statutory Widerruf records are redacted but retained where law requires (Section 8).
- shop/redact — we delete a store's data following uninstallation (Section 8).
6. Audits
CrossBox Digital shall make available to the Merchant the information necessary to demonstrate compliance with its obligations as processor and allow for and contribute to audits, including inspections, conducted by the Merchant or an auditor it mandates. Audits may take place no more than once per twelve-month period (unless required by a supervisory authority or following a personal data breach), on reasonable prior written notice, during business hours, and subject to confidentiality. We may satisfy audit requests by providing relevant documentation, our security descriptions, or third-party certifications/reports where available.
7. Sub-processors
The Merchant grants CrossBox Digital a general written authorisation to engage sub-processors to process Shopper Personal Data. The sub-processors engaged at the date of this DPA are listed in Annex III; certain sub-processors are engaged only where the Merchant chooses to connect a corresponding carrier or integration.
- We impose on each sub-processor data-protection obligations no less protective than those in this DPA, in particular as regards Art. 32 security, and we remain fully liable to the Merchant for the sub-processor's performance.
- We will give the Merchant at least 30 days' prior notice (via the App or by email) of any intended addition or replacement of a sub-processor. The Merchant may object on reasonable data-protection grounds within that period. If the parties cannot resolve the objection, the Merchant may stop using the affected feature or terminate the Agreement; we will not engage the objected-to sub-processor for that Merchant for the affected processing where it is reasonably avoidable.
8. Deletion and return of data
At the Merchant's choice, on termination of the Agreement or uninstallation of the App, CrossBox Digital will delete or return the Shopper Personal Data and delete existing copies, except to the extent storage is required by EU or Member-State law. In particular:
- Uninstalling the App triggers Shopify's shop/redact process (~48 hours after uninstall), upon which we hard-delete the store's data, and in any event within ~30 days.
- Statutory German Widerruf records are retained for 8 years (§ 257 HGB) with personal identifiers redacted, relying on the Art. 17(3)(b) legal-obligation exception; after uninstallation this archival obligation rests with the Merchant.
- Billing and usage records are retained by CrossBox Digital as controller for accounting/tax purposes (~6 years).
Where law requires continued storage, we protect such data and limit processing to what the obligation requires.
9. International transfers
CrossBox Digital is established in the EU (Cyprus). Where processing of Shopper Personal Data involves a transfer outside the EEA or the UK (including to certain sub-processors in Annex III located in the USA or Canada), such transfers are made under an appropriate transfer mechanism under Chapter V GDPR — in particular the European Commission's Standard Contractual Clauses (Module Two, controller-to-processor, and Module Three for onward transfers) and the UK International Data Transfer Addendum, or an adequacy decision / the EU-US Data Privacy Framework where applicable. The relevant Standard Contractual Clauses are hereby incorporated into this DPA by reference and prevail in case of conflict with other terms regarding such transfers.
10. Liability, governing law and precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the law that governs the Agreement; where the Agreement does not specify, the laws of the Republic of Cyprus apply, without prejudice to mandatory provisions of the Data Protection Law applicable to the Merchant as controller. In case of conflict between this DPA and the Agreement on matters of data protection, this DPA prevails. In case of conflict between this DPA and the incorporated Standard Contractual Clauses, the Clauses prevail.
11. Term
This DPA takes effect when the Merchant installs or uses the App and remains in force for as long as CrossBox Digital processes Shopper Personal Data on the Merchant's behalf, after which the obligations in Section 8 apply.
Annex I — Description of the processing
- Controller (data exporter): the Merchant operating the Shopify store on which the App is installed, identified by the Shopify store domain and account details.
- Processor (data importer): CrossBox Digital LTD, Griva Digeni & K. Chatzopoulou 28, 1066 Nicosia, Cyprus; contact support@zackreturns.com.
- Subject matter: provision of the ZackReturns returns, exchange and statutory-withdrawal (Widerruf) service for Shopify stores.
- Duration: for the term of the Agreement and until deletion/return under Section 8.
- Nature and purpose: collecting, storing, organising, retrieving, using, transmitting and erasing Personal Data to operate returns, exchanges, refunds, store credit, return labels, customer notifications and the statutory Widerruf process, and to sync return events to the Merchant's connected tools.
- Frequency: continuous, for the duration of the Agreement.
- Categories of data subjects: the Merchant's shoppers (end customers) who initiate a return, exchange or withdrawal; and the Merchant's staff who use the App.
- Categories of Personal Data: identifiers and contact data (name, email, order/customer ID); shipping and billing address and phone (processed transiently for labels); order and return content (line items, SKUs, prices, reason, condition, notes); return photos (stored in the Merchant's Shopify Files); financial/return data (refund and store-credit amounts, return type); shipping data (tracking, label, carrier); statutory Widerruf records (declaration, reference, timestamp, language); and technical/security data (hashed IP, truncated user-agent, delivery metadata, audit logs). Full detail is in the App Privacy Policy.
- Special categories of data: none are intended or required; the Merchant must not configure the App to collect special-category data.
- Retention: as set out in the App Privacy Policy and Section 8 of this DPA.
Annex II — Technical and organisational measures (Art. 32)
- Encryption in transit: TLS/HTTPS for all data exchanged with Shopify, carriers, integrations and email providers.
- Encryption at rest: sensitive third-party integration and marketing credentials and OAuth tokens are encrypted with AES-256-GCM, with keys held only in environment secrets; we are progressively extending encryption-at-rest across all stored secrets.
- Pseudonymisation & minimisation: the App stores a Shopify customer-ID reference rather than caching Shopper PII, retrieving names/emails/addresses on demand; Widerruf records store no name/email; submitter IPs are SHA-256 hashed and salted; user-agents are truncated; outbound integration payloads are PII-redacted.
- Access control & confidentiality: staff access to return data is restricted and audit-logged; credential reads are logged; authorised personnel are bound by confidentiality.
- Resilience & integrity: hosted on managed cloud infrastructure with backups; idempotent refund and deletion operations.
- Data deletion: automated retention sweeps and photo auto-deletion; deletion on Shopify redact webhooks (Section 8).
- Separation: test and production data are kept separate; platform secrets are separated from application data.
- Incident response & governance: a security incident-response process; audit and compliance logging (Art. 30); and participation in Shopify's Protected Customer Data Program.
Annex III — Sub-processors
Always engaged (core infrastructure)
- Shopify (Canada/USA) — commerce platform, source of order/customer data, return-photo storage (Shopify Files), OAuth, and mandatory privacy webhooks.
- Railway (cloud hosting) — hosts the App backend, the PostgreSQL database and the Redis queue.
- Brevo / Sendinblue (EU, France) — transactional email (return and Widerruf emails, merchant alerts, data exports).
Engaged only when the Merchant connects them
- Brevo (Merchant's own account) (EU) — sending customer emails from the Merchant's own domain.
- Klaviyo (USA) — marketing automation.
- Gorgias, Zendesk (USA) — helpdesk ticketing.
- Xentral, JTL, Weclapp, Plentymarkets, Billbee (EU/various) — ERP/accounting sync (these do not receive shopper name or email).
- DHL, DPD, GLS, UPS, FedEx, Sendcloud (EU; UPS/FedEx USA) — return shipping-label generation.
The current list is also reflected in our App Privacy Policy. Changes are notified in accordance with Section 7.