Privacy Policy — Codixio EU Withdrawal Button
DRAFT — FOR LEGAL REVIEW BEFORE PUBLICATION
The legally binding version of this privacy policy is the German version at https://legal.codixio.com/apps/eu-withdrawal-button/privacy. This English translation is provided for convenience only. Professional legal review is required before publication.
Last updated: 24 April 2026
1. Controller
The controller responsible for processing personal data within the meaning of Art. 4(7) GDPR is:
Matthias Jakisch
Freelance software developer
Hauptstr. 34, OT Etingen
39359 Oebisfelde-Weferlingen
Germany
- Phone: +49 39059 974988
- Email (general): support@codixio.com
- Email (data protection): legal@codixio.com
Legal form: sole trader (no commercial-register entry). Tax status: small-business (§ 19 UStG).
2. Data Protection Officer
No Data Protection Officer has been appointed. Reason: the thresholds under Art. 37(1) GDPR and § 38(1) BDSG are not met. Codixio does not regularly employ at least 20 persons continuously engaged in the automated processing of personal data (the § 38(1) BDSG threshold), performs no core activity involving extensive processing of special categories of data, and does not systematically monitor data subjects on a large scale. Please direct data-protection questions to legal@codixio.com.
3. Scope
This privacy policy applies to:
- the Shopify App "Codixio EU Withdrawal Button" in all functions and tiers (Free, Starter, Pro, Max)
- the legal pages under https://legal.codixio.com/ (this privacy policy, DPA, imprint, terms, each in German and English)
- the app domain https://withdrawal.codixio.com/, including the storefront App Proxy route /apps/withdrawal/ and the merchant admin
Boundary with the Codixio marketing website: The marketing website https://codixio.com (and its language versions https://de.codixio.com, https://en.codixio.com) is operated on a separate WordPress instance. It is subject to its own privacy policy, which is linked there.
Boundary with Shopify: Use of the Shopify shop into which the App is installed is subject to the privacy policy of Shopify International Limited (https://www.shopify.com/legal/privacy). This privacy policy applies only to data processed by Codixio in the context of App use.
4. Categories of personal data processed
4.1. Consumer data (end-customers of merchant shops)
When a consumer uses the withdrawal form on a Shopify shop where the App is installed, the following personal data are processed:
- Email address (to verify order ownership and to deliver the legally required durable-medium confirmation under Art. 11(3) Directive 2011/83/EU)
- Name (first and last name; mandatory data point per Annex I Part B Directive 2011/83/EU — Model Withdrawal Form)
- Shipping address (street, house number, city, postal code, country; also mandatory per Annex I Part B)
- Phone number (only when the merchant's Max-tier SMS or WhatsApp feature is enabled AND the consumer has explicitly consented; off by default; available from v0.3.0; not used in v0.1.0)
- Withdrawal reason (optional; free-form text written by the consumer)
- Timestamp (date and time of the withdrawal submission)
- IP address: only as a pseudonymised SHA-256 hash with a per-shop salt, never stored in plaintext; used only for rate-limit enforcement and as a telemetry signal
4.2. Merchant data (shop operators)
When a merchant installs the App in their Shopify shop, the following data are processed:
- Shop domain (e.g. example-shop.myshopify.com)
- Merchant email (for notifications about new withdrawal requests and account matters)
- OAuth access token for communication with the Shopify Admin API (encrypted at rest; rotation by Shopify)
- Shop configuration (selected language, branding options, retention period, custom button text, optional SMTP configuration)
- Credit balance and transaction metadata in the Codixio credits service (credits.codixio.com), from v0.2.0 for AI features: top-up history, consumption history, current balance
- Billing data: these are managed exclusively by Shopify via the Shopify Billing API. Codixio only receives a transaction reference ID, no payment-method data (credit card, IBAN).
4.3. Technical data
When calling the legal pages (legal.codixio.com) and the App interface (withdrawal.codixio.com), the following technical data are processed:
- Access logs at the reverse proxy (Coolify/Traefik): IP address (anonymised after 7 days by zeroing the last octet of IPv4 addresses, i.e. keeping the first 3 octets, or by truncating IPv6 addresses to their 64-bit network prefix), user agent, HTTP method, URL, response status, timestamp
- Application-side error logs: error messages without PII, stack traces
- Language preference on legal-page access: the Accept-Language HTTP header is evaluated to serve the appropriate language version (DE or EN). No language cookies are set; language selection is purely URL-based (/privacy vs. /privacy.en).
Lawful basis: Art. 6(1)(f) GDPR (legitimate interest in technical function security, error diagnostics, abuse defence).
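The IP handling described in sections 4.1 and 4.3 (a salted per-shop hash that exists only to key the rate limiter, and a separate truncation to the first three IPv4 octets or the IPv6 /64 for the access log) can be made concrete in code. The TypeScript below is an added example written for this page, not code from the Codixio app: the function names, the sample addresses, the in-memory limiter and the choice of HMAC-SHA256 keyed with the per-shop secret (a keyed form of the salted SHA-256 the policy describes) are all assumptions. The limits used are the ones stated in section 13.3.

```typescript
import { createHmac } from "node:crypto";

// Bring an IPv4-mapped IPv6 address ("::ffff:203.0.113.7") back to dotted
// IPv4 so it is hashed and truncated like the IPv4 address it really is.
function normaliseIp(ip: string): string {
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(ip.trim());
  return m ? m[1] : ip.trim();
}

// Pseudonym used for rate limiting (section 4.1). The policy describes a
// SHA-256 hash with a per-shop salt; this example uses HMAC-SHA256 keyed with
// that per-shop secret (an assumption), so the 2^32 IPv4 space cannot be
// brute-forced against stored digests by someone who lacks the secret.
function pseudonymiseIp(ip: string, shopSecret: string): string {
  return createHmac("sha256", shopSecret).update(normaliseIp(ip)).digest("hex");
}

// Expand an IPv6 address to its eight 16-bit groups, resolving "::".
function expandIpv6(ip: string): string[] {
  const parts = ip.split("::");
  if (parts.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts[1] ? parts[1].split(":") : [];
  const zeros = parts.length === 2 ? 8 - head.length - tail.length : 0;
  if (zeros < 0 || head.length + tail.length + zeros !== 8) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const groups = head.concat(new Array<string>(zeros).fill("0"), tail);
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`invalid IPv6 group: ${g}`);
    return parseInt(g, 16).toString(16);
  });
}

// Access-log anonymisation (section 4.3): IPv4 keeps the first three octets,
// IPv6 keeps the first 64 bits; the host part is zeroed for good.
function anonymiseIp(ip: string): string {
  const addr = normaliseIp(ip);
  if (addr.includes(":")) return expandIpv6(addr).slice(0, 4).join(":") + "::";
  const octets = addr.split(".");
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
}

// Sliding-window limiter keyed on the pseudonym, so its state never holds a
// plaintext address. In-memory and per-process (an assumption for the example;
// several app instances would need a shared store behind the same interface).
class SlidingWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly hits: Record<string, number[]> = {};

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  allow(key: string, now: number = Date.now()): boolean {
    const recent = (this.hits[key] ?? []).filter((t) => now - t < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits[key] = recent; // expired timestamps are dropped on every call
    return allowed;
  }
}

// Limits as stated in section 13.3: 10 submits per IP per hour, 60 GETs per IP per minute.
const submitLimiter = new SlidingWindowLimiter(10, 60 * 60 * 1000);
const getLimiter = new SlidingWindowLimiter(60, 60 * 1000);

// Gate a storefront form submission: hash first, then rate-limit on the hash.
function allowSubmit(ip: string, shopSecret: string, now: number = Date.now()): boolean {
  return submitLimiter.allow(pseudonymiseIp(ip, shopSecret), now);
}

function allowGet(ip: string, shopSecret: string, now: number = Date.now()): boolean {
  return getLimiter.allow(pseudonymiseIp(ip, shopSecret), now);
}
```

Keying the hash with a per-shop secret means the same visitor gets different pseudonyms in different shops, so the digests cannot be joined across tenants, and a copy of the database without the secret does not let anyone recover addresses by hashing the whole IPv4 space. The pseudonym is still personal data under Art. 4(5) GDPR; only the truncated form written to the access log discards the host part irreversibly.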
5. Lawful basis for processing
Processing of personal data is based on the following lawful bases:
5.1. Art. 6(1)(c) GDPR — legal obligation
Processing of consumer data (name, email, address) is necessary for the merchant to comply with their legal obligations under EU Consumer Rights Directive 2011/83/EU, as amended by Directive 2023/2673 (Art. 11a mandatory withdrawal function as of 19 June 2026), and the German §§ 355-357 BGB. The confirmation of the withdrawal declaration on a durable medium is a legal requirement (Art. 11(3) Directive 2011/83/EU).
5.2. Art. 6(1)(f) GDPR — legitimate interest
Matching the consumer-supplied email against the order's customer email serves fraud prevention (preventing third parties from submitting abusive withdrawals). Without this match, the App would be open to abuse and the merchant could be forced into unjustified refunds.
Balancing of interests (the balancing test in Art. 6(1)(f) GDPR): the legitimate interest of the merchant and Codixio (abuse defence, property protection) outweighs the conflicting consumer interest because: (1) the match only compares the email already stored on the order with the email provided by the consumer and therefore requires no additional data collection; (2) without this match, third parties could trigger withdrawals for other people's orders, impeding legitimate consumer withdrawals; (3) the consumer is informed transparently about the match on the withdrawal page.
5.3. Art. 6(1)(b) GDPR — contract performance
Processing of merchant data (shop domain, merchant email, OAuth token, configuration) is based on the usage contract concluded between Codixio and the merchant upon App installation.
5.4. Art. 6(1)(a) GDPR — consent
SMS and WhatsApp notifications on the Max tier (from v0.3.0) are based exclusively on the consumer's explicit consent, obtained on the storefront withdrawal form. Two conditions must both hold before a message is sent: the merchant has activated the feature and the consumer has given consent on the form. Consent can be withdrawn at any time with effect for the future (Art. 7(3) GDPR).
6. Recipients / sub-processors
6.1. Recipients
- The merchant in whose shop the withdrawal request is submitted (they receive the request data to process the withdrawal in compliance with the law)
- The sub-processors listed below within the meaning of Art. 28 GDPR
6.2. Active sub-processors (v0.1.0)
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Activity: hosting provider for application servers, Postgres database and object storage
Processing location: data centres Falkenstein (DE) and Nuremberg (DE)
Third-country transfer: no

Sendinblue SAS (trading as "Brevo"), 7 rue de Madrid, 75008 Paris, France
Activity: delivery of transactional emails (consumer confirmations, merchant notifications)
Processing location: EU (France)
Third-country transfer: no (EU-internal); no SCCs required
6.3. Future sub-processors (from v0.2.0)
- Anthropic, PBC, US-incorporated company
  Activity: AI inference for optional AI features on the Pro and Max tier
  Processing location: EU endpoints used where available
  Third-country transfer: yes (US seat); protection level via EU Standard Contractual Clauses (SCCs) per Decision 2021/914
  Special feature: Anthropic receives only anonymised payloads with placeholders (see section 11). The Codixio sanitisation layer removes all PII before any outbound AI request.
  Activation: starts with v0.2.0 after a separate sub-processor change notification with 30 days' notice (DPA § 5.3).
6.4. Codixio-own infrastructure
credits.codixio.com — central AI-budget management across all future Codixio Shopify apps
Hosting: Germany, on Hetzner via Coolify
Processes: only shop domain, credit balance and transaction metadata (transaction type, amount, app ID, feature ID, timestamp)
No customer PII, no order data, no consumer email or address
Classification: Codixio-own infrastructure, technically not a sub-processor within the meaning of Art. 28 GDPR; listed here for transparency.
Coolify (open-source software) — self-hosted container orchestration on Hetzner, no external service provider.
7. Third-country transfers
In v0.1.0 there is no third-country transfer. All sub-processors are based in the EU:
- Hetzner Online GmbH (Germany) — hosting
- Sendinblue SAS / Brevo (France) — transactional email delivery
From v0.2.0, Anthropic, PBC (USA) is additionally engaged for AI inference, strictly with anonymised payloads without plaintext PII. As a safeguard under Art. 46 GDPR, the EU Standard Contractual Clauses per Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2, "Controller to Processor") will then apply. They form an integral part of the DPA with Anthropic. The corresponding Transfer Impact Assessment (TIA) required by the CJEU judgment in Case C-311/18 ("Schrems II") is held internally and can be provided on request at legal@codixio.com.
8. Retention period
8.1. Withdrawal data
Retention is configurable per merchant. Default: 24 months. Adjustable range: 6 to 60 months. Enforced by a daily automated deletion job that permanently deletes withdrawal and audit-log records older than the configured threshold.
8.2. Uninstallation or shop/redact webhook
All shop and consumer data are fully deleted within 48 hours.
8.3. AI request artefacts
From v0.2.0, anonymised AI prompts may be cached up to 90 days; raw request logs are auto-purged after 7 days. No plaintext PII is ever cached or logged (anonymisation layer before outbound).
8.4. Technical access logs
Reverse-proxy access logs are IP-anonymised after 7 days and fully deleted after 90 days.
9. Data-subject rights
Data subjects have the following rights under GDPR:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / "right to be forgotten" (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR; in particular against processing based on Art. 6(1)(f))
- Right to withdraw consent with effect for the future (Art. 7(3) GDPR; in particular for SMS and WhatsApp features)
- Right not to be subject to automated individual decision-making including profiling (Art. 22 GDPR) — Codixio does not perform automated individual decisions with legal effect (see section 11).
You can exercise these rights by emailing legal@codixio.com. Consumers can alternatively contact the Shopify merchant directly; the merchant submits the request in their Shopify admin, and Shopify forwards it to Codixio through the mandatory compliance webhooks customers/data_request and customers/redact.
Response deadline: We respond to requests within the statutory period of one month under Art. 12(3) GDPR. For complex requests the period may be extended by two further months; in that case you will be informed within the first month.
10. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for Codixio is:
Landesbeauftragter für den Datenschutz Sachsen-Anhalt
Leiterstraße 9
39104 Magdeburg
- Phone: +49 391 81803-0
- Email: poststelle@lfd.sachsen-anhalt.de
- Website: https://datenschutz.sachsen-anhalt.de/
11. AI features and transparency (EU AI Act Art. 50)
11.1. Overview
The App offers optional AI-assisted workflow features for the merchant on the Pro tier (from v0.2.0, August 2026) and Max tier (from v0.3.0, October 2026): categorisation, sentiment analysis, translation, draft replies, anti-fraud scoring, value-compensation calculation. AI features can be enabled per merchant in settings; default at installation: disabled until v0.2.0 launch, enabled afterwards.
11.2. No plaintext PII to AI providers
Consumer personal data (plaintext PII) is NEVER transmitted to any AI provider (Anthropic Claude, OpenAI, Gemini or others).
A code-level anonymisation layer (app/services/ai-sanitize.server.ts) replaces every PII field with a token placeholder before any outbound AI request and remaps the placeholders back to PII server-locally on the response path. This layer is covered by unit tests that explicitly assert no plaintext PII can leak through.
Replaced PII fields:
- Customer email → {{CUSTOMER_EMAIL}}
- Name (first/last) → {{CUSTOMER_NAME}}
- Shipping address → {{CUSTOMER_ADDRESS}}
- Phone number (Max tier only) → {{CUSTOMER_PHONE}}
- Order number / ID → {{ORDER_REF}}
Data never sent to AI: IP address hash, session tokens, merchant API credentials.
Anonymised but contextual: order amount (numeric, no customer linkage), order date, withdrawal reason text (regex-scanned for stray emails/phones, redacted if found), product titles, quantities, shop name.
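To make the placeholder scheme in this section concrete, the TypeScript below is an added example written for this page. It is not the app's ai-sanitize.server.ts; the record shape, function names, regular expressions and sample record are assumptions. It shows the three steps the section describes: exact-value substitution of the known PII fields, regex redaction of stray emails and phone numbers in the consumer's free-text reason, and server-local remapping of the placeholders in the model's reply, together with the kind of outbound guard the unit tests mentioned above would assert.

```typescript
// Shape of the withdrawal record the AI features would work on (assumed for
// this example; the field names are not the app's).
interface WithdrawalContext {
  customerEmail: string;
  customerName: string;
  customerAddress: string;
  customerPhone?: string; // Max tier only
  orderRef: string;
  reason: string; // free text typed by the consumer
  orderAmount: number;
  orderDate: string;
  productTitles: string[];
}

type Placeholders = Record<string, string>; // placeholder -> real value, kept server-side

interface Sanitised {
  prompt: string; // safe to send to the AI provider
  placeholders: Placeholders;
}

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const PHONE_RE = /\+?\d[\d\s().-]{6,}\d/g;

// Step 1 and 2: replace every known PII value with its placeholder, then
// redact anything that still looks like an email or phone number in the
// consumer's free text. Known values go first so they become placeholders
// (which can be remapped) rather than generic redactions (which cannot).
function sanitise(ctx: WithdrawalContext): Sanitised {
  const placeholders: Placeholders = {
    "{{CUSTOMER_EMAIL}}": ctx.customerEmail,
    "{{CUSTOMER_NAME}}": ctx.customerName,
    "{{CUSTOMER_ADDRESS}}": ctx.customerAddress,
    "{{ORDER_REF}}": ctx.orderRef,
  };
  if (ctx.customerPhone) placeholders["{{CUSTOMER_PHONE}}"] = ctx.customerPhone;

  let reason = ctx.reason;
  for (const ph of Object.keys(placeholders)) {
    const value = placeholders[ph];
    if (value) reason = reason.split(value).join(ph); // literal substitution, no regex escaping needed
  }
  reason = reason.replace(EMAIL_RE, "[REDACTED_EMAIL]").replace(PHONE_RE, "[REDACTED_PHONE]");

  // Contextual data stays: amount, date, product titles. PII only as placeholders.
  const prompt = [
    `Order {{ORDER_REF}} placed ${ctx.orderDate}, total ${ctx.orderAmount.toFixed(2)} EUR.`,
    `Customer {{CUSTOMER_NAME}} <{{CUSTOMER_EMAIL}}>, shipping to {{CUSTOMER_ADDRESS}}.`,
    `Items: ${ctx.productTitles.join(", ")}.`,
    `Withdrawal reason: ${reason}`,
  ].join("\n");
  return { prompt, placeholders };
}

// Step 3: server-local remap of placeholders in the model's answer. A
// placeholder the model invents that is not in the map stays as literal
// text; nothing is guessed.
function rehydrate(modelOutput: string, placeholders: Placeholders): string {
  let out = modelOutput;
  for (const ph of Object.keys(placeholders)) out = out.split(ph).join(placeholders[ph]);
  return out;
}

// Outbound guard: true if any known PII value, or any email-shaped string,
// survives in the prompt. The caller refuses to send when this returns true.
function leaksPii(prompt: string, ctx: WithdrawalContext): boolean {
  const values = [ctx.customerEmail, ctx.customerName, ctx.customerAddress, ctx.customerPhone]
    .filter((v): v is string => !!v);
  const emailOnce = new RegExp(EMAIL_RE.source, "i"); // non-global copy, no lastIndex state
  return values.some((v) => prompt.includes(v)) || emailOnce.test(prompt);
}

// Constructed sample record for the example (not real data).
const SAMPLE: WithdrawalContext = {
  customerEmail: "anna.mueller@example.org",
  customerName: "Anna Müller",
  customerAddress: "Musterstr. 5, 10115 Berlin, DE",
  customerPhone: "+49 30 1234567",
  orderRef: "#1042",
  reason: "Wrong size. I am Anna Müller; my partner peter@example.net or 0171 5554433 can also be reached.",
  orderAmount: 49.9,
  orderDate: "2026-03-02",
  productTitles: ["Linen shirt, size M"],
};
```

Two caveats follow directly from the code. Substitution is by exact value, so a consumer who writes only their first name in the reason text is not caught by the placeholder step; and the regular expressions are heuristics, which is why the outbound guard treats any surviving email-shaped string as a hard failure rather than trusting the redaction pass.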
11.3. EU AI Act Art. 50 transparency obligations
Pursuant to Art. 50 Regulation (EU) 2024/1689 (AI Act):
- AI system interaction: For AI-generated draft replies, translations, categorisations, sentiment analyses and value-compensation calculations, the merchant is clearly informed that the output is AI-generated. None of these functions is directly interactive for the consumer.
- Synthetic content: AI-generated email drafts are marked as AI suggestions in the merchant UI. The merchant decides whether to accept, modify or discard the suggestion.
- No emotion recognition, no biometric categorisation, no prohibited use cases under Art. 5 AI Act.
Concrete UI implementation: From v0.2.0, the merchant is clearly informed on the first use of any AI feature in the App UI that the output is AI-generated (one-time info dialog). A persistent "AI-generated" label then accompanies every AI output in the merchant UI.
11.4. Codixio as Deployer of a General-Purpose AI Model (GPAI)
Codixio uses Claude as a General-Purpose AI Model (GPAI) provided by Anthropic, PBC. Codixio is a deployer within the meaning of Art. 3(4) of Regulation (EU) 2024/1689 (AI Act).
The AI features deployed by Codixio (text processing, classification, sentiment analysis, translation, draft replies, value-compensation calculation) do not fall under the high-risk definition in Annex III of the AI Act. The applicable obligations for Codixio are therefore:
- Art. 4 AI Literacy (effective since 02 February 2025): Codixio ensures that persons dealing with AI operation possess a sufficient level of AI literacy. For the current solo operation this is the company founder; future staff with AI access receive an internal AI briefing.
- Art. 50 transparency obligations (see § 11.3).
The deployer obligations for high-risk systems under Art. 26 AI Act and the Fundamental Rights Impact Assessment under Art. 27 AI Act are not applicable to Codixio's use, since no high-risk systems per Annex III are deployed. Should the App be extended with high-risk functions in the future (e.g. emotion recognition in customer service), a reassessment would be carried out.
11.5. No automated individual decision-making (Art. 22 GDPR)
The App does not make automated decisions with legal effect on consumers. In particular, AI-based auto-accept functions (from v0.2.0 Max tier) are only activated on explicit merchant opt-in, and the merchant can review and revoke every auto-accepted decision manually. The legally binding decision on the withdrawal is always made by the merchant, not by the AI.
12. Cookies and similar technologies (§ 25 TDDDG, formerly TTDSG)
The App and the legal pages use exclusively strictly necessary cookies required for proper operation (e.g. session cookies for OAuth authentication). Under § 25(2) no. 2 TDDDG, no consent is required because access to information on the user's end device is "absolutely necessary for the provider of a digital service to provide a digital service explicitly requested by the user".
No marketing cookies, no tracking pixels, no Google Analytics, no Facebook Pixel and no other third-party tracking are used.
Therefore, no cookie consent banner is required on the pages covered by this policy (legal.codixio.com and withdrawal.codixio.com).
13. Security measures (TOMs under Art. 32 GDPR)
13.1. Encryption
- PII fields at rest: AES-256-GCM encryption under per-shop Data Encryption Key (DEK), DEK in turn master-key-encrypted (Coolify secret). Master key rotated quarterly.
- IP addresses: only as SHA-256 hashes with per-shop salt, never in plaintext
- Data in transit: TLS 1.2+ mandatory (HTTPS, Let's Encrypt, auto-renewal); HSTS header with max-age ≥ 31,536,000 seconds
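The envelope scheme in 13.1 (AES-256-GCM per field under a per-shop data encryption key, the DEK itself wrapped by the master key, master key rotated quarterly) is shown below as an added TypeScript example using Node's built-in crypto module. It is not the app's code; the record layout, the AAD strings, the function names and the in-memory "database" are assumptions made for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// One AES-256-GCM ciphertext: 96-bit random nonce, ciphertext, 128-bit tag.
interface Sealed {
  iv: Buffer;
  ct: Buffer;
  tag: Buffer;
}

function seal(key: Buffer, plaintext: Buffer, aad: string): Sealed {
  const iv = randomBytes(12); // fresh nonce per encryption; never reuse with the same key
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key: Buffer, s: Sealed, aad: string): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, s.iv);
  d.setAAD(Buffer.from(aad, "utf8"));
  d.setAuthTag(s.tag);
  return Buffer.concat([d.update(s.ct), d.final()]); // throws on wrong key, tag or AAD
}

// What the database would hold for one shop: the DEK wrapped under the
// master key (KEK, held as a deployment secret), plus PII fields sealed
// under the DEK. The KEK itself never touches the database.
interface ShopRecord {
  shop: string;
  kekVersion: number;
  wrappedDek: Sealed;
  fields: Record<string, Sealed>;
}

function createShopRecord(shop: string, kek: Buffer, kekVersion: number): ShopRecord {
  const dek = randomBytes(32); // per-shop AES-256 key
  return { shop, kekVersion, wrappedDek: seal(kek, dek, `dek:${shop}`), fields: {} };
}

function unwrapDek(rec: ShopRecord, kek: Buffer): Buffer {
  return open(kek, rec.wrappedDek, `dek:${rec.shop}`);
}

// The field AAD binds each ciphertext to its shop and column, so a value
// copied between shops or columns fails authentication instead of decrypting.
function putField(rec: ShopRecord, kek: Buffer, name: string, value: string): void {
  rec.fields[name] = seal(unwrapDek(rec, kek), Buffer.from(value, "utf8"), `${rec.shop}:${name}`);
}

function getField(rec: ShopRecord, kek: Buffer, name: string): string {
  return open(unwrapDek(rec, kek), rec.fields[name], `${rec.shop}:${name}`).toString("utf8");
}

// Quarterly master-key rotation: only the wrapped DEK is rewritten. The PII
// ciphertexts stay byte-for-byte identical, so rotation costs one row per
// shop rather than one decrypt/encrypt per stored field.
function rotateKek(rec: ShopRecord, oldKek: Buffer, newKek: Buffer, newVersion: number): void {
  const dek = unwrapDek(rec, oldKek);
  rec.wrappedDek = seal(newKek, dek, `dek:${rec.shop}`);
  rec.kekVersion = newVersion;
}
```

Because rotation only rewraps the DEK, the old master key can be destroyed as soon as every record carries the new kekVersion. A further property of the scheme, not a process the policy describes: once a shop's wrapped DEK is erased from the database and its backups, every field ciphertext for that shop becomes unrecoverable even if a copy of the rows survives elsewhere, which is a useful complement to the 48-hour deletion in 8.2.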
13.2. Access control
- Multi-factor authentication for all production access
- Least-privilege principle
- Audit log of all production access
13.3. Network security
- CSP, X-Content-Type-Options, Referrer-Policy headers
- Rate limit on API endpoints (10 submit/IP/h, 60 GET/IP/min on storefront)
- Scanner blocker middleware against known attack patterns
13.4. Backup and recovery
- Daily redundant database backups on Hetzner Object Storage
- Recovery tests quarterly
13.5. Monitoring and review
- Periodic security reviews per the Codixio Security Hardening Plan
- Dependency CVE monitoring via npm audit
- OWASP Top 10 (2025) applied as baseline
14. Data breaches (Art. 33/34 GDPR)
In the event of a personal data breach:
- Notification to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware, provided the breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33(1) GDPR). Notification is omitted if the breach is unlikely to result in such a risk.
- Communication to the data subjects without undue delay if a high risk is likely (Art. 34(1) GDPR). Communication may be omitted if the data are rendered unintelligible through appropriate encryption (Art. 34(3)(a) GDPR), if subsequent measures ensure the high risk is no longer likely to materialise (Art. 34(3)(b) GDPR), or if individual communication would involve disproportionate effort, in which case a public communication or an equally effective measure is used instead (Art. 34(3)(c) GDPR).
- Documentation of all incidents in the internal incident-response log (see docs/legal/incident-response-policy.md).
- Notification of the affected merchant for incidents touching shop data — in parallel with or before the supervisory notification.
15. Changes to this privacy policy
We reserve the right to adapt this privacy policy so that it always meets current legal requirements or to reflect changes in our services. Material changes will be announced with a 30-day notice period by email to the contact address stored for the merchant. The current version is available at https://legal.codixio.com/apps/eu-withdrawal-button/privacy.
Historical versions are versioned in the masterplan repository and available on request at legal@codixio.com.
16. Version and contact
Version: v1 (draft, requires legal review before publication) Last updated: 24 April 2026
For questions about data protection or to exercise your rights, please contact:
legal@codixio.com
Matthias Jakisch, Hauptstr. 34, OT Etingen, 39359 Oebisfelde-Weferlingen, Germany.