Overview
When merchants use EasyWiderruf, we process personal data of their end customers (consumers who submit a withdrawal request) on their behalf. Under the General Data Protection Regulation (GDPR), this requires a Data Processing Agreement (DPA).
This DPA takes effect when you install the app. No separate signature is required. Art. 28(3) GDPR expressly permits electronic form.
Important: As the merchant, you are the Data Controller under the GDPR. Maik Gossen (provider of EasyWiderruf) acts solely as Data Processor on your behalf and according to your instructions.
What the DPA covers
- Subject matter and duration of processing (tied to your use of the app)
- Types of personal data processed (name, email, order number, timestamp, status)
- Your right to issue instructions regarding data processing
- Our technical and organizational security measures (encryption, access controls, tenant isolation)
- Approved sub-processors and notification of changes
- Support with data subject rights (Art. 15 to 22 GDPR)
- Data breach notification procedures
- Data retention: 90 days by default on the Free Plan; configurable periods on the Pro Plan
- Data deletion upon termination (immediate deletion of withdrawal data when the app is uninstalled)
- Audit and accountability rights
Where is your data stored?
All primary data processing takes place within the European Union.
- Database SQLite on Fly.io Volume, Frankfurt, Germany
- Application Server Fly.io, Frankfurt (DE)
- Email Delivery Mailjet, France (EU)
EU Hosting: Both the database and the application server are located in Frankfurt, Germany. The email service operates in France (EU). No data is transferred to third countries.
Frequently Asked Questions
Do I need to sign the DPA separately?
No. The DPA takes effect when you install the app. This is in accordance with Art. 28(3) GDPR, which expressly permits electronic form.
Who is the Data Controller and who is the Data Processor?
You (the merchant) are the Data Controller for your end customers' personal data. We (Maik Gossen as app provider) act as Data Processor on your behalf.
How long do we store withdrawal data?
Free Plan: Withdrawal data is automatically deleted after 90 days. Pro Plan: You can configure the retention period in the app.
What happens to data when the app is uninstalled?
When the app is uninstalled, all withdrawal data processed on your behalf is deleted immediately. You can export a CSV file from the dashboard beforehand.
How will I be notified about changes to sub-processors?
We will notify you at least 14 days in advance by email or in-app notification.
Does the DPA apply to all EU member states?
Yes. The DPA is based on Art. 28 GDPR, which applies uniformly across the entire EU/EEA. The DPA is governed by German law.
Questions about the DPA?
For questions about data protection or data processing, please get in touch.
Get in touchThis document is governed by German law. The German version (AVV) is legally binding. This English translation is provided for informational purposes only. For specific legal questions, please consult a qualified attorney. Last updated: June 2026.