Privacy Policy

Last updated: July 2026. This Privacy Policy explains how herrlich media GmbH (“we”, “us”) processes personal data when you visit this website and when merchants use the EU Guard: Ultimate Compliance Shopify app (“EU Guard”, “the App”).

1. Controller

herrlich media GmbH
Labesstraße 7
27404 Zeven
Germany

General contact: info@herrlich-media.de
App support: shop-app@herrlich-media.de

2. Roles under the GDPR

For this marketing website, herrlich media GmbH is the data controller. For the EU Guard Shopify app, we generally act as a data processor on behalf of the merchant (shop owner), who remains the data controller for their shop, product, order, and customer data. End-customer personal data is primarily stored and managed in the merchant’s Shopify store, not in a separate customer database operated by us.

3. What EU Guard does

EU Guard helps Shopify merchants display and manage EU compliance information, including:

  • GPSR product safety (manufacturer, responsible person, safety information)
  • GARAN commercial warranty labels and disclosures
  • WEEE / ElektroG take-back information
  • EPR registration data by country
  • Digital Product Passport (DPP) links
  • EUDR supply-chain geodata references
  • EU AI Act disclosure labels
  • Green claims evidence, right-to-repair information, and related storefront widgets
  • Post-purchase compliance summaries on orders
  • Recall Center tools (Pro) to identify buyers and export data from Shopify
  • Compliance audit logs and bulk CSV import (Pro)

The App does not provide legal advice. Merchants are responsible for the accuracy and completeness of compliance information shown in their shop.

4. This website

When you visit this landing page, our hosting provider may process technical access data in server log files, such as:

  • IP address
  • Date and time of access
  • Requested page or file
  • Browser type and operating system
  • Referrer URL

This data is used to deliver the site securely and to troubleshoot technical issues. Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in operating a secure website).

This website uses self-hosted fonts. No third-party font requests are made. We do not use analytics or advertising cookies on this landing page.

5. Data processed in the App (our database)

When a merchant installs EU Guard, we store the following categories of data in our application database (MySQL) to operate the App:

  • Session and authentication data: shop domain, OAuth access tokens, granted API scopes, session expiry, and optional merchant staff profile fields provided by Shopify during login (e.g. name, email, locale, account role)
  • Shop settings: onboarding status, default manufacturer/responsible person details, WEEE/EPR configuration, and related shop-level compliance settings entered by the merchant
  • Legal acceptance records: accepted document versions, timestamp, and technical metadata (IP address and user agent) when the merchant accepts in-app legal terms
  • Compliance audit log: shop domain, product identifier and title, change action, source of change, and before/after snapshots of compliance data (which may include business contact details entered by the merchant)

We do not maintain a standalone database of end-customer profiles. Buyer personal data is accessed via Shopify only where a merchant uses features that require it (see section 6).

6. Data processed in Shopify

Most compliance data is stored in the merchant’s Shopify store as metafields and related shop data, including:

  • Product compliance data (namespace eu_compliance)
  • Shop-level defaults and subscription tier metafields
  • Order metafields written on order creation (compliance summaries, WEEE, warranty, DPP, and audit snapshots)

For certain features, EU Guard reads or writes Shopify data via the Shopify Admin API, including:

  • Orders: order ID, line items, customer locale, shipping/billing country — used for post-purchase compliance metafields
  • Customers (Recall Center, Pro): customer IDs, email addresses, and order history — used when merchants search for buyers affected by a recall, create segments/tags, or export CSV files. Email addresses are masked in the admin UI; full addresses may appear in Pro CSV exports initiated by the merchant
  • Products: product identifiers, titles, and compliance metafields — including monitoring of external ERP/WaWi updates via the products/update webhook

Storefront theme and checkout extensions display compliance information from product/shop metafields. They do not set analytics cookies and do not collect customer personal data on their own.

7. Shopify API permissions

EU Guard requests the following Shopify access scopes: read_locales, read_markets, read_products, read_themes, write_products, read_orders, read_all_orders, write_orders, read_customers, write_customers, and unauthenticated_read_product_listings.

These permissions are used solely to provide the compliance features described above (metafield management, multilingual texts, market-specific EPR settings, post-purchase order data, recall tools, and storefront display of product compliance data).

8. Webhooks

EU Guard subscribes to the following Shopify webhooks:

  • app/uninstalled — deletes app-held data for the shop
  • shop/redact, customers/redact, customers/data_request — GDPR compliance handling (see section 11)
  • app_subscriptions/update — subscription tier changes
  • app/scopes_update — session refresh after scope changes
  • products/update — compliance audit for external product updates
  • orders/create — post-purchase compliance metafield writes

9. Third-party services

  • Shopify: hosting of the merchant’s store, OAuth, APIs, webhooks, embedded admin, checkout, and storefront extensions
  • Hosting infrastructure: the App backend is deployed on servers operated by us or a hosting provider we select; exact hosting location depends on production deployment configuration
  • Redis (optional): short-lived rate-limit counters using anonymised IP-derived identifiers
  • Bugsnag (optional): if enabled, error reports may include shop domain, error message/stack trace, URL, and app version for debugging

We do not sell personal data. Data is shared only with processors necessary to operate the App and this website, under appropriate contractual safeguards where required.

10. Cookies and similar technologies

This website: no analytics or marketing cookies. No third-party cookies are set by this website.

Embedded App (Shopify Admin): authentication uses Shopify’s session mechanisms. We do not operate separate advertising trackers in the admin interface.

Storefront extensions: no cookies, local storage, or third-party analytics scripts are used in the theme compliance widgets.

11. Retention and deletion

App data in our database is retained for as long as the merchant keeps EU Guard installed and as needed to provide the service.

Data in our database is deleted when:

  • the merchant uninstalls the App (app/uninstalled webhook), or
  • Shopify sends a shop/redact request after uninstall (GDPR)

On shop redaction/uninstall we delete sessions, shop settings, legal acceptance records, and compliance audit logs held in our database.

For customers/data_request and customers/redact webhooks, we do not hold separate end-customer records in our database; such requests are acknowledged accordingly. Compliance data stored on orders and customers in Shopify remains under the merchant’s Shopify account and Shopify’s own retention and deletion processes.

Short-lived technical data (rate-limit counters, in-memory settings cache) is automatically discarded within minutes.

12. Your rights

If we process your personal data as controller (e.g. website visitors or merchant staff contacting us directly), you have the right to:

  • access your data (Art. 15 GDPR)
  • rectification (Art. 16 GDPR)
  • erasure (Art. 17 GDPR)
  • restriction of processing (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • object to processing (Art. 21 GDPR)
  • withdraw consent where processing is consent-based
  • lodge a complaint with a supervisory authority

If you are an end-customer of a Shopify store using EU Guard, please contact the store operator first. They are the data controller for your order and customer data. We will support merchants in fulfilling lawful requests where we act as their processor.

13. International transfers

Shopify and optional subprocessors may process data outside the European Economic Area. Where required, appropriate safeguards (such as Standard Contractual Clauses) apply under Shopify’s and the respective provider’s terms.

14. Security

We use technical and organisational measures appropriate to the risk, including encrypted connections (HTTPS), access controls, webhook verification, and rate limiting. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

15. Children

EU Guard is a business application for Shopify merchants and is not directed at children.

16. Changes to this policy

We may update this Privacy Policy when the App, legal requirements, or our processing activities change. The “Last updated” date at the top will be revised accordingly. Material changes within the App may also be communicated through in-app legal notices.

17. Contact

For privacy questions about this website or EU Guard, contact:
shop-app@herrlich-media.de
herrlich media GmbH, Labesstraße 7, 27404 Zeven, Germany