This is a non-binding convenience translation. Only the German version is legally binding.
Data Processing Agreement (DPA)
Pursuant to Art. 28 GDPR
Last updated: March 2026
This is the complete Data Processing Agreement (DPA) pursuant to Art. 28 GDPR between WiderrufButton (processor) and the shop operator (controller). You can review it in full here and save or print it as a PDF at any time. By registering, the DPA is deemed concluded between you and WiderrufButton.
1. Subject matter of the processing
As a processor, WiderrufButton processes personal data on behalf of the shop operator (controller) that is submitted by end customers (consumers) in the course of a withdrawal declaration.
Purpose of the processing: Receipt, storage and forwarding of withdrawal declarations pursuant to § 356a of the German Civil Code (BGB), as well as sending an acknowledgement of receipt by email to the consumer.
2. Categories of personal data
The following categories of personal data are processed within the scope of the processing on behalf of the controller:
| Data category | Mandatory | Purpose |
|---|---|---|
| Consumer's name | Yes | Identification of the withdrawing person |
| Contact details (email/phone) | Yes | Acknowledgement of receipt, follow-up contact |
| Order reference | No | Allocation to the contract |
| Free-text message | No | Supplementary information |
| IP address (hashed) | – | Abuse protection (rate limiting) |
3. Data subjects
End customers (consumers) of the shop operator who submit a withdrawal declaration via the WiderrufButton widget.
4. Duration of the processing
The processing on behalf of the controller begins upon conclusion of the contract and ends upon termination of the usage relationship (cancellation of the WiderrufButton subscription).
After the contract ends, the withdrawal data is retained in accordance with the statutory retention obligations and subsequently deleted, unless the controller requests earlier deletion.
5. Technical and organisational measures (TOMs)
The processor implements the following measures to protect personal data:
Encryption
TLS/SSL encryption of all data transmissions. Database encryption at rest. IP addresses are hashed (SHA-256) before storage.
Access control
Authentication via magic link (passwordless). Role separation: shop operators only see their own data. Administrative access only for authorised personnel.
Hosting in Germany
All data is processed and stored on servers operated by Hetzner Online GmbH in German data centres. No transfer to third countries through the hosting.
Data backup
Daily automated backups of the database (pg_dump). Backups are stored encrypted on a separate Hetzner Storage Box.
6. Sub-processors
The following sub-processors are engaged to fulfil the contract:
| Company | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, database | Germany |
| IONOS SE | Email delivery (transactional acknowledgements of receipt) | Germany |
The controller will be informed in advance of any changes to the sub-processors and will be given the opportunity to object.
7. Obligations of the processor
- Processing of the data exclusively on documented instructions from the controller.
- Ensuring that persons authorised to process the data have committed themselves to confidentiality.
- Implementation of all technical and organisational measures required under Art. 32 GDPR.
- Assisting the controller in fulfilling data subject rights (Art. 15–22 GDPR).
- Assistance with notification obligations (Art. 33, 34 GDPR).
- Deletion or return of all data after the end of the processing.
- Enabling audits and inspections by the controller.
8. Rights of the controller
- Right to information about the processed data.
- Right to review the technical and organisational measures.
- Right to issue instructions to the processor.
- Right to deletion or return of the data upon termination of the contract.
- Right to object to changes of sub-processors.
9. Complete DPA
This DPA is available to you here in full. Save it as a PDF or print it for your records. By registering, it is deemed concluded.
This Data Processing Agreement pursuant to Art. 28 GDPR is available here in full and can be saved as a PDF or printed. By registering, it is deemed concluded between the parties. Last updated: June 2026.