Privacy Policy — EU Compliance

Last updated: May 22, 2026

This Privacy Policy describes how EU Compliance (“we”, “us”, “our”) collects, uses, stores, and shares information when you install and use our Shopify application (the “App”).

If you have questions, contact us at lilee501@gmail.com.

1. Who we are

EU Compliance is a Shopify embedded application that helps merchants organize EU Deforestation Regulation (EUDR) traceability data (suppliers, geolocated land parcels, SKU-level components, compliance status, and export files for manual TRACES due diligence).

App backend: https://eudr.fanpail.com
Support email: lilee501@gmail.com

2. Our role

When you use the App, you (the merchant) are the data controller for the business and compliance information you enter. We act as a data processor / service provider that stores and processes that information on your instructions to operate the App.

We do not provide legal advice, customs clearance, or automatic submission to EU TRACES systems.

3. Information we collect

3.1 From Shopify (via OAuth and APIs)

When you install the App, Shopify shares information needed to authenticate your store and operate the App, such as:

Shop domain, shop name, and shop owner contact details
Staff user context for embedded admin sessions
Product and variant catalog data (titles, SKUs, identifiers, images, status)
Subscription / billing status related to the App
Order metadata where enabled for compliance features (we do not use orders to build a customer marketing database)

3.2 Information you and your team enter

Supplier profiles (names, addresses, registration identifiers, contacts)
Land parcel records and geospatial coordinates / polygons
SKU component and traceability mappings
EUDR certificates and TRACES reference numbers you record after filing
Operator / TRACES declarant profile fields stored on your shop record
Compliance notes, audit event logs, and export task metadata

3.3 Supplier portal (optional workflow)

If you share a secure supplier link, suppliers may submit parcel boundaries and related location data without a Shopify login. That data is stored in your shop’s tenant scope.

3.4 Shopify customer personal data

We do not store Shopify customer personal data (such as customer names, emails, or addresses) for App functionality.

We respond to Shopify mandatory GDPR webhooks (customers/data_request, customers/redact) by confirming that no customer PII is stored by the App.

3.5 Technical logs

We may process limited technical logs (errors, request metadata, webhook delivery logs) to secure and operate the service. These logs are not used for advertising.

4. How we use information

We use the information above to:

Provide EUDR traceability workflows inside Shopify Admin
Evaluate and display compliance status and missing-field indicators
Sync compliance tags and product metafields to your catalog
Generate export files (for example audit CSV and TRACES submission packs)
Operate billing, quotas, and support
Maintain append-only compliance audit logs
Secure the App and prevent abuse

5. Legal bases (EEA / UK merchants)

Where GDPR applies, we process data on the following bases:

Performance of a contract — to provide the App you installed
Legitimate interests — to secure, maintain, and improve the service
Legal obligation — to respond to valid data-subject and Shopify compliance requests
Your instructions — for compliance records you choose to store and export

We share data only as needed to run the App:

Recipient	Purpose
Shopify	Embedded app platform, OAuth, APIs, billing
Cloud hosting provider	Application servers (EU Compliance backend)
Object storage provider	Uploaded import files and generated export files
Map tile / geocoding providers (e.g. MapTiler, OpenStreetMap contributors, Esri fallback)	Supplier portal map display and location search

We do not sell your data. We do not share your compliance records with TRACES or EU authorities on your behalf in the current version of the App.

7. International transfers

Our infrastructure may process data outside your country. Where required, we rely on appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) for cross-border processing by subprocessors.

8. Data retention

Compliance records you enter (suppliers, parcels, traceability links, certificates, audit logs, exports) are retained to provide continuity of service and auditability.
Export files attached to sync tasks are retained until you delete related tasks or we implement a published retention schedule.
On app uninstall (app/uninstalled): we remove Shopify access tokens and subscription authorization data. We retain EUDR business records so you can reinstall and continue working.
On shop deletion (shop/redact): we apply the same auth cleanup approach and retain EUDR business records unless a future published policy states otherwise.

Important: Under EUDR, merchants may have legal obligations to retain due diligence records. You remain responsible for statutory retention and for downloading export packages for your own archives.

9. Security

We use industry-standard measures including encrypted transport (HTTPS), tenant isolation by shop, access controls, and append-only audit logging for compliance events. No method of transmission or storage is 100% secure.

10. Your rights and merchant responsibilities

Depending on your location, you may have rights to access, rectify, erase, restrict, or export personal data we process about you as a merchant contact.

Because most App data is your business compliance data, requests about supplier or parcel records should generally be handled by you as the controller. Contact us if you need help locating data stored under your shop tenant.

If you are a supplier using a portal link, contact the merchant who invited you.

11. Shopify mandatory webhooks

We implement Shopify’s mandatory compliance webhooks:

customers/data_request — we confirm the App does not store customer PII
customers/redact — no customer PII deletion is required in the App
shop/redact — we clear App authorization credentials; EUDR business data retention is described in Section 8

12. Children

The App is a business-to-business service and is not directed to children.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the “Last updated” date above. Material changes may also be communicated through the App or App Store listing.

14. Contact

Email: lilee501@gmail.com

Please use the same address shown in our Shopify App Store listing support section.