Privacy Policy — Unzer iDEAL | Wero Shopify App

Privacy Policy for the Unzer iDEAL | Wero plugin in the Shopify App Store, pursuant to Art. 13, 14 and 21 GDPR.

Effective date: 23.06.2026    Last updated: 23.06.2026

The security of your data and the protection of your personal rights are of great importance to us. We process your personal data exclusively in accordance with applicable data protection laws. Below, we provide information about how we process your personal data in connection with the Unzer iDEAL | Wero application (the “App”) that is made available to merchants (“Merchants”) through the Shopify App Store at https://apps.shopify.com/ideal-2, as well as your rights as a data subject under data protection laws.

The App enables Merchants to accept payments via the iDEAL | Wero payment method from their End-customers (“End-customers”) on Shopify-powered stores. The provision of the App and the processing of payments are governed by separate contractual arrangements. Payment services are provided independently by Unzer in its role as payment service provider under a direct contractual relationship with the Merchant.

1. Contact information of the Data Controller and the Data Protection Officer

The Data Controller responsible for the processing of personal data described in this Policy, within the meaning of Art. 4 No. 7 GDPR, is:

Unzer Luxembourg S.A. (“Unzer”)
Parc d’Activité Syrdall 2
18 - 20 rue Gabriel Lippmann
5365 Munsbach
Luxembourg

Telephone: +352 - 2763 9919
Email: datenschutz-lu@unzer.com

You can contact Unzer’s group-wide Data Protection Officer at dsb@unzer.com or by post at the postal address listed above.

2. Scope of this Policy

This Policy covers personal data that we process as part of the App, including:

  • personal data of End-customers that is transmitted through the App when an End-customer initiates an iDEAL | Wero payment in a Shopify checkout; and
  • transaction metadata generated by Shopify and forwarded to Unzer to enable, settle, and reconcile payments.

This Policy does not cover personal data that Shopify Inc. processes as the operator of the Shopify platform, nor personal data that the Merchant processes independently as the controller of its own online store. Please refer to Shopify’s privacy policy and to the Merchant’s own privacy notice for information about those processing activities.

3. Categories of personal data processed

3.1 Personal data collected through Shopify’s APIs and the App

When an End-customer selects iDEAL | Wero at checkout in a Merchant’s Shopify store, the App receives the following categories of personal data from Shopify and/or the End-customer’s bank in order to initiate and complete the payment:

  • End-customer’s payment data: the End-customer’s full name, the IBAN used for the payment, and the transaction amount.
  • Order and transaction metadata: the Shopify order identifier, the transaction identifier issued by Unzer, the order currency, the payment status (authorised, captured, failed, refunded), refund amounts and refund references, and timestamps of the payment events.

3.2 Personal data collected directly from the Merchant

The App does not ask the Merchant for personal data about the Merchant’s individual End-customers beyond what is required to process the iDEAL | Wero payment described in Section 3.1. For App installation and configuration, the App relies on identifiers and shop metadata that Shopify makes available through its APIs (such as the shop domain, shop ID, and the public Merchant contact information that the Merchant has set up in Shopify).

3.3 Personal data we do not collect

The App does not conduct any tracking and does not collect End-customer data via cookies during the Shopify checkout. Furthermore, the App does not generate behavioural or marketing analytics about End-customers, and no special categories of personal data within the meaning of Art. 9 GDPR are processed.

4. Purposes of processing and legal basis

We process the personal data described above for the following purposes and on the following legal bases:

  • Payment initiation, authorization, settlement, and reconciliation. We process End-customer payment data and order/transaction metadata to execute the payment requested by the End-customer, to settle funds to the Merchant, and to reconcile the payment with the Shopify order. Legal basis: performance of a contract to which the End-customer is party, or pre-contractual measures taken at the End-customer’s request (Art. 6(1)(b) GDPR), and performance of the contract between Unzer and the Merchant (Art. 6(1)(b) GDPR).
  • Refunds, chargebacks, and dispute handling. We process transaction metadata and, where required, End-customer payment data to process refunds requested by the Merchant or the End-customer, and to investigate and respond to chargebacks or payment disputes. Legal basis: Art. 6(1)(b) GDPR and our legitimate interest in resolving payment disputes (Art. 6(1)(f) GDPR).
  • Fraud prevention and security of the App. We process transaction metadata and technical event data to detect, prevent, and investigate fraud, unauthorized transactions, and security incidents affecting the App or the payment infrastructure. Legal basis: our legitimate interest, and the legitimate interest of Merchants and End-customers, in a secure payment service (Art. 6(1)(f) GDPR), and compliance with legal obligations applicable to payment service providers (Art. 6(1)(c) GDPR).
  • Compliance with statutory obligations. We process the data to comply with applicable obligations under European Union law and the laws of Luxembourg, including anti-money-laundering, counter-terrorism-financing, accounting, and tax retention obligations. Legal basis: Art. 6(1)(c) GDPR.
  • Defence of legal claims. We may process the data where necessary to establish, exercise, or defend legal claims. Legal basis: Art. 6(1)(f) GDPR.

We do not process the personal data collected through the App for any purposes other than those listed in this Section 4. We do not use the data for advertising, profiling, or automated decision-making with legal or similarly significant effects under Art. 22 GDPR.

5. Source of the personal data processed

We receive your personal data as described in Section 3 from Shopify, the End-customer’s bank and/or the Merchant. When an End-customer selects iDEAL | Wero as a payment method at checkout in a Merchant’s Shopify store, the App receives order and transaction metadata from Shopify via its Payments Apps API. This includes the Shopify order identifier, order currency, payment status, refund amounts, refund references, and relevant event timestamps. This data is required to initiate, process, and reconcile payment transactions.

Upon successful completion of the iDEAL | Wero payment transaction, the App receives payment confirmation data from the End-customer’s bank. This may include the End-customer’s full name, IBAN, and the transaction amount. This information is processed solely for the purpose of confirming the payment and ensuring the correct match to the corresponding order.

Merchants do not directly provide personal data relating to End-customers to the App. For the installation and configuration of the App, only shop-level information is made available via Shopify’s APIs. This includes the shop domain, shop ID, and the merchant’s publicly available contact information as configured within Shopify.

6. Duration of the processing of personal data and retention

The duration of the retention of your personal data depends on the purpose of processing. We retain personal data only for as long as is necessary to fulfil the purposes set out in Section 4, taking into account statutory retention obligations applicable to payment service providers under EU law and the laws of Luxembourg.

  • Transaction data required for accounting and tax purposes: retained for 10 years in accordance with Art. 16 of the Luxembourg Commercial Code and other applicable Luxembourg laws (including the Law of 5 April 1993 on the financial sector and Art. 27 of the Law of 10 November 2009 on payment services, on the activity of electronic money institution and settlement finality in payment and securities settlement systems). The retention period starts from the end of the financial year to which they relate (which generally corresponds to the end of the calendar year).
  • Transaction data required for anti-money-laundering purposes: retained for 5 years in accordance with Art. 3(6) of the Luxembourg Law of 12 November 2004 on the fight against money laundering and terrorist financing, Art. 1(5) of the Grand-ducal Regulation and Art. 25 of the CSSF Regulation, calculated from the end of the business relationship, the date of an occasional transaction, or the date on which the customer or trader refused to enter into a business relationship. Personal data may be subjected to an additional period of 5 years where such retention is necessary to effectively implement internal measures for the prevention or detection of money laundering or terrorist financing, or where an additional retention period is required by the supervisory authorities.
  • Operational logs and technical event data: retained for a total of 1 year (3 months immediately accessible and the remaining period archived for compliance purposes), except where a longer period is necessary to investigate a security incident or to comply with a legal obligation.
  • Preservation of evidence within the framework of statutory prescription provisions (e.g. personal data for the exercise of a dispute or legal claim): retained until the dispute is resolved and any applicable limitation period has expired.

Once the retention period for a category of data has expired, the data is deleted accordingly. If the processing of your personal data is based on your consent, the personal data will be deleted as soon as you revoke that consent for the future. If data processing is carried out in our legitimate interest or that of a third party, the personal data will be deleted as soon as this interest no longer exists, unless one of the above-mentioned exceptions applies.

7. Recipients of your personal data

We share personal data only with the following categories of recipients, and only to the extent necessary:

  • Shopify Inc. and its group companies as the operator of the Shopify platform and as the channel through which the App is delivered to the Merchant. Solely a transaction status (“OK” or “NOT OK”) and a reference identifier (e.g. the Shopify-generated order ID) are returned to Shopify to enable the allocation of the response to the corresponding transaction.
  • The Merchant whose Shopify store initiated the payment, so that the Merchant can fulfil the order and reconcile the payment.
  • Banks, payment networks, and scheme operators, including the iDEAL | Wero scheme operator (European Payments Initiative), and the End-customer’s and Merchant’s banks, as required to route and settle the payment.
  • (Sub)-Processors engaged by Unzer to host, operate, and secure the App and the underlying payment infrastructure, under written agreements that comply with Art. 28 GDPR.
  • Unzer affiliated companies: within the Unzer group, access to your personal data is granted only to those entities that need it to fulfil the purpose of processing and our contractual and legal obligations.
  • Public authorities, supervisory authorities, and courts, where we are required by law to disclose the data (for example, financial supervisory authorities, tax authorities, or law-enforcement agencies acting under a valid legal request).
  • Professional advisers (such as auditors and lawyers), where necessary for the purposes described in Section 4 and subject to confidentiality obligations.

We do not sell personal data, and we do not share personal data for cross-context behavioural advertising.

8. Transfers of personal data to third countries

Personal data processed through the App is primarily stored and processed on servers located within the European Economic Area (“EEA”).

Where a transfer of personal data outside the EEA is necessary (for example, to a sub-processor located in a third country), we ensure that an appropriate transfer mechanism under Chapter V of the GDPR is in place. This may include:

  • a European Commission adequacy decision under Art. 45 GDPR;
  • Standard Contractual Clauses adopted by the European Commission under Art. 46(2) GDPR, supplemented where appropriate by additional technical and organizational measures; or
  • another transfer mechanism permitted by the GDPR.

9. Your rights under the GDPR

Subject to the conditions and limitations set out in the GDPR, you have the following rights in relation to your personal data:

  • Right of access (Art. 15 GDPR) — to obtain confirmation as to whether we process personal data about you, and to receive a copy of that data.
  • Right to rectification (Art. 16 GDPR) — to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure / “right to be forgotten” (Art. 17 GDPR) — to have personal data deleted where one of the grounds in Art. 17(1) GDPR applies, subject to the exceptions in Art. 17(3), including our obligation to retain transaction records under financial, accounting, and anti-money-laundering legislation.
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR), in respect of data that you have provided to us and that is processed by automated means on the basis of consent or contract.
  • Right to object (Art. 21 GDPR), in particular to processing based on our legitimate interests. More information on the right to object is available at the end of this Policy.
  • Right to withdraw consent (Art. 7(3) GDPR), where processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal.
  • Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR). The App does not carry out such automated decision-making.

To exercise any of these rights, please contact us via our contact details under Section 1. We will respond within the time limits required by the GDPR (in principle, within one month of receipt of the request, extendable by a further two months for complex requests in accordance with Art. 12(3) GDPR).

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for Unzer Luxembourg S.A. is:

National Commission for Data Protection
15 Boulevard du Jazz
4370 Belvaux
Luxembourg
Tel.: (+352) 26 10 60 -1

10. Security of processing

Unzer implements and maintains appropriate technical and organizational measures within the meaning of Art. 32 GDPR to ensure a level of security appropriate to the risk, including the protection of personal data processed through the App against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include (but are not limited to) encryption of payment data in transit and at rest, strict access controls on a need-to-know basis, network segmentation, logging and monitoring, and regular security testing.

As a regulated payment institution, Unzer Luxembourg S.A. is also subject to industry security standards applicable to payment services, including PCI-DSS where relevant.

11. Children

The App is not directed at children. We do not knowingly collect personal data from individuals under the age of 18 through the App. If you believe that we have inadvertently received personal data from a child, please contact datenschutz-lu@unzer.com.

12. Changes to this Policy

We may update this Policy from time to time to reflect changes in the App, in our processing activities, or in applicable law. The “Last updated” date at the top of this Policy indicates when it was most recently revised. We encourage you to review this Policy periodically. Material changes will be communicated through the App listing on the Shopify App Store and, where appropriate, directly to Merchants.


Information about your right to object

according to Art. 21 of the General Data Protection Regulation (GDPR)

  1. You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data that is carried out on the basis of Art. 6(1)(e) GDPR (data processing in the public interest) and Art. 6(1)(f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.

    If you object, we will no longer use your personal data for these purposes, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

  2. You have the right to object — without limitation — to any kind of processing for direct marketing purposes in accordance with Art. 21(2) and (3) GDPR. You have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

    If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

The objection can be made in any form and should be addressed to:

Unzer Luxembourg S.A.
Parc d’Activité Syrdall 2
18 - 20 rue Gabriel Lippmann
5365 Munsbach
Luxembourg
Email: datenschutz-lu@unzer.com