Privacy Policy — Unzer PayU Shopify App
Effective date: 18/05/2026
Last updated: 18/05/2026
This Privacy Policy (“Policy”) explains how Unzer Group GmbH (“Unzer”, “we”, “us”, or “our”) collects, uses, stores, and discloses personal data in connection with the Unzer PayU application (the “App”) that is made available to merchants (“Merchants”) through the Shopify App Store at https://apps.shopify.com/payu.
The App enables Merchants to accept PayU payments from their shoppers (“Shoppers”) on Shopify-powered stores. Payment processing is performed by Unzer under separate contractual arrangements (the Unzer Payment Services Agreement) that govern Unzer’s role as a payment service provider.
This Policy is provided in addition to, and should be read together with, Unzer’s general data protection statement available at https://www.unzer.com/en/data-protection/.
1. Data controller and contact details
The data controller responsible for the processing of personal data described in this Policy, within the meaning of Article 4(7) of the EU General Data Protection Regulation (“GDPR”), is:
Unzer Group GmbH
Schöneberger Str. 21 a
10963 Berlin, Germany
Telephone: +49 30 837 93 000
Email: support@unzer.com
You can contact Unzer’s Data Protection Officer in all matters relating to the processing of your personal data and the exercise of your rights under the GDPR at:
Data Protection Officer
Email: datenschutz@unzer.com
Postal address: Data Protection Officer, Unzer Group GmbH, Schöneberger Str. 21 a, 10963 Berlin, Germany
2. Scope of this Policy
This Policy covers personal data that Unzer processes as part of the App, including:
- personal data of Shoppers that is transmitted through the App when a Shopper initiates a PayU payment in a Shopify checkout; and
- transaction metadata generated by Shopify and forwarded to Unzer to enable, settle, and reconcile payments.
This Policy does not cover personal data that Shopify Inc. processes as the operator of the Shopify platform, nor personal data that the Merchant processes independently as the controller of its own online store. Please refer to Shopify’s privacy policy (https://www.shopify.com/legal/privacy) and to the Merchant’s own privacy notice for information about those processing activities.
3. Personal data we collect
3.1 Data collected through Shopify’s APIs and the App
When a Shopper selects PayU at checkout in a Merchant’s Shopify store, the App receives the following categories of personal data from Shopify and/or the PayU payment network in order to initiate and complete the payment:
- Shopper payment data: the Shopper’s full name, the payment credentials specific to the PayU payment method selected (which may vary by country and payment option), and the transaction amount.
- Order and transaction metadata: the Shopify order identifier, the transaction identifier issued by Unzer, the order currency, the payment status (authorised, captured, failed, refunded), refund amounts and refund references, and timestamps of the payment events.
3.2 Data collected directly from the Merchant
The App does not ask the Merchant for personal data about the Merchant’s individual customers beyond what is required to process the PayU payment described in Section 3.1. For App installation and configuration, the App relies on identifiers and shop metadata that Shopify makes available through its APIs (such as the shop domain, shop ID, and the public Merchant contact information that the Merchant has set up in Shopify).
3.3 Data we do not collect
The App does not drop tracking cookies on Shoppers’ devices in the Shopify checkout, and the App does not generate behavioural or marketing analytics about Shoppers. The App does not collect special categories of personal data within the meaning of Article 9 GDPR.
4. Purposes of processing and legal bases (GDPR Art. 6)
We process the personal data described above for the following purposes and on the following legal bases:
- Payment initiation, authorisation, settlement, and reconciliation. We process Shopper payment data and order/transaction metadata to execute the payment requested by the Shopper, to settle funds to the Merchant, and to reconcile the payment with the Shopify order. Legal basis: performance of a contract to which the Shopper is party, or pre-contractual measures taken at the Shopper’s request (Art. 6(1)(b) GDPR), and performance of the contract between Unzer and the Merchant (Art. 6(1)(b) GDPR).
- Refunds, chargebacks, and dispute handling. We process transaction metadata and, where required, Shopper payment data to process refunds requested by the Merchant or the Shopper, and to investigate and respond to chargebacks or payment disputes. Legal basis: Art. 6(1)(b) GDPR and our legitimate interest in resolving payment disputes (Art. 6(1)(f) GDPR).
- Fraud prevention and security of the App. We process transaction metadata and technical event data to detect, prevent, and investigate fraud, unauthorised transactions, and security incidents affecting the App or the payment infrastructure. Legal basis: our legitimate interest, and the legitimate interest of Merchants and Shoppers, in a secure payment service (Art. 6(1)(f) GDPR), and compliance with legal obligations applicable to payment service providers (Art. 6(1)(c) GDPR).
- Compliance with statutory obligations. We process the data to comply with applicable obligations under European Union and German law, including anti-money-laundering, counter-terrorism financing, accounting, and tax retention obligations. Legal basis: Art. 6(1)(c) GDPR.
- Defence of legal claims. We may process the data where necessary to establish, exercise, or defend legal claims. Legal basis: Art. 6(1)(f) GDPR.
We do not use the personal data collected through the App for any purposes other than those listed in this Section 4. We do not use the data for advertising, profiling, or automated decision-making with legal or similarly significant effects under Article 22 GDPR.
5. Data retention
We retain personal data only for as long as is necessary to fulfil the purposes set out in Section 4, taking into account statutory retention obligations applicable to payment service providers under EU and German law.
- Transaction data required for accounting and tax purposes: retained for 8 years in accordance with § 257 (1) Nr. 4 and (4) HGB and § 147 (1) Nr. 4 and (3) AO, as amended by the Fourth Bureaucracy Relief Act (Viertes Bürokratieentlastungsgesetz) with effect from 1 January 2025. The retention period starts at the end of the calendar year in which the transaction occurred. Where a different German or EU statutory provision requires a longer retention period for a specific record (for example, the 10-year period that continues to apply to commercial books, opening balance sheets, annual financial statements, and inventories under § 257 (1) Nr. 1 HGB), that longer period applies to the records it covers.
- Transaction data required for anti-money-laundering purposes: retained for 5 years in accordance with § 8 (4) of the German Anti-Money Laundering Act (Geldwäschegesetz – GwG) and equivalent EU rules, calculated from the end of the calendar year in which the transaction occurred or, where applicable, in which the business relationship ended. The data is destroyed no later than 10 years after that date.
- Operational logs and technical event data: retained for 12 months and then deleted or anonymised, except where a longer period is necessary to investigate a security incident or to comply with a legal obligation.
- Data processed to resolve a dispute or legal claim: retained until the dispute is resolved and any applicable limitation period has expired.
Once the retention period for a category of data has expired, the data is deleted or anonymised in accordance with our internal deletion procedures.
6. Recipients and disclosure of personal data
We share personal data only with the following categories of recipients, and only to the extent necessary:
- Shopify Inc. and its group companies as the operator of the Shopify platform and as the channel through which the App is delivered to the Merchant.
- The Merchant whose Shopify store initiated the payment, so that the Merchant can fulfil the order and reconcile the payment.
- Banks, payment networks, and scheme operators, including the PayU network and the Shopper’s and Merchant’s banks, as required to route and settle the payment.
- Sub-processors engaged by Unzer to host, operate, and secure the App and the underlying payment infrastructure, under written agreements that comply with Article 28 GDPR. A current list of sub-processors is available on request from datenschutz@unzer.com.
- Public authorities, supervisory authorities, and courts, where we are required by law to disclose the data (for example, financial supervisory authorities, tax authorities, or law-enforcement agencies acting under a valid legal request).
- Professional advisers (such as auditors and lawyers), where necessary for the purposes described in Section 4 and subject to confidentiality obligations.
We do not sell personal data, and we do not share personal data for cross-context behavioural advertising.
7. International data transfers
Unzer is established in Germany. Personal data processed through the App is primarily stored and processed on servers located within the European Economic Area (“EEA”).
Where a transfer of personal data outside the EEA is necessary (for example, to a sub-processor located in a third country), we ensure that an appropriate transfer mechanism under Chapter V of the GDPR is in place. This may include:
- a European Commission adequacy decision under Article 45 GDPR;
- Standard Contractual Clauses adopted by the European Commission under Article 46(2) GDPR, supplemented where appropriate by additional technical and organisational measures; or
- another transfer mechanism permitted by the GDPR.
You can request a copy of the safeguards applied to a specific transfer by contacting datenschutz@unzer.com.
8. Your rights under the GDPR
Subject to the conditions and limitations set out in the GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15 GDPR) — to obtain confirmation as to whether we process personal data about you, and to receive a copy of that data.
- Right to rectification (Article 16 GDPR) — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure / “right to be forgotten” (Article 17 GDPR) — to have personal data deleted where one of the grounds in Article 17(1) GDPR applies, subject to the exceptions in Article 17(3), including our obligation to retain transaction records under financial, accounting, and anti-money-laundering legislation.
- Right to restriction of processing (Article 18 GDPR).
- Right to data portability (Article 20 GDPR), in respect of data that you have provided to us and that is processed by automated means on the basis of consent or contract.
- Right to object (Article 21 GDPR), in particular to processing based on our legitimate interests.
- Right to withdraw consent (Article 7(3) GDPR), where processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to a decision based solely on automated processing (Article 22 GDPR). The App does not carry out such automated decision-making.
To exercise any of these rights, please contact datenschutz@unzer.com. We will respond within the time limits required by the GDPR (in principle, within one month of receipt of the request, extendable by a further two months for complex requests in accordance with Article 12(3) GDPR).
You also have the right to lodge a complaint with a supervisory authority (Article 77 GDPR). The competent authority for Unzer Group GmbH is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de
You may also contact the supervisory authority in the EU/EEA member state of your habitual residence or place of work.
9. Security
Unzer applies appropriate technical and organisational measures within the meaning of Article 32 GDPR to protect personal data processed through the App against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include encryption of payment data in transit and at rest, strict access controls on a need-to-know basis, network segmentation, logging and monitoring, and regular security testing. As a regulated payment institution, Unzer is also subject to industry security standards applicable to payment services, including PCI-DSS where relevant.
10. Children
The App is not directed at children. We do not knowingly collect personal data from individuals under the age of 16 through the App. If you believe that we have inadvertently received personal data from a child, please contact datenschutz@unzer.com and we will delete the data without undue delay.
11. Changes to this Policy
We may update this Policy from time to time to reflect changes in the App, in our processing activities, or in applicable law. The “Last updated” date at the top of this Policy indicates when it was most recently revised. We encourage you to review this Policy periodically. Material changes will be communicated through the App listing on the Shopify App Store and, where appropriate, directly to Merchants.
12. Contact
If you have any questions about this Policy or about how we process personal data in connection with the App, please contact us at:
Unzer Group GmbH
Schöneberger Str. 21 a
10963 Berlin, Germany
Telephone: +49 30 837 93 000
Data protection: datenschutz@unzer.com
For Unzer’s general data protection statement, please see https://www.unzer.com/en/data-protection/.
