Last updated: June 21, 2026
Returner ("we", "us", "our") is a returns management platform for e-commerce merchants, available as a Shopify application. The Service is operated by Friros AB, a company registered in Sweden (org. nr 559100-9047, VAT SE559100904701), with its registered office at Svampvägen 3A, 705 10 Örebro, Sweden. Friros AB is the Data Controller for the purposes described in Section 3.
This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use the Returner platform, including our Shopify application, merchant dashboard, customer-facing return portal, and marketing website at returner.me (collectively, the "Service").
If you access our Service through the Shopify App Store or another third-party platform, we may receive information about you from that platform in accordance with your privacy settings and that platform's policies. Our processing of such information is governed by this Privacy Policy.
The distinction between Data Controller and Data Processor is central to understanding how personal data flows through our Service:
When processing End Customer data (names, email addresses, phone numbers, shipping addresses, order details, return information) on behalf of a Merchant, Returner acts as a Data Processor. The Merchant is the Data Controller for this data and determines the purposes and means of processing. Returner processes this data solely to provide the Service as instructed by the Merchant.
If you are an End Customer and wish to exercise your data protection rights regarding data held in connection with a Merchant's store, please contact the Merchant directly, as they are the Data Controller. We will assist the Merchant in fulfilling such requests in accordance with our obligations as a Data Processor.
Returner acts as a Data Controller for: (a) Merchant account information (business name, contact email, billing details); (b) usage data and analytics relating to how Merchants interact with the Service; and (c) data collected through our marketing website (returner.me), such as contact form submissions and newsletter sign-ups.
A Data Processing Agreement (DPA) is available upon request for Merchants who require one under applicable data protection law. Contact [email protected] to request a copy.
When a Merchant installs our Shopify application, we collect and store:
When an End Customer initiates a return through a Merchant's return portal, we collect the following on behalf of the Merchant:
When you access any part of the Service, we automatically collect certain technical information:
To operate, secure, and improve the Service we use privacy-respecting analytics. Our core analytics -- Plausible (an EU-based, cookieless web-analytics provider) and PostHog (cookieless product analytics) -- run at all times, set no cookies, and store no personal data. With your consent, given through our cookie banner, we also use Google Analytics 4 (web analytics) and, for advertising measurement and remarketing, Google Ads and the LinkedIn Insight Tag. Consent is collected via a banner implementing Google Consent Mode v2: these non-essential analytics and advertising tags do not load until you grant the relevant consent, and you can change or withdraw your consent at any time using the "Cookie settings" link in the footer.
On our marketing website we also set a first-party, first-touch attribution cookie that records the marketing channel a visitor first arrived from (such as the first UTM parameters, referrer, and landing page). This cookie is first-party only -- it is not shared with third parties and is not used for cross-site tracking. It simply helps us understand which channels bring merchants to Returner. See Section 13 for the full cookie inventory and Section 7 for the providers involved.
We process Personal Data for the following purposes, with the corresponding legal basis under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Provide, operate, and maintain the Service | Performance of contract (Art. 6(1)(b)) |
| Process returns, refunds, and exchanges on behalf of Merchants | Performance of contract (Art. 6(1)(b)) |
| Generate shipping labels and coordinate with carriers | Performance of contract (Art. 6(1)(b)) |
| Send transactional notifications (return status updates) | Performance of contract (Art. 6(1)(b)) |
| Provide analytics and reporting to Merchants | Legitimate interest (Art. 6(1)(f)) |
| Process billing and payments | Performance of contract (Art. 6(1)(b)) |
| Detect, prevent, and address fraud or security issues | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (tax, data retention) | Legal obligation (Art. 6(1)(c)) |
| Improve the Service and develop new features | Legitimate interest (Art. 6(1)(f)) |
| Respond to support requests | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override the rights and freedoms of data subjects.
We do not sell, rent, or trade Personal Data to third parties. We share information only in the following circumstances:
We share data with third-party service providers who assist in delivering the Service. Each provider processes data only for the specified purpose and under contractual obligations to protect Personal Data. See Section 7 for a complete list.
We sync return status, refund information, and store credit data back to Shopify to maintain consistency between the Returner platform and the Merchant's Shopify admin. This processing is governed by Shopify's own privacy policy and our API integration agreement.
When generating return shipping labels, we share the End Customer's name and address with the carrier selected by the Merchant (such as DHL, PostNord, FedEx, or Bring). This is necessary to fulfill the return shipment and is done on behalf of the Merchant.
We may disclose Personal Data if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, safety, or property of Returner, our Merchants, or others.
If Returner (Friros AB) is involved in a merger, acquisition, or sale of assets, Personal Data may be transferred as part of that transaction. We will notify affected parties of any change in ownership or control of their Personal Data.
We engage the following Sub-Processors to help deliver the Service. Some are used only when a related feature is enabled (for example, customer payment processing, AI-assisted features, analytics, or error monitoring) or when selected by the Merchant (for example, a shipping carrier). We may add, replace, or remove Sub-Processors as the Service evolves and will update this list accordingly:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | E-commerce platform, order/return data sync | Canada / USA |
| DigitalOcean LLC | Cloud infrastructure and database hosting | EU (Frankfurt) |
| Revolut Ltd | Payment processing (merchant subscription billing) | United Kingdom |
| Stripe, Inc. | Payment processing for customer top-up payments (e.g. exchange price differences), where a Merchant enables this feature with their own Stripe account | USA / EU |
| Resend, Inc. | Transactional email delivery (return notifications and verification codes) | USA |
| Anthropic, PBC | AI-assisted features (merchant support assistant and analytics). Only the data needed to fulfil a given request is sent, under Anthropic's commercial terms. Off by default — see our AI Policy for which surfaces use it, what data is sent, and how a merchant enables it. | USA |
| PostHog, Inc. | Cookieless product-usage analytics, where enabled | USA |
| Plausible Analytics OÜ | Cookieless web analytics; aggregated, pseudonymous traffic data only (no personal data, no order PII) | EU (Estonia) |
| Google Ireland Ltd | Google Analytics 4 web analytics; loads only after Analytics consent. Pseudonymous usage/event data and IP-based approximate location; no order PII | EU / USA (consent-gated) |
| Google Ireland Ltd | Google Ads advertising measurement & remarketing; loads only after Marketing consent. Pseudonymous conversion/event data; no order PII is shared with the ad network | EU / USA (consent-gated) |
| LinkedIn Ireland Unlimited Company | LinkedIn Insight Tag advertising measurement; loads only after Marketing consent. Pseudonymous usage/event data; no order PII is shared with the ad network | EU / USA (consent-gated) |
| Functional Software, Inc. (Sentry) | Application error monitoring, where enabled; personal data is scrubbed before transmission | USA |
| DHL International GmbH | Return shipping label generation and tracking | Germany |
| Bring (Posten Norge AS) | Return shipping label generation and tracking | Norway |
| FedEx Corporation | Return shipping label generation and tracking | USA |
| PostNord Group AB | Return shipping label generation and tracking | Sweden / Denmark |
We will update this list when Sub-Processors are added or changed. Merchants who require advance notification of Sub-Processor changes may request this by contacting [email protected].
Our primary database and application servers are hosted on DigitalOcean infrastructure in the European Union (Frankfurt, Germany). However, some data may be transferred to countries outside the EU/EEA as part of normal service operations, for example when syncing data with Shopify (Canada/USA) or generating shipping labels with carriers operating globally.
Where Personal Data is transferred outside the EU/EEA, we ensure adequate protection through:
You may request a copy of the relevant transfer mechanism by contacting [email protected].
We retain Personal Data in accordance with the following schedule:
| Data Category | Retention Period |
|---|---|
| Merchant account data | Duration of the Merchant's active account |
| End Customer data (orders, returns) | As determined by the Merchant's retention settings, or duration of account |
| Data after app uninstall | Deleted within 48 hours of uninstall, per Shopify requirements |
| Billing and invoice records | 7 years (Swedish Accounting Act, Bokforingslag 1999:1078) |
| Server logs | 30 days |
| GDPR request records | 3 years (for demonstrating compliance) |
When a Merchant uninstalls the Shopify application, we receive notification via webhook. All Merchant and associated End Customer data is permanently deleted within 48 hours. Anonymized or aggregated data that cannot be used to identify any individual may be retained for analytical purposes.
We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee absolute security.
Breach notification. Where we process data as a Data Processor on behalf of a Merchant, we will notify the affected Merchant (the Data Controller) of any confirmed Personal Data Breach affecting their data without undue delay after becoming aware of it, and provide the information reasonably needed to support the Merchant's own notification obligations. Where we act as Data Controller (for example, for Merchant account data), we will notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to individuals' rights, and notify affected individuals without undue delay where the risk is high, in accordance with Articles 33 and 34 of the GDPR.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
The Service includes a configurable automation rules engine (which can, for example, auto-approve returns that meet Merchant-defined conditions) and risk/fraud signals that flag returns for review. These tools operate under parameters set and supervised by the Merchant (the Data Controller). They are designed to assist Merchant decision-making rather than to produce legal or similarly significant effects on an End Customer without human involvement, and a Merchant retains the ability to review, override, and manually decide any return. If an End Customer believes an automated outcome has significantly affected them, they may contact the Merchant to request human review of the decision.
The Service also offers optional AI-assisted features -- a merchant-facing support assistant and aggregated analytics -- that may process Merchant and order data to generate suggestions and insights. These features are advisory, are directed to the Merchant, and do not make automated decisions about End Customers. Where they rely on an AI Sub-Processor, that provider is listed in Section 7, and only the data needed to fulfil the request is sent.
For End Customers: if your data is processed through a Merchant's store, please contact the Merchant directly, as they are the Data Controller. We will assist the Merchant in fulfilling your request.
For Merchants: to exercise any of these rights, email [email protected]. We will respond within 30 days. If we need additional time, we will inform you within the initial 30-day period.
You also have the right to lodge a complaint with your local supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), reachable at imy.se.
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other US states with comprehensive privacy legislation, you may have additional rights:
We do not collect Sensitive Personal Information as defined under the CPRA, and we do not use or disclose Personal Information for purposes that would require an opt-out. To exercise your rights, contact [email protected]. We will verify your identity before processing requests. You may also designate an authorized agent to make a request on your behalf. We will acknowledge receipt within 10 business days and respond to verifiable requests within 45 days, extendable by a further 45 days where reasonably necessary, with notice to you.
Residents of these states have similar rights to access, correct, delete, and opt-out. We honor all such requests in accordance with applicable state law. To exercise your rights or appeal a decision, email [email protected].
We use strictly-necessary cookies to run the Service and, on our marketing website and only with your consent, analytics and advertising cookies. The table below lists the cookies and similar technologies we use:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication and session management for the merchant dashboard | Session (expires on browser close) |
| Shopify nonce | CSRF protection during OAuth installation flow | 10 minutes |
| Purchase token | Link pre-install payment to Shopify app installation | 7 days |
| returner_consent_v1 | Strictly necessary. Stores your cookie-consent choices (localStorage on the marketing website) so we know which non-essential tags you have allowed | Persistent (until you change or clear it) |
| _fr_attr | Marketing attribution (first-party, first-touch). Set on your first visit to record the channel you arrived from (first UTM parameters, referrer, landing page). Not shared, not used for cross-site tracking | 90 days |
| _ga, _ga_* | Google Analytics. Distinguishes visitors for web analytics. Set only after you grant Analytics consent | ~13 months |
| _gcl_au | Google Ads conversion linker. Measures ad-driven conversions. Set only after you grant Marketing consent | ~90 days |
| bcookie, lidc, UserMatchHistory | LinkedIn Insight Tag. Advertising measurement and remarketing. Set only after you grant Marketing consent | Up to ~1 year (varies by cookie) |
Our cookieless analytics providers (Plausible and PostHog) set no cookies and store no personal data.
Analytics and advertising cookies are used only after you consent. On our marketing website a cookie banner offers granular choices -- Accept all, Reject non-essential, or Customise (separately for Analytics and Marketing) -- and implements Google Consent Mode v2 with all non-essential consent denied by default. The relevant Google Analytics 4, Google Ads, and LinkedIn Insight Tag tags do not load until you grant the corresponding consent. You can change or withdraw your consent at any time using the "Cookie settings" link in the footer; withdrawing consent stops the corresponding tags from loading on future visits. Our cookieless analytics (Plausible and PostHog) carry no cookies and are unaffected by these choices.
Strictly-necessary cookies are exempt from consent under the ePrivacy Directive (2002/58/EC) and are always on; you may block them through your browser settings, but this may prevent the Service from functioning correctly. Our legal basis is your consent (Art. 6(1)(a) GDPR) for analytics and marketing cookies, and legitimate interest or performance of a contract (Art. 6(1)(f) / 6(1)(b) GDPR) for strictly-necessary cookies.
The Service is designed for business use by Merchants and is not directed at children under the age of 16. We do not knowingly collect Personal Data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child has provided us with Personal Data, please contact [email protected].
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.
Where an End Customer exercises the statutory EU/EEA right of withdrawal through a Merchant's return portal, Returner processes withdrawal-related data on behalf of the Merchant (who remains the Data Controller, as described in Section 3). This processing supports the Merchant's compliance with EU consumer law (Directive 2011/83/EU).
For this purpose we process, on the Merchant's behalf:
The legal basis for this processing is the Merchant's performance of contract and compliance with its legal obligations under consumer law; the audit trail may be retained to demonstrate compliance, subject to the retention rules in Section 9 and the Merchant's instructions. End Customers wishing to exercise data protection rights over this data should contact the Merchant, who is the Data Controller. Returner does not provide legal advice, and Merchants should confirm their own withdrawal obligations with legal counsel.
For privacy-related questions, requests, or complaints:
Friros AB
Svampvägen 3A, 705 10 Örebro, Sweden
Org. nr 559100-9047 · VAT SE559100904701
Privacy inquiries: [email protected]
General support: [email protected]
Supervisory authority: Integritetsskyddsmyndigheten (IMY)
Website: imy.se
Data Protection Officer. Given the nature and scale of our processing, we are not required to appoint a statutory Data Protection Officer under Article 37 of the GDPR. Our privacy contact point for all data protection matters is [email protected].
Representatives. Friros AB is established within the EU/EEA (Sweden) and is therefore not required to appoint an EU representative under Article 27 of the GDPR. Where we offer the Service to, or monitor, individuals in the United Kingdom and are required to do so under the UK GDPR, we will appoint a UK representative; please contact [email protected] for current representative details.