Returner
  • Exchanges Instant refunds Claims Automation Insights Fraud & risk EU compliance
  • Portal
  • Carriers
  • Developers
  • Pricing
Try the demo

Privacy Policy

Last updated: June 21, 2026

Contents

  1. Introduction & Scope
  2. Definitions
  3. Data Controller & Data Processor
  4. Information We Collect
  5. How We Use Information
  6. How We Share Information
  7. Sub-Processors
  8. International Data Transfers
  9. Data Retention
  10. Data Security
  11. Your Rights Under GDPR
  12. US State Privacy Rights
  13. Cookies & Tracking Technologies
  14. Children's Privacy
  15. Changes to This Policy
  16. EU Right of Withdrawal Data
  17. Contact Us

1. Introduction & Scope

Returner ("we", "us", "our") is a returns management platform for e-commerce merchants, available as a Shopify application. The Service is operated by Friros AB, a company registered in Sweden (org. nr 559100-9047, VAT SE559100904701), with its registered office at Svampvägen 3A, 705 10 Örebro, Sweden. Friros AB is the Data Controller for the purposes described in Section 3.

This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use the Returner platform, including our Shopify application, merchant dashboard, customer-facing return portal, and marketing website at returner.me (collectively, the "Service").

If you access our Service through the Shopify App Store or another third-party platform, we may receive information about you from that platform in accordance with your privacy settings and that platform's policies. Our processing of such information is governed by this Privacy Policy.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Data Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
  • "Merchant" means a business that installs and uses the Returner Shopify application to manage returns.
  • "End Customer" means a consumer who interacts with the Returner return portal to initiate or track a return on a Merchant's store.
  • "Service" means the Returner platform, including the Shopify application, merchant dashboard, return portal, APIs, and associated websites.

3. Data Controller & Data Processor

The distinction between Data Controller and Data Processor is central to understanding how personal data flows through our Service:

Returner as Data Processor

When processing End Customer data (names, email addresses, phone numbers, shipping addresses, order details, return information) on behalf of a Merchant, Returner acts as a Data Processor. The Merchant is the Data Controller for this data and determines the purposes and means of processing. Returner processes this data solely to provide the Service as instructed by the Merchant.

If you are an End Customer and wish to exercise your data protection rights regarding data held in connection with a Merchant's store, please contact the Merchant directly, as they are the Data Controller. We will assist the Merchant in fulfilling such requests in accordance with our obligations as a Data Processor.

Returner as Data Controller

Returner acts as a Data Controller for: (a) Merchant account information (business name, contact email, billing details); (b) usage data and analytics relating to how Merchants interact with the Service; and (c) data collected through our marketing website (returner.me), such as contact form submissions and newsletter sign-ups.

A Data Processing Agreement (DPA) is available upon request for Merchants who require one under applicable data protection law. Contact [email protected] to request a copy.

4. Information We Collect

4.1 Information from Merchants

When a Merchant installs our Shopify application, we collect and store:

  • Account information -- Shopify store name, domain, owner email, staff email addresses, and user roles
  • Store configuration -- currency, timezone, locale, and Shopify plan type
  • Billing information -- email address for invoicing. Payment card details are processed directly by our payment provider (Revolut) and are never stored on our servers.
  • Return policy settings -- return windows, reasons, automation rules, branding preferences, and carrier configurations
  • Usage data -- pages viewed within the dashboard, features used, and frequency of access

4.2 Information from End Customers (on behalf of Merchants)

When an End Customer initiates a return through a Merchant's return portal, we collect the following on behalf of the Merchant:

  • Identity information -- name, email address, and phone number as associated with the original order
  • Order information -- order number, line items, prices, and fulfillment details (synced from Shopify)
  • Return details -- selected items, return reasons, condition descriptions, and uploaded photographs
  • Shipping information -- shipping address for return label generation
  • Store credit information -- credit balances, transaction history, and redemption records

4.3 Information collected automatically

When you access any part of the Service, we automatically collect certain technical information:

  • Device and browser information -- IP address, browser type and version, operating system, device type, and screen resolution
  • Usage information -- pages visited, time spent on pages, referral URLs, and interaction patterns
  • Cookies -- essential session cookies for authentication and functionality (see Section 13)

To operate, secure, and improve the Service we use privacy-respecting analytics. Our core analytics -- Plausible (an EU-based, cookieless web-analytics provider) and PostHog (cookieless product analytics) -- run at all times, set no cookies, and store no personal data. With your consent, given through our cookie banner, we also use Google Analytics 4 (web analytics) and, for advertising measurement and remarketing, Google Ads and the LinkedIn Insight Tag. Consent is collected via a banner implementing Google Consent Mode v2: these non-essential analytics and advertising tags do not load until you grant the relevant consent, and you can change or withdraw your consent at any time using the "Cookie settings" link in the footer.

On our marketing website we also set a first-party, first-touch attribution cookie that records the marketing channel a visitor first arrived from (such as the first UTM parameters, referrer, and landing page). This cookie is first-party only -- it is not shared with third parties and is not used for cross-site tracking. It simply helps us understand which channels bring merchants to Returner. See Section 13 for the full cookie inventory and Section 7 for the providers involved.

5. How We Use Information

We process Personal Data for the following purposes, with the corresponding legal basis under GDPR Article 6:

PurposeLegal Basis
Provide, operate, and maintain the ServicePerformance of contract (Art. 6(1)(b))
Process returns, refunds, and exchanges on behalf of MerchantsPerformance of contract (Art. 6(1)(b))
Generate shipping labels and coordinate with carriersPerformance of contract (Art. 6(1)(b))
Send transactional notifications (return status updates)Performance of contract (Art. 6(1)(b))
Provide analytics and reporting to MerchantsLegitimate interest (Art. 6(1)(f))
Process billing and paymentsPerformance of contract (Art. 6(1)(b))
Detect, prevent, and address fraud or security issuesLegitimate interest (Art. 6(1)(f))
Comply with legal obligations (tax, data retention)Legal obligation (Art. 6(1)(c))
Improve the Service and develop new featuresLegitimate interest (Art. 6(1)(f))
Respond to support requestsLegitimate interest (Art. 6(1)(f))

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override the rights and freedoms of data subjects.

6. How We Share Information

We do not sell, rent, or trade Personal Data to third parties. We share information only in the following circumstances:

6.1 Service providers (Sub-Processors)

We share data with third-party service providers who assist in delivering the Service. Each provider processes data only for the specified purpose and under contractual obligations to protect Personal Data. See Section 7 for a complete list.

6.2 Shopify

We sync return status, refund information, and store credit data back to Shopify to maintain consistency between the Returner platform and the Merchant's Shopify admin. This processing is governed by Shopify's own privacy policy and our API integration agreement.

6.3 Shipping carriers

When generating return shipping labels, we share the End Customer's name and address with the carrier selected by the Merchant (such as DHL, PostNord, FedEx, or Bring). This is necessary to fulfill the return shipment and is done on behalf of the Merchant.

6.4 Legal requirements

We may disclose Personal Data if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, safety, or property of Returner, our Merchants, or others.

6.5 Business transfers

If Returner (Friros AB) is involved in a merger, acquisition, or sale of assets, Personal Data may be transferred as part of that transaction. We will notify affected parties of any change in ownership or control of their Personal Data.

7. Sub-Processors

We engage the following Sub-Processors to help deliver the Service. Some are used only when a related feature is enabled (for example, customer payment processing, AI-assisted features, analytics, or error monitoring) or when selected by the Merchant (for example, a shipping carrier). We may add, replace, or remove Sub-Processors as the Service evolves and will update this list accordingly:

Sub-ProcessorPurposeLocation
Shopify Inc.E-commerce platform, order/return data syncCanada / USA
DigitalOcean LLCCloud infrastructure and database hostingEU (Frankfurt)
Revolut LtdPayment processing (merchant subscription billing)United Kingdom
Stripe, Inc.Payment processing for customer top-up payments (e.g. exchange price differences), where a Merchant enables this feature with their own Stripe accountUSA / EU
Resend, Inc.Transactional email delivery (return notifications and verification codes)USA
Anthropic, PBCAI-assisted features (merchant support assistant and analytics). Only the data needed to fulfil a given request is sent, under Anthropic's commercial terms. Off by default — see our AI Policy for which surfaces use it, what data is sent, and how a merchant enables it.USA
PostHog, Inc.Cookieless product-usage analytics, where enabledUSA
Plausible Analytics OÜCookieless web analytics; aggregated, pseudonymous traffic data only (no personal data, no order PII)EU (Estonia)
Google Ireland LtdGoogle Analytics 4 web analytics; loads only after Analytics consent. Pseudonymous usage/event data and IP-based approximate location; no order PIIEU / USA (consent-gated)
Google Ireland LtdGoogle Ads advertising measurement & remarketing; loads only after Marketing consent. Pseudonymous conversion/event data; no order PII is shared with the ad networkEU / USA (consent-gated)
LinkedIn Ireland Unlimited CompanyLinkedIn Insight Tag advertising measurement; loads only after Marketing consent. Pseudonymous usage/event data; no order PII is shared with the ad networkEU / USA (consent-gated)
Functional Software, Inc. (Sentry)Application error monitoring, where enabled; personal data is scrubbed before transmissionUSA
DHL International GmbHReturn shipping label generation and trackingGermany
Bring (Posten Norge AS)Return shipping label generation and trackingNorway
FedEx CorporationReturn shipping label generation and trackingUSA
PostNord Group ABReturn shipping label generation and trackingSweden / Denmark

We will update this list when Sub-Processors are added or changed. Merchants who require advance notification of Sub-Processor changes may request this by contacting [email protected].

8. International Data Transfers

Our primary database and application servers are hosted on DigitalOcean infrastructure in the European Union (Frankfurt, Germany). However, some data may be transferred to countries outside the EU/EEA as part of normal service operations, for example when syncing data with Shopify (Canada/USA) or generating shipping labels with carriers operating globally.

Where Personal Data is transferred outside the EU/EEA, we ensure adequate protection through:

  • Adequacy decisions -- transfers to countries recognized by the European Commission as providing adequate data protection (e.g., Canada under PIPEDA)
  • Standard Contractual Clauses (SCCs) -- EU-approved contractual terms that bind the recipient to data protection obligations equivalent to those in the EU
  • UK International Data Transfer Addendum -- for transfers involving UK personal data

You may request a copy of the relevant transfer mechanism by contacting [email protected].

9. Data Retention

We retain Personal Data in accordance with the following schedule:

Data CategoryRetention Period
Merchant account dataDuration of the Merchant's active account
End Customer data (orders, returns)As determined by the Merchant's retention settings, or duration of account
Data after app uninstallDeleted within 48 hours of uninstall, per Shopify requirements
Billing and invoice records7 years (Swedish Accounting Act, Bokforingslag 1999:1078)
Server logs30 days
GDPR request records3 years (for demonstrating compliance)

When a Merchant uninstalls the Shopify application, we receive notification via webhook. All Merchant and associated End Customer data is permanently deleted within 48 hours. Anonymized or aggregated data that cannot be used to identify any individual may be retained for analytical purposes.

10. Data Security

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit -- all connections use TLS 1.2 or higher. No unencrypted HTTP connections are accepted.
  • Encryption of credentials at rest -- sensitive credentials, including Shopify and other third-party access tokens, are encrypted at the application layer (AES-256-GCM) before they are stored. Data is held on access-controlled servers in the EU; database access requires credentials and is not exposed to the public internet.
  • Access controls -- database access is restricted to application services. Administrative access requires SSH key authentication on a non-standard port.
  • Webhook verification -- all incoming Shopify webhooks are verified using HMAC-SHA256 signatures to prevent tampering.
  • Session security -- Shopify session tokens are validated using JWT verification. Customer portal sessions use time-limited, single-use verification codes.
  • Security headers -- Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers are set on all responses.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee absolute security.

Breach notification. Where we process data as a Data Processor on behalf of a Merchant, we will notify the affected Merchant (the Data Controller) of any confirmed Personal Data Breach affecting their data without undue delay after becoming aware of it, and provide the information reasonably needed to support the Merchant's own notification obligations. Where we act as Data Controller (for example, for Merchant account data), we will notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to individuals' rights, and notify affected individuals without undue delay where the risk is high, in accordance with Articles 33 and 34 of the GDPR.

11. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access (Art. 15) -- request a copy of the Personal Data we hold about you
  • Right to rectification (Art. 16) -- request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17) -- request deletion of your Personal Data, subject to legal retention requirements
  • Right to restrict processing (Art. 18) -- request that we limit how we use your data
  • Right to data portability (Art. 20) -- receive your data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21) -- object to processing based on legitimate interest or direct marketing
  • Right to withdraw consent (Art. 7(3)) -- where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal
  • Right related to automated decision-making (Art. 22) -- you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see "Automated processing" below)

Automated processing

The Service includes a configurable automation rules engine (which can, for example, auto-approve returns that meet Merchant-defined conditions) and risk/fraud signals that flag returns for review. These tools operate under parameters set and supervised by the Merchant (the Data Controller). They are designed to assist Merchant decision-making rather than to produce legal or similarly significant effects on an End Customer without human involvement, and a Merchant retains the ability to review, override, and manually decide any return. If an End Customer believes an automated outcome has significantly affected them, they may contact the Merchant to request human review of the decision.

The Service also offers optional AI-assisted features -- a merchant-facing support assistant and aggregated analytics -- that may process Merchant and order data to generate suggestions and insights. These features are advisory, are directed to the Merchant, and do not make automated decisions about End Customers. Where they rely on an AI Sub-Processor, that provider is listed in Section 7, and only the data needed to fulfil the request is sent.

For End Customers: if your data is processed through a Merchant's store, please contact the Merchant directly, as they are the Data Controller. We will assist the Merchant in fulfilling your request.

For Merchants: to exercise any of these rights, email [email protected]. We will respond within 30 days. If we need additional time, we will inform you within the initial 30-day period.

You also have the right to lodge a complaint with your local supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), reachable at imy.se.

12. US State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other US states with comprehensive privacy legislation, you may have additional rights:

California (CCPA/CPRA)

  • Right to know -- the categories and specific pieces of Personal Information we collect, the purposes of collection, and the categories of third parties with whom we share it
  • Right to delete -- request deletion of your Personal Information
  • Right to opt-out of sale -- we do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising.
  • Right to non-discrimination -- we will not discriminate against you for exercising your privacy rights

Categories of Personal Information collected (CCPA categories)

  • Identifiers (name, email, phone, IP address)
  • Commercial information (order history, return history, store credit balances)
  • Internet/electronic network activity (browser type, pages visited)

We do not collect Sensitive Personal Information as defined under the CPRA, and we do not use or disclose Personal Information for purposes that would require an opt-out. To exercise your rights, contact [email protected]. We will verify your identity before processing requests. You may also designate an authorized agent to make a request on your behalf. We will acknowledge receipt within 10 business days and respond to verifiable requests within 45 days, extendable by a further 45 days where reasonably necessary, with notice to you.

Virginia, Colorado, Connecticut, and other states

Residents of these states have similar rights to access, correct, delete, and opt-out. We honor all such requests in accordance with applicable state law. To exercise your rights or appeal a decision, email [email protected].

13. Cookies & Tracking Technologies

We use strictly-necessary cookies to run the Service and, on our marketing website and only with your consent, analytics and advertising cookies. The table below lists the cookies and similar technologies we use:

CookiePurposeDuration
Session cookieAuthentication and session management for the merchant dashboardSession (expires on browser close)
Shopify nonceCSRF protection during OAuth installation flow10 minutes
Purchase tokenLink pre-install payment to Shopify app installation7 days
returner_consent_v1Strictly necessary. Stores your cookie-consent choices (localStorage on the marketing website) so we know which non-essential tags you have allowedPersistent (until you change or clear it)
_fr_attrMarketing attribution (first-party, first-touch). Set on your first visit to record the channel you arrived from (first UTM parameters, referrer, landing page). Not shared, not used for cross-site tracking90 days
_ga, _ga_*Google Analytics. Distinguishes visitors for web analytics. Set only after you grant Analytics consent~13 months
_gcl_auGoogle Ads conversion linker. Measures ad-driven conversions. Set only after you grant Marketing consent~90 days
bcookie, lidc, UserMatchHistoryLinkedIn Insight Tag. Advertising measurement and remarketing. Set only after you grant Marketing consentUp to ~1 year (varies by cookie)

Our cookieless analytics providers (Plausible and PostHog) set no cookies and store no personal data.

Analytics and advertising cookies are used only after you consent. On our marketing website a cookie banner offers granular choices -- Accept all, Reject non-essential, or Customise (separately for Analytics and Marketing) -- and implements Google Consent Mode v2 with all non-essential consent denied by default. The relevant Google Analytics 4, Google Ads, and LinkedIn Insight Tag tags do not load until you grant the corresponding consent. You can change or withdraw your consent at any time using the "Cookie settings" link in the footer; withdrawing consent stops the corresponding tags from loading on future visits. Our cookieless analytics (Plausible and PostHog) carry no cookies and are unaffected by these choices.

Strictly-necessary cookies are exempt from consent under the ePrivacy Directive (2002/58/EC) and are always on; you may block them through your browser settings, but this may prevent the Service from functioning correctly. Our legal basis is your consent (Art. 6(1)(a) GDPR) for analytics and marketing cookies, and legitimate interest or performance of a contract (Art. 6(1)(f) / 6(1)(b) GDPR) for strictly-necessary cookies.

14. Children's Privacy

The Service is designed for business use by Merchants and is not directed at children under the age of 16. We do not knowingly collect Personal Data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child has provided us with Personal Data, please contact [email protected].

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify Merchants via email or in-app notification at least 30 days before changes take effect
  • Post the revised policy on this page

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.

16. EU Right of Withdrawal Data

Where an End Customer exercises the statutory EU/EEA right of withdrawal through a Merchant's return portal, Returner processes withdrawal-related data on behalf of the Merchant (who remains the Data Controller, as described in Section 3). This processing supports the Merchant's compliance with EU consumer law (Directive 2011/83/EU).

For this purpose we process, on the Merchant's behalf:

  • The End Customer's name, order reference, and preferred contact details captured during the two-step withdrawal confirmation
  • Outbound delivery and tracking data used to calculate the 14-day withdrawal window
  • A record of the durable-medium email acknowledgement sent to the End Customer
  • An immutable, exportable audit trail of withdrawal events (initiation, confirmation, acknowledgement, and outcome)

The legal basis for this processing is the Merchant's performance of contract and compliance with its legal obligations under consumer law; the audit trail may be retained to demonstrate compliance, subject to the retention rules in Section 9 and the Merchant's instructions. End Customers wishing to exercise data protection rights over this data should contact the Merchant, who is the Data Controller. Returner does not provide legal advice, and Merchants should confirm their own withdrawal obligations with legal counsel.

17. Contact Us

For privacy-related questions, requests, or complaints:

Friros AB
Svampvägen 3A, 705 10 Örebro, Sweden
Org. nr 559100-9047 · VAT SE559100904701

Privacy inquiries: [email protected]
General support: [email protected]

Supervisory authority: Integritetsskyddsmyndigheten (IMY)
Website: imy.se

Data Protection Officer. Given the nature and scale of our processing, we are not required to appoint a statutory Data Protection Officer under Article 37 of the GDPR. Our privacy contact point for all data protection matters is [email protected].

Representatives. Friros AB is established within the EU/EEA (Sweden) and is therefore not required to appoint an EU representative under Article 27 of the GDPR. Where we offer the Service to, or monitor, individuals in the United Kingdom and are required to do so under the UK GDPR, we will appoint a UK representative; please contact [email protected] for current representative details.

Returner

Return portal infrastructure
for e-commerce.

Platform

  • Return portal
  • Exchanges
  • Claims
  • Carriers
  • Automation
  • Insights
  • Fraud & risk
  • EU compliance
  • Developers

Resources

  • Try the demo

Company

  • Contact
  • Privacy
  • AI Policy
  • Terms

© 2026 Returner. Friros AB, Örebro, Sweden.

returner.me