Data Security & Privacy
How REasy handles your shipment and VAT data
REasy processes order, shipment, and VAT transaction data on behalf of EU merchants as a data processor under GDPR. Here is exactly what we hold, why we hold it, who we share it with, and how long we keep it — without the boilerplate.
Designed with GDPR controls
Art. 6(1)(b) — contractual necessity processing
Encrypted in transit and at rest
TLS 1.3 in transit, AES-256 at rest
Least-privilege API access
Only the Shopify scopes fulfillment requires
GDPR & Privacy
Designed with GDPR controls
- Order and shipment data processed under Art. 6(1)(b) contractual necessity — no separate consent required for fulfillment
- No sale or transfer of your customer data to third parties beyond the carrier and customs authority required for DDP clearance
- Data retention limited to the period required for customs audit (typically 5 years per EU customs regulations)
- REasy applies GDPR Art. 25 data minimisation principles throughout its architecture. We do not hold a GDPR certification — no such third-party certification exists under EU law. Our privacy posture is documented in the Privacy Policy and available for your DPA on request.
- REasy maps VAT transaction data to the IOSS and OSS schemas accepted by the relevant EU tax authority (MOSS portal). We do not hold a tax-authority approval for any specific member state — VAT obligations remain with the merchant, and REasy pre-populates the filings for your review and submission.
Infrastructure
Encryption and access controls
Encryption in transit
All API traffic between REasy, your Shopify store, and carrier systems uses TLS 1.3.
Encryption at rest
Shipment records and VAT transaction data are encrypted at rest in EU-region cloud storage.
Least-privilege access
REasy requests only the Shopify scopes required for order fulfillment — read orders, write fulfillments, no financial data access.
Shopify App Permissions
Only the permissions we need
REasy requests the minimum Shopify API scopes required to generate DDP labels and file customs declarations. We do not access financial data, payment methods, or customer login credentials.
| Shopify Scope | Permission | Why REasy needs it |
|---|---|---|
| read_orders | Read order data | Access product, destination, and value data to calculate duty and generate customs invoice |
| write_orders | Update order metadata | Attach DDP label URL and customs reference number to the order record |
| read_products | Read product catalogue | Access product HS code mappings and declared values for customs filing |
| write_fulfillments | Create fulfillment records | Mark orders as fulfilled with the DDP carrier tracking number after label generation |
| read_customers | Read delivery address | Determine destination country for duty rate calculation — no PII stored beyond the fulfillment period |