In Development · Coming soon

Security & Privacy

Germany-compliant. EU-hosted.

PackMate is built for German Shopify shops first — EU-only hosting, GDPR by default, encryption at rest, DHL data flowing through your own Geschäftskunden account. The boring layer your legal team will ask about, done right.

Six pillars

How we keep your data safe

Six concrete commitments. No marketing fluff, just the controls and the receipts.

EU hosting (Hetzner Frankfurt)

PostgreSQL and application servers in Frankfurt am Main. ISO 27001 certified data centre, EU-only data residency.

  • Hetzner FSN1 / NBG1 region (Germany)
  • ISO 27001:2022 certified data centre
  • No data leaves the EU — neither for backup nor analytics
  • Daily encrypted backups, 30-day retention

Encryption everywhere

TLS 1.3 in transit. Encrypted disks at rest. API keys SHA-256 hashed, session tokens via JWT with short TTL.

  • TLS 1.3 with strong cipher suites only
  • Disk encryption at rest (LUKS)
  • API keys hashed with SHA-256, never stored in plaintext
  • Session tokens via JWT, 15-minute TTL with rotation

GDPR by default

Full GDPR webhook implementation, 30-day data retention after uninstall, DPA available on request.

  • customers.redact + customers.data_request webhooks
  • shop.redact + app.uninstalled with full data deletion
  • 30-day retention window post-uninstall
  • DPA (Auftragsverarbeitungsvertrag) on request for B2B

DHL data path

When you generate a DHL label, customer addresses go directly to DHL through your own Geschäftskunden API — we only store the resulting label PDF and tracking number.

  • Customer address sent direct to DHL, not stored by us
  • Only label URL + tracking number persisted
  • Your DHL business contract governs DHL's data handling
  • Encryption-in-transit for the entire DHL exchange

LUCID compliance

We capture packaging data on every pack so you can submit your LUCID Mengenmeldung. Aggregated, not per-customer — no PII is ever shared with LUCID.

  • Aggregate weight per material category, never per customer
  • CSV export ready for the official LUCID portal
  • Stored in your account, exported when you click — never auto-submitted
  • We're not a duales System — we just hand you the data

Audit trail

Every API key has last-used tracking. Every pack calculation is logged with a permanent ID. Multi-user changes are attributable to the Shopify staff member.

  • API key last-used + IP tracking
  • Pack calculation log with permanent IDs
  • Shopify staff attribution for every write
  • Audit-grade history retention on Business plans (3 years)

Subprocessors

Who else touches your data

Short list, by design. Each subprocessor is triggered by a specific feature — never automatically, never for analytics.

| Processor | Purpose | Location | When |
|---|---|---|---|
| Hetzner Online GmbH (Hosting provider) | Database + application hosting | Frankfurt am Main, DE | Always |
| Shopify Inc. (Platform host) | App distribution + billing | EU (Shopify EU billing) | Always |
| Deutsche Post DHL Group (Carrier) | Label generation | DE | When you create a label |
| Anthropic / OpenAI / your AI provider (AI inference) | Your AI client (Claude, ChatGPT) | Per provider | When YOU initiate an AI request |

AI providers are listed because PackMate exposes MCP tools to your AI client — but PackMate doesn't proxy AI requests. The AI provider only sees what you send through your own subscription.

Compliance badges

Standards we hit

We don't claim certifications we don't have. Here's the actual stack.

Compliance

GDPR

Full Article 28 DPA available on request. EU-only data residency, 30-day retention, redaction webhooks.

Infrastructure

EU hosting via ISO 27001

Hetzner Frankfurt — ISO 27001:2022 certified. Data residency in Germany, no third-country transfers.

Platform

Shopify App Store

Listed app, vetted via Shopify's app review process. GDPR webhooks mandatory and implemented.

Accessibility

WCAG 2.1 AA target

Admin UI built to WCAG 2.1 AA. Skip-to-content, focus-visible rings, prefers-reduced-motion respected.

Need a DPA or security questionnaire?

Email security@packmate.shop. We respond within 1–2 business days with the full DPA, security overview PDF, or answers to your questionnaire.