C ClearToMake← Back to website

1. Controller

The controller for this website and ClearToMake's own business operations is Maximilian Brückmann. Contact: support@cleartomake.com.

For customer and order data processed through the Shopify app, the relevant Shopify merchant generally remains the controller and ClearToMake acts as its processor.

2. Website access and server logs

When you access this website, technical request data may be processed, including IP address, timestamp, requested URL, response status, referrer, and browser information. This is necessary to deliver the site, diagnose errors, and protect the service against misuse. The legal basis is Article 6(1)(f) GDPR.

The public website does not use advertising or analytics cookies. Essential session and security technologies may be used when a merchant signs into the Shopify app.

3. Contact requests

If you contact us by email, we process your address, message, and related metadata to respond. The legal basis is Article 6(1)(b) GDPR for pre-contractual or contractual communication and Article 6(1)(f) GDPR for other business inquiries.

4. Shopify app data

The beta app processes only data needed for the approval workflow:

  • shop domain, authorised staff session, and app settings;
  • order reference, product title, customer name, and customer email;
  • proof files, proof versions, notes, and approval status;
  • decision timestamps, production-gate state, and approval receipts.

The merchant determines why this customer data is processed. The ClearToMake Data Processing Agreement forms part of the service terms and governs this processing.

5. Service providers

We currently use the following providers to operate ClearToMake:

  • Shopify for app authentication, order access, and embedded administration;
  • Railway for application hosting and database storage in an EU region;
  • Resend for transactional approval email, configured in its EU sending region;
  • Cloudflare for DNS management, support-email routing, and client-side encrypted backup storage in R2.

Some providers are headquartered outside the European Economic Area. Where personal data is transferred internationally, the provider's applicable transfer safeguards, such as an adequacy decision or standard contractual clauses, are used.

6. Retention and deletion

Approval records, proof files, and decision receipts are retained for up to 24 months after their last update. Prepared data-subject exports are retained for up to 30 days, and security access logs for up to 12 months. When a Shopify merchant uninstalls the app, its sessions, settings, approval requests, proof data, events, receipts, and access logs are deleted from the active database. Encrypted backup copies, when enabled, expire under the documented backup schedule.

7. Your rights

Subject to the conditions of the GDPR, you may request access, rectification, erasure, restriction, portability, or object to processing based on legitimate interests. You may also lodge a complaint with a competent data protection supervisory authority.

For data held by a Shopify merchant, please contact that merchant first. We assist merchants with valid data-subject requests.

8. Changes to this notice

We update this notice when the product, providers, or legal requirements change. The date shown at the top identifies the current version.