Subprocessors
Overview
Withdrawly uses subprocessors to provide the Shopify app, withdrawal request workflow, transactional email, hosting, database, security, and observability services.
This page supports the Data Processing Agreement. Withdrawly will keep the list current before public launch and after material infrastructure changes.
Production Subprocessors
| Provider | Purpose | Data involved | Region / transfer note |
|---|---|---|---|
| Shopify Inc. | Shopify app platform, OAuth, Admin API, App Proxy, webhooks, billing | Shop identifiers, order/customer data made available through Shopify APIs, app installation data | Shopify operates globally. Transfers are handled under Shopify's platform terms, data processing terms, adequacy decisions where available, and SCCs where needed. |
| Fly.io Inc. | Application hosting for the Shopify app and SaaS surfaces | App traffic, server logs, operational metadata | Production Fly apps are configured with Frankfurt, Germany (fra) as the primary region. Additional EU capacity may be run in Amsterdam (ams) or Frankfurt. |
| Supabase Inc. | Production PostgreSQL database hosting | Withdrawal requests, merchant settings, email logs, audit events, rate-limit records | Production PostgreSQL is intended to run in Supabase Central EU / Frankfurt (eu-central-1). Supabase DPA and transfer terms apply where relevant. |
| Resend Inc. | Transactional email delivery | Recipient email, email subject, confirmation and notification content, delivery metadata | Transactional email sending is intended to use Resend's EU domain region (eu-west-1, Ireland). Resend account and support processing may involve the US. |
| Functional Software, Inc. (Sentry) | Optional error monitoring and performance diagnostics | Technical error data after sanitization; no intentional end-customer PII | If enabled in production, Sentry should be configured in its EU region, with data hosted in Frankfurt, Germany. Sentry DPA and SCCs apply where relevant. |
Infrastructure Regions
Withdrawly's production target for EU merchants is:
- application hosting on Fly.io with Frankfurt (
fra) as the primary region; - PostgreSQL data storage on Supabase in Central EU / Frankfurt (
eu-central-1); - transactional email dispatch through Resend's EU domain region in Ireland (
eu-west-1); - optional error monitoring through Sentry's EU region in Frankfurt;
- Shopify platform processing through Shopify's global commerce infrastructure.
This means the primary application and database workflow is designed around EU/EEA infrastructure. Some providers are headquartered outside the EU/EEA or operate global support systems, so applicable DPAs, SCCs, adequacy decisions, or EU-US Data Privacy Framework certification may be used where relevant.
Change Notice
Withdrawly may add, replace, or remove subprocessors when needed to operate the service. Material changes will be announced by website update, email, or in-app notice where required by the DPA or applicable data protection law.
Merchants may object to a subprocessor change on reasonable data protection grounds by contacting support@withdrawly.app.
Data Minimisation
Withdrawly is designed to process only the data needed for the withdrawal workflow. The app does not request or store customer address, phone, payment method details, or customer account credentials for the withdrawal workflow.
Contact
Subprocessor questions can be sent to support@withdrawly.app.