The controller within the meaning of the General Data Protection Regulation (GDPR) is:
onetec GmbH
Vor dem Bardowicker Tore 6a
21339 Lüneburg
Germany
Email: hello@onetec.cloud
Website: https://www.onetec.cloud
Our Data Protection Officer can be reached at:
Alexander Raabe
Email: alex@onetec.cloud
We process personal data of our users only to the extent necessary to provide a functional website and our content and services. The processing of personal data is generally only carried out with the consent of the user. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.
Where we obtain consent for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis.
For the processing of personal data necessary for the performance of a contract, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required for pre-contractual measures.
Where processing is necessary to protect a legitimate interest of our company or a third party, Art. 6(1)(f) GDPR serves as the legal basis.
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if provided for by European or national legislators in EU regulations, laws, or other provisions. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.
Each time our website is accessed, the web server automatically stores information in so-called server log files. This information includes:
This data cannot be attributed to specific persons. This data is not merged with other data sources.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable provision of the website).
Retention period: 14 days, then automatic deletion.
If you send us inquiries via contact form or email, your details from the inquiry form, including the contact data you provided, will be stored for the purpose of processing the inquiry and in case of follow-up questions. We do not share this data without your consent.
Data collected: Name, email address, message content, company (if applicable).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries), or Art. 6(1)(b) GDPR for pre-contractual inquiries.
Retention period: Until the inquiry has been conclusively processed, then deleted after the statutory retention period (generally 3–10 years, depending on content).
Our website uses cookies. These are small text files stored on your device.
We only use technically necessary cookies that are required for the operation of the website. These cookies do not require separate consent.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Varies by cookie type; session cookies are deleted when the browser is closed.
You can disable or delete cookies through your browser settings. Please note that this may limit the functionality of the website.
The onetec Connected Intelligence Platform is a SaaS solution for e-commerce logistics companies and fulfillment service providers. It provides warehouse management functions, shipping integration, and AI-powered tools.
Access to the platform is provided to our customers (businesses) on the basis of a contractual relationship. Within the platform, we process personal data exclusively on behalf of and according to the instructions of our customers (data processing pursuant to Art. 28 GDPR).
For the operation of the platform, we enter into a Data Processing Agreement (DPA) with our customers pursuant to Art. 28 GDPR. The respective customers remain the controllers within the meaning of the GDPR for the processed data.
Depending on the modules used, the following data categories may be processed:
For the creation of shipping labels and shipment tracking, address and order data is transmitted to the shipping carriers selected by the customer. Currently integrated carriers include DHL, DHL Express, DPD, GLS, UPS, FedEx, Swiss Post, Post AT, and additional carriers as required by the customer.
The transfer is made exclusively for the purpose of shipping fulfillment and on the basis of the Data Processing Agreement concluded with the customer. The shipping carriers act as independent controllers for their own data processing under their respective privacy policies.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 28 GDPR (data processing).
Each customer receives a fully isolated database environment. Mixing of customer data is technically excluded. Data is stored in a cloud environment that meets GDPR requirements.
Retention period: For the duration of the contractual relationship and subsequently in accordance with statutory retention periods (generally 10 years for tax-relevant data). After contract termination, data will be deleted or handed over upon customer request.
The onetec app is available in the Shopify App Store. By installing the app, the Shopify merchant agrees to this privacy policy and to onetec's terms of use.
For information about Shopify's privacy practices, please visit: https://www.shopify.com/legal/privacy
When installing and operating the onetec app in a Shopify store, the following data is processed:
mystore.myshopify.com)Note: onetec processes this customer data exclusively on behalf of the Shopify merchant for the purpose of shipping fulfillment. The Shopify merchant remains the controller within the meaning of the GDPR for their end customers' data.
Data processed via the Shopify app is used exclusively for the following purposes:
No data is shared with third parties other than the shipping carriers selected by the merchant for the purpose of delivery (e.g., DHL, DPD, GLS, UPS, etc.).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — processing is necessary for the provision of the contractually agreed service) and Art. 28 GDPR (data processing — onetec acts as a data processor on behalf of the Shopify merchant).
onetec implements the mandatory GDPR webhooks required by Shopify to protect the end customers of Shopify merchants:
customers/data_requestShopify sends this webhook when an end customer of the merchant requests access to their stored data pursuant to Art. 15 GDPR.
Our response: We provide the requesting merchant with all personal data of that end customer stored on the onetec platform, so the merchant can fulfill their disclosure obligation.
customers/redactShopify sends this webhook when an end customer of the merchant requests deletion of their data pursuant to Art. 17 GDPR.
Our response: We delete or anonymize all personal data of that end customer from our platform, unless statutory retention obligations prevent deletion.
shop/redactShopify sends this webhook 48 hours after the merchant uninstalls the app.
Our response: We completely delete all stored data of the affected shop from our systems, including OAuth tokens, order data, and all other shop-specific information.
Technical note: All GDPR webhooks are secured by Shopify with an HMAC signature. onetec validates this signature before processing to ensure the authenticity of the requests.
The onetec platform is operated on cloud infrastructure. The following infrastructure providers are used:
All infrastructure providers are contractually obligated to comply with the GDPR, and appropriate Data Processing Agreements have been concluded.
As part of shipping fulfillment, address and order data is transmitted to shipping carriers. The selection of the carrier is made by the respective merchant/customer. For more information, see Section 5.4.
As a data subject, you have the following rights:
You have the right to request confirmation as to whether we process personal data concerning you and to obtain information about that data as well as further details pursuant to Art. 15 GDPR.
You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete data.
You have the right to request the immediate deletion of personal data concerning you, provided one of the grounds specified in Art. 17 GDPR applies.
You have the right to request restriction of processing if one of the conditions of Art. 18(1) GDPR is met.
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR.
If processing is based on consent, you have the right to withdraw your consent at any time. The lawfulness of processing carried out on the basis of consent before its withdrawal is not affected.
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for onetec is:
The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hannover
We implement technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures are continuously improved in line with technological developments.
Data transfer between your browser and our platform is exclusively encrypted (TLS/HTTPS).
This privacy policy is currently valid as of March 1, 2026.
Due to the further development of our website and services or due to changed legal or regulatory requirements, it may be necessary to amend this privacy policy. The current privacy policy can be accessed and printed at any time on our website.
For inquiries about your privacy rights or the handling of your personal data, please contact:
onetec GmbH
Attn: Data Protection
Vor dem Bardowicker Tore 6a
21339 Lüneburg
Email: hello@onetec.cloud
We process privacy inquiries within 30 days of receipt.