GDPR Compliance
Last updated: June 1, 2026
Our GDPR Commitment
FlowsCheckout is fully committed to complying with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679. As a payment service provider operating from France and serving European merchants, GDPR compliance is at the core of our technical architecture and organizational processes.
Data Controller and Processor
Within the scope of our service, we establish a clear distinction between our roles:
- For your data (account, profile, usage): MirorPay acts as the data controller. We determine the purposes and means of processing your personal data.
- For your customers' data (via checkout pages): MirorPay acts as a data processor. You are the data controller. We process this data solely according to your instructions and for the sole purpose of providing the Service.
Legal Basis for Processing
| Processing | Legal Basis |
|---|---|
| Account management and service provision | Contract performance (Art. 6.1.b) |
| Billing and accounting | Legal obligation (Art. 6.1.c) |
| Security and fraud prevention | Legitimate interest (Art. 6.1.f) |
| Marketing communications | Consent (Art. 6.1.a) |
Privacy by Design and Default
We apply Privacy by Design and Privacy by Default principles across our entire infrastructure:
- Minimization: we collect only the data strictly necessary for the service to function
- Encryption: all data in transit is encrypted via TLS 1.3; passwords are hashed with bcrypt
- Pseudonymization: internal identifiers are used wherever possible
- Limited retention: each data category has a defined and justified retention period
- Access control: data access is granted on the least-privilege principle, with all access logged
Data Hosting
All your data and your customers' data is hosted on servers located in Germany at Hetzner (ISO 27001 certified data center). No payment or personal data is stored outside the European Union, except for static website content hosted via Vercel (United States, governed by SCCs).
Processing Register
In accordance with Article 30 of the GDPR, we maintain a register of our processing activities. This register is available upon request from our Data Protection Officer (DPO) at dpo@mirorpay.com.
Sub-processors
We use the following GDPR-compliant sub-processors:
| Sub-processor | Service | Location | Safeguard |
|---|---|---|---|
| Hetzner GmbH | VPS hosting | Germany | EU — adequate level |
| Stripe Inc. | Payments | Ireland (EU) | SCCs + certification |
| Vercel Inc. | Web hosting | United States | Approved SCCs |
| Directus | CMS and database | Germany | EU — adequate level |
Breach Notification
In accordance with Article 33 of the GDPR, we notify the relevant data protection authority of any personal data breach within 72 hours. If the breach poses a high risk to your data or your customers' data, we inform you without delay.
Your Rights
You can exercise your GDPR rights at any time:
- Email: privacy@mirorpay.com
- DPO (Data Protection Officer): dpo@mirorpay.com
- Response time: 30 days maximum
- Complaint: you can lodge a complaint with your local data protection authority
Shopify and WordPress Compliance
FlowsCheckout is designed to meet the compliance requirements of both the Shopify App Store and WordPress Plugin Directory. Our data handling practices comply with these platforms' privacy, security, and transparency requirements. We provide all necessary documentation during your application validation process.