Last updated June 2026
This Privacy Policy applies to all personal data collected and processed by Disputa in connection with:
This Policy applies to merchants who install and use the Disputa application (“Merchants”), and to the end customers of those Merchants whose personal data may be shared with us in connection with chargeback dispute cases (“End Customers”).
You must be at least 18 years of age to use the Service. We do not knowingly collect personal data from persons under the age of 18.
The data controller responsible for your personal data is N. Kallis & E. Lazarides LLC, a limited liability company registered under the laws of the Republic of Cyprus and trading as Disputa, with its registered office in Limassol, Cyprus.
For any questions about this Policy or about how We handle your personal data, or to exercise any of your rights described in Section 10, you may contact Us at support@disputaflow.com.
We collect personal data in the following categories depending on your relationship with us:
When you install and use the Disputa application as a merchant, we collect:
When a Merchant submits a chargeback case through the application, they may provide us with personal data relating to their End Customers. This may include:
We process this data solely for the purpose of preparing the requested chargeback rebuttal package on behalf of the Merchant. We do not use End Customer data for any other purpose, including marketing, profiling, or analytics.
We may also collect personal data you provide voluntarily when contacting us by email, completing forms, or communicating with our support team.
We process personal data only where we have a lawful basis to do so under the GDPR. The following table sets out the purposes for which we process personal data and the corresponding lawful basis:
| Purpose | Description | Lawful Basis |
|---|---|---|
| Service delivery | To process case submissions, prepare rebuttal packages, and manage your account. | Performance of a contract |
| Account management | To create and manage your Disputa account and onboarding. | Performance of a contract |
| Billing and payments | To process usage-based success fees and issue invoices via Shopify Billing. | Performance of a contract |
| Customer support | To respond to your queries, complaints, and requests. | Legitimate interests |
| Security and fraud prevention | To detect, investigate, and prevent fraudulent or abusive use of the Service. | Legitimate interests |
| Legal compliance | To comply with applicable laws, regulations, and court orders. | Legal obligation |
| Service improvement | To analyse usage patterns and improve the functionality of the application. We use anonymised and aggregated data only for this purpose. | Legitimate interests |
| Legal claims | To establish, exercise, or defend legal claims arising in connection with the Service. | Legitimate interests |
| Marketing (optional) | To send you updates about Disputa services if you have opted in. You may withdraw consent at any time. | Consent |
We do not use personal data for automated individual decision-making or profiling that produces legal or similarly significant effects.
The Disputa application and website use cookies and similar technologies to ensure the service functions correctly and to improve user experience. We use the following categories of cookies:
We do not use advertising or tracking cookies for third-party marketing purposes.
You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the application.
At this time, the Disputa application does not respond to browser Do Not Track signals. Where applicable, we honour Global Privacy Control (GPC) signals as an opt-out of personal data sharing in accordance with applicable law.
We do not sell personal data to third parties. We may share personal data with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate contractual protections:
We engage trusted third-party service providers to support the operation of the Disputa service, including:
All service providers are contractually required to process personal data only on our instructions and to maintain appropriate security measures.
We may disclose personal data to governmental, regulatory, or law enforcement authorities where required by applicable law, court order, or regulatory obligation. Where permitted, we will notify you of such disclosure in advance.
We may share personal data with legal, financial, or professional advisers where necessary for the exercise or defence of legal claims or for compliance purposes, subject to professional confidentiality obligations.
In the event of a merger, acquisition, restructuring, or sale of assets involving N. Kallis & E. Lazarides LLC, personal data may be transferred to the relevant successor entity, subject to equivalent privacy protections. We will notify you of any such transfer in advance where reasonably practicable.
We have not sold, and do not sell, personal data to any third party. We do not share personal data for third-party advertising or commercial profiling purposes.
Our primary operations are based in the Republic of Cyprus, which is a Member State of the European Union. Personal data processed by Disputa is therefore subject to the protections of EU law by default.
Where we engage service providers located outside the European Economic Area (“EEA”), we ensure that appropriate safeguards are in place to protect your personal data, including:
You may request information about the specific safeguards we rely on for international transfers by contacting us at support@disputaflow.com.
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law. Our standard retention periods are as follows:
Where personal data is no longer required, we securely delete or anonymise it. You may request earlier deletion in accordance with Section 10 of this Policy.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:
Notwithstanding the above, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security and shall not be liable for security incidents outside our reasonable control, provided we have implemented industry-standard measures.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Cyprus Commissioner for Personal Data Protection within 72 hours of becoming aware, and will notify affected individuals without undue delay where required by Article 34 of the GDPR.
Subject to applicable law, you have the following rights in respect of your personal data. To exercise any of these rights, please contact us at support@disputaflow.com. We will respond within one month of receiving your request, which may be extended by a further two months for complex or multiple requests.
We will respond to all requests free of charge unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act on the request.
If you are a resident of the United Kingdom, you have equivalent rights under the UK GDPR as described above. Complaints may be directed to the UK Information Commissioner’s Office (ICO) at www.ico.org.uk.
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
To exercise your California rights, please contact us at support@disputaflow.com. You may also designate an authorised agent to submit requests on your behalf, provided you supply written authorisation and we are able to verify your identity.
When Merchants share End Customer personal data with us in connection with a chargeback case, the Merchant acts as an independent Data Controller in respect of that data, and we process it as a separate Data Controller for the limited purpose of preparing the requested case documentation.
By submitting End Customer personal data to Disputa, Merchants represent and warrant that:
Merchants who require a Data Processing Agreement (DPA) in connection with our processing of End Customer data on their behalf may request one by contacting us at support@disputaflow.com.
The Disputa service is intended solely for use by merchants operating legitimate e-commerce businesses. It is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from individuals under 18.
If we become aware that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete that data. If you believe we may have collected data from a person under 18, please contact us at support@disputaflow.com.
The Disputa application may contain links to or integrations with third-party platforms and services, including Shopify, Supabase, and Railway. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use in connection with Disputa before providing personal data to them.
We are not responsible for the privacy practices, content, or security of third-party platforms or websites.
We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the services we provide. When we make material changes to this Policy, we will:
Your continued use of the Disputa service after the effective date of any updated Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you should stop using the Service before the changes take effect.