Disputa

Privacy Policy

Last updated June 2026

1. Scope of This Policy

This Privacy Policy applies to all personal data collected and processed by Disputa in connection with:

  • The Disputa application available on the Shopify App Store.
  • The Disputa website and any associated web pages.
  • Communications between you and Disputa via email or other channels.
  • Case submissions and related document preparation services.

This Policy applies to merchants who install and use the Disputa application (“Merchants”), and to the end customers of those Merchants whose personal data may be shared with us in connection with chargeback dispute cases (“End Customers”).

You must be at least 18 years of age to use the Service. We do not knowingly collect personal data from persons under the age of 18.

2. Who We Are

The data controller responsible for your personal data is N. Kallis & E. Lazarides LLC, a limited liability company registered under the laws of the Republic of Cyprus and trading as Disputa, with its registered office in Limassol, Cyprus.

For any questions about this Policy or about how we handle your personal data, or to exercise any of your rights described in Section 10, you may contact us at support@disputaflow.com.

3. Personal Data We Collect

We collect personal data in the following categories depending on your relationship with us:

3.1 Data Collected from Merchants

When you install and use the Disputa application as a merchant, we collect:

  • Account information: your name, email address, and Shopify store details provided during installation and onboarding.
  • Business information: your store name, domain, and payment processor details relevant to chargeback management.
  • Billing information: usage-based success-fee charges and billing history, processed through the Shopify Billing API. We do not directly store payment card details.
  • Usage data: information about how you use the application, including pages accessed, features used, case submissions, and timestamps.
  • Technical data: IP address, browser type, device information, and session data collected automatically when you access the application.
  • Communications: any messages or emails you send to our support team.

3.2 Data Received from Merchants Relating to End Customers

When a Merchant submits a chargeback case through the application, they may provide us with personal data relating to their End Customers. This may include:

  • Name, email address, billing and shipping address of the End Customer.
  • Order details, transaction amounts, purchased items, and order dates.
  • Payment method information relevant to the dispute (e.g. card type, last four digits).
  • Correspondence or communications between the Merchant and the End Customer.
  • IP address or device information captured at the time of the transaction.
  • Any other information the Merchant considers relevant to the chargeback dispute.

We process this data solely for the purpose of preparing the requested chargeback rebuttal package on behalf of the Merchant. We do not use End Customer data for any other purpose, including marketing, profiling, or analytics.

3.3 Data You Provide Voluntarily

We may also collect personal data you provide voluntarily when contacting us by email, completing forms, or communicating with our support team.

4. How We Use Personal Data

We process personal data only where we have a lawful basis to do so under the GDPR. The following table sets out the purposes for which we process personal data and the corresponding lawful basis:

| Purpose | Description | Lawful Basis |
|---|---|---|
| Service delivery | To process case submissions, prepare rebuttal packages, and manage your account. | Performance of a contract |
| Account management | To create and manage your Disputa account and onboarding. | Performance of a contract |
| Billing and payments | To process usage-based success fees and issue invoices via Shopify Billing. | Performance of a contract |
| Customer support | To respond to your queries, complaints, and requests. | Legitimate interests |
| Security and fraud prevention | To detect, investigate, and prevent fraudulent or abusive use of the Service. | Legitimate interests |
| Legal compliance | To comply with applicable laws, regulations, and court orders. | Legal obligation |
| Service improvement | To analyse usage patterns and improve the functionality of the application. We use anonymised and aggregated data only for this purpose. | Legitimate interests |
| Legal claims | To establish, exercise, or defend legal claims arising in connection with the Service. | Legitimate interests |
| Marketing (optional) | To send you updates about Disputa services if you have opted in. You may withdraw consent at any time. | Consent |

We do not use personal data for automated individual decision-making or profiling that produces legal or similarly significant effects.

5. Cookies and Tracking Technologies

The Disputa application and website use cookies and similar technologies to ensure the service functions correctly and to improve user experience. We use the following categories of cookies:

  • Strictly necessary cookies: essential for the application to operate. These cannot be disabled.
  • Functional cookies: used to remember your preferences and settings within the application.
  • Analytics cookies: used to understand how the application is used in aggregate, using anonymised data. We use these only with your consent where required by law.

We do not use advertising or tracking cookies for third-party marketing purposes.

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the application.

At this time, the Disputa application does not respond to browser Do Not Track signals. Where applicable, we honour Global Privacy Control (GPC) signals as an opt-out of personal data sharing in accordance with applicable law.

6. Who We Share Personal Data With

We do not sell personal data to third parties. We may share personal data with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate contractual protections:

6.1 Service Providers

We engage trusted third-party service providers to support the operation of the Disputa service, including:

  • Cloud hosting and infrastructure providers (e.g. Railway, Supabase) for application hosting and secure file storage.
  • The Shopify platform for application delivery and billing processing.
  • Email service providers for support and operational communications.

All service providers are contractually required to process personal data only on our instructions and to maintain appropriate security measures.

6.2 Legal and Regulatory Authorities

We may disclose personal data to governmental, regulatory, or law enforcement authorities where required by applicable law, court order, or regulatory obligation. Where permitted, we will notify you of such disclosure in advance.

6.3 Professional Advisers

We may share personal data with legal, financial, or professional advisers where necessary for the exercise or defence of legal claims or for compliance purposes, subject to professional confidentiality obligations.

6.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets involving N. Kallis & E. Lazarides LLC, personal data may be transferred to the relevant successor entity, subject to equivalent privacy protections. We will notify you of any such transfer in advance where reasonably practicable.

6.5 No Sale of Data

We have not sold, and do not sell, personal data to any third party. We do not share personal data for third-party advertising or commercial profiling purposes.

7. International Transfers of Personal Data

Our primary operations are based in the Republic of Cyprus, which is a Member State of the European Union. Personal data processed by Disputa is therefore subject to the protections of EU law by default.

Where we engage service providers located outside the European Economic Area (“EEA”), we ensure that appropriate safeguards are in place to protect your personal data, including:

  • Transfers to countries recognised by the European Commission as providing an adequate level of data protection pursuant to Article 45 of the GDPR.
  • Where no adequacy decision exists, the use of Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR.

You may request information about the specific safeguards we rely on for international transfers by contacting us at support@disputaflow.com.

8. How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law. Our standard retention periods are as follows:

  • Case-related personal data (including End Customer data submitted with a case): deleted or anonymised within 12 months of the closure of the relevant case.
  • Merchant account data: retained for the duration of your subscription and for up to 12 months following termination or uninstallation, after which it is deleted.
  • Billing and invoicing records: retained for 7 years in accordance with Cyprus tax and accounting obligations.
  • Support communications: retained for up to 24 months from the date of the communication.
  • Application usage logs and technical data: retained for up to 6 months on a rolling basis.

Where personal data is no longer required, we securely delete or anonymise it. You may request earlier deletion in accordance with Section 10 of this Policy.

9. How We Protect Your Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:

  • All data in transit is encrypted using TLS (Transport Layer Security).
  • Case documents and uploaded files are stored in encrypted cloud storage with strict access controls.
  • Document download links are time-limited and expire automatically within 48 hours.
  • Our internal administrative systems are protected by multi-factor authentication.
  • Access to personal data is restricted to authorised personnel on a need-to-know basis.
  • We conduct periodic reviews of our security practices to ensure they remain appropriate.

Notwithstanding the above, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security and shall not be liable for security incidents outside our reasonable control, provided we have implemented industry-standard measures.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Cyprus Commissioner for Personal Data Protection within 72 hours of becoming aware, and will notify affected individuals without undue delay where required by Article 34 of the GDPR.

10. Your Rights

Subject to applicable law, you have the following rights in respect of your personal data. To exercise any of these rights, please contact us at support@disputaflow.com. We will respond within one month of receiving your request, which may be extended by a further two months for complex or multiple requests.

10.1 Rights Under the GDPR (EEA Residents)

  • Right of access: to receive confirmation of whether we process your personal data and to obtain a copy of it.
  • Right to rectification: to have inaccurate or incomplete personal data corrected.
  • Right to erasure: to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other lawful basis applies.
  • Right to restriction: to request that we restrict processing of your personal data in certain circumstances.
  • Right to data portability: to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to object: to object to processing based on legitimate interests, including any profiling for that purpose. You also have an absolute right to object to processing for direct marketing purposes.
  • Right to withdraw consent: where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: to lodge a complaint with the Cyprus Commissioner for Personal Data Protection (www.dataprotection.gov.cy) or any other competent supervisory authority in your country of residence.

We will respond to all requests free of charge unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act on the request.

10.2 Rights Under UK GDPR (UK Residents)

If you are a resident of the United Kingdom, you have equivalent rights under the UK GDPR as described above. Complaints may be directed to the UK Information Commissioner’s Office (ICO) at www.ico.org.uk.

10.3 Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: to request disclosure of the categories and specific pieces of personal data we have collected about you, the sources from which it was collected, the purposes for which it is used, and the categories of third parties with whom it is shared.
  • Right to delete: to request deletion of your personal data, subject to certain exceptions.
  • Right to correct: to request correction of inaccurate personal data.
  • Right to opt out of sale or sharing: we do not sell or share personal data for cross-context behavioural advertising. No opt-out is required, but we honour Global Privacy Control signals where applicable.
  • Right to non-discrimination: you will not be discriminated against for exercising your CCPA rights.
  • Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond those permitted by the CPRA.

To exercise your California rights, please contact us at support@disputaflow.com. You may also designate an authorised agent to submit requests on your behalf, provided you supply written authorisation and we are able to verify your identity.

11. Merchant Responsibilities Regarding End Customer Data

When Merchants share End Customer personal data with us in connection with a chargeback case, the Merchant acts as an independent Data Controller in respect of that data, and we process it as a separate Data Controller for the limited purpose of preparing the requested case documentation.

By submitting End Customer personal data to Disputa, Merchants represent and warrant that:

  • They have a lawful basis under the GDPR (or other applicable law) to share the relevant personal data with us.
  • They have provided End Customers with appropriate privacy notices, including information about the possibility of sharing their data with third-party service providers, in accordance with Articles 13 and 14 of the GDPR.
  • The personal data shared is accurate, relevant, and limited to what is necessary for the purpose of the chargeback case.

Merchants who require a Data Processing Agreement (DPA) in connection with our processing of End Customer data on their behalf may request one by contacting us at support@disputaflow.com.

12. Children’s Privacy

The Disputa service is intended solely for use by merchants operating legitimate e-commerce businesses. It is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from individuals under 18.

If we become aware that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete that data. If you believe we may have collected data from a person under 18, please contact us at support@disputaflow.com.

13. Links to Third-Party Services

The Disputa application may contain links to or integrations with third-party platforms and services, including Shopify, Supabase, and Railway. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use in connection with Disputa before providing personal data to them.

We are not responsible for the privacy practices, content, or security of third-party platforms or websites.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the services we provide. When we make material changes to this Policy, we will:

  • Publish the updated Policy within the Disputa application and on our website.
  • Notify you by email or in-app notification at least 15 days before material changes take effect, in accordance with the EU Platform-to-Business Regulation (EU) 2019/1150.
  • Update the “Last updated” date at the top of this Policy.

Your continued use of the Disputa service after the effective date of any updated Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you should stop using the Service before the changes take effect.
