#Intake B2B: Privacy Policy

Last updated: 2026-05-16

Roles. Throughout this policy, "the app" refers to the Intake B2B Wholesale Approval app and its operator (the legal entity that publishes and runs the service). "The merchant" is the Shopify store owner who installs the app. "The applicant" or "buyer" is the individual or business that submits the wholesale application form.

The app acts as a data controller for data the merchant provides to set up and operate the app on their store (notification email, form configuration, install record). The app acts as a data processor on the merchant's behalf for applicant-submitted data and for any of the merchant's customer data accessed via the Shopify Admin API; the merchant remains the data controller for that information and instructs the app via its in-admin settings.


#1. Data we collect

The app processes two categories of data on behalf of the merchant:

We do not collect analytics, tracking cookies, or third-party ad IDs.

#2. How we use your data (purposes of processing)

We use the data described in §1 only for the purposes the merchant has configured the app to perform. Specifically:

We do not use applicant or merchant data for advertising, profiling, analytics, or model training.

#3. Legal basis for processing (GDPR Article 6)

Our lawful bases for processing personal data depend on the role we occupy for that data and the processing activity in question:

For merchant configuration data (the merchant's notification email, form settings, install record — the app is the controller):

For applicant data and any merchant-customer data accessed via the Shopify Admin API (the merchant is the controller; the app is the processor):

The merchant determines the lawful basis for processing this data and documents it in their own privacy policy. The app processes such data only on the merchant's documented instructions, expressed through the app's settings and the actions the merchant takes in the admin (approve, reject, request information, retry sync, retry assignments, update notes / address). Common bases the merchant may rely on for wholesale-onboarding processing include:

If the applicant withdraws or the merchant identifies a different basis, the merchant should communicate that through their own privacy notice and, where appropriate, instruct the app to delete the data via the admin "Reject" action or by initiating a Shopify customer redaction.

#4. Where applicant documents are stored

Applicant document uploads (resale certificates, business licenses, tax documents, and any other files the applicant attaches to the form) are stored in a private Cloudflare R2 bucket. The bucket is not publicly accessible. No public object ACL, no public bucket policy, no published index.

Objects are encrypted at rest using Cloudflare R2's default server-side encryption.

Access to a document is granted through short-lived signed URLs (15-minute expiry) generated on demand when an authenticated merchant views the application detail page in the Shopify admin. The signed URL is not cached, not persisted, and not logged. A merchant who returns to the admin page after the URL expires receives a freshly generated URL.

Applicants themselves do not receive download URLs — the app never surfaces signed URLs on the buyer-facing pages (initial submission, resubmission, or confirmation).

#5. Where other data is stored

Non-document data (application records, status events, custom field values, merchant configuration) is stored in the application's primary PostgreSQL database. Backups and access controls are managed by the database host (e.g., Railway).

#6. Retention

Rejected applications. Applications that are rejected are retained for 60 days after rejection and then permanently deleted, including any uploaded documents. This retention window is enforced by a scheduled daily sweep that runs against the production database. Merchants can adjust the retention window for their deployment by setting the REJECTED_RETENTION_DAYS environment variable on the cron service; the default of 60 days is what the app ships with.

Uninstall cleanup. When a merchant uninstalls the app, session data is cleared immediately so the app stops attempting to use the revoked offline access token. Application data, documents, and merchant configuration are retained for approximately 48 hours per Shopify's GDPR contract — this window allows a merchant who reinstalls within that period to pick up where they left off without losing their application history. After the window elapses, Shopify delivers a shop/redact webhook and the app deletes all applications, uploaded documents, merchant configuration, and any remaining sessions associated with that shop. R2 objects are removed before the database rows so a retry leaves nothing behind.

Customer-initiated redaction (GDPR). On customers/redact, all applications and uploaded documents associated with the requested customer email are deleted from both R2 and the database.

Inactivity-based closure of in-progress applications. To keep applicant records from accumulating indefinitely, the same daily sweep that purges old rejected applications also closes applications that have sat in an in-progress state past a reasonable review window. A closed application moves to the rejected status, is marked internally as an auto-closure so the merchant can distinguish it from a manual rejection, and the applicant receives a neutral closure notification inviting them to reapply or reach out. Closed applications then follow the same 60-day rejected-retention clock described above before being permanently deleted.

The inactivity windows are:

After closure, the standard 60-day rejected-retention window applies before the record and any uploaded documents are permanently deleted. Merchants can disable the applicant-facing closure email by turning off applicant notifications in the app's settings; the application will still be closed, but no email will be sent.

#7. Third-party subprocessors

The list above is exhaustive. The app does not integrate with any third-party analytics, error-tracking, advertising, or marketing platform. The only outbound network call the app server makes — outside of the embedded Shopify Admin API client and the AWS S3 SDK call to Cloudflare R2 — is a single HTTPS POST to api.resend.com/emails to send a transactional email.

#8. Compliance webhooks

We implement all three Shopify-mandated compliance topics:

#9. Your data protection rights (GDPR)

If you are an individual whose personal data is processed by the app — either as a merchant operating the app, or as an applicant submitting the wholesale form on a merchant's storefront — you have the following rights under the EU General Data Protection Regulation and the UK GDPR:

Where to send a request. Because the merchant is the data controller for applicant data, requests by applicants about their wholesale-application information should be addressed to the merchant operating the storefront in the first instance — the merchant's own privacy notice will list a contact. The app will assist the merchant in fulfilling such requests on instruction (for example, by exporting or deleting the applicant's records on the merchant's behalf).

For data the app holds as a controller — i.e., your merchant account configuration and install record — please contact us directly using the details in §10.

#10. How to exercise your rights / contact us

To exercise any of the rights listed in §9, contact us at:

Privacy contact: [email protected]

When you contact us, please include:

We will acknowledge your request without undue delay and respond substantively within 30 days of receipt, in line with GDPR Article 12(3). If your request is complex or you have made multiple requests, we may extend this period by up to a further two months and will notify you of the extension and the reasons within the initial 30-day window.

We may need to verify your identity before responding to a request to ensure we are not disclosing your data to someone else. We will only ask for the minimum information necessary to do so.

#11. Cookies and tracking

The app does not set advertising or tracking cookies, does not use third-party analytics platforms (no Google Analytics, Segment, Mixpanel, PostHog, Amplitude, Heap, or similar), and does not use any cross-site tracking technologies. The app is embedded inside the Shopify admin and relies only on first-party session cookies set by Shopify for authentication; these cookies are governed by Shopify's own privacy and cookie policy.

The buyer-facing wholesale-application form is a server-rendered HTML page served via Shopify's App Proxy. It does not load third-party JavaScript, does not set any persistent cookies of its own, and does not beacon to any analytics endpoint.

#12. Security measures

We apply technical and organisational controls proportionate to the operational nature of the data we process:

No system is perfectly secure. We work to keep the controls above effective, and we will notify affected parties of any qualifying data breach per §15.

#13. GDPR compliance

We process personal data in accordance with the EU General Data Protection Regulation and the UK GDPR. As described above:

International transfers of personal data (for example, to subprocessors that operate outside the European Economic Area) are governed by the Standard Contractual Clauses or an equivalent transfer mechanism agreed with the relevant subprocessor.

#14. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights with respect to personal information collected about you:

To submit a verifiable consumer request, contact us using the details in §10. We will verify your request by matching the email address you provide against the email on file in the application or merchant configuration record. We will respond within the timeframes required by the CCPA (typically 45 days, with one 45-day extension where permitted).

Service-provider role. With respect to applicant data submitted through a merchant's wholesale form, the app generally acts as a "service provider" to the merchant under the CCPA, processing the applicant's personal information solely on the merchant's behalf and under written terms with the merchant. Verifiable consumer requests about applicant data should be addressed to the merchant in the first instance; we will assist the merchant in responding.

#15. Data breach notification

In the event of a personal data breach affecting data we control or process, we will:

The notification will include, as far as reasonably possible, the nature of the breach (categories and approximate number of individuals and records affected), the contact point from whom more information can be obtained, the likely consequences, and the measures taken or proposed to address the breach and mitigate adverse effects.

#16. Children's data

The app is a business-to-business product designed for wholesale onboarding workflows. It is not directed at children, and we do not knowingly collect personal information from children under the age of 16 (the GDPR threshold for parental consent in many member states) or under the age of 13 (the COPPA threshold in the United States).

If we become aware that personal information about a child in either of these categories has been provided to the app — for example, because a child submitted the buyer-facing wholesale form — we will delete that information promptly. A parent or legal guardian who believes their child's personal information has been provided to the app can contact us using the details in §10 to request deletion.

#17. Changes to this policy

We maintain auditable version history for this policy. Material changes (new subprocessors, retention-timeline updates, new data categories) are recorded so the history of updates remains reviewable.

When we add a new subprocessor or change the role of an existing one, we update the subprocessor list in §7 and update the "Last updated" date at the top of this policy. Material changes remain part of that auditable policy history.