Privacy Policy
Last updated: January 2025
1. Information We Collect
Our app collects various types of data to provide comprehensive B2B wholesale management services. This data is collected through your use of the application, integration with Shopify, and voluntary submissions.
A. Shopify Store Data
When you install our app, we access specific data from your Shopify store through the Shopify Admin API:
- Product Information: Product titles, descriptions, SKUs, pricing, images, variants, inventory levels, categories, vendors, handles, tags, and SEO metadata
- Order Data: Order numbers, line items, quantities, prices, order status, fulfillment status, and associated timestamps
- Customer Information: Customer names, email addresses, phone numbers, billing and shipping addresses, and unique customer identifiers
- Inventory Data: Current stock levels, product variant information, pricing structures, and wholesale rates
- Store Configuration: Store locations, fulfillment settings, tax configurations, and shipping preferences
B. User-Generated Business Data
- Bundle Configurations: Product combinations, quantities, custom pricing rules, and bundle-specific metadata
- Wholesale Pricing Rules: Customer-specific pricing tiers, volume discounts, and special pricing configurations
- Order Processing Rules: Automated order processing conditions, triggers, and business logic
- Export Configurations: Custom data export templates, scheduling preferences, and email delivery settings
- Import Data: CSV and Excel files containing order data, product information, and customer details
- Purchase Order Data: Supplier information, expected delivery dates, and inventory forecasting data
C. Technical and Usage Data
- Authentication Data: Session tokens, access permissions, and Shopify app installation details
- Usage Analytics: Feature usage patterns, API call frequency, app interaction data, and performance metrics
- Device Information: Browser type and version, operating system, screen resolution, and device capabilities
- Network Data: IP addresses, geographic location (country/region level), and connection timestamps
- Error and Diagnostic Logs: Application errors, performance issues, and system diagnostic information
D. Audit and Security Data
- Comprehensive Audit Logs: All user actions, data modifications, access attempts, and system events with timestamps
- Security Events: Login attempts, permission changes, authentication failures, and suspicious activity detection
- Data Access Logs: Records of all data access, export activities, and bulk operations
- Compliance Records: Data retention logs, deletion records, and privacy request fulfillment documentation
E. Billing and Subscription Data
- Subscription Information: Plan type, billing cycle, trial periods, and subscription status
- Usage Metrics: Monthly product counts, order processing volumes, and feature usage for billing purposes
- Payment Processing: Billing handled by Shopify's secure payment system (we do not store credit card information)
F. Communication Data
- Support Communications: Email correspondence, support tickets, feature requests, and feedback
- Automated Notifications: Export delivery emails, system notifications, and status updates
- Marketing Communications: Product updates and feature announcements (with explicit consent)
8. International Data Transfers
As a Canadian company, we primarily process data within Canada and the United States. When we transfer your data internationally, we ensure appropriate safeguards are in place to protect your privacy rights.
A. Data Processing Locations
- Primary Processing: Canada (our headquarters and primary data centers)
- Shopify Integration: Data processed through Shopify's secure infrastructure (global)
- Email Services: SMTP services may be located in various jurisdictions
- Support Services: Customer support and technical services provided from Canada
B. Transfer Safeguards
- Adequate Jurisdiction: We prioritize processing in jurisdictions with adequate privacy protections
- Contractual Safeguards: Data processing agreements with third-party processors include privacy protection clauses
- Technical Safeguards: Data encryption in transit and at rest regardless of processing location
- Access Controls: Strict access controls and authentication requirements for all processing locations
C. Your Rights for International Transfers
- Right to Information: You can request information about where your data is processed
- Right to Object: You may object to transfers to specific jurisdictions where legally permitted
- Right to Safeguard Information: You can request details about the safeguards we use for international transfers
9. Children's Privacy
Our B2B wholesale management application is designed for business use and is not intended for use by children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13.
- Age Verification: Our service requires users to be at least 18 years old or have legal authority to bind a business entity
- Business Context: All data collection occurs in the context of B2B wholesale operations
- Inadvertent Collection: If we discover we have collected information from a child under 13, we will delete it immediately
- Parental Rights: Parents who believe their child's information has been collected may contact us at [email protected]
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We are committed to providing you with clear notice of any material changes.
A. Types of Changes
- Material Changes: Changes that significantly affect how we collect, use, or share your data
- Legal Updates: Changes required by new laws or regulations
- Service Changes: Changes related to new features or services we offer
- Clarifications: Updates to make our practices clearer without changing our actual practices
B. Notice of Changes
- Email Notification: For material changes, we will email you at least 30 days before the changes take effect
- In-App Notification: Important changes will be highlighted when you next access the application
- Website Update: The updated policy will be posted on our website with a new "last updated" date
- Continued Use: Your continued use of our service after changes take effect constitutes acceptance of the updated policy
C. Your Options
- Review Changes: We encourage you to review any changes to understand how they affect you
- Contact Us: If you have questions about changes, contact us at [email protected]
- Discontinue Use: If you don't agree with changes, you may discontinue using our service
- Data Deletion: You may request deletion of your data if you choose to discontinue use due to policy changes
11. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below. We are committed to addressing your privacy concerns promptly and thoroughly.
A. Primary Contact
Privacy Officer
DB Media Inc.
Email: [email protected]
Subject Line: "Privacy Policy Inquiry - My B2B Wholesaler"
B. General Support
Customer Support
Email: [email protected]
Subject Line: "Support Request - My B2B Wholesaler"
C. Response Times
- Privacy Requests: We will acknowledge receipt within 48 hours and respond within 30 days
- Data Deletion Requests: Processed within 30 days of verification
- Data Access Requests: Fulfilled within 30 days of identity verification
- General Inquiries: Typically responded to within 5 business days
D. Required Information
To help us process your privacy request efficiently, please include:
- Your Shopify store domain (e.g., yourstore.myshopify.com)
- Your email address associated with the account
- Detailed description of your request or concern
- Preferred response method (email reply, phone call, etc.)
12. Effective Date and Governing Law
This Privacy Policy is effective as of January 2025 and governs your use of our B2B wholesale management application from that date forward.
A. Governing Law
- Canadian Privacy Law: This policy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA)
- Provincial Laws: Additional provincial privacy laws may apply based on your location
- International Compliance: We also comply with GDPR for EU users and CCPA for California users
- Jurisdiction: Any disputes will be resolved in the courts of Canada
B. Acknowledgment
By using our B2B wholesale management application, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use our service.
2. How We Use Your Information
We process your information for specific, legitimate business purposes directly related to providing and improving our B2B wholesale management services. Our data usage is limited to what is necessary for these purposes.
A. Core Application Services
- Bundle Management: Creating, managing, and synchronizing product bundles with your Shopify store, including inventory tracking and availability calculations
- Wholesale Pricing: Implementing customer-specific pricing rules, volume discounts, and automated pricing calculations
- Order Processing: Importing, processing, and managing wholesale orders, including automated rule application and order fulfillment
- Inventory Management: Real-time inventory tracking, stock level monitoring, and automated inventory adjustments
- Data Export and Reporting: Generating business reports, export files, and analytical insights based on your sales and inventory data
B. Platform Integration and Synchronization
- Shopify Integration: Bidirectional data synchronization with your Shopify store for products, orders, customers, and inventory
- Webhook Processing: Real-time processing of Shopify webhooks to maintain data consistency and trigger automated workflows
- Draft Order Creation: Creating and managing draft orders in Shopify based on wholesale order processing
- Product Bundle Publishing: Publishing and managing product bundles directly in your Shopify catalog
C. Business Intelligence and Analytics
- Sales Analytics: Analyzing sales patterns, customer behavior, and product performance to provide business insights
- Inventory Forecasting: Predicting inventory needs based on historical data and sales trends
- Performance Monitoring: Tracking bundle performance, wholesale pricing effectiveness, and order processing efficiency
- Custom Reporting: Generating tailored reports based on your specific business requirements and export configurations
D. Account Management and Support
- Authentication and Security: Managing user sessions, access permissions, and security protocols
- Subscription Management: Processing billing, managing plan changes, and tracking usage against subscription limits
- Customer Support: Providing technical assistance, troubleshooting issues, and responding to feature requests
- Account Administration: Managing user preferences, notification settings, and application configurations
E. Security and Compliance
- Fraud Prevention: Monitoring for suspicious activities, unauthorized access attempts, and security threats
- Audit and Compliance: Maintaining comprehensive audit logs for regulatory compliance and security investigations
- Data Protection: Implementing and monitoring data protection measures, encryption, and access controls
- Privacy Rights Fulfillment: Processing data subject requests for access, correction, deletion, and portability
F. Service Improvement and Development
- Performance Optimization: Analyzing usage patterns to improve application performance and user experience
- Feature Development: Using aggregated usage data to guide new feature development and improvements
- Bug Detection and Resolution: Identifying and resolving technical issues through error logs and diagnostic data
- Capacity Planning: Monitoring system usage to ensure adequate infrastructure and performance scaling
3. Information Sharing and Disclosure
We maintain strict controls over data sharing and do not sell, rent, or trade your personal or business information to third parties for marketing purposes. Data sharing is limited to specific operational necessities and legal requirements as outlined below.
A. Shopify Platform Integration
Our app operates within the Shopify ecosystem and requires specific data sharing for core functionality:
- Shopify Admin API: Bidirectional synchronization of products, orders, customers, and inventory data
- Shopify Billing API: Subscription management and usage tracking for billing purposes
- Shopify Webhook System: Real-time notifications for data updates and changes
- App Bridge Integration: Secure authentication and embedded app functionality within Shopify Admin
B. Service Providers and Infrastructure
- Database Hosting: PostgreSQL database hosted on secure cloud infrastructure for data storage and processing
- Email Service Providers: SMTP services for automated export delivery and system notifications (configurable)
- Application Hosting: Cloud hosting services for application deployment and performance monitoring
- Backup Services: Secure data backup and disaster recovery services to ensure data protection
C. Business Operations
- Export Recipients: Data exports sent to email addresses specified by you for business operations
- Customer Support: Sharing relevant data with our support team to resolve technical issues and provide assistance
- Professional Services: Limited data sharing with authorized personnel for account management and technical consulting
D. Legal and Compliance Requirements
- Legal Obligations: Disclosure when required by law, court orders, or regulatory requirements
- Rights Protection: Sharing data to protect our rights, property, or safety, or that of our users or the public
- Fraud Prevention: Sharing information with law enforcement or security services to prevent fraud or illegal activities
- Business Transfers: Data may be transferred in connection with mergers, acquisitions, or asset sales (with notice)
E. Data Sharing Safeguards
- Contractual Protections: All service providers bound by strict data protection agreements
- Purpose Limitation: Data shared only for specific, documented purposes
- Access Controls: Minimum necessary access granted to authorized personnel only
- Audit Trails: Comprehensive logging of all data sharing activities
- Encryption: All data shared using industry-standard encryption protocols
4. Data Security and Protection Measures
We implement comprehensive technical, administrative, and physical security measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security framework follows industry best practices and is regularly updated to address evolving threats.
A. Technical Security Controls
- Encryption: TLS 1.3 encryption for all data in transit and AES-256 encryption for sensitive data at rest
- Authentication: Multi-factor authentication (MFA) for administrative access and secure OAuth integration with Shopify
- Access Controls: Role-based access control (RBAC) with principle of least privilege and regular access reviews
- Network Security: Firewalls, intrusion detection systems, and secure network architecture with segmentation
- Database Security: Encrypted database connections, parameterized queries to prevent SQL injection, and regular security patches
- Application Security: CSRF protection, input validation, XSS prevention, and secure coding practices
B. Infrastructure Security
- Secure Hosting: Cloud infrastructure with SOC 2 Type II compliance and 24/7 security monitoring
- Data Centers: Physically secure facilities with biometric access controls and environmental monitoring
- Backup and Recovery: Encrypted automated backups with geographically distributed storage and tested recovery procedures
- System Hardening: Regular security updates, vulnerability scanning, and configuration management
C. Monitoring and Incident Response
- Security Monitoring: 24/7 automated monitoring for suspicious activities and security events
- Audit Logging: Comprehensive logging of all system access, data operations, and administrative actions
- Incident Response: Documented incident response procedures with notification protocols for security breaches
- Vulnerability Management: Regular security assessments, penetration testing, and prompt remediation of identified vulnerabilities
D. Administrative Safeguards
- Personnel Security: Background checks for personnel with access to sensitive data and regular security training
- Security Policies: Comprehensive information security policies and procedures regularly reviewed and updated
- Vendor Management: Due diligence and security requirements for all third-party service providers
- Compliance Audits: Regular internal and external security audits to verify compliance with security standards
E. Data Protection by Design
- Privacy by Design: Security and privacy considerations integrated into all system development and operational processes
- Data Minimization: Collection and processing limited to data necessary for specified purposes
- Secure Development: Security testing throughout the development lifecycle and regular code reviews
- Breach Prevention: Proactive measures to prevent data breaches and minimize potential impact
5. Data Retention and Deletion
We retain your information only for as long as necessary to fulfill the purposes outlined in this privacy policy, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention practices are designed to balance operational needs with privacy principles.
A. Automatic Data Retention Periods
- Active Account Data: Maintained while your Shopify app subscription is active and for 48 hours after app uninstallation
- Business Transaction Records: Order data, billing records, and financial information retained for 7 years to comply with tax and accounting regulations
- Audit and Security Logs: Security events, access logs, and audit trails retained for 3 years for compliance and investigation purposes
- Usage and Analytics Data: Aggregated usage patterns and performance metrics retained for 2 years for service improvement
- Support Communications: Customer support interactions and correspondence retained for 3 years
- Marketing Communications: Email marketing data retained until consent is withdrawn or after 2 years of inactivity
B. Automatic Deletion Processes
- App Uninstallation: All shop-specific data automatically deleted 48 hours after app removal from your Shopify store
- Session Data: Authentication sessions and temporary data cleared after 24 hours of inactivity
- Temporary Files: Uploaded files and export data cleared within 30 days of creation
- Error Logs: Detailed error logs purged after 90 days, summary data retained for analysis
C. Legal and Compliance Retention
- Legal Hold: Data retention extended when subject to legal proceedings, investigations, or regulatory inquiries
- Compliance Requirements: Certain data retained longer when required by applicable laws, regulations, or industry standards
- Tax Records: Financial and transaction data retained in accordance with Canadian and applicable international tax requirements
D. User-Initiated Deletion
- Right to Deletion: You may request immediate deletion of your personal data subject to legal and operational constraints
- Partial Deletion: Specific data categories can be deleted upon request while maintaining essential business records
- Anonymization: Personal identifiers removed from retained business data when legally permissible
- Verification Process: Identity verification required for deletion requests to prevent unauthorized data removal
6. Your Privacy Rights and Controls
We respect your privacy rights and provide comprehensive controls over your personal and business data. The specific rights available to you may vary depending on your location and applicable privacy laws, including GDPR (EU), CCPA (California), and PIPEDA (Canada).
A. Data Access and Transparency Rights
- Right to Access: Request a complete copy of all personal data we hold about you, including source, processing purposes, and recipients
- Data Categories: Detailed breakdown of data types collected, retention periods, and legal basis for processing
- Processing Activities: Information about how your data is used, automated decision-making, and profiling activities
- Third-Party Sharing: List of all third parties who have received your data and the purposes for sharing
B. Data Correction and Update Rights
- Right to Rectification: Correct inaccurate or incomplete personal information
- Account Management: Update profile information, contact details, and preferences through your account settings
- Business Data Updates: Modify product configurations, pricing rules, and export settings
- Verification Process: Identity verification required for significant account changes
C. Data Deletion and Erasure Rights
- Right to Erasure: Request complete deletion of your personal data ("right to be forgotten")
- Selective Deletion: Delete specific data categories while maintaining essential business records
- Account Termination: Permanent account deletion with secure data wiping procedures
- Legal Limitations: Some data may be retained for legal compliance, fraud prevention, or legitimate business interests
D. Data Portability and Transfer Rights
- Data Export: Receive your data in structured, commonly used, machine-readable formats (CSV, JSON)
- Direct Transfer: Where technically feasible, direct transfer of data to other service providers
- Business Data Export: Export configurations, pricing rules, and historical data for business continuity
- Shopify Integration: Data portability coordinated with Shopify platform requirements
E. Processing Restriction and Objection Rights
- Restrict Processing: Limit how we process your data while maintaining basic service functionality
- Object to Processing: Object to processing based on legitimate interests, direct marketing, or profiling
- Automated Decision-Making: Opt out of automated decision-making and profiling activities
- Marketing Opt-Out: Unsubscribe from marketing communications while maintaining essential service notifications
F. Consent and Preference Management
- Consent Withdrawal: Withdraw consent for processing activities that require consent
- Communication Preferences: Granular controls over notification types, frequency, and delivery methods
- Cookie Controls: Manage cookie preferences and tracking technologies through browser settings
- Feature Controls: Disable specific application features that involve optional data processing
G. Exercising Your Rights
To exercise these rights, contact our privacy team at [email protected] with:
- Identity Verification: Sufficient information to verify your identity and account ownership
- Specific Request: Clear description of the right you wish to exercise and any specific requirements
- Response Timeline: We will respond within 30 days (or as required by applicable law)
- Appeal Process: If unsatisfied with our response, you may appeal or contact relevant data protection authorities
7. Legal Compliance and Regulatory Framework
Our privacy practices are designed to comply with applicable data protection laws and regulations worldwide. We regularly review and update our practices to maintain compliance as laws evolve.
A. Applicable Privacy Laws
- PIPEDA (Canada): Personal Information Protection and Electronic Documents Act compliance for Canadian operations
- GDPR (European Union): General Data Protection Regulation compliance for EU users and data subjects
- CCPA (California): California Consumer Privacy Act compliance for California residents
- Provincial Privacy Laws: Compliance with applicable Canadian provincial privacy legislation
B. Legal Basis for Processing
- Contractual Necessity: Processing required to fulfill our service agreement with you
- Legitimate Interests: Processing for legitimate business purposes that do not override your privacy rights
- Legal Compliance: Processing required by applicable laws, regulations, or legal processes
- Consent: Processing based on your explicit consent for specific purposes
C. Cross-Border Data Transfers
- Adequacy Decisions: Transfers to countries with adequate data protection as determined by relevant authorities
- Standard Contractual Clauses: Use of approved contractual clauses for international data transfers
- Shopify Integration: Data transfers subject to Shopify's global infrastructure and compliance frameworks
- Safeguards: Additional technical and organizational measures to protect data during international transfers
7. Shopify Integration
Our app integrates with Shopify and processes data in accordance with Shopify's terms:
- We access only the Shopify data necessary for app functionality
- Data synchronization follows Shopify's API guidelines
- We comply with Shopify's Partner Program requirements
- Your Shopify data remains subject to Shopify's privacy policy
8. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including:
- Standard contractual clauses approved by regulatory authorities
- Adequacy decisions for certain countries
- Your explicit consent where required
9. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us immediately.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may provide additional notice such as email notification.
11. Contact Information
If you have any questions about this privacy policy or our data practices, please contact us:
My B2B Wholesaler
Privacy: [email protected]
Support: [email protected]
Website: https://b2bwholesaler.dbmedia.ca