Privacy Policy
Last updated: April 4, 2026
B2B Order Flow ("we", "our", "the app") is a purchase order processing
tool that helps merchants convert purchase order documents into Shopify
draft orders. This policy explains what data we collect, why, and how
we protect it.
1. Data We Collect
Account data
- Username and email address (provided at registration)
- Password (stored as a one-way bcrypt hash — we cannot retrieve your password)
Shopify store data
- Store domain (e.g., your-store.myshopify.com)
- Shopify API access token (encrypted with AES-256-GCM at rest)
- Product catalog (names, SKUs, prices, inventory levels) — used for order matching
- Customer records (name, email, address) — used to match or create customers on draft orders
Purchase order data
- Uploaded PDF files and their extracted content
- Extracted order information: PO number, item names, SKUs, quantities,
shipping/billing addresses, contact details, and special instructions
Business configuration
- Your business info (name, company, address, email, phone) — used to
distinguish your info from customer info during extraction
- Payment/remittance instructions (may include bank account numbers, routing numbers,
SWIFT codes) — stored in the database and included in Shopify draft order notes
- Custom AI instructions — sent to the AI model with each extraction
Automatically collected
- IP address (for rate limiting and security logging)
- Session cookies (for authentication — see Section 8)
- Audit logs of account actions (login, logout, data access) — retained for 90 days
2. How We Use Your Data
- Purchase order processing — extracting data from uploaded documents, matching products to your Shopify catalog, and creating draft orders
- AI-powered extraction — uploaded PO content (text and images) is sent to AI models to extract structured order data (see Section 3)
- Customer matching — comparing extracted contact info against your Shopify customer database to find or create customer records
- Account management — authentication, password changes, and settings storage
- Security — detecting unauthorized access, rate limiting, and audit logging
We do not use your data for advertising, analytics profiling, or any purpose unrelated to purchase order processing.
3. Third-Party AI Services
Important: The app sends your data to third-party AI services
for processing. By using the app, you acknowledge and accept the data sharing
described below.
To extract data from purchase orders and match products, the app sends
information to third-party AI providers. This includes:
- Purchase order content (extracted text and page images from uploaded documents)
- Your Shopify product catalog (names, SKUs, descriptions, prices)
- Customer information from your Shopify store (names, emails, addresses)
- Your business information and custom AI instructions from Settings
AI providers we may use
The app currently uses and may use any of the following AI services, and may
add additional providers in the future:
How AI providers handle your data
Once data is sent to a third-party AI provider, it is governed by that
provider's own privacy policy and terms of service. We have no control
over how AI providers store, process, use, or retain your data after
it is transmitted to them. Specifically:
- Model training: AI providers may use data submitted through
their APIs to train, improve, or fine-tune their models. This means your
purchase order content, customer information, and product data could be
incorporated into AI training datasets and may influence model outputs
provided to other users. While some providers offer opt-out mechanisms or
enterprise tiers with different data policies, we cannot guarantee that
your data will not be used for training.
- Data retention: AI providers may retain your data for
varying periods according to their own policies, even after we no longer
need it.
- Data exposure: Information processed by AI models may
theoretically surface in outputs provided to other users of the same AI
service. We cannot prevent or control this.
Your responsibility
By using the app, you acknowledge that sensitive business data (customer names,
addresses, emails, order details, product information) will be shared with
third-party AI services. If you have confidentiality obligations regarding this
data, you should evaluate whether use of this app is appropriate.
4. Shopify
We connect to your Shopify store via their API to read products and customers,
and to create draft orders. Data exchanged with Shopify is governed by
Shopify's Privacy Policy.
We request only the permissions necessary for the app to function:
product read/write, customer read/write, and draft order read/write.
We do not sell, rent, or share your data with any parties other than those listed above.
5. Data Security
- Encryption in transit — all connections use HTTPS/TLS
- Passwords — bcrypt hashed (one-way; cannot be retrieved)
- Shopify API tokens — AES-256-GCM encrypted at rest
- Session cookies — HttpOnly, SameSite=Lax, Secure flag in production
- CSRF protection — token-based validation on all state-changing requests
- Rate limiting — authentication endpoints are rate-limited to prevent brute-force attacks
- Security headers — Content-Security-Policy, HSTS, X-Frame-Options, and others on every response
- Audit logging — authentication and data access events are logged for security review
Data not encrypted at rest
The following data is stored without encryption at rest. While access is
protected by authentication and server-level controls, the data itself is
stored in plaintext:
- Uploaded purchase order PDF files
- Extracted PO data (JSON files containing order details, customer names, addresses, emails)
- User settings, including payment/remittance instructions (which may contain bank account details)
- Custom AI instructions
- Audit log files (which may contain usernames, IP addresses, and action metadata)
6. Data Retention
- Account data — retained until you delete your account
- Purchase order files and extracted data — retained until you delete your account
- Audit logs — automatically deleted after 90 days
- OAuth states — temporary, automatically cleaned up after 5 minutes
7. Your Rights
You have the right to:
- Access your data — view your settings, connected stores, and processed PO history through the app
- Delete your account — available in the Account tab. This permanently removes your user record, settings, connected store credentials, and associated data from our database
- Disconnect your store — remove the Shopify connection at any time from Settings, which deletes the stored API token
- Opt out of AI processing — you can stop using the app at any time. No data is processed without your explicit action (uploading a PO)
Limitation on deletion: Deleting your account removes data from
our systems, but it cannot recall data already transmitted to third-party AI
providers. Data previously sent to AI services for processing may be retained
by those providers according to their own policies, and we have no ability to
delete it from their systems.
Automated decision-making: The app uses AI to extract data from
purchase orders and suggest product matches. These suggestions are always presented
for your review before any action is taken in Shopify. No automated decisions with
legal or significant effects are made without human review.
8. Cookies & Sessions
We use a single session cookie for authentication. This cookie is essential for
the app to function (keeping you logged in). We do not use advertising cookies,
tracking pixels, or third-party analytics.
9. Data Processing for Shopify Merchants
When you connect your Shopify store, the app accesses customer personal data
(names, emails, addresses) solely to match purchase order contacts against
your existing Shopify customers and to populate draft orders. This data is:
- Accessed only when you initiate a PO processing action
- Used only for customer matching and draft order creation
- Not stored beyond what is necessary for the processed purchase order
- Shared with third-party AI providers (see Section 3) as part of the extraction process, and with Shopify (your own store) for order creation
10. Children's Privacy
This app is a B2B tool designed for business use. We do not knowingly collect
data from anyone under the age of 18.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated
through the app. The "Last updated" date at the top reflects the most recent revision.
12. Contact
If you have questions about this privacy policy or your data, contact us: