Privacy Policy
Last updated: 2026-07-16
B2B Triage is a Shopify app that lets a merchant publish a wholesale registration form, review the applications it receives, and — on approval — create the corresponding native Shopify B2B records. This page describes exactly what data the app handles, where it is stored, who else touches it, and how it is deleted.
The app is operated by Human After All. For anything on this page, contact us.
Our role
The merchant who installs B2B Triage decides what their registration form asks for and what happens to the applications. In data-protection terms the merchant is the controller and we are a processor acting on their instructions. If you applied for a wholesale account with a store, that store is the party that holds your relationship — and the first place to send a request about your data. We will act on any request they pass to us, and you can also contact us directly using the form above.
What the app stores
Applicant data (from the registration form)
When someone submits a wholesale registration form, we store the submission. The merchant builds the form, so the merchant decides the fields, and the app supports fields that commonly carry personal and business data:
- Name, email address, and phone number
- Company name, business address, and country
- Tax and VAT registration identifiers
- Any additional fields the merchant added to their own form, plus their answers
Some of this belongs to people who are not Shopify customers and may never become one — an application that is still pending, or that was declined, is data we hold and the merchant’s Shopify store does not. That is why the app answers data requests and deletion requests itself rather than deferring to Shopify, and it is described under Your rights below.
Merchant and store data
- The store’s
myshopify.comdomain - Form definitions and settings the merchant creates
- An audit record of approval decisions: which staff member decided, when, and which Shopify records were created
- A Shopify access token, so the app can act in the store. This token is encrypted by us with AES-GCM before it is stored.
What the app does not store
- Passwords. The app does not offer a password field and never collects one. Approved applicants set their own password through Shopify’s own account-activation email.
- Payment details. The app never sees or handles them.
- Uploaded files. The current version does not store files. If file uploads are enabled in a future version, files will be stored in Cloudflare R2 and this page will be updated before that ships.
- Visitor IP addresses. See below.
- Analytics or advertising trackers, on the storefront form or anywhere else. There are none. We do not sell data, and we do not use it to train models.
IP addresses and bot protection
To stop a single script from flooding a merchant’s form, the app rate-limits submissions. It does this without storing the IP address: the address is hashed (SHA-256, with a salt unique to each store) the moment the request arrives, and only that hash is used as a counter key. The hash expires within about a minute. The IP itself is never written to a database and never written to a log.
The applicant’s browser loads nothing from any third party when it renders the form. There is no CAPTCHA widget, no analytics, no tracker, no font, and no script from any other company. Spam is handled by a hidden field that real applicants never see and by the rate limit described above — both run on our own server, and neither profiles anybody.
Where data is stored, and who processes it
| Processor | What it handles |
|---|---|
| Cloudflare (Workers, D1, KV) | Runs the app and stores every record described above. Form submissions and audit records live in Cloudflare D1; rate-limit counters live in Cloudflare KV. |
| Shopify | The merchant’s store. On approval, the app writes customer and company records into it (see below). |
| Cloudflare Email Sending | Delivers the app’s emails. It receives the recipient’s email address and the content of the message — nothing else from the application. It is listed separately from the row above because it is a different service doing a different thing: sending a message out to an inbox, rather than storing a record. It is operated by the same company, so no additional company receives your data. See Emails the app sends below. |
There are no other sub-processors. The app uses no analytics provider and no advertising network. No company other than Cloudflare and Shopify handles this data. Until July 2026 the app was built to send its email through Postmark, a separate provider; that was changed before the app was released and no application data was ever sent to them.
Emails the app sends
The app can send up to three emails, and a merchant chooses which ones their form sends. All of them are off unless the merchant turns them on.
- A confirmation to the applicant when they submit. It does not repeat their answers back to them.
- A notification to the merchant’s staff that an application is waiting. It contains the applicant’s email address and a link to the application in the merchant’s Shopify admin — not their address, tax identifier, or other answers.
- A message to a declined applicant, written by the merchant. The app does not write it and does not add a reason of its own.
The app never sends email as the merchant’s own domain. Messages come from an address belonging to B2B Triage and are labelled as sent on the store’s behalf; replies go to the store’s contact address. We do this so that no merchant has to hand us control of their domain’s email, and so that nobody receiving one of these messages is misled about who sent it.
A fourth email — the account invitation sent when an application is approved — is sent by Shopify, from the merchant’s own store, and does not pass through the app or through Cloudflare Email Sending.
These messages carry no tracking. There is no open-tracking pixel and no click-tracking redirect, so the app does not learn whether a message was opened or a link was followed.
🔴 An email, once sent, is outside our reach. Deleting an application from the app removes it from our systems; it cannot remove a message already delivered to someone’s inbox, and it cannot remove the delivery record the email service keeps. This is stated plainly rather than left for you to infer from the table above: it is a real limit on the deletion promise made under Your rights.
Encryption — stated precisely
- Shopify access tokens are encrypted by the app (AES-GCM) before being written to the database.
- Form submissions are not encrypted by the app. They are stored in Cloudflare D1 and protected by Cloudflare’s infrastructure controls and by the access controls on our account. We state this plainly rather than claim a protection we do not apply.
What happens when an application is approved
Approval writes native Shopify records into the merchant’s own store: a customer, a company, a company location, and the contact link between them, along with tags, payment terms, tax exemptions, and metafields derived from the application.
Those records belong to the merchant and are governed by the merchant’s privacy policy and Shopify’s, not this one. They are deliberately not tied to our app: if the merchant uninstalls B2B Triage, their companies and customers remain, because they were always theirs. The corollary is that removing our data does not remove those Shopify records — a deletion request that must also reach them has to be actioned in Shopify, by the merchant.
Tax and VAT identifiers written to metafields are configured so they are not exposed to the storefront and are visible only inside the merchant’s admin.
Retention and deletion
- While the app is installed, submissions are retained so the merchant can review pending applications and keep a record of the decisions they made — and then, 24 months after an application was last acted on, the app automatically erases the applicant’s personal data: their name, email address, phone number, business address and any tax or VAT identifier. This happens on a schedule, whether or not anyone asks. What remains afterwards is a record that carries no personal data — whether the application was approved or declined, the dates, and which staff member decided — so the merchant can still account for the Shopify records the decision created.
- When the app is uninstalled, the Shopify access token is deleted immediately. Other data is kept for a short window, because merchants reinstall and losing their forms and history on an accidental uninstall would be its own harm.
- 48 hours after uninstall, Shopify sends a
shop/redactrequest and the app deletes all remaining data for that store — forms, submissions, and audit records. - On a customer deletion request (
customers/redact), the app erases that person’s personal data as described below.
Your rights, and how the app answers them
Shopify sends every app three mandatory privacy requests. This is exactly what B2B Triage does with each one.
Request to see your data (customers/data_request)
The app finds every application matching your email address — including pending and declined ones, which exist only in our records — and records that the request arrived, together with the identifiers of the applications that answer it. The merchant can then read the full application in the app and provide it to you. Requests are actioned within 30 days.
Request to delete your data (customers/redact)
The app erases the personal data from every application matching your email address: your email, every answer you gave (including name, address, and any tax identifier), and the internal processing detail that could quote them.
What deliberately remains is an anonymous skeleton: that an application was received on a date, what was decided, by which staff member, and which company record it produced. It names no one. The merchant needs it because approval created a real business relationship — a company with pricing and payment terms — that continues to exist and that they must be able to account for. There is nothing in that skeleton that identifies you.
Store deletion (shop/redact)
Everything the app holds for that store is deleted, as described above.
Contacting us directly
Contact us through our form and we will action any access or deletion request, or pass you to the merchant where the data is theirs to release. If you are the merchant, you can also remove any application from the app at any time.
Data transfers
Cloudflare runs the app across its global network, and data may be processed outside your country. Cloudflare and Shopify each publish their own data protection terms and transfer safeguards, which govern the parts of the service they operate.
Changes
If what the app does with data changes, this page changes with it, and the date at the top moves. Material changes will be described here rather than quietly folded in.