Privacy Policy
Last updated: June 3, 2026
B2B Guardrail is a Shopify app that monitors and protects the B2B and wholesale pricing of your store. This policy explains what data the app processes, why, and the rights you have over it. We keep our data footprint deliberately small: we operate on store-level configuration, not on your individual customers’ personal data.
1. Data Controller
The controller responsible for processing this data is:
Bweb Studio (Romina Sanchez)
Madrid, Spain
Contact: privacy@bwebstudio.com
If you are located in the European Economic Area, the relevant supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD).
2. Information We Collect
When you install B2B Guardrail we collect and store the following store-level data:
Store account data
- Your store’s myshopify domain and Shopify shop ID.
- Your current plan tier (Free, Starter, or Pro).
- The OAuth access token Shopify issues to the app, stored encrypted at rest and used only to read the store resources you authorized.
- Optional alert settings you configure: a notification email address and/or a Slack webhook URL.
- Your monitoring preferences (check interval, whether monitoring is active) and install/update timestamps.
Audit and findings data
- Audit records: timestamps, what triggered each audit (install, manual, scheduled, or webhook), its status, the computed health score, and the number of findings.
- Findings: details about your store’s B2B and wholesale pricing configuration: affected product IDs, the type and severity of each issue (e.g. price leaks or rule conflicts), and our recommendations. These describe your store’s configuration, not your customers.
- Alert records: delivery status of the notifications we send to your configured email or Slack.
- Compliance requests: an audit trail of the mandatory GDPR webhooks Shopify sends us (data request, customer redaction, and shop redaction), kept to demonstrate compliance.
3. Data We Do Not Collect
- We do not store your customers’ personal data. The app requests the read_customers permission to analyze B2B and wholesale customer pricing while an audit runs, but that customer data is processed transiently in memory to produce findings and is never written to our database. We persist only product and price-rule references.
- We never see your payment details. Billing is handled entirely by Shopify through Shopify App Pricing; we do not collect or store any payment card data.
- We do not use advertising or tracking cookies, and we do not sell or rent any data.
4. How We Use Data
We process the data above solely to operate the app, specifically to:
- Run audits and detect B2B price leaks, rule conflicts, and pricing drift.
- Send you alerts about critical findings via email or Slack.
- Manage your subscription tier and the features available to it.
- Maintain the security and integrity of the service.
5. Legal Basis for Processing
Under the GDPR, we rely on the performance of a contract (providing the app you installed), our legitimate interest in operating and securing the service, and compliance with legal obligations (such as Shopify’s mandatory data-protection webhooks).
6. Sub-processors and Data Sharing
We share data only with the infrastructure providers required to run the app. We do not sell, rent, or trade your data.
- Shopify Inc.: the platform that authenticates the app (OAuth), provides store data via its API, and processes billing.
- Supabase: managed PostgreSQL database hosting, in the European Union region.
- Vercel: application hosting and serverless execution.
- Slack: only if you configure a Slack webhook, used to deliver the alerts you opt into.
7. International Transfers
Your store data is stored within the European Union. Where a sub-processor processes data outside the EEA, that transfer is covered by appropriate safeguards such as the European Commission’s Standard Contractual Clauses.
8. Data Retention and Deletion
We retain your store data for as long as the app is installed. When you uninstall B2B Guardrail, Shopify notifies us and we delete your store’s data (audits, findings, and alerts are removed together with the store record). Approximately 48 hours after uninstall, Shopify also sends a shop redaction request, which we honor to guarantee complete deletion. You may request deletion of your data at any time by contacting us.
9. Your Rights
If you are in the European Economic Area, you have the right to access, rectify, erase, restrict, or port your data, and to object to its processing. To exercise any of these rights, email privacy@bwebstudio.com. You also have the right to lodge a complaint with the AEPD or your local supervisory authority.
10. Security
We protect your data with industry-standard measures: OAuth access tokens are stored encrypted at rest, all traffic is served over HTTPS, and every webhook we receive from Shopify is verified with an HMAC signature before it is processed.
11. Children’s Privacy
B2B Guardrail is a business tool for Shopify merchants and is not directed to children. We do not knowingly collect data from anyone under the age of 16.
12. Changes to This Policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above. Material changes will be communicated through the app or by email where appropriate.
13. Contact
For any question about this policy or your data, contact Bweb Studio at privacy@bwebstudio.com.