Privacy Policy

Last updated: June 3, 2026

1. Information We Collect

WholesaleKit ("we", "us", "our") collects the following information from merchants who install our app and their wholesale buyers:

  • Merchant store domain and account owner email
  • Buyer email addresses and company names
  • Wholesale order history (items, quantities, totals)
  • Hashed passwords (never stored in plain text)
  • Sales representative names and email addresses
  • Shopify customer IDs for data synchronization

We do not collect payment card information. All payment processing is handled by Shopify.

2. How We Use Your Data

  • Process and track wholesale orders
  • Send transactional emails (order confirmations, payment reminders, invitations)
  • Manage tiered pricing and customer groups
  • Authenticate buyers and sales representatives
  • Enforce subscription tier feature access

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract performance — processing necessary to provide the wholesale ordering service you signed up for
  • Legitimate interest — security measures (rate limiting, password hashing), fraud prevention, and service improvement
  • Legal obligation — responding to GDPR data subject requests and retaining transaction records as required by law

4. Data Controller & Processor

For merchant data: WholesaleKit acts as the data controller. We determine the purposes and means of processing your store and account data.

For buyer/customer data: the merchant is the data controller and WholesaleKit acts as a data processor, processing buyer data on behalf of the merchant to provide the wholesale ordering service.

5. Data Storage & Security

Data is stored in a PostgreSQL database hosted by Neon in the United States (US-East region) with encryption at rest. Passwords are hashed using bcrypt with a cost factor of 10. All connections use TLS encryption. Session cookies are HTTP-only, SameSite=Lax, and Secure in production.

We implement rate limiting on authentication endpoints to prevent brute-force attacks and use timing-safe comparison for token validation.

6. International Data Transfers

Your data may be transferred to and processed in the United States, where our database infrastructure is hosted. If you are located in the European Economic Area (EEA), United Kingdom, or other regions with data transfer restrictions, we rely on:

  • Standard Contractual Clauses (SCCs) with our sub-processors
  • The EU-U.S. Data Privacy Framework where applicable

By using our service, you acknowledge that your data will be transferred to and processed in the United States.

7. Third-Party Services (Sub-processors)

Service   Purpose                                                Location
Shopify   Platform integration, customer and product data sync   Canada / Global
Resend    Transactional email delivery                           United States
Neon      Database hosting                                       United States
Vercel    Application hosting                                    United States

8. Cookies & Tracking

WholesaleKit uses only essential cookies required for the service to function:

  • Portal session cookie — authenticates wholesale buyers (7-day expiry)
  • Rep session cookie — authenticates sales representatives (7-day expiry)

We do not use analytics cookies, advertising trackers, or any third-party tracking scripts. We do not participate in cross-site tracking.

9. Data Retention

  • Active accounts: data is retained for the duration of your subscription
  • App uninstall: all shop data (settings, customer groups, price rules, orders, buyer accounts) is permanently deleted within 48 hours via cascading deletion
  • Buyer account deletion: individual buyer records are deleted immediately upon request via Shopify GDPR webhooks or merchant action
  • Invite tokens: expire after 7 days and are cleared on use

10. Your Rights (GDPR/CCPA/PIPEDA)

Depending on your jurisdiction, you have the right to:

  • Access — request a copy of your stored data
  • Rectification — correct inaccurate information
  • Erasure — request deletion of your data
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Non-discrimination (CCPA) — we will not treat you differently for exercising your rights

Data access and deletion requests from Shopify are handled automatically via mandatory GDPR webhooks. You may also contact us directly to exercise any of these rights. We will respond within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.

11. Do Not Sell or Share My Personal Information

WholesaleKit does not sell, rent, or share your personal information with third parties for monetary or other valuable consideration. We do not engage in cross-context behavioral advertising. This applies to all users regardless of jurisdiction.

If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to opt out of the sale or sharing of your personal information. Because we do not sell or share personal information, no opt-out action is required.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or an in-app banner at least 14 days before the changes take effect. Continued use of the App after changes constitutes acceptance.

13. Contact

For privacy-related inquiries, data subject requests, or complaints:

We aim to respond to all requests within 30 days.