Last updated: May 2026
Keystone B2B ("we", "our", or "us") operates a Shopify application that helps merchants sync their store data with our platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Shopify app.
By installing and using our app, you agree to the collection and use of information in accordance with this policy.
When you install our app, we collect only the information necessary to provide our services through Shopify's APIs. Below we explain what data we collect and the specific purpose for each data type:
| Data | Purpose |
|---|---|
| Store name and domain | To identify your store and display it in your dashboard |
| Store owner email | To create your admin account and send important notifications |
| Store plan type | To enable features appropriate to your Shopify plan (e.g., B2B) |
| Currency and timezone | To display data in your preferred format and generate accurate reports |
| Data | Purpose |
|---|---|
| Order numbers and amounts | To track sales, generate reports, and calculate commissions |
| Line items | To provide product-level sales analytics and inventory insights |
| Shipping and fulfillment status | To track order progress and send shipment notifications |
| Payment status | To reconcile payments and generate accurate financial reports |
| Data | Purpose |
|---|---|
| Product titles and SKUs | To identify products in orders and generate sales reports |
| Pricing information | To calculate margins, commissions, and revenue analytics |
| Inventory levels | To provide inventory visibility and availability information |
| Product variants | To enable detailed size/color level reporting and ordering |
The following data is classified as protected customer data under Shopify's policies and receives additional security protections:
| Data | Purpose |
|---|---|
| Customer names | To identify customers and personalize communications |
| Email addresses | To send order confirmations and shipment notifications |
| Phone numbers | For shipping carrier requirements and urgent delivery notifications |
| Shipping addresses | To fulfill orders and calculate shipping costs |
| Billing addresses | To generate invoices and process payments |
| Order history | To provide customer purchase analytics and reorder suggestions |
| B2B company associations | To manage wholesale accounts and company-level purchasing |
We only collect and process the minimum data necessary to provide our services. We do not collect or store sensitive information such as payment card details, Social Security numbers, or government IDs. Payment processing is handled entirely by Shopify.
We use the collected information to:
We take the security of your data seriously. Your information is:
We use Supabase for data storage, which employs encryption at rest and in transit. Access tokens are stored securely and are only used to communicate with Shopify's APIs on your behalf.
We retain different types of data for different periods based on business necessity and legal requirements:
| Data Type | Retention Period |
|---|---|
| Active merchant data | Duration of app installation |
| Customer data after uninstall | Deleted within 30 days of erasure request |
| Compliance and audit logs | 7 years (legal requirement) |
| System logs | 90 days |
When you uninstall the app:
Under applicable data protection laws (including GDPR and CCPA), you have the right to:
To exercise any of these rights, please contact us at privacy@keystoneb2b.io. Storefront customers should typically contact the merchant whose store they purchased from; Shopify forwards such requests to us via the customers/data_request webhook and we deliver the gathered data to the merchant within 30 days.
We use the following third-party services to process your data. Each sub-processor is contractually bound to protect your data:
| Service | Purpose | Location |
|---|---|---|
| Shopify | Accessing your store data via APIs | United States |
| Supabase | Secure database and authentication | United States |
| Vercel | Application hosting | United States |
| AWS EventBridge | Real-time webhook processing | United States |
Each sub-processor maintains SOC 2 certification and encryption standards. We have Data Processing Agreements in place with all sub-processors.
By using our app, you enter into a Data Processing Agreement (DPA) with us that governs our processing of personal data on your behalf. The DPA includes Standard Contractual Clauses for international data transfers and details our security measures. For a copy of the DPA, please contact us at privacy@keystoneb2b.io
Our app uses essential cookies to manage your session during the installation and onboarding process. These cookies are necessary for the app to function and do not track you across other websites. We do not use advertising or analytics cookies.
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the app after any changes constitutes acceptance of the new policy.
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@keystoneb2b.io
Support: support@keystoneb2b.io