Draper: B2B Wholesale Pricing

Privacy Policy

Effective date: 2026-07-07

This Privacy Policy explains how Aniruddha Kale ("we", "us", "the developer") handles information in connection with the Shopify app Draper: B2B Wholesale Pricing ("Draper", "the App"). It applies to the App only, and not to any Shopify store, website, or service that uses it.

Draper adds wholesale pricing, quotes, net payment terms, and B2B onboarding to a merchant's existing Shopify store. To provide those features the App accesses and stores certain information from the merchant's Shopify store and from that store's buyers. This policy describes what we access, why, where it is stored, how long we keep it, and the rights available to the people the data concerns.

1. Our role

If you are a buyer on a store that uses Draper and want to exercise a privacy right, please contact that store directly — they are the controller of your data. We will assist the merchant with any such request (see Section 10).

2. Information we access and process

2.1 Store and account data (from the merchant)

When the App is installed, Shopify provides, and we store, the information the App needs to authenticate and operate:

2.2 Store catalog and order data (accessed via Shopify APIs)

To calculate wholesale prices and power buyer tools, the App reads the following from the merchant's store through Shopify's Admin API, under the permissions the merchant grants at install:

2.3 Buyer-submitted data (from the storefront)

When a buyer uses one of the App's storefront features, they submit information directly to the App through Shopify's authenticated app-proxy. We store:

2.4 Technical and diagnostic data

2.5 Protected Customer Data

Shopify classifies customer names, emails, and related fields as Protected Customer Data. Draper accesses this data solely to:

We process the minimum fields needed for these purposes, do not use Protected Customer Data for any other purpose, and do not share it with third parties except the infrastructure providers listed in Section 7, which act on our behalf.

2.6 Information we do not collect

3. How we use information

We use the information described above only to:

4. Legal bases for processing (GDPR / UK GDPR)

Where the EU/UK GDPR applies, we process personal data as a processor acting on the merchant's instructions. The merchant, as controller, is responsible for establishing a legal basis for the processing — typically the performance of a contract with its business customers, its legitimate interests in operating a wholesale channel, or consent where required. We process the data only as needed to provide the App and to meet our legal obligations.

5. Where data is stored

6. Data security

We take reasonable and appropriate measures to protect the information we process, including:

No method of transmission or storage is completely secure, but we work to protect information consistent with industry practice.

7. Sharing and subprocessors

We do not sell or rent personal information. We share information only with the service providers ("subprocessors") that host and operate the App on our behalf, and only to the extent needed to run it:

SubprocessorPurposeData involved
Shopify Hosts the merchant's store and the platform the App runs on; source and destination of all store/buyer data. All store, customer, and order data, per the app's permissions.
Railway Application and PostgreSQL database hosting (United States). All data the App stores (Section 2.1–2.3).
Sentry Error and crash monitoring. Diagnostic error data with personal data excluded (Section 2.4).

Each subprocessor is bound by its own data-protection and security obligations. We may also disclose information if required by law, to protect our legal rights, or in connection with a business transfer, in which case we will require the recipient to honor this policy.

8. International transfers

The App and its database are hosted in the United States. Where personal data of individuals in the EU, UK, or other regions is transferred to the United States, that transfer is carried out under the safeguards our subprocessors provide (such as Standard Contractual Clauses) and as instructed by the merchant controller.

9. Data retention and deletion

These deletions are automatic and require no manual step from the merchant.

10. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing, under laws such as the GDPR/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA). Because we act as a processor:

We do not sell personal information, so there is no "sale" to opt out of under the CCPA. We will not discriminate against anyone for exercising a privacy right.

11. Children

The App is a business-to-business tool intended for merchants and their business customers. It is not directed to children, and we do not knowingly collect personal data from anyone under the age of 16.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" above and, where appropriate, notify merchants through the App or the App Store listing. Continued use of the App after a change takes effect constitutes acceptance of the updated policy.

13. Contact us

For any question about this policy or about how the App handles data, or to make a privacy request, contact:

Aniruddha Kale
Email: anikale@gmail.com

Draper is an independent application and is not created, endorsed, or supported by Shopify. Shopify is a trademark of Shopify Inc.