Draper: B2B Wholesale Pricing
Privacy Policy
Effective date: 2026-07-07
This Privacy Policy explains how Aniruddha Kale ("we", "us", "the developer") handles information in connection with the Shopify app Draper: B2B Wholesale Pricing ("Draper", "the App"). It applies to the App only, and not to any Shopify store, website, or service that uses it.
Draper adds wholesale pricing, quotes, net payment terms, and B2B onboarding to a merchant's existing Shopify store. To provide those features the App accesses and stores certain information from the merchant's Shopify store and from that store's buyers. This policy describes what we access, why, where it is stored, how long we keep it, and the rights available to the people the data concerns.
1. Our role
- The merchant is the data controller. When a store installs Draper, the merchant decides what wholesale features to run and remains the controller of its customers' personal data.
- We act as a data processor (service provider). We access and process store and buyer data only to provide the App's features to that merchant, on the merchant's instructions, and never for our own independent purposes.
- We do not sell personal information, and we do not use it for advertising, profiling, or any purpose unrelated to operating the App.
If you are a buyer on a store that uses Draper and want to exercise a privacy right, please contact that store directly — they are the controller of your data. We will assist the merchant with any such request (see Section 10).
2. Information we access and process
2.1 Store and account data (from the merchant)
When the App is installed, Shopify provides, and we store, the information the App needs to authenticate and operate:
- The store's myshopify.com domain and Shopify-issued access token (used to make authorized API calls on the merchant's behalf).
- App configuration the merchant creates: price lists, discount rules, volume and order-value tiers, quantity rules, shipping overrides, catalog visibility rules, and the internal IDs of the Shopify discount/validation objects the App manages.
2.2 Store catalog and order data (accessed via Shopify APIs)
To calculate wholesale prices and power buyer tools, the App reads the following from the merchant's store through Shopify's Admin API, under the permissions the merchant grants at install:
- Products and variants (
read_products) — titles, prices, and collection membership, to build and display pricing rules. This contains no personal data. - Customers (
read_customers,write_customers) — a customer's ID, name, email, and tags, used to determine which wholesale price list applies to a buyer, to display the correct prices, to auto-tag approved wholesale applicants, and (where the merchant enables it) to set a customer's Shopify tax-exempt flag. This is Protected Customer Data — see Section 2.5. - Orders (
read_orders) — a signed-in buyer's recent order history (the most recent orders, limited by Shopify to roughly the last 60 days) is read on demand to power the "Reorder" feature. We do not store this order history. - Draft orders, discounts, payment terms, validations, and
delivery customizations (
write_draft_orders,write_discounts,write_payment_terms,write_validations,write_delivery_customizations) — used to apply wholesale pricing at checkout, create net-terms and quote orders, and enforce order minimums and quantity rules. These operations carry order and pricing data, not additional personal data beyond the customer already associated with the order.
2.3 Buyer-submitted data (from the storefront)
When a buyer uses one of the App's storefront features, they submit information directly to the App through Shopify's authenticated app-proxy. We store:
- Quote requests — business name, contact name, email, phone number, and any note the buyer writes, plus the buyer's Shopify customer ID if they are signed in.
- Wholesale applications — company name, contact name, email, phone number, an optional self-declared Tax ID / VAT number, and any note.
- Shopping lists — a signed-in buyer's saved list of products, associated with their Shopify customer ID.
2.4 Technical and diagnostic data
- The App logs operational events and errors (for example, a failed sync or a server error) to help us keep the App reliable. Error reports are sent to our error-monitoring provider (see Section 7) configured to exclude personal data — request query strings and buyer identifiers are stripped before an error is recorded.
- The App's storefront scripts use the browser's short-lived
sessionStorageto cache product data within a single browsing session for performance. This is cleared when the tab closes and is not used for tracking.
2.5 Protected Customer Data
Shopify classifies customer names, emails, and related fields as Protected Customer Data. Draper accesses this data solely to:
- resolve which wholesale price list applies to a customer (by their tags or by the specific customers a merchant targets),
- display the correct wholesale prices and net-terms options to that customer,
- let the merchant search for and select customers when building a price list,
- auto-tag and (optionally) set tax exemption for approved wholesale applicants.
We process the minimum fields needed for these purposes, do not use Protected Customer Data for any other purpose, and do not share it with third parties except the infrastructure providers listed in Section 7, which act on our behalf.
2.6 Information we do not collect
- We never access, store, or process payment card numbers or financial account details — all checkout and payment is handled by Shopify.
- We do not build advertising or cross-site tracking profiles.
- We do not collect data from stores that have not installed the App.
3. How we use information
We use the information described above only to:
- authenticate the App and make authorized API calls to the merchant's store;
- calculate and display per-customer wholesale pricing, volume and order-value discounts, and net payment terms;
- accept, store, and manage quote requests, wholesale applications, and shopping lists on the merchant's behalf;
- enforce order minimums and quantity rules and apply shipping overrides at checkout;
- operate, secure, debug, and improve the App.
4. Legal bases for processing (GDPR / UK GDPR)
Where the EU/UK GDPR applies, we process personal data as a processor acting on the merchant's instructions. The merchant, as controller, is responsible for establishing a legal basis for the processing — typically the performance of a contract with its business customers, its legitimate interests in operating a wholesale channel, or consent where required. We process the data only as needed to provide the App and to meet our legal obligations.
5. Where data is stored
- App data is stored in a PostgreSQL database hosted by our infrastructure provider (Railway) on servers located in the United States.
- The developer is based in India.
- If you access the App from outside the United States, your information may be transferred to and processed in the United States. See Section 8.
6. Data security
We take reasonable and appropriate measures to protect the information we process, including:
- all data transmitted over encrypted HTTPS/TLS connections;
- storefront requests authenticated by Shopify's signed app-proxy HMAC, and admin requests authenticated by Shopify OAuth session tokens;
- buyer-specific data scoped and queried per store and per customer, so one store or buyer cannot read another's data;
- error reports configured to exclude personal data;
- access to production systems limited to the developer.
No method of transmission or storage is completely secure, but we work to protect information consistent with industry practice.
7. Sharing and subprocessors
We do not sell or rent personal information. We share information only with the service providers ("subprocessors") that host and operate the App on our behalf, and only to the extent needed to run it:
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Shopify | Hosts the merchant's store and the platform the App runs on; source and destination of all store/buyer data. | All store, customer, and order data, per the app's permissions. |
| Railway | Application and PostgreSQL database hosting (United States). | All data the App stores (Section 2.1–2.3). |
| Sentry | Error and crash monitoring. | Diagnostic error data with personal data excluded (Section 2.4). |
Each subprocessor is bound by its own data-protection and security obligations. We may also disclose information if required by law, to protect our legal rights, or in connection with a business transfer, in which case we will require the recipient to honor this policy.
8. International transfers
The App and its database are hosted in the United States. Where personal data of individuals in the EU, UK, or other regions is transferred to the United States, that transfer is carried out under the safeguards our subprocessors provide (such as Standard Contractual Clauses) and as instructed by the merchant controller.
9. Data retention and deletion
- Merchant-managed data (quotes, wholesale applications, price lists, and related configuration) is retained until the merchant deletes it in the App or the App is uninstalled.
- On uninstall, the App deletes the store's session and
configuration, and Shopify sends a
shop/redactrequest (approximately 48 hours later) upon which we erase all remaining data for that store, including all quotes, wholesale applications, shopping lists, visibility rules, price lists, and configuration. - Per-customer erasure: when a merchant or Shopify sends
a
customers/redactrequest, we delete all data we hold about that specific customer (their quotes — whether they were signed in or a guest — their wholesale application, and their shopping lists), matched by customer ID and email. - Data-access requests: when Shopify sends a
customers/data_request, the merchant can view all data the App holds about that customer directly in the App's admin (Quotes and Applications pages) and provide it to the customer.
These deletions are automatic and require no manual step from the merchant.
10. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing, under laws such as the GDPR/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA). Because we act as a processor:
- Merchants can exercise these rights, and request export or deletion of their store's data, by contacting us at anikale@gmail.com — and can delete most data directly within the App.
- Buyers should contact the store they purchased from (the controller of their data). We will support the merchant in fulfilling any verified request, including deletion via the mechanisms in Section 9.
We do not sell personal information, so there is no "sale" to opt out of under the CCPA. We will not discriminate against anyone for exercising a privacy right.
11. Children
The App is a business-to-business tool intended for merchants and their business customers. It is not directed to children, and we do not knowingly collect personal data from anyone under the age of 16.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" above and, where appropriate, notify merchants through the App or the App Store listing. Continued use of the App after a change takes effect constitutes acceptance of the updated policy.
13. Contact us
For any question about this policy or about how the App handles data, or to make a privacy request, contact:
Aniruddha Kale
Email: anikale@gmail.com
Draper is an independent application and is not created, endorsed, or supported by Shopify. Shopify is a trademark of Shopify Inc.