1. Introduction
This Privacy Policy describes how Zilancer LLC ("we", "us", "our") collects, uses, stores, and protects personal information in connection with the ZS B2B Gateway application ("the App") for the Shopify platform.
This policy applies to two groups of people: (a) Shopify merchants who install and use the App on their store, and (b) wholesale applicants — the customers of those merchants who submit wholesale applications through the App on the merchant's storefront.
Quick summary: We collect only the data needed to make the App work — merchant settings, wholesale applications submitted on your store, and standard technical logs. We don't sell your data, we don't show ads, and we don't profile your customers. You stay in control.
Who we are
- Data controller: Zilancer LLC
- Registered in: United States of America
- Contact email: contact@zilancer.com
- Privacy inquiries: contact@zilancer.com
2. Information we collect
From Shopify merchants
When you install ZS B2B Gateway on your Shopify store, we receive the following information from Shopify through their API:
- Shop domain (e.g., yourstore.myshopify.com)
- Shop owner email and primary contact name
- Shop plan (Plus, Standard, etc.) and country
- Currency, locale, and timezone settings
- Catalogs, publications, and customer segments (read access only — required to assign wholesale customers and sync segments)
- Customer records created or updated by the App during approval workflows
- Discount and price rule data created by the App on your behalf
We also store any preferences and settings you configure inside the App (form fields, pricing rules, tagging rules, email templates, visibility rules, etc.).
From wholesale applicants
When a customer submits a wholesale application on a merchant's storefront, we collect the data they enter into the form:
- Contact information: first name, last name, email address
- Company information: company name and any custom fields the merchant configured (tax ID, business type, country, annual revenue, etc.)
- Uploaded files: documents such as resale certificates, tax forms, or business licenses (if the merchant enables file upload fields)
- Submission metadata: IP address, user agent (browser), referrer URL, timestamp
This data is stored on behalf of the merchant — they are the data controller for these records, and we act as a data processor.
Technical and usage data
Like most web applications, our servers automatically collect technical information when the App is used:
- Server access logs (request URL, timestamp, response status)
- Error logs and exception traces (for debugging)
- Performance metrics (response times, database query durations)
- Authentication events (login, session creation, token refresh)
We do not use third-party advertising trackers, fingerprinting libraries, or session replay tools inside the App.
3. How we use information
We use the information we collect for the following purposes:
- Service delivery — to operate the App, process wholesale applications, sync customer tags and segments, create Shopify discounts, and deliver transactional emails to merchants and applicants.
- Notifications — to send approval emails, rejection emails, application receipts, and merchant admin notifications via our email provider.
- Security & abuse prevention — to monitor for fraud, spam submissions, brute-force attacks, and other malicious activity.
- Service improvement — to fix bugs, improve performance, and develop new features. We use only aggregated and anonymized data for this purpose.
- Legal compliance — to comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
- Customer support — to respond to merchant questions and troubleshoot issues.
We do not use your data — or your customers' data — for advertising, profiling, automated decision-making with legal consequences, training AI/ML models, or selling to third parties.
4. Legal basis for processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our legal basis for processing your personal data depends on the data and the context:
- Performance of a contract — to provide the App's core functionality as agreed in our Terms of Service.
- Legitimate interest — for service improvement, security, and limited operational analytics that don't override your rights.
- Legal obligation — when required by applicable law (tax records, lawful enforcement requests).
- Consent — for any optional processing that requires consent (such as marketing emails, if applicable). You can withdraw consent at any time.
5. Sub-processors
To operate the App, we use a small number of trusted third-party service providers. Each is contractually bound to protect your data and act only on our instructions.
| Sub-processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | App platform, OAuth authentication, customer and order data exchange | Canada / Global |
| Fly.io | Application hosting and compute infrastructure | United States / EU |
| Neon | PostgreSQL database hosting (encrypted at rest) | United States / EU |
| Upstash | Redis queue for background jobs (approval processing, email delivery) | United States / EU |
| Cloudflare R2 | File storage for documents uploaded through wholesale forms | Global edge network |
| Resend | Transactional email delivery (application receipts, approvals, rejections, admin notifications) | United States |
Each sub-processor is selected for its security standards, data protection commitments, and compliance with GDPR/SCCs where applicable. We will update this list when we add or change sub-processors.
6. Data sharing and disclosure
We do not sell personal data. We share personal data only in the limited circumstances below:
- With Shopify — application data, customer records, tags, segments, and discount rules are written back to your Shopify store. This is the App's core function.
- With sub-processors — as listed in Section 5, strictly to deliver the service.
- Legal compliance — when required by valid legal process (subpoena, court order). We will notify you when permitted by law.
- Business transfer — in the event of a merger, acquisition, or sale of Zilancer LLC, your data may transfer to the successor entity under the same privacy commitments.
- With your consent — in any other case where you have specifically asked us to share data.
7. Data retention
We keep data only as long as needed for the purposes outlined in this policy:
- Merchant settings: Retained while the App is installed. Deleted within 48 hours of uninstall.
- Wholesale applications: Retained while the merchant has the App installed, or as long as the merchant chooses to keep them. Deleted on uninstall (see below).
- Uploaded files: Stored in Cloudflare R2 for the duration of the merchant's subscription. Deleted on uninstall.
- Server logs: 30 days, then rotated and deleted.
- Database backups: 90 days, encrypted, then deleted.
- Audit logs: 12 months for security and compliance review.
When a merchant uninstalls the App, we honor Shopify's mandatory webhook flow: within 48 hours of uninstall we trigger deletion of all personal data associated with the shop, except where retention is required by law (such as billing records).
A merchant can also request earlier or full data erasure at any time by emailing contact@zilancer.com.
8. Data security
We implement industry-standard security measures to protect personal data against unauthorized access, alteration, disclosure, and destruction:
- Encryption in transit — All connections to the App use TLS 1.2 or higher.
- Encryption at rest — Databases and file storage are encrypted at rest using AES-256.
- Access controls — Production access is limited to authorized engineers with multi-factor authentication.
- Secrets management — API keys and credentials are stored in encrypted secret managers, never in source code.
- Webhook verification — All Shopify webhooks are HMAC-verified before processing.
- OAuth scopes — The App requests only the minimum scopes needed for its features.
- Vulnerability monitoring — Dependencies are regularly scanned for known vulnerabilities, with security patches applied promptly.
No system is 100% secure. If we ever discover a breach affecting your personal data, we will notify affected merchants and, where applicable, supervisory authorities within 72 hours, as required by GDPR.
9. Your rights
Depending on your location, you may have the following rights regarding your personal data:
GDPR (EU, UK, EEA, Switzerland)
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your data.
- Right to restrict processing — limit how we use your data in specific cases.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to lodge a complaint — with your local supervisory authority (in the EU, your national Data Protection Authority).
CCPA / CPRA (California, USA)
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell personal information.
- Right to non-discrimination for exercising your rights.
How to exercise your rights
Send a written request to contact@zilancer.com with the subject line "Privacy Request" and include enough information for us to identify you. We will respond within 30 days (or as required by applicable law).
Wholesale applicants: If you submitted a wholesale application on a merchant's store and want your data deleted, please contact the merchant first — they are the controller of your application data. We will assist the merchant in fulfilling your request.
10. International data transfers
ZS B2B Gateway is operated from the United States, and some sub-processors are located in the US, EU, and other jurisdictions. When personal data is transferred outside your country of residence, we rely on appropriate safeguards including:
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA to non-adequate countries.
- UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom.
- Adequacy decisions where the destination country offers an equivalent level of protection under EU law.
You can request a copy of the safeguards we use by emailing us.
12. Children's privacy
ZS B2B Gateway is a business-to-business tool intended for use by Shopify merchants and their wholesale customers. The App is not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided personal data to us, please contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify merchants by email and through the App's admin interface.
- Maintain a versioned changelog of significant revisions, available on request.
Continued use of the App after a policy update constitutes acceptance of the revised policy. If you do not agree with the changes, you may uninstall the App and request deletion of your data.
14. Contact us
If you have any questions about this Privacy Policy, want to exercise your rights, or report a concern, please contact us:
- General privacy inquiries: contact@zilancer.com
- Data subject requests: contact@zilancer.com (subject: "Privacy Request")
- Security reports: contact@zilancer.com (subject: "Security")
- Postal address: Zilancer LLC (available on request)
Still have questions?
Our team replies to every privacy inquiry within 2 business days. We're happy to walk you through our data practices in detail.
📩 contact@zilancer.com