Checkout AI: B2B Checkout
Privacy Policy
Effective July 6, 2026 · Smith Crafts LLC
Checkout AI: B2B Checkout (the “App”) is a Shopify app provided by Smith Crafts LLC (“we”, “us”). This policy explains what data the App accesses, why, and how we handle it. The App is an admin tool for authoring B2B checkout rules that run inside Shopify’s Functions runtime. We do not inject scripts or trackers into your storefront, and we do not store your customers’ names, postal addresses, email addresses, phone numbers, or payment details.
What we store today
- Shop identity & access tokens. Your shop domain and the offline access token Shopify issues at install, used to authenticate the App to your store. Kept while the App is installed and deleted on uninstall / shop redaction.
- Merchant-staff session data. The App uses Shopify’s Prisma session-storage adapter. Its schema includes columns for the Shopify staff user who installed or authorized the App —
userId,firstName,lastName,email,locale,accountOwner,collaborator, andemailVerified. The App itself does not read these fields for any feature; they may be populated by Shopify during authentication. They are deleted together with the rest of the shop’s sessions on uninstall and on Shopify’sshop/redactwebhook. - Rule configuration. The checkout rules you build (conditions, actions, messages) and the compiled function configuration — merchant-authored, not personal data. Published configuration lives with your store as Shopify metaobjects and function-owner metafields; the App database also stores drafts and working copies so the concierge and simulator can operate.
- B2B targeting metafields we read to run rules. Company, company location, customer tags, and the buyer-segment metafield
custom.b2bcc_segmentthat you set. These are read at rule-evaluation time. The App never requests or reads customer names, addresses, emails, or phone numbers. - Support submissions. If you send a message through the App’s help form, we store the message you typed, the shop domain, and any contact address you provided so we can reply. Optionally forwarded to a merchant-configured webhook if
B2BCC_SUPPORT_FORWARD_URLis set. - AI rule drafts (optional). If you use the draft-a-rule-with-AI feature, the rule description you type is sent to our AI sub-processor (Anthropic) to generate a draft. The text you typed and the drafted rule are stored per-store so you can review, edit, and publish them. No customer data is sent to the AI provider.
- AI usage counters and plan state. Per-shop AI call counts, the detected billing plan handle, subscription id, and the current billing-period start, used to enforce plan-based quotas.
- Review-prompt state. Whether we have already prompted you to review the App and whether you dismissed the prompt.
- Order telemetry (dormant at this time). The App’s database contains an
OrderTelemetrytable that was built to record per-order aggregates — order id and name, timestamps, totals, currency, line-item count, and derived B2B booleans. The correspondingorders/createwebhook is currently disabled inshopify.app.toml; no orders are being written to this table today. It is included here for transparency and because it is a candidate to activate once Shopify approves our PCD Level 1 request (see next section). No customer names, addresses, emails, or payment details are ever written to this table.
Revenue Leak Finder — data processing on Platinum (activates only after Shopify PCD approval)
Our forthcoming Platinum tier (“Concierge in the Product”) includes a feature called Revenue Leak Finder, which reviews completed orders against the checkout rules you have published to detect rules that failed to apply, discount stacks that leaked revenue, and rules that no longer match any orders. This feature does not turn on automatically. It activates for your shop only when both of the following are true:
- Shopify has approved our Protected Customer Data (PCD) Level 1 request for this App; and
- You have subscribed to the Platinum plan.
When both apply, the App will process order data as described below. Until then, no order data reaches our servers.
- Order webhook subscriptions. On activation, the App subscribes to
orders/createandorders/updatedusing theread_ordersandread_all_ordersAdmin API scopes. A one-time 90-day backfill scan of orders that pre-date activation is performed so the detector has recent history to reason about. - Order-audit snapshot (what we store). For each order we process, we write a sanitized snapshot to a table called
OrderAuditSnapshot. The snapshot contains: the order’s Shopify GraphQL id (GID) and order number, timestamp, sales channel, currency, per-line product/variant ids, product tags used for rule targeting, quantities and prices, discount applications, purchasing company and company-location references, and the shape of the runtime input Shopify sent to our Function. The snapshot schema is constructed so that customer name, postal address, email address, and phone number cannot be written to it. This constraint is enforced by a test that will run in continuous integration. - What is not stored. Customer name, billing or shipping address, email address, phone number, payment method details, and IP address. None of the corresponding protected customer fields are requested, read, or stored.
- Purpose limitation. Order-audit snapshots are used only to compute leak findings, to replay a leaked order against a proposed rule fix inside the App’s proof-pack simulator, and to measure detection coverage for the shop that generated them. They are not used for analytics on other shops, not shared, and not sold.
- Rule-configuration versioning. To replay an order against the rules that were live when the order was placed, the App stores an append-only
RuleConfigVersionrecord for every publish — the compiled shards, the underlying intent JSON, and a content hash. This is merchant-authored configuration, not personal data. - Leak findings and alerts. Findings are stored per shop with their lifecycle state (open, fix proposed, fixed, verified, intended). Alert-delivery records track which channels a finding was sent to (in-app card and, once we launch a delivery-tested email path, email) and per-shop alert preferences. No customer identifiers are stored in findings or alerts.
- Retention. Order-audit snapshots are retained for up to 90 days after the order is placed and are then deleted by an automated sweep. Leak findings are retained for the lifetime of the App installation so you can see the history of what was fixed and verified; individual findings can be deleted on request. All of this data is deleted for your shop within the Shopify-required window when we receive a
shop/redactwebhook, and any snapshot linked to a customer redaction request is deleted immediately on thecustomers/redactwebhook. - PCD level requested. Level 1 (order and B2B company data) only. We are not requesting Level 2 protected customer fields (name, address, email, phone).
What we do not do
- We do not store your customers’ names, postal or shipping addresses, email addresses, phone numbers, IP addresses, or payment details.
- We do not sell, rent, or share your data with third parties for their marketing.
- We do not use your shop’s data to train AI models.
- We do not inject scripts or tracking pixels into your storefront. Rules run inside Shopify’s own Functions runtime.
Sub-processors
- Shopify (Shopify Inc.) — hosts the platform, issues the OAuth tokens the App uses, sends the webhooks we subscribe to, and processes billing for our paid plans.
- DigitalOcean, LLC — hosts the App’s compute (App Platform, U.S. East / New York region). Traffic to the App is served over TLS.
- Neon, Inc. — provides the managed PostgreSQL database where the tables described above are stored. Data is encrypted at rest and in transit.
- Anthropic, PBC — provides the large-language-model API used by the optional draft-a-rule-with-AI feature. Only the merchant-typed rule description is sent; no customer data.
- Merchant-configured support-forwarding endpoint (optional). If the merchant sets
B2BCC_SUPPORT_FORWARD_URL, support submissions are also POSTed to that URL. The merchant chooses and controls this endpoint. - Transactional email (not yet in use). The App does not currently send transactional email. When Revenue Leak Finder’s email-alert channel launches, we will add the chosen email provider to this list before enabling it.
How data is protected
- Encryption in transit. All traffic to the App and to our sub-processors is served over HTTPS/TLS.
- Encryption at rest. The PostgreSQL database (Neon) encrypts data at rest, as does the underlying App Platform storage (DigitalOcean).
- Access control. Production database and hosting credentials are held only by Smith Crafts LLC operators, are stored as hosting-provider secrets rather than in source control, and are rotated on personnel change.
- Minimum-necessary scope. The App’s installed OAuth scopes are limited to what today’s features require and are listed in our public app configuration. We do not hold any Shopify scope we do not currently use in code.
Data retention & deletion
We retain installation, session, and rule data while the App is installed. When you uninstall, Shopify sends the App’s app/uninstalled webhook and we delete the shop’s Session rows immediately (including the merchant-staff fields listed above). About 48 hours later Shopify sends the mandatory shop/redact webhook, at which point we delete all remaining app-database records for the shop: AI rule drafts, support submissions, order-telemetry rows, AI usage counters, review-prompt state, and — once Platinum is active — order-audit snapshots, rule configuration versions, leak findings, and alert-delivery records.
When Shopify sends a customers/redact webhook, we delete any order-telemetry or order-audit-snapshot rows for the redacted customer’s orders identified in the payload.
When Shopify sends a customers/data_request webhook, the App responds with an inventory of the categories of data it may hold that reference a customer’s orders. Because the App never stores customer names, addresses, emails, or phone numbers, that inventory contains order-referenced records only. You may also email us at the address below to request deletion or a copy of the data we hold for your shop.
Your rights
Depending on your jurisdiction (including the EU/UK GDPR and the California CCPA/CPRA), you may have rights to access, correct, port, or delete data we hold that relates to you. Merchants can exercise these rights via the Shopify privacy webhooks described above or by emailing [email protected]. We respond within the timeframes required by applicable law. End customers of a merchant’s store should direct requests to the merchant, who is the data controller for their store’s customer data; we act as a processor on the merchant’s behalf.
International transfers
The App is operated from the United States. If you access it from elsewhere, your data may be transferred to and processed in the U.S. under the safeguards required by applicable law.
Changes
We may update this policy; material changes will be reflected by the effective date above and, where features that change data handling are added, in a same-release update. Continued use of the App after an update constitutes acceptance of the revised policy.
Contact
Smith Crafts LLC · Data-protection contact: [email protected].