Privacy Policy

This Privacy Policy explains how Mentilead ("we", "us", "our") collects, uses, stores, and protects personal data when you use the OrderFlow application ("the App", "OrderFlow"). OrderFlow is a Shopify application that provides B2B quick ordering functionality for Shopify merchants and their customers.

We are committed to protecting the privacy of merchants who install our App and the end customers who interact with the quick order page. This policy applies to all data processed through OrderFlow, whether you are a merchant (the data controller) or an end customer (the data subject).

By installing or using OrderFlow, you agree to the practices described in this Privacy Policy. If you do not agree, please uninstall the App and discontinue use.

This Privacy Policy is supplemented by our Terms of Service and Data Processing Agreement (DPA).

Under the General Data Protection Regulation (GDPR), data processing roles are defined as follows:

• Data Controller: The Shopify merchant who installs OrderFlow. The merchant determines the purposes and means of processing their customers' personal data.
• Data Processor: Mentilead (company behind OrderFlow). We process personal data on behalf of merchants according to their instructions and the functionality of the App.
• Data Controller (for merchant data): Mentilead acts as a data controller for the merchant's own data (e.g., account information, billing details, app settings).

Our processing of end-customer data is governed by our Data Processing Agreement (DPA), which is incorporated by reference into our Terms of Service.

Company Information

• Company: Mentilead
• Address: Denmark
• Email: privacy@mentilead.com
• Website: mentilead.com

Merchant Data (we are the controller)

• Shopify store domain and shop information
• Merchant notification email address
• OAuth access tokens and session data
• App settings and branding configuration
• Billing plan and subscription status

End-Customer Data (we are the processor)

• Order history: Customer name, email address (encrypted at rest), Shopify customer ID, order details (line items, quantities, totals), order timestamps
• Saved lists: List name, product selections, creation date, associated customer ID
• Cart sessions: Current cart contents, customer ID (TTL: 7 days, automatically deleted)
• B2B company context: Company name, company ID, location ID, catalog assignments, payment terms (TTL: 24 hours, automatically deleted)

Product Data (no personal data)

• Product cache: SKU, title, price, variant ID, image URL (TTL: 1 hour)
• This data contains no customer PII and is used solely for product search and display

Technical Data

• Server-side logs (with PII redaction): request metadata, error logs, performance metrics
• Audit logs: actor, action, resource type/ID, timestamp (retained for 7 years)
• Browser localStorage: tour-seen flag and cart state (no PII)

Statutory and Contractual Requirements

Providing your email address and customer information is necessary to use OrderFlow's ordering functionality. Without this data, OrderFlow cannot process orders or provide saved list features. You are not legally obligated to provide this data, but it is required to use the service.

We process personal data under the following legal bases as defined by GDPR Article 6(1):

We use personal data exclusively to provide, maintain, and improve the OrderFlow service:

• Providing the service: Processing orders, managing saved lists, maintaining cart sessions, displaying order history, and enabling product search
• B2B functionality: Detecting B2B company context, displaying catalog pricing, applying payment terms, and creating draft orders for approval
• Merchant administration: Managing app settings, branding configuration, billing plans, and usage tracking
• Transactional communications: Sending order confirmations, export completion notifications, and billing-related emails via Resend
• Security and compliance: Maintaining audit logs, detecting unauthorized access, and fulfilling GDPR data subject requests
• Service improvement: Analyzing anonymized usage metrics (via CloudWatch EMF) to improve reliability and performance

We do not:

• Sell, rent, or trade personal data to third parties
• Use personal data for our own marketing or advertising purposes
• Profile end customers or build behavioral profiles
• Use personal data for automated decision-making or profiling as defined by GDPR Article 22

OrderFlow does not set any HTTP cookies. We use browser localStorage for two items:

Neither localStorage item contains personally identifiable information.

Optional: Google Analytics 4

If the merchant enables Google Analytics 4 (GA4) integration, GA4 may set its own cookies. GA4 cookies are only activated after the end customer's consent is verified via Shopify's Privacy API (Customer Privacy consent mechanism). The merchant is responsible for configuring GA4 and ensuring their privacy policy covers GA4 data collection.

Infrastructure Location

All data is stored and processed within the European Union:

• Region: AWS eu-central-1 (Frankfurt, Germany)
• Database: Amazon DynamoDB (single-table design)
• File storage: Amazon S3 (for data exports and uploaded files)
• Message queues: Amazon SQS (for async processing)

Security Measures

• Encryption at rest: All DynamoDB tables and S3 buckets use AWS-managed encryption (AES-256)
• Encryption in transit: All communications use HTTPS/TLS 1.2+
• Email encryption: Customer email addresses are encrypted at rest in the database
• PII redaction in logs: Server-side logs automatically redact email addresses and other PII
• Access control: IAM least-privilege policies for all service components
• S3 access: Private buckets with pre-signed URLs (time-limited access)
• Backups: Daily automated backups retained for 90 days
• Monitoring: AWS CloudWatch for alerts, AWS X-Ray for tracing, CloudWatch Logs Insights for analysis

We retain data only as long as necessary for the purposes described in this policy:

After Uninstall

When a merchant uninstalls OrderFlow, OAuth sessions are deleted immediately. All remaining data is retained for 12 months to allow for reinstallation. After 12 months, Shopify's shop/redact webhook triggers permanent deletion of all DynamoDB items and S3 objects for the shop. Merchants who need immediate deletion can use Settings > Danger Zone > Delete All Data before uninstalling.

We use the following sub-processors to provide the OrderFlow service:

We will notify merchants of any changes to our sub-processor list by updating this Privacy Policy and, where appropriate, by email notification. Merchants may object to a new sub-processor within 30 days of notification.

Our primary data processing occurs within the EU (AWS eu-central-1, Frankfurt). However, some sub-processors are based in the United States:

• Shopify: Transfers are governed by Shopify's own data processing terms and their participation in recognized data transfer mechanisms
• Resend: Email delivery requires transfer of email addresses and content. Resend processes data under Standard Contractual Clauses (SCCs)
• GitHub: No customer data is transferred — only source code

For all international transfers, we ensure appropriate safeguards are in place as required by GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we conduct transfer impact assessments where necessary.

In the event of a personal data breach, we will:

1. Notify the affected merchant(s) without undue delay and within 72 hours of becoming aware of the breach
2. Provide details of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach
3. Assist the merchant in fulfilling their own breach notification obligations to supervisory authorities and data subjects
4. Document the breach in our internal records regardless of whether notification to the supervisory authority is required

Report suspected breaches to privacy@mentilead.com.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15): Request a copy of the personal data we hold about you
• Right to rectification (Article 16): Request correction of inaccurate personal data
• Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
• Right to restriction (Article 18): Request restriction of processing in certain circumstances
• Right to data portability (Article 20): Receive your data in a structured, commonly used, machine-readable format
• Right to object (Article 21): Object to processing based on legitimate interest

For Merchants

Exercise your rights by contacting privacy@mentilead.com. You can also export your data via Settings > Danger Zone > Export Data, or delete all data via Settings > Danger Zone > Delete All Data.

For End Customers

End customers should direct data subject requests to the merchant (data controller) who installed OrderFlow. The merchant can then use OrderFlow's built-in tools to fulfill the request, or contact us for assistance. We respond to requests processed through Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact) automatically.

We will respond to all rights requests within 30 days. If a request is complex, we may extend this by an additional 60 days with notification.

As a small organization, Mentilead is not legally required to appoint a Data Protection Officer under GDPR Article 37. However, all privacy matters are handled directly by the company owner. For any data protection queries, contact:

• Email: privacy@mentilead.com
• Response time: Within 5 business days

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

• Authority: Datatilsynet (Danish Data Protection Agency)
• Website: datatilsynet.dk
• Email: dt@datatilsynet.dk

You may also contact the supervisory authority in your own EU member state.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• The "Last updated" date at the top of this page will be revised
• For material changes, we will notify merchants via email and/or an in-app notification
• Continued use of OrderFlow after notification constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

If you have questions about this Privacy Policy or our data practices, contact us:

• Privacy inquiries: privacy@mentilead.com
• General support: support@mentilead.com
• Website: mentilead.com

The following table provides the specific information required by GDPR Articles 13 and 14 in a concise format: