Legal

Privacy Policy

B2B2GO — B2B Popup Offers  ·  ProductivityByPhil  ·  ABN 48 721 872 764
Effective date: 9 June 2026  ·  Version 1.1

1. About this policy

This Privacy Policy explains how ProductivityByPhil (ABN 48 721 872 764, "we", "us") collects, uses, stores, and discloses personal information in connection with the B2B2GO — B2B Popup Offers Shopify app ("the App"). We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We adopt privacy best practice regardless of annual turnover threshold, consistent with the 2024 amendments to the Privacy Act.

2. Who this policy covers

• Merchants (Person A): Wholesale businesses that install the App via the Shopify App Store.
• Buyers (Person B): The Merchant's wholesale buyer accounts who interact with popups on the Merchant's storefront.
• Website visitors: Anyone who visits our public pages at b2b2go.productivitybyphil.org.

3. What data we collect

From Merchants:

• Shopify store domain and OAuth access token (read-only, scoped to read_companies, read_customers, read_orders)
• Popup configurations (title, message, discount code, expiry, target accounts)
• Billing information processed via Shopify Billing API

From Buyers (via Merchant's storefront):

• Shopify customer account ID and company account ID (used to match popups)
• Email address (used to identify the buyer account)
• Popup engagement events: impressions, clicks, dismissals, and timestamps

We do not receive, store, or process payment transaction data, order values, or financial information relating to purchases made through the Merchant's storefront.

We do not collect sensitive information as defined under the Privacy Act 1988 (Cth), including health information, financial account credentials, racial or ethnic origin, religious beliefs, sexual orientation, or biometric data.

4. How we use data

Data is used solely to deliver the App's core service:

• Matching active popup offers to the correct buyer accounts at login
• Recording engagement events for the Merchant's analytics dashboard
• Managing the Merchant's app session and subscription

We do not use personal data for advertising, direct marketing, profiling, AI or machine learning model training, or any purpose beyond operating the App. We do not sell personal data to third parties.

5. Read-only Shopify access

The App accesses the Merchant's Shopify store in read-only mode via OAuth credentials granted by the Merchant at installation. We do not place orders, modify inventory, alter pricing, or write any data to the Merchant's Shopify store.

6. Data storage and residency

• Database: Neon Postgres — AWS ap-southeast-2 (Sydney, Australia)
• Serverless compute: Vercel — configured to ap-southeast-2 (Sydney)
• Billing: Shopify Billing API

All personal data is stored and processed within Australian data centres.

7. Cross-border data transfers (APP 8)

While personal data is hosted in Australian data centres, our infrastructure providers are incorporated in the United States:

• Vercel Inc — serverless compute platform
• Neon / Databricks Inc — managed Postgres database

Both maintain SOC 2 Type II certification and enforceable data processing agreements. Before engaging these providers, we took reasonable steps under APP 8.1 to satisfy ourselves that each provider is bound by privacy obligations substantially similar to the APPs.

8. Security measures

• All data in transit is encrypted via TLS 1.2+
• Database data is encrypted at rest using AES-256
• Shopify OAuth access tokens are stored encrypted, scoped to minimum required permissions, and rotated on re-authorisation
• Access to production infrastructure is restricted to authorised personnel
• Third-party providers are evaluated for SOC 2 compliance prior to engagement

If you suspect unauthorised access to your account or data, contact us immediately at p.vieyra@cybersecurityguy.org.

9. Cookies and local storage

The App's storefront widget uses browser localStorage to remember whether a buyer has dismissed a popup offer, preventing the same offer from being repeatedly displayed. No persistent cookies are set by the App. No localStorage data is transmitted to our servers.

10. Data retention

• Merchant account data: subscription duration + 7 years
• Buyer engagement events: 24 months, then deleted
• Shopify OAuth credentials: deleted within 30 days of app uninstall
• Server logs: 90 days

11. Data deletion

We comply with Shopify's mandatory privacy webhooks. Upon receiving a shop/redact or customers/redact webhook, all relevant data is deleted within 30 days. Merchants may also request deletion directly.

12. Notifiable Data Breaches

In the event of a data breach likely to cause serious harm, we will notify affected Merchants and the Office of the Australian Information Commissioner (OAIC) within 72 hours, in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).

13. Your rights

Under the Privacy Act 1988 (Cth), you have the right to request access to, correction of, or deletion of personal information we hold about you. Contact us at p.vieyra@cybersecurityguy.org. We will respond within 30 days at no charge.

If you are not satisfied with our response, you may lodge a complaint with the OAIC at www.oaic.gov.au.

14. Merchant disclosure guidance

Merchants are encouraged to disclose to their buyers that a third-party tool is used to deliver personalised promotional notifications. Suggested wording:

"We use B2B2GO — a third-party B2B notification tool — to deliver personalised offers to your account at login. B2B2GO records whether you have viewed or dismissed these offers. For details, see the B2B2GO Privacy Policy."

15. Data Processing Agreement

Merchants who require a formal Data Processing Agreement (DPA) may request one by contacting us at p.vieyra@cybersecurityguy.org.

16. Changes to this policy

We may update this policy from time to time. The current version and effective date are shown at the top of this page. Continued use of the App after changes constitutes acceptance of the updated policy.

17. Contact