Frequently Asked Questions

B2B Onboard collects the following data when a prospective B2B customer submits a registration form on your storefront:

• Business contact information: company name, contact name, email address, and phone number
• Custom form fields: any additional fields you configure in the form builder (e.g., VAT number, company size, industry)
• Uploaded documents: files submitted through file upload fields (e.g., trade licenses, tax certificates)
• Technical metadata: IP address and user agent string, collected automatically at submission time
• reCAPTCHA token: a verification token from Google reCAPTCHA if spam protection is enabled
• Pseudonymized analytics data: collected server-side via Google Analytics 4 for service improvement. No directly identifying personal data is transmitted

The app does not collect payment information, passwords, or any data beyond what is submitted through the registration form.

All data is stored within the European Union, specifically in the AWS eu-central-1 region (Frankfurt, Germany).

• Application records and form configurations are stored in Amazon DynamoDB with encryption at rest
• Uploaded documents are stored in Amazon S3 with server-side encryption (AES-256) and are only accessible via time-limited signed URLs
• All data in transit is encrypted using TLS 1.2 or higher

No data is stored on our own servers. We use AWS managed services with enterprise-grade security and compliance certifications.

When you uninstall B2B Onboard from your Shopify store:

1. Shopify notifies our system via a webhook that the app has been uninstalled
2. Your data is retained for 12 months to allow for re-installation recovery (see our Data Processing Agreement, Section 9 for full details). This includes:
   • All registration forms and their configurations
   • All application records and their history/timeline
   • All uploaded documents
   • All email template customizations
   • All branding and settings
3. After the 12-month grace period, all data is permanently deleted
4. Audit logs (containing application metadata, IP addresses, timestamps, and status changes) are retained for 7 years as required by the Danish Bookkeeping Act (bogføringsloven), regardless of uninstallation. These logs contain limited personal data and are retained solely for regulatory compliance
5. You can request immediate deletion at any time by contacting us at privacy@mentilead.com
6. Shopify customer accounts that were created through the approval process are not affected by uninstallation — they remain in your Shopify store

Tip: If you reinstall within 12 months, all your forms, applications, and settings will be right where you left them. We still recommend exporting your data before uninstalling, just in case.

B2B Onboard provides a built-in data export function accessible from the Settings page within the app:

1. Navigate to Settings in the app sidebar
2. Scroll to the Data Export section
3. Click Export Applications to download a CSV file containing all your application data

The export includes all application records with their submitted data, status, timestamps, and associated form information. Uploaded documents can be downloaded individually from each application's detail page.

B2B Onboard itself does not set any first-party cookies on your customers' browsers. The public registration forms operate without our own cookies or client-side tracking.

Exception — Google reCAPTCHA: if you enable CAPTCHA protection on a registration form, Google reCAPTCHA v3 may set third-party cookies (such as _GRECAPTCHA) to distinguish humans from bots. This is entirely optional — you can disable CAPTCHA in your form settings at any time. For details, see Google's Privacy Policy.

Google Analytics 4 is used server-side via the Measurement Protocol and does not set any cookies on your customers' browsers.

Any other cookies present on pages where the registration form appears are set by the Shopify storefront, your theme, or other apps you have installed — not by B2B Onboard.

Within the Shopify admin (where you manage applications), Shopify handles session management through its own authentication system. The app does not set additional cookies in the admin either.

As the data controller, you are responsible for responding to GDPR requests from applicants who submitted data through your registration forms. Here is how to handle common requests:

Right of Access (Article 15)

Open the applicant's record in the app and use the information displayed to provide them with a copy of their data. You can also use the data export feature to generate a CSV.

Right to Rectification (Article 16)

Edit the applicant's record directly in the application detail view to correct any inaccurate information.

Right to Erasure (Article 17)

Contact us at privacy@mentilead.com to request deletion of an applicant's data. Additionally, when Shopify processes a customer data erasure request, the associated application data and uploaded documents are removed automatically via GDPR webhooks.

Note: Audit logs containing the applicant's application metadata are retained for 7 years under the Danish Bookkeeping Act and are exempt from erasure requests under Article 17(3)(b).

Right to Restriction of Processing (Article 18)

If an applicant disputes the accuracy of their data or objects to processing, you can suspend processing by changing the application status while the matter is resolved. Contact us if you need the data restricted at the infrastructure level.

Right to Data Portability (Article 20)

Export the applicant's data using the CSV export and provide it to them in a machine-readable format.

Right to Object (Article 21)

If an applicant objects to processing of their data, assess whether you have compelling legitimate grounds to continue. If not, request erasure of their data as described under the Right to Erasure above.

Response timeframe: Under GDPR, you must respond to data subject requests within one month of receipt. This can be extended by two further months for complex requests, but you must inform the data subject within the first month.

If you need assistance processing a GDPR request that cannot be handled through the app's interface, contact us at privacy@mentilead.com and we will assist you. See our Privacy Policy for full details on how we process personal data.

Related: GDPR compliance for Shopify B2B apps

B2B Onboard works with all Shopify plans that support App Proxy, which includes Basic Shopify, Shopify, Advanced Shopify, and Shopify Plus. The app does not require any specific Shopify plan features beyond the standard app integration capabilities.

Related: Will a B2B app break my theme?

No. B2B Onboard uses Shopify's App Proxy feature to serve registration forms on your storefront. This means:

• No code is injected into your theme
• No Liquid files are modified
• No ScriptTag or theme app extensions are used
• The registration form inherits your theme's header, footer, and base styling automatically

You can uninstall the app at any time with zero cleanup required on your theme.

Related: Will a B2B app break my theme?

Yes. B2B Onboard integrates with Shopify Flow for workflow automation.

Triggers (all plans): Registration Submitted, Registration Approved, Registration Rejected, Information Requested.

Actions (Growth and Pro plans): Approve Registration, Reject Registration, Tag B2B Customer.

Example use cases: auto-approve applications from known domains, send Slack notifications, auto-tag customers.

Flow is optional and works alongside the manual review process. For a full walkthrough, see the Shopify Flow Guide.

Trigger payloads include application metadata only: application ID, company name, contact name, form ID, timestamps, and (for approvals) Shopify customer/company IDs.

No sensitive personal data (email, phone, address, uploaded documents) is included in trigger payloads.

Data is processed by Shopify under their existing privacy terms.

Open a form in the Form Builder and switch to the Style tab. On Growth plans and above you can set colors, typography, shape, and layout. Pro plans unlock advanced fine-tuning, custom header/footer content, and a live preview panel. You can also import colors from your store's theme or choose from 7 pre-built presets. Logo upload is in Settings → Branding.

Yes. Each form has its own confirmation page settings in the form editor's Confirmation page section. You can customize:

• Confirmation heading — the main heading shown after submission
• Success message — the message below the heading
• "What happens next" steps — up to 3 numbered steps, each with a title and optional subtitle

New forms come with sensible defaults. If you remove all steps, the "What happens next" section is hidden from customers entirely. See the Form Builder Guide for details.

Yes, Growth and Pro plans include auto-approval rules. You can auto-approve when VAT is verified or when the applicant's email matches an allowed domain. Auto-approval is configured per-form in the Form Builder's Settings tab — see the Form Builder Guide.

EU member states are supported. VAT numbers are verified in real time via the VIES database during form submission.

Related: GDPR compliance for Shopify B2B apps

Yes. On Shopify Plus stores with B2B enabled, approving an application automatically creates a B2B Company with a contact, location, and optional catalog assignment.

Related: Will a B2B app break my theme?

Yes. Select applications using checkboxes on the Applications page and use the bulk Approve or Reject buttons. Each application is processed individually with its own email notification and timeline entry.