Privacy Policy
Last updated: March 8, 2026
1. Introduction
This Privacy Policy describes how Mentilead Commerce ("we", "us", "our"), a trade name of Aggregatit, CVR 35963022, a Danish company, collects, processes, and protects personal data through the B2B Onboard application ("the App"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable Danish data protection law.
Depending on the processing activity, we act as either a data processor on behalf of Shopify merchants or as an independent data controller. For details on when each role applies, see Section 2 below.
2. Controller and Processor Roles
The table below clarifies our role for each processing activity under the GDPR:
| Processing Activity | Our Role | Data Controller |
|---|---|---|
| B2B registration data collection and storage | Processor | Merchant |
| Email notifications (approval, rejection, info requests) | Processor | Merchant |
| Shopify customer account creation | Processor | Merchant |
| Anti-spam protection (Google reCAPTCHA) | Processor | Merchant |
| Account management and support | Controller | Mentilead |
| Service analytics (pseudonymized) | Controller | Mentilead |
| Audit logging (regulatory compliance) | Processor (legal obligation) | Mentilead |
| Shopify Flow workflow automation (triggers and actions) | Processor | Merchant |
Where we act as a processor, the terms of our Data Processing Agreement apply.
3. Data We Collect
The App collects the following categories of personal data from B2B customer registration form submissions:
- Business contact information: company name, contact name, email address, phone number
- Custom form fields: any additional fields configured by the merchant (e.g., VAT number, business license number, company size)
- Uploaded documents: files submitted through file upload fields (e.g., trade licenses, tax certificates)
- Technical data: IP address and user agent string, collected automatically at the time of submission
- Anti-spam data (when enabled): when a merchant enables CAPTCHA protection, Google reCAPTCHA v3 collects a verification token, IP address, and browser behavior signals. The token is verified server-side and immediately discarded
- Server-side analytics data: pseudonymized shop identifiers (SHA-256 hashed) and operational event types, used for service improvement. No personal data is transmitted to the analytics provider
4. Purpose of Processing and Legal Basis
The following table sets out the purposes for which we process personal data, the data involved, and the legal basis under the GDPR:
| Purpose | Data | Legal Basis |
|---|---|---|
| B2B registration processing | Form data, uploaded documents | Art. 6(1)(b) — contractual necessity |
| Shopify customer account creation | Name, email, phone, company | Art. 6(1)(b) — contractual necessity |
| Email notifications | Email address, contact name | Art. 6(1)(b) — contractual necessity |
| Spam protection (reCAPTCHA) | IP address, browser signals | Art. 6(1)(f) — legitimate interest |
| Audit logging | Actor, action, timestamp | Art. 6(1)(f) — legitimate interest; Art. 6(1)(c) — legal obligation (Danish Bookkeeping Act) |
| Service analytics | Pseudonymized shop identifier | Art. 6(1)(f) — legitimate interest |
| Technical operation and security | IP address, user agent | Art. 6(1)(f) — legitimate interest |
| VAT/Tax ID validation | VAT number, country code | Art. 6(1)(b) — contractual necessity |
| Workflow automation via Shopify Flow | Application metadata (ID, company name, contact name, status, timestamps) | Art. 6(1)(b) — contractual necessity |
A Legitimate Interest Assessment (LIA) has been conducted for all processing based on Article 6(1)(f) and is available on request by contacting privacy@mentilead.com.
Automated Decision-Making
The App includes optional auto-approval rules that merchants can configure to automatically approve B2B registration applications based on criteria such as verified VAT numbers or allowed email domains. When enabled by a merchant, these rules process applications without manual review. Merchants retain full control over whether to enable or disable auto-approval and can override any automated decision at any time from the application detail page. The logic of auto-approval is transparent: applications are approved when they match the specific criteria the merchant has configured. No profiling or automated decision-making with legal or significant effects occurs without the merchant's explicit configuration.
5. Cookies and Third-Party Scripts
B2B Onboard itself does not set any first-party cookies on end-user browsers.
Google reCAPTCHA (when enabled by the merchant)
If a merchant enables CAPTCHA protection on their registration form, Google reCAPTCHA v3 is loaded on the form page. Google may set third-party cookies (including _GRECAPTCHA) and collect IP addresses, browser characteristics, and interaction patterns to distinguish humans from bots. This is an optional feature that merchants can disable at any time in their form settings. For details, see Google's Privacy Policy.
Shopify and merchant cookies
Any other cookies present on pages where the registration form appears are set by the Shopify storefront, the merchant's theme, or other apps installed by the merchant — not by B2B Onboard. Within the Shopify admin, session management is handled by Shopify's own authentication system; the App does not set additional cookies in the admin.
6. Data Storage and Security
All data is stored within the European Union, specifically in the AWS eu-central-1 region (Frankfurt, Germany).
- Application data (form submissions, application records) is stored in Amazon DynamoDB with encryption at rest
- Uploaded documents are stored in Amazon S3 with server-side encryption (AES-256) and accessed only via time-limited signed URLs
- All data in transit is encrypted using TLS 1.2 or higher
- Access to infrastructure is restricted through role-based access controls (IAM)
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy. Specific retention periods are as follows:
| Data Category | Retention Period | Basis |
|---|---|---|
| Application data (form submissions, records) | Account lifetime + 12 months after uninstallation | Contractual |
| Uploaded documents | Same as application data | Contractual |
| Technical data (IP address, user agent) | 90 days | Legitimate interest |
| Audit logs | 7 years | Danish Bookkeeping Act (bogføringsloven §§ 3, 10) |
| Sessions | 30 days | Technical necessity |
| Export files | 7 days | Temporary processing |
Upon App uninstallation, all merchant data (forms, applications, uploaded files) is retained for 12 months to allow for re-installation recovery, after which it is permanently deleted. Audit logs are retained for the full 7-year period regardless of uninstallation, as required by law.
8. Sub-processors
We use the following sub-processors to deliver the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (DynamoDB, S3, Lambda, SQS, CloudFront CDN) | EU (Frankfurt) |
| Resend, Inc. | Transactional email delivery: application status notifications containing recipient email addresses and names | EU (via US provider; EU-US DPF) |
| Google LLC (reCAPTCHA) | Spam and abuse protection on registration forms (when enabled by the merchant) | Global |
| Google LLC (GA4 Measurement Protocol) | Server-side pseudonymized analytics (no personal data transmitted) | Global (US) |
| Shopify Inc. | E-commerce platform, customer account creation | Global |
| European Commission (VIES) | EU VAT number validation | EU |
Sub-processor change notification
We will notify merchants by email at least 30 days in advance of any intended addition or replacement of sub-processors. If you object to a new sub-processor, you may terminate your use of the App before the change takes effect.
9. International Data Transfers
In accordance with Articles 44-49 of the GDPR, the following safeguards are in place for transfers of personal data outside the European Economic Area (EEA):
| Recipient | Country | Transfer Mechanism |
|---|---|---|
| Amazon Web Services (AWS) | EU (Frankfurt) | No transfer outside EEA |
| Resend, Inc. | United States | EU-US Data Privacy Framework (DPF) |
| Google LLC (reCAPTCHA) | United States | EU-US Data Privacy Framework (DPF) |
| Google LLC (GA4) | United States | EU-US Data Privacy Framework (DPF); pseudonymized data only |
| Shopify Inc. | Canada | EU adequacy decision + Standard Contractual Clauses (SCCs) |
Copies of safeguard documentation, including Standard Contractual Clauses, are available on request by contacting privacy@mentilead.com.
10. Data Breach Notification
In the event of a personal data breach, we will comply with the notification obligations under Articles 33 and 34 of the GDPR:
- Supervisory authority (Datatilsynet): notification within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals (Article 33)
- Affected merchants (data controllers): We will notify the merchant within 48 hours of becoming aware of a breach, enabling them to meet their obligations under Article 33. The notification will include details of the nature of the breach, likely consequences, and measures taken or proposed to mitigate the breach
- Affected individuals: where a breach is likely to result in a high risk to individuals' rights and freedoms, we will assist the merchant (as data controller) in notifying the affected individuals without undue delay (Article 34)
Our internal breach response procedures are documented and reviewed regularly. For more information, contact privacy@mentilead.com.
11. Your Rights Under GDPR
If you are an individual whose data has been submitted through a B2B registration form, you have the following rights under the GDPR:
- Right of access (Article 15) — request a copy of the personal data held about you
- Right to rectification (Article 16) — request correction of inaccurate data
- Right to erasure (Article 17) — request deletion of your data ("right to be forgotten")
- Right to restriction of processing (Article 18) — request that processing of your data be limited
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests
Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3)).
As the merchant is the data controller, GDPR requests should first be directed to the merchant from whom you submitted your application. If the merchant is unable to assist, or if you wish to contact us directly, please email privacy@mentilead.com.
12. Data Protection Officer
Under Article 37 of the GDPR, a Data Protection Officer (DPO) is not required for our organization. Our core activities do not involve large-scale systematic monitoring of individuals, nor large-scale processing of special categories of personal data.
For any data protection inquiries, please contact us at privacy@mentilead.com.
13. Data Protection Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority. Our lead supervisory authority is:
Datatilsynet (Danish Data Protection Agency)Carl Jacobsens Vej 35
2500 Valby, Denmark
www.datatilsynet.dk
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised.
For material changes (such as new categories of data collection, new sub-processors, or changes to legal basis), we will notify merchants by email at least 30 days in advance of the change taking effect. Notifications will include a summary of changes and a link to the updated policy.
15. Contact
For any questions or concerns about this Privacy Policy or our data processing practices, please contact us at:
Mentilead Commerce (a trade name of Aggregatit)Strindbergsvej 82, 1
2500 Valby, Denmark
CVR: 35963022
Email: privacy@mentilead.com