Privacy Policy

B2B Registration Form & Approval

Effective date: May 16, 2026

This Privacy Policy applies to the B2B Registration Form & Approval app ("the App") published by HELTRA LLC ("we", "us", "our"). It covers data collected by this specific app. Shared commitments that apply across every Culsin app - sub-processors, international transfers, DPA availability, CCPA, security incidents, change notification - are described on the Culsin Privacy index.

By installing the App you agree to this policy. Your use of Shopify is governed by Shopify's own legal documents; this policy only applies to the App.

Who we are

HELTRA LLC
254 Chapman Rd, Ste 208 #17026
Newark, Delaware 19702, United States

Privacy inquiries: privacy@culsin.com

Data we collect

The App stores data that customers submit through the B2B registration form. This includes:

  • Full name and email address
  • Company name
  • VAT number or tax ID
  • Country
  • Any additional fields the merchant configures (for example, phone number, business type)

The App also stores the Shopify customer ID and application status (pending, approved, rejected). No payment information or passwords are collected.

How we use this data

Submission data is used solely to operate the App: displaying applications to the merchant, processing approvals and rejections, and tagging customers in Shopify. We do not use the data for marketing, analytics, or any purpose beyond providing the App's functionality.

We process this data on the legal basis of contract performance - it is necessary to fulfil the service the merchant has installed the App to provide. The merchant is the data controller; HELTRA LLC acts as a data processor under the merchant's instructions.

VAT and tax ID validation

When a customer provides a VAT or tax ID, the App may transmit it to the relevant public registry to confirm format and validity. The registries we use are:

  • VIES - the European Commission's VAT Information Exchange System, used to validate EU VAT numbers.
  • HMRC - the UK government's VAT registration check service, used to validate UK VAT numbers.
  • Format checks for US Employer Identification Numbers (EIN) and Canadian Business Numbers (BN). These checks are computational only; the App does not contact the IRS or CRA.

The App transmits only the VAT or tax ID itself to these registries, along with the country code. The customer's name, email, address, and other application fields are never sent. Validation responses are stored alongside the application so the merchant can see the result during review.

Data storage

Submission data is stored in a Turso database (LibSQL). Turso runs on AWS infrastructure. Data is stored per-shop and is not shared between merchants. Data in transit is encrypted via TLS; data at rest is encrypted by the database provider.

Who has access

Only the Shopify merchant who installed the App can view submission data, through the App interface inside their Shopify admin. We do not sell or share submission data with any third party, except as described under Sub-processors below.

Data retention

Data is retained for as long as the App is installed. When the App is uninstalled, all submission data for that shop is permanently deleted within 48 hours, in line with Shopify's GDPR requirements.

Your rights

The App honours Shopify's mandatory GDPR webhooks:

  • customers/redact - submission records for a customer are anonymised or deleted within 30 days of a merchant-initiated erasure request.
  • shop/redact - all shop data is permanently deleted within 48 hours of uninstall.
  • customers/data_request - the merchant can retrieve a customer's submission records on request.

If you are a store customer and want to request access to or deletion of your data, contact the merchant whose store you applied through. If you cannot reach them, contact us at privacy@culsin.com. We will respond within 30 days.

Sub-processors

The App uses the following sub-processors:

  • Turso (ChiselStrike, Inc.) - database hosting. Stores submission data on AWS infrastructure.
  • Cloudflare, Inc. - hosts the App backend. Processes request metadata in transit.
  • VIES (European Commission) - EU VAT number validation. Receives the submitted VAT number and country code only.
  • HMRC (UK Government) - UK VAT number validation. Receives the submitted VAT number only.
  • Mantle (Charged Commerce, Inc.) - billing and subscription management. Does not have access to customer submission data.
  • Axiom, Inc. - application logging for debugging. May include shop domains and request metadata; does not include customer submission content.

See the Culsin Privacy index for our sub-processor change notification commitment.

Cookies

The App does not set cookies or use tracking technologies on the storefront. The Shopify admin interface is governed by Shopify's own privacy policy.

DPA, transfers, CCPA, security

Data processing addendum availability, international transfer mechanisms (SCCs), California (CCPA/CPRA) rights, and security incident notification are covered on the Culsin Privacy index - they apply to this app the same way they apply to every Culsin app.

Contact

privacy@culsin.com