Privacy Policy
Last updated: June 13, 2026
Dunwell ("Dunwell", "we", "us") is an accounts-receivable automation app for Shopify B2B merchants, operated by TwoOneFive Ventures LLC. This policy explains what data the app processes, why, and how we protect it.
Our role
When you install Dunwell on your Shopify store, you (the merchant) are the data controller of your customers' information, and Dunwell acts as a data processor that handles that information on your behalf and on your instructions, solely to provide the collections features you configure. We do not use your customers' data for our own purposes.
What we process
| Data | Why |
|---|---|
| Your store domain and an encrypted Shopify access token | To connect to your store's Shopify Admin API |
| Company & company-location records, and the billing contact email for each | To know who to send invoice reminders to. Email is the only protected customer field we request. |
| Orders that use payment terms: amounts, due dates, outstanding balance, payment-schedule status | To build your AR ledger, compute aging, and time reminders and charges |
| Vaulted payment mandate references (never card numbers) | To charge the buyer's saved card on the due date, through Shopify |
| Records of reminders sent and charges attempted | The per-invoice audit trail and ROI stats |
| Your app settings (dunning ladder, grace days, credit limits, your reply-to email) | To run collections the way you configured |
We never store, log, or transmit card numbers, only the secure mandate reference Shopify provides. We do not request customer names, addresses, or phone numbers.
How we use it
Strictly to provide the service: syncing your net-terms invoices, sending reminder emails on your behalf (from our domain, with your store name and your email as reply-to), charging vaulted cards on their due dates when you have enabled auto-capture, surfacing your aging dashboard, and recording an audit trail. We do not sell data, and we do not make automated decisions producing legal effects about individuals.
Subprocessors
We share data only with the infrastructure providers needed to run the app:
- Shopify: the platform your store and customer data live on; we read and act via its Admin API.
- Neon: managed PostgreSQL hosting (United States), where your app data is stored, encrypted at rest with encrypted backups.
- Resend: transactional email delivery for the reminders we send on your behalf.
Data retention & deletion
We keep your data while the app is installed, so the ledger and audit trail remain available. We honor Shopify's mandatory compliance webhooks:
- customers/redact: we anonymize that customer's contact email and any reminder-recipient records we hold.
- shop/redact: about 48 hours after you uninstall, we permanently purge all data for your shop.
You can trigger deletion at any time by uninstalling the app.
Security
Access tokens and stored data are encrypted at rest. The app runs on access-controlled infrastructure, partitions every query by shop, and never writes card data or secrets to logs. Buyer-facing emails are sent from an authenticated domain (SPF/DKIM/DMARC).
Your customers' rights
Because you are the data controller, requests from your customers to access or delete their data should come to you; we will assist you in fulfilling them, including via Shopify's data-request and redaction flows.
Changes
We may update this policy as the app evolves. Material changes will be reflected by the "last updated" date above.
Contact
Questions about this policy or your data: hello@getdunwell.com (TwoOneFive Ventures LLC, Philadelphia, PA, USA).