Tierlane Privacy Policy
Effective Date: 2026-06-01
Last Updated: 2026-06-01
Version: 1.0
1. Introduction
This Privacy Policy explains how Tierlane ("Tierlane", "we", "us", or "our") collects, uses, discloses, and protects personal information when you interact with our website at tierlane.app, our embedded Shopify application at app.tierlane.app, and the services we provide through them (collectively, the "Service"). Tierlane is a business based in Toronto, Ontario, Canada.
Tierlane is an AI-powered Shopify B2B application that reads wholesale order requests sent to Shopify merchants by email, PDF, or spreadsheet attachment, and parses those requests into Shopify draft orders that the merchant reviews before approval. Because of this design, Tierlane sits in an unusual place in the data flow: we process both the merchant's own business information and the personal information of the merchant's wholesale buyers that happens to be inside the inbox we are reading. Section 3 explains this dual role in detail.
This Privacy Policy is written to comply with privacy laws in every jurisdiction where our merchants and their buyers are located, including Canada (PIPEDA, Quebec Law 25), the United States (CCPA/CPRA and twenty other state laws), the United Kingdom (UK GDPR and the Data Use and Access Act 2025), the European Union and EEA (GDPR), Australia (Privacy Act 1988), New Zealand (Privacy Act 2020), Singapore (PDPA), and Brazil (LGPD). Jurisdiction-specific addendums appear in Section 16.
If you are visiting our marketing website and have not installed Tierlane, only Sections 1, 2, 4 (limited), 8, 9, 13, 14, and 16 are likely relevant to you. If you are a Shopify merchant using Tierlane, the entire policy applies. If you are a wholesale buyer whose email was parsed by Tierlane on behalf of a merchant, Section 3.2 and Section 9 explain your rights and how to exercise them.
For questions about this policy or to exercise any of the rights described in Section 9, contact our Privacy Officer:
Privacy Officer, Tierlane
Email: privacy@tierlane.app
A Cookie Policy is published separately at tierlane.app/legal/cookies and a current list of our sub-processors is published at tierlane.app/subprocessors. Both are incorporated into this policy by reference.
2. Summary of Key Points
- We collect three main categories of data: (a) information you give us when you install and use Tierlane (your merchant account information), (b) information about how the Service is used (technical and usage data), and (c) personal information about your wholesale buyers that arrives inside the inboxes you connect to Tierlane.
- We use automated systems, including a third-party large language model provided by Anthropic, PBC, to parse buyer emails and attachments into draft orders. Section 4.3 describes this in plain English.
- We do not sell personal information. We do not use personal information for cross-context behavioural advertising. We do not allow any of our sub-processors to use the data we send them to train their own models.
- We act as a "data controller" for the information about you (the merchant) and as a "data processor" or "service provider" for the personal information of your wholesale buyers that we process on your behalf.
- We retain parsed email content for 90 days, billing records for 7 years, account profile data until you delete your account (plus 30 days for backups), and audit logs for 90 days.
- You have rights under the privacy law of your jurisdiction. Section 9 explains those rights in detail and how to exercise them.
- We use Standard Contractual Clauses, the UK International Data Transfer Addendum, and Brazilian SCCs (as applicable) to transfer personal information internationally. Section 10 explains transfers.
- For data breach matters, we notify supervisory authorities within 72 hours where required and notify affected individuals promptly. Section 12 sets out our commitments.
- This policy may change. We will tell you about material changes at least 30 days before they take effect. Section 14 explains how.
3. Our Two Roles: Controller and Processor
Tierlane has two distinct legal roles depending on whose personal information is being processed. Both EU/UK GDPR and Quebec Law 25 require us to be explicit about this.
3.1 Tierlane as Controller (for Merchant data)
When you install Tierlane and use it as a Shopify merchant, we are the controller (in GDPR/UK GDPR/Quebec terminology) or "business" (in CCPA terminology) of the personal information about you and the people you authorise to use Tierlane on your behalf. This includes your name, business name, email address, Shopify shop identifier, billing history, support correspondence, and Service usage information.
We decide why and how this information is processed. We process it to provide the Service, bill you, support you, secure the Service, and comply with our legal obligations.
3.2 Tierlane as Processor (for Buyer data inside Merchant inboxes)
When Tierlane reads the inboxes you connect to the Service, those inboxes contain emails from your wholesale buyers. Those emails contain personal information about your buyers (typically a name, business email, sometimes a phone number, sometimes a shipping or billing address, plus the buyer's order content). Tierlane parses this into a Shopify draft order.
For that buyer personal information, you (the merchant) are the controller and Tierlane is the processor (GDPR/UK GDPR/Quebec) or service provider (CCPA). We process buyer personal information only on your documented instructions to deliver the Service to you. Our Data Processing Agreement (DPA), available at tierlane.app/legal/dpa and incorporated by reference into our Terms of Service (Section 4 of the ToS), sets out the contractual terms required by Article 28 GDPR, CCPA §1798.140(ag), Quebec Law 25, the UK GDPR, LGPD, and other comparable laws.
If you are a wholesale buyer who has received this Privacy Policy via a merchant who uses Tierlane, please direct your privacy rights requests in the first instance to the merchant that emailed you. We will support the merchant's response. If you cannot reach the merchant, you may also contact us at privacy@tierlane.app, and we will help route your request.
4. What Information We Collect
4.1 Merchant Data (Tierlane as controller)
When you install Tierlane and create an account, we collect:
- Account identifiers: your Shopify shop ID and myshopify.com domain; the email address Shopify provides as the primary contact for the shop; the shop's store name and country.
- Authentication tokens: OAuth access and refresh tokens issued by Shopify, Google (Gmail), Microsoft (Outlook / Microsoft 365), Intuit (QuickBooks), and Xero, in each case only with the scopes you grant. We store these tokens encrypted at rest.
- Billing information: Tierlane subscriptions are billed via the Shopify Billing API, so Shopify (not Tierlane) processes your payment method. We receive from Shopify the records needed to reconcile your subscription: plan, charge IDs, charge amounts, dates, top-up purchases, and refunds (if any). We do not receive your credit card number.
- Settings and preferences: your parsing configuration, trusted-sender list, catalog matching preferences, notification preferences, and the user accounts you authorise inside Tierlane.
- Support correspondence: messages you send us by email or in-app, and our replies, including any attachments you choose to send.
- Service usage and technical data: pages viewed inside the embedded admin app, features used, error reports, device and browser metadata, IP address (discarded immediately on ingestion for product analytics, briefly retained in security logs — see Section 7), and the timestamps of these events.
4.2 Buyer Data inside Merchant inboxes (Tierlane as processor)
When the Service reads the inbox you have connected to Tierlane, it processes:
- Email envelope data: sender address, recipient address, subject line, date, headers needed for threading.
- Email body content: the parts of the email body that Tierlane needs to identify and parse a wholesale order.
- Attachments: PDFs, spreadsheets, Word documents, and images that may contain wholesale order details. Tierlane extracts text and tables from these attachments to identify line items.
- Resulting personal information of the buyer: the buyer's name (often the signature block); the buyer's business email address; sometimes a phone number; sometimes a billing or shipping address; the buyer's company name; the buyer's product preferences as expressed in the order.
We do not target or filter inboxes for individuals' personal data outside the order-parsing function. We do not read messages that the parser does not classify as containing a wholesale order, beyond what is necessary to make that classification.
Tierlane uses an automated system to do this parsing. Section 5 explains the AI processing in plain language.
4.3 Marketing website data
When you visit tierlane.app without being a merchant, we collect:
- Pages visited, referral source, approximate region (derived from IP address and immediately discarded after region derivation), browser and device type, and timestamps. These events are sent to a self-hosted PostHog analytics instance in the EU, pseudonymised at ingestion, and IP addresses are discarded.
- If you fill in a contact form, the name, email address, business name, and message you provide.
- If you accept the cookie banner, the cookies described in our Cookie Policy.
5. How We Use Information (Including Automated Decision-Making and AI Disclosure)
5.1 Purposes for which we use Merchant Data (as controller)
- To provide, operate, and maintain the Service: authenticate you to Shopify and your other connected services; route inbound emails to the correct merchant account; render the embedded admin app inside the Shopify Admin.
- To bill you: reconcile your subscription, top-ups, and refunds against Shopify's records and to maintain books and records required by Canadian tax law.
- To communicate with you: send transactional emails (welcome, billing receipts, parsing results, security notices), respond to support, and, where you have separately opted in, send product updates.
- To improve the Service: aggregate and pseudonymised usage analytics to understand which features are used, where users encounter friction, and to prioritise development.
- To detect, prevent, and respond to security events, abuse, and fraud.
- To comply with legal obligations and to defend ourselves in legal proceedings.
5.2 Purposes for which we process Buyer Data (as processor)
We process buyer personal information only to perform the parsing service for the merchant: classify the inbound email as an order request, extract line items, match products to the merchant's catalog, produce a draft order in Shopify for the merchant to review, and route notifications and audit logs. We do not use buyer data for any purpose beyond the merchant's instructions. We do not enrich it with third-party data. We do not use it for advertising. We do not use it to train our own or anyone else's machine learning models.
5.3 Automated decision-making and AI parsing disclosure
We use automated systems, including a large language model provided by Anthropic, PBC (Claude), to parse the text of wholesale order emails and the contents of attached PDFs and spreadsheets into structured draft orders. This processing is automated. The result of the processing is a draft Shopify order that the merchant must review and approve manually. Tierlane does not, by itself, finalise an order, charge a buyer, ship goods, or take any action with legal or similarly significant effect on the buyer without human review by the merchant.
In plain language: the AI reads the email, guesses what was ordered, and writes the guess into a draft for a human to approve.
Because the AI is probabilistic, it can be wrong. It may misidentify products, misread quantities or prices, omit items, or attribute the wrong buyer to an order. Merchants are required by our Terms of Service to review every draft before approval. Tierlane is not a substitute for human review.
We disclose this AI processing in our Privacy Policy and at our merchants' onboarding screens, consistent with Article 50 of the EU AI Act (transparency obligations effective 2 August 2026), the automated decisions disclosure under Australian Privacy Principle 1.4 (effective 10 December 2026), California's Automated Decision-Making Technology rules (effective 1 January 2026), and Quebec Law 25's automated decision-making requirements.
Affected individuals may, where their local law provides for it (notably the EU/UK GDPR Article 22, Quebec Law 25, and California's ADMT rules), request human review of, an explanation of, or a contest of an automated decision that significantly affects them. Because a Tierlane draft order is always reviewed by a human merchant before having any effect, the strict Article 22 prohibition does not normally apply. Nevertheless, on request, we will (i) explain to a data subject the categories of input data we processed; (ii) explain that the output is a draft for human review; and (iii) coordinate with the relevant merchant to provide a human review of the draft. Requests should be sent to privacy@tierlane.app.
Anthropic's commitments to Tierlane. Anthropic has signed a Data Processing Agreement with Tierlane and undertakes (a) not to train its models on the data we send it through its API, (b) to delete API inputs and outputs after a maximum of 7 days unless we have specifically asked for longer retention (we have not), and (c) to apply EU Standard Contractual Clauses to international transfers. Anthropic's current commitments are at privacy.claude.com.
5.4 Legal bases for processing (GDPR, UK GDPR, Quebec Law 25, LGPD)
Where the law of your jurisdiction requires us to identify a legal basis for processing, the following apply:
| Processing activity | Legal basis (GDPR / UK GDPR) | Quebec / LGPD analog |
|---|---|---|
| Providing the Service to you (the merchant) | Article 6(1)(b) — performance of a contract with you | Contractual necessity |
| Processing buyer data on the merchant's instructions | Article 28 — processing on behalf of the controller | Service mandate; LGPD operator role |
| Billing you and keeping financial records | Article 6(1)(c) — legal obligation (tax law) | Legal obligation |
| Securing the Service and detecting fraud | Article 6(1)(f) — legitimate interest in operating a secure service | Legitimate interest |
| Sending transactional emails (receipts, notifications) | Article 6(1)(b) — contract | Contract |
| Sending product update emails | Article 6(1)(a) — consent, where you have opted in | Consent |
| Improving the Service using aggregated usage analytics | Article 6(1)(f) — legitimate interest in product improvement | Legitimate interest |
| Defending and complying with legal claims | Article 6(1)(c) and (f) | Legal obligation |
In the UK we also rely, where applicable, on the Recognised Legitimate Interest basis introduced by the Data Use and Access Act 2025. We do not rely on consent as a legal basis for any processing that you would reasonably expect us to perform as part of providing the Service, except for marketing communications.
You have the right to object to processing based on legitimate interest. See Section 9.
6. Who We Share Information With
We do not sell personal information.
We share personal information only with the following categories of recipients, and only for the purposes described in this policy:
- Service sub-processors. Companies we have engaged to provide hosting, AI parsing, transactional email, error monitoring, analytics, accounting integrations, payments, DNS/CDN, and similar infrastructure. We list the categories below; the full, current, named list (with locations and DPA links) is at tierlane.app/subprocessors and incorporated into this policy by reference.

| Category | What we use them for |
|---|---|
| AI/ML | Parsing the text of emails and attachments into structured order data |
| Hosting & compute | Running the web application and worker functions |
| Database & storage | Storing your settings, draft orders, audit logs, and short-term parsed content |
| Transactional email | Sending receipts, security notices, and parsing notifications |
| Error monitoring | Detecting and diagnosing failures in the Service |
| Product analytics | Pseudonymised event analytics |
| Payments | Subscription billing via the Shopify Billing API |
| DNS, CDN, inbound email routing | Resolving domains, accelerating page loads, routing inbound mail |
| Email integration | Read-only access to inboxes that you have connected |
| Accounting integration | Optional sync of completed orders to QuickBooks or Xero |
| Tierlane business email | Microsoft 365 for our own staff inbox |

We notify merchants by email at least 15 days before we add a new sub-processor that processes personal data, and we publish updates to the sub-processor list on the same schedule. Merchants may object during the notification period; if a reasonable objection cannot be resolved, the merchant may terminate the affected portion of the Service.

- Shopify. Tierlane runs on the Shopify platform. The merchant's installation of Tierlane is governed by Shopify's app permissions and APIs. Shopify is named in our sub-processor list as the platform and billing operator.
- Connected services that you choose to authorise. When you connect Gmail, Outlook/Microsoft 365, QuickBooks, or Xero, Tierlane exchanges data with those services on your behalf. Each of those providers has its own privacy policy.
- Professional advisors. Our accountants, auditors, and lawyers, under duties of confidentiality.
- Public authorities. Where required by valid legal process, court order, regulatory request, or to protect our rights or the safety of others, we will disclose information to public authorities. Where legally permitted, we will tell the affected merchant before disclosing.
- Acquirers or successors. If Tierlane is involved in a merger, acquisition, financing, bankruptcy, or sale of all or substantially all of its assets, personal information may be transferred as part of that transaction. Acquirers must continue to honour this Privacy Policy or notify users of material changes consistent with Section 14.
7. Data Retention
We retain personal information only as long as necessary to provide the Service and to comply with our legal obligations. Specifically:
| Category | Retention period | Reason |
|---|---|---|
| Parsed email content (subject, body, extracted attachment text) | 90 days after parsing | Short-term diagnostics and merchant re-runs |
| Buyer personal information inside parsed content | 90 days, then deleted | Same as above; deletion propagates to sub-processors within 30 days |
| Draft order records (line items, mapped product references) | Lifetime of merchant account, then 30 days after deletion | Merchant audit and reconciliation |
| Account profile (shop ID, settings, OAuth tokens) | Until merchant deletes the account, then 30 days of soft-delete before permanent deletion | Recovery window; cleanup |
| Authentication tokens (OAuth refresh tokens) | Until the user revokes the connection, the token expires, or the account is deleted | Required to operate the integration |
| Billing records | 7 years | Canadian tax retention requirements (CRA) |
| Security and access audit logs | 90 days | Breach forensics and security review |
| Backups | Up to 35 days encrypted, then purged | Disaster recovery |
| Support correspondence | 24 months after the last interaction | Quality and dispute resolution |
| Marketing email list (opted-in addresses) | Until you unsubscribe; suppression list retained indefinitely | To honour your unsubscribe |
| PostHog analytics events | 90 days | Product analytics |
| Sentry error events (PII-scrubbed) | 90 days | Error monitoring |
When the retention period ends, or when we receive a valid deletion request (Section 9.3), we delete the data from our primary systems within 30 days and instruct our sub-processors to do the same. Encrypted backups containing the data are purged on the rolling backup schedule above (maximum 35 days). After all backups have rotated, the data is unrecoverable.
For requests received via Shopify's customers/redact or shop/redact webhooks, deletion is completed within 30 days as required by Shopify's compliance program.
Some data may be retained beyond these periods where required to comply with a legal hold, an active investigation, or to establish, exercise, or defend legal claims.
8. Cookies and Tracking Technologies
Our use of cookies is described in detail in our Cookie Policy at tierlane.app/legal/cookies, which is incorporated into this Privacy Policy by reference. In summary:
- The marketing website (tierlane.app) sets a small number of first-party cookies. In jurisdictions that require it (EU, UK, Quebec, Brazil), we ask for your consent through a cookie banner before any non-strictly-necessary cookie is set.
- The embedded admin app (app.tierlane.app, served inside the Shopify Admin) sets only strictly-necessary first-party cookies for authentication and session management.
- We do not use third-party advertising cookies. We do not participate in cross-context behavioural advertising.
- We honour the Global Privacy Control (GPC) signal as an opt-out of sale and sharing (we do not sell or share, but we honour the signal anyway).
9. Your Rights
Depending on where you live and which law applies to you, you have some or all of the following rights with respect to your personal information. We will respond to any verified request within the time limits set out by the applicable law (commonly 30 days; 45 days in California, extendable by 45; 3 calendar days for Singapore breach assessment notifications; 30 days for PIPEDA and Quebec).
9.1 Rights summary (all jurisdictions)
- Right to know / access. Receive a copy of the personal information we hold about you and information about how we process it.
- Right to correct / rectify. Ask us to correct inaccurate or out-of-date personal information.
- Right to delete / erase. Ask us to delete your personal information, subject to limits (legal retention obligations, legitimate business purposes).
- Right to portability. Receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to restrict processing. Ask us to pause processing while a dispute about accuracy or legitimacy is resolved.
- Right to object. Object to processing based on legitimate interest, including profiling.
- Right to withdraw consent. Withdraw any consent you previously gave; withdrawal does not affect lawful processing before withdrawal.
- Right not to be subject to a solely automated decision that has legal or similarly significant effects. (Tierlane's drafts are always reviewed by a human merchant before any effect.)
- Right to opt out of sale, sharing, or targeted advertising. We do not engage in any of these, but you have the right to be told and to opt out.
- Right to limit the use of sensitive personal information (California). Email content is "contents of mail/email" — sensitive PI. We use it only for the parsing function and for no secondary purpose.
- Right to non-discrimination for exercising any of these rights.
- Right to lodge a complaint with the supervisory authority in your jurisdiction (Section 16).
9.2 Jurisdiction-specific notes
- GDPR / UK GDPR (Articles 15-22, plus Article 77 right to lodge complaint with a supervisory authority). All of the above. We respond within one month; we may extend by two further months for complex requests and will tell you.
- CCPA / CPRA and other US state laws (CA, VA, CO, CT, UT, IA, TN, MT, OR, TX, FL, DE, NH, NJ, NE, MD, IN, KY, MN, RI). Right to know (including specific pieces of personal information collected in the last 12 months), delete, correct, opt out of sale/share/targeted advertising, limit use of sensitive PI, and non-discrimination. We honour the Global Privacy Control signal as an opt-out of sale/share. Two methods of submission: privacy@tierlane.app and the webform at tierlane.app/privacy-choices. Verification by signed-in account, or, if you are a buyer, by coordination with the merchant whose inbox we processed.
- PIPEDA (Canada). Right of access and correction under Principle 9. Complaints first to our Privacy Officer; escalation to the Office of the Privacy Commissioner of Canada.
- Quebec Law 25. Access, correction, deletion, withdrawal of consent, data portability (effective September 2024), and the right to know about and contest a decision based exclusively on automated processing. Tierlane's Privacy Officer (privacy@tierlane.app) is the designated point of contact. A Privacy Impact Assessment has been completed for the cross-border transfer of personal information processed by Tierlane and is available on request from enterprise customers.
- Australia (APP 12 / APP 13). Access and correction. We respond within 30 days. Complaints to OAIC.
- New Zealand (Privacy Act 2020, IPP 6 / IPP 7). Access and correction. Complaints to NZ OPC.
- Singapore (PDPA, Access and Correction). Designated Data Protection Officer: Privacy Officer, Tierlane (privacy@tierlane.app). Complaints to PDPC.
- Brazil (LGPD, Article 18). Confirmation of processing, access, correction, anonymisation/blocking/deletion of unnecessary or excessive data, portability, information about shared parties, information about consent options, withdrawal of consent. Complaints to ANPD.
9.3 How to exercise your rights
- Self-service. Merchants can export and delete their account data using the in-app Privacy & Data settings page (Section 7 retention applies; deletion is propagated to sub-processors within 30 days).
- Email. Send your request to privacy@tierlane.app. Include enough information to verify your identity and to scope the request (account email, shop domain, or, if you are a buyer, the email address used to contact the merchant). We acknowledge within 24 hours and resolve within the legally required timeline.
- Shopify webhook flow. Requests arriving via Shopify's customers/data_request, customers/redact, or shop/redact webhooks are handled automatically alongside any direct request.
- Buyer requests routed through the merchant. If you are a buyer, please contact the merchant first. We will support the merchant in providing your information and complying with the request.
- Webform. A request webform is available at tierlane.app/privacy-choices.
If we cannot fulfil your request (because, for example, the law allows us to refuse), we will tell you why and what your further options are, including your right to complain to a supervisory authority.
10. International Data Transfers
Tierlane is based in Toronto, Ontario, Canada. Our sub-processors operate from the United States, the European Union, Australia, and globally. By using the Service, you understand that your personal information may be transferred to, stored in, and processed in countries outside your own.
Where the law of your jurisdiction restricts cross-border transfers, we use the following safeguards:
- From the EU/EEA to non-adequate jurisdictions (such as the US): the European Commission's Standard Contractual Clauses (Decision 2021/914) plus a Transfer Impact Assessment per Schrems II. Where the importer is certified under the EU-U.S. Data Privacy Framework, we rely on that mechanism as a supplemental layer.
- From the UK to non-adequate jurisdictions: the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus a Transfer Risk Assessment.
- From Switzerland: the Swiss Federal Data Protection and Information Commissioner's recognised SCCs.
- From Canada: disclosure under PIPEDA Principle 1 and Quebec Law 25 (we disclose, in this policy and via the sub-processor list, that personal information may be transferred outside Canada and Quebec and may, while abroad, be subject to lawful access by foreign authorities).
- From Brazil: ANPD-approved Brazilian Standard Contractual Clauses for transfers to the US; we rely on the EU-Brazil mutual adequacy decision (in force 27 January 2026) for transfers between Brazil and the EU.
- From Australia / New Zealand: contractual safeguards under APP 8 and IPP 12 with each overseas recipient.
A copy of the SCCs in force for any specific transfer is available on request to enterprise customers at privacy@tierlane.app, subject to redaction of commercially sensitive terms.
11. Security
We use commercially reasonable technical and organisational measures to protect personal information, including:
- Encryption in transit. All communications between you and Tierlane, and between Tierlane and its sub-processors, are encrypted with TLS 1.2 or higher.
- Encryption at rest. Personal information and OAuth tokens stored in our database are encrypted at rest. OAuth tokens are additionally encrypted with application-layer keys.
- Access controls. Production systems are accessible only to authorised Tierlane personnel using strong authentication (passkeys or hardware security keys plus MFA), with role-based access controls and full audit logging. Vendor access follows the same principle.
- Network controls. Firewall rules, rate limiting, bot protection, and DDoS mitigation at our DNS and CDN provider.
- Logging and monitoring. Production application and security events are logged and monitored. PII is scrubbed before events are sent to our error-monitoring provider.
- Secure development. Code review, dependency scanning, automated security checks, and least-privilege secret management.
- Backups and disaster recovery. Encrypted, point-in-time backups with periodic recovery testing.
- Vendor management. Sub-processors are reviewed for their security and privacy posture before onboarding and re-reviewed periodically.
- Personnel. All personnel are bound by written confidentiality obligations and trained in privacy and security basics.
No system is perfectly secure. If you believe your account or information has been compromised, contact us immediately at security@tierlane.app.
12. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:
- Notify the lead supervisory authority within 72 hours of becoming aware, as required by Article 33 GDPR and UK GDPR.
- Notify affected individuals without undue delay where there is a likely high risk to their rights and freedoms, as required by Article 34 GDPR / UK GDPR.
- Notify the Office of the Privacy Commissioner of Canada as soon as feasible where there is a "real risk of significant harm" under PIPEDA, and keep a breach register for 24 months.
- Notify the Quebec Commission d'accès à l'information and affected individuals where there is a "risk of serious injury" under Law 25.
- Notify the OAIC and affected individuals within 30 days of assessing notifiability under the Australian Notifiable Data Breaches scheme.
- Notify Singapore's PDPC within 3 calendar days of assessing notifiability under the PDPA Data Breach Notification Obligation.
- Notify the ANPD (Brazil) within a reasonable period under LGPD.
- Notify affected US state attorneys general as required by applicable US state breach notification laws.
Where Tierlane is acting as processor (Section 3.2), we will notify the affected merchant without undue delay and assist the merchant in complying with the merchant's own notification obligations as controller.
13. Children's Privacy
Tierlane is a business-to-business service intended for use by Shopify merchants and their authorised personnel. The Service is not directed at children, and we do not knowingly collect personal information from individuals under the age of 16. If you believe a child has provided personal information to us, contact us at privacy@tierlane.app and we will delete it.
Because the Service is not directed at children and does not knowingly collect their personal information, the COPPA (US) restrictions on collecting data from children under 13 do not apply.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the Effective Date and Version at the top of this policy.
- For material changes (changes to the categories of data collected, the purposes of processing, the categories of recipients, retention periods, or your rights), notify merchants by email at least 30 days before the change takes effect.
- For non-material changes (clarifications, formatting, contact-detail updates), the updated policy takes effect when posted, but a change log is maintained at tierlane.app/legal/privacy/changes.
Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy. If you do not agree, you may terminate your subscription as set out in the Terms of Service (Section 16) before the effective date.
15. Contact
For any privacy question, request, or complaint, contact our Privacy Officer (Privacy Officer, Tierlane):
Tierlane
2727 Steeles Ave West, Unit 103-901
Toronto, ON M3J 3G9, Canada
- Privacy inquiries: privacy@tierlane.app
- Legal inquiries: legal@tierlane.app
- Security incidents: security@tierlane.app
- General contact: support@tierlane.app
- Subject-access webform: tierlane.app/privacy-choices
Tierlane has not yet appointed an Article 27 representative in the EU or UK because we do not yet "regularly" process personal data of EU/UK data subjects at the scale that triggers Article 27. When a representative is appointed, their contact details will be published here.
16. Jurisdiction-Specific Addendums
16.1 European Union and European Economic Area
- Controller identity: Tierlane, Toronto, Ontario, Canada. Contact: privacy@tierlane.app.
- Data Protection Officer: not required under Article 37 at Tierlane's current scale; the Privacy Officer is the contact for data protection.
- Article 27 representative: to be appointed; see Section 15.
- Legal bases: Section 5.4.
- International transfers: EU SCCs (2021/914) + Transfer Impact Assessment. See Section 10.
- Automated decision-making (Article 22): AI parsing produces a draft for human review. See Section 5.3.
- Right to lodge a complaint with a supervisory authority: you may complain to any EU/EEA supervisory authority. A list is at edpb.europa.eu/about-edpb/about-edpb/members_en. We will work with the lead authority where one is designated.
16.2 United Kingdom
- Statutory framework: UK GDPR + Data Protection Act 2018 + Data Use and Access Act 2025 (effective 5 February 2026 for most provisions).
- Lawful bases: seven bases including the new Recognised Legitimate Interest under the DUAA.
- International transfers: UK IDTA or UK Addendum to EU SCCs + Transfer Risk Assessment.
- Supervisory authority: Information Commissioner's Office, ico.org.uk.
16.3 California (CCPA / CPRA, including 2026 regulations)
For California residents, this section is the disclosure required by Cal. Civ. Code § 1798.100 et seq. and the 2026 CCPA regulations.
- Categories of personal information collected (in the last 12 months): identifiers (account email, shop domain, user ID); commercial information (subscription tier, billing history); internet or other electronic network activity (logs, pages viewed); geolocation (approximate region, derived from IP and immediately discarded); inferences (none); and, for buyer data processed on behalf of merchants, sensitive personal information: the contents of mail or email.
- Categories of sources: directly from you; from Shopify; from your authorised email provider; from your authorised accounting integration; from connected services you authorise.
- Business or commercial purposes: as set out in Section 5.
- Categories of third parties: see Section 6.
- Categories of service providers and contractors: see Section 6 and the sub-processor list.
- Sale or sharing of personal information: we do not sell and we do not share for cross-context behavioural advertising. We honour the Global Privacy Control signal as an opt-out.
- Right to limit use of sensitive personal information: email content is used only for the parsing function and for no secondary purpose. Submitting a "limit" request is therefore equivalent to terminating the Service for that data.
- Right to know / delete / correct / opt out: Section 9.
- Two methods to submit a request: email to privacy@tierlane.app and the webform at tierlane.app/privacy-choices.
- Authorised agents: an authorised agent may submit a request on your behalf with verifiable authority.
- Retention: Section 7.
- Notice at collection: this policy.
- Risk assessments and cybersecurity audits required by the 2026 regulations are conducted internally; summaries are available to enterprise customers under a DPA.
- Automated Decision-Making Technology (ADMT): Section 5.3.
16.4 Other US States (VA, CO, CT, UT, IA, TN, MT, OR, TX, FL, DE, NH, NJ, NE, MD, IN, KY, MN, RI, OK, AL)
Residents of these states have rights substantially similar to those in California, including the rights to access, correct, delete, opt out of targeted advertising, opt out of profiling that has legal or similarly significant effects, and (where applicable) opt out of the sale of personal information. Maryland MODPA residents additionally benefit from our absolute commitment not to sell sensitive personal information. Submit requests as set out in Section 9.
16.5 Quebec (Law 25)
- Privacy Officer (Personne responsable de la protection des renseignements personnels): Privacy Officer, Tierlane (privacy@tierlane.app).
- Confidentiality policy: this Privacy Policy.
- Automated decision-making disclosure: Section 5.3. You may request human review of an automated decision that produces legal or similarly significant effects.
- Privacy Impact Assessment: completed for the cross-border transfers Tierlane performs. Summary available to enterprise customers on request.
- Right to data portability (in force since 22 September 2024): see Section 9.
- Cross-border transfers outside Quebec are disclosed in Section 10 and the sub-processor list.
- Complaint: Commission d'accès à l'information du Québec, cai.gouv.qc.ca.
16.6 Canada (PIPEDA)
The ten Fair Information Principles in Schedule 1 of PIPEDA are reflected in this policy as follows:
- Accountability: Sections 1 and 15.
- Identifying purposes: Section 5.
- Consent: Section 5.4.
- Limiting collection: Section 4.
- Limiting use, disclosure, retention: Sections 5, 6, 7.
- Accuracy: Section 9 (right to correct).
- Safeguards: Section 11.
- Openness: publication of this policy.
- Individual access: Section 9.
- Challenging compliance: Section 15; OPC escalation at priv.gc.ca.
16.7 Australia (Privacy Act 1988, APPs)
- APP 1 openness: this policy.
- APP 5 notification of collection: this policy and onboarding.
- APP 8 cross-border disclosure: Section 10; the overseas recipients are listed in the sub-processor list with locations.
- APP 11 security: Section 11.
- APP 12 / 13 access and correction: Section 9.
- Automated decisions disclosure (effective 10 December 2026): Section 5.3.
- Notifiable Data Breaches scheme: Section 12.
- Statutory tort for serious invasions of privacy (effective June 2025): we operate in a manner intended to avoid serious invasions of privacy.
- Complaint: Office of the Australian Information Commissioner, oaic.gov.au.
16.8 New Zealand (Privacy Act 2020)
- 13 Information Privacy Principles reflected throughout this policy.
- IPP 12 cross-border disclosure: Section 10.
- Breach notification: Section 12.
- Complaint: Office of the Privacy Commissioner, privacy.org.nz.
16.9 Singapore (PDPA)
- Designated Data Protection Officer: Privacy Officer, Tierlane (privacy@tierlane.app).
- Consent, purpose limitation, notification: Sections 4 and 5.
- Access and correction: Section 9.
- Protection and retention: Sections 11 and 7.
- Transfer Limitation Obligation: Section 10.
- Data Breach Notification Obligation (within 3 calendar days of assessing notifiability): Section 12.
- Complaint: Personal Data Protection Commission, pdpc.gov.sg.
16.10 Brazil (LGPD)
- Encarregado (DPO): Privacy Officer, Tierlane (privacy@tierlane.app).
- Legal bases (Article 7): see Section 5.4.
- Data subject rights (Article 18): see Section 9.
- International transfers: Brazilian SCCs for transfers to the US (Section 10). EU-Brazil mutual adequacy in force from 27 January 2026.
- Authority: Autoridade Nacional de Proteção de Dados, gov.br/anpd.