← Back to PO Field
Privacy Policy
Last updated: March 3, 2026
Summary: PO Field stores the minimum data necessary to capture and track Purchase Order numbers. We do not store customer email addresses, phone numbers, physical addresses, or payment information.
What we store:
- Store domain, name, and owner email (from OAuth)
- PO order records (order ID, PO number, customer name, order total, status)
- Configuration settings (validation rules, tag rules)
What we do NOT store:
- Customer emails, phone numbers, or addresses
- Payment or billing information
- Product details, inventory, or pricing
- Cookies, tracking pixels, or behavioral analytics
1. Who We Are
PO Field is operated by Beemlo ("we", "us", "our"). For data protection purposes, Beemlo acts as a data processor on behalf of merchants (data controllers) who install the application.
2. Information We Collect
Store Information
When you install PO Field, we collect your myshopify.com domain, store name, and store owner email address through Shopify's OAuth flow. This is used for authentication and communication.
PO Order Data
When a POS order includes a Purchase Order number, our webhook processes the following from the order payload:
- Order ID and order name (e.g., "#1042")
- PO number (from cart note attributes)
- Customer first and last name
- Order total, currency, and financial status
- Order creation timestamp
Configuration Data
Settings you configure in the admin dashboard: validation rules (format, length, uniqueness) and customer tag rules (required/optional behavior).
What We Do NOT Collect
- Customer email addresses, phone numbers, or physical addresses
- Payment or credit card information
- Product details, images, descriptions, pricing, or inventory
- Order line items or shipping details
- Location or IP address data
- Browser or device information
- Cookies, tracking pixels, or behavioral analytics
3. Shopify API Permissions
| Scope | Purpose | Access Level |
|---|
| read_orders | Read order data in webhooks and extension | Read only |
| write_orders | Write PO number to order metafield | Metafield write only |
| read_customers | Read customer tags for PO field behavior | Read only |
4. How We Use Your Data
- Service delivery: To capture, validate, and store PO numbers on orders
- Dashboard: To display PO order history, search, and export functionality
- Settings: To apply validation rules and tag-based behavior in the POS extension
- Communication: To respond to support requests and send service-critical notices
5. Legal Basis for Processing (EEA/UK)
- Contract performance (GDPR Article 6(1)(b)): Processing necessary to deliver the Service
- Legitimate interest (GDPR Article 6(1)(f)): Service diagnostics and fraud prevention
- Legal compliance (GDPR Article 6(1)(c)): Responding to legal obligations and data subject requests
6. Infrastructure and Security
- Compute and storage: Cloudflare Workers and D1 databases (global edge network)
- Encryption in transit: TLS 1.2+ on all connections
- Encryption at rest: Cloudflare platform-level encryption
- Authentication: Shopify OAuth tokens stored in Cloudflare KV (encrypted at rest)
- Webhook verification: HMAC-SHA256 signature validation on all incoming webhooks
- API authentication: App Bridge session token JWT verification for all admin API requests
- Secrets management: API keys stored as Cloudflare Worker secrets, never in source code
7. Data Sharing
We do not sell your data. We do not share your data with third parties for marketing or advertising purposes.
We use the following subprocessors:
| Subprocessor | Purpose | Location |
|---|
| Cloudflare | Compute, storage, CDN, DDoS protection | Global edge network |
We will provide at least 30 days advance notice before adding new subprocessors.
8. International Data Transfers
Your data may be processed in the United States and other countries where Cloudflare operates edge infrastructure. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (EU Commission Decision 2021/914) with supplementary technical measures including encryption and access controls. Copies of SCCs are available upon request.
9. Data Retention and Deletion
- Active subscription: Data retained for the subscription duration
- Post-cancellation: Permanently deleted after 30 days
- Post-uninstall: Shopify's
shop/redact webhook triggers permanent deletion within 48 hours
- Early deletion: Email [email protected]; processed within 10 business days
10. Shopify Mandatory Webhooks
- customers/data_request: We acknowledge the request. PO order records containing the customer's name are included in any data export.
- customers/redact: Customer names are anonymized (set to null) on PO order records associated with the redacted customer's orders.
- shop/redact: All store data (settings, PO orders, access tokens) is permanently deleted within 48 hours.
11. Your Rights
All Merchants
- Access and export your PO order data via the admin dashboard CSV export
- Delete your data by uninstalling the app or contacting us
- Correct your data by contacting us
EEA/UK (GDPR)
You have the right to: access, rectification, erasure, restrict processing, data portability, object to processing, withdraw consent, and lodge a complaint with a supervisory authority.
California (CCPA/CPRA)
You have the right to: know what data we collect, request deletion, opt out of sale (we do not sell data), and non-discrimination for exercising your rights.
12. Data Breach Notification
In the event of a data breach affecting your data, we will notify you via email within 72 hours, including the nature of the breach, affected data categories, and mitigation measures taken.
13. Cookies and Tracking
PO Field does not use cookies, tracking pixels, local storage, or any form of behavioral analytics. We do not use third-party analytics, advertising trackers, or social media pixels.
14. Children's Privacy
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect data from children.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days in advance.
16. Contact
Beemlo
Email: [email protected]
For data protection inquiries: [email protected]