1. Introduction
This Privacy Policy explains what data WholesaleOS ("we", "us", "our") collects, why we collect it, and how we protect it. This policy applies to:
- The WholesaleOS marketing website (wholesaleos.com)
- The admin portal (app.wholesaleos.com)
- All tenant buyer portals (*.wholesaleos.com)
- The WholesaleOS API
By using any of these services, you agree to the collection and use of data as described in this policy. For terms governing the use of our platform, see our Terms of Service.
2. Data We Collect
From Tenant Admins (Brands)
- Account information: name, email address, password (stored hashed, never in plain text), phone number
- Business information: company name, tax ID (if provided), logo, brand settings, store configuration
- Usage data: pages visited, features used, login times, API calls
From Buyers (via Tenant Portals)
- Registration information: name, email, password (stored hashed), business name, phone number
- Address data: shipping and billing addresses
- Order data: order history, cart contents, quote requests
- Communication: order notes, quote request messages
What We Do NOT Collect
Payment Card Information: WholesaleOS does not collect, store, or process credit card data on our servers.
- For SaaS Subscriptions: All subscription billing and credit card processing for WholesaleOS tenants is handled securely by our Merchant of Record, Lemon Squeezy.
- For Wholesale Orders: We do not process wholesale transactions between brands and buyers. All B2B payments occur via bank transfer or third-party gateways entirely outside of the WholesaleOS platform.
Automatically Collected
- Device information: IP address, browser type and version, operating system, device type
- Usage information: pages visited, time on page, referral source, click patterns
- Cookies: session identifiers and preference cookies (see Cookies section below)
3. How We Use Data
We use collected data to:
- Provide the service: operate your portal, process orders, generate invoices, calculate shipping and tax
- Facilitate net terms invoicing: generate and track invoices between tenants and buyers
- Send transactional emails: order confirmations, invoice notifications, shipping updates, account alerts
- Improve the platform: usage analytics, error tracking, performance monitoring
- Communicate updates: service changes, maintenance notices, security alerts
We do NOT sell your personal data to third parties. We do not use your data for advertising, behavioral targeting, or any purpose beyond providing and improving the WholesaleOS service.
4. Data Sharing
We share data only with third-party providers necessary to operate the service:
- Merchant of Record — Lemon Squeezy (US) — to process subscription payments, manage billing, and issue tax-compliant invoices for our SaaS fees
- Email provider — Resend (US) — to send transactional emails (order confirmations, invoices)
- Cloud hosting — Railway (US), Vercel (US), Neon (US), Cloudflare (US) — for application hosting, database, and CDN
- Shipping provider — EasyPost (US) — for real-time carrier rate calculation (when enabled by tenant)
- File storage — Cloudflare R2 (US) — for product images, PDF invoices, and line sheets
We may also disclose data if required by law — in response to a valid legal request, court order, or government investigation.
Tenant access to buyer data: Tenants can access their buyers' registration information, addresses, and order history. This is necessary for the service to function — tenants need this data to fulfill orders and manage their wholesale relationships.
5. Payment Processing
Subscription payments are processed by Lemon Squeezy, LLC, which acts as our Merchant of Record. When you provide payment information to subscribe to WholesaleOS:
- Your payment details are collected and stored by Lemon Squeezy, not by WholesaleOS
- Lemon Squeezy is PCI DSS compliant and processes payments securely
- Lemon Squeezy handles applicable sales tax, VAT, and GST collection based on your location
- Lemon Squeezy's privacy practices are governed by their own Privacy Policy
For wholesale payments between tenants and their buyers: WholesaleOS does not process these transactions. All wholesale payments occur outside the platform (e.g., via bank transfer) and are managed directly between the tenant and buyer.
6. Data Retention
- Active accounts: data retained while your account is active and in good standing
- Cancelled accounts: data retained for 30 days after cancellation for export, then permanently deleted
- Invoices and order records: retained for 7 years to comply with applicable tax and financial record-keeping requirements
- Server logs: retained for 90 days, then automatically purged
- Backups: encrypted backups may contain your data for up to 30 days after deletion
7. Data Security
We take the security of your data seriously. Our measures include:
- Password hashing: all passwords are hashed with bcrypt — we never store plain-text passwords
- Encryption in transit: all traffic is encrypted via HTTPS/TLS
- Encryption at rest: databases are encrypted at rest
- Secrets management: API keys and credentials are stored in environment variables, never in code
- Access control: access to production systems is limited to authorized personnel with multi-factor authentication
- Regular updates: dependencies and infrastructure are regularly updated for security patches
In the event of a data breach that is likely to result in harm to affected individuals, we will notify affected users and relevant authorities as required by applicable law, and in any event within 72 hours of confirming the breach.
8. Cookies
WholesaleOS uses a minimal set of cookies:
- Session cookies (required) — maintain your login session. Without these, you cannot use the platform.
- Preference cookies (functional) — remember your theme, currency, and display preferences
We do not use:
- Third-party advertising cookies
- Tracking pixels from ad networks
- Cross-site tracking cookies
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: you may request access to the personal information we hold about you. We will respond within 30 days.
- Correction: you may request that we correct personal information that is inaccurate, out of date, incomplete, or misleading.
- Deletion: you may request that we delete your account and personal data, subject to any legal retention obligations.
- Export: you can download your data in standard, machine-readable formats (CSV, JSON) at any time from your dashboard.
- Objection: you may opt out of non-essential communications at any time.
To exercise any of these rights, contact us at hello@getwholesaleos.com. We will respond within 30 days.
For EU/UK Users (GDPR)
If you are in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation, including the right to data portability and the right to lodge a complaint with your local data protection authority.
For California Users (CCPA)
If you are a California resident, you have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.
10. Cross-Border Disclosure (APP 8)
In accordance with APP 8, we disclose that your personal information is processed by our core team located in India, and is hosted and processed by service providers in the United States. Our infrastructure partners include:
- Railway (US) — application hosting
- Vercel (US) — frontend hosting and CDN
- Neon (US) — database hosting
- Cloudflare (US) — CDN and file storage
- Resend (US) — transactional email delivery
- Lemon Squeezy (US) — subscription payment processing
Before disclosing personal information to these overseas recipients, we take reasonable steps to ensure they maintain appropriate data protection practices and security measures that align with the Australian Privacy Principles.
11. Children's Privacy
WholesaleOS is a B2B platform intended for use by businesses and professionals. The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal information from minors.
If you believe a minor has provided us with personal data, please contact us at hello@getwholesaleos.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of the Service after the notice period constitutes acceptance. If you disagree with the changes, you may close your account.
13. Data Controller vs Data Processor
Understanding who is responsible for your data:
- For tenant (brand) data: WholesaleOS is the data controller. We determine how and why your account and usage data is processed.
- For buyer data: the tenant is the data controller and WholesaleOS is the data processor. Tenants decide what buyer data to collect and how to use it. WholesaleOS processes this data on the tenant's behalf.
- For payment data: Lemon Squeezy is the data controller for all payment information collected during the subscription billing process.
Tenants are responsible for informing their buyers about data collection practices and ensuring their use of buyer data complies with applicable privacy laws.
14. Contact
For any privacy-related questions, requests, or complaints, contact us at hello@getwholesaleos.com.
We will acknowledge your inquiry within 5 business days and provide a substantive response within 30 days.
See also: Terms of Service · Refund Policy