Bark & Bitter

Privacy Policy

Effective date: June 7, 2026

1. Who we are

This dashboard ("the Application," "we," "us," or "our") is operated by Crown Cocktail Co. Inc. (operating as "Bark & Bitter"), based in St. Catharines, Ontario, Canada. It is a private, internal tool used by Bark & Bitter staff.

If you have any questions about this policy or about how we handle information, contact us at nick@crowncocktail.co.

For the purposes of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Crown Cocktail Co. Inc. is the organization responsible for the personal information described below.

2. About this Application

The Application is an internal sales-analytics dashboard. It is used by a single organization — Crown Cocktail Co. Inc. — so that authorized staff can view and analyze that organization's own sales data.

It is not a multi-tenant product, a marketplace app, or a public service. There is no self-service sign-up: only pre-provisioned staff accounts can sign in. The Application is not advertising-funded, and we do not provide it to outside customers.

To produce its reports, the Application connects to two business systems that the organization already uses — QuickBooks Online (Intuit) and Shopify — and reads sales information from them on a scheduled basis (typically once daily).

3. Information we collect

3.1 Data from QuickBooks Online (Intuit)

When an authorized user connects the organization's QuickBooks Online company, the Application uses Intuit's OAuth 2.0 authorization to read the following from that company, via the Intuit Accounting API:

  • Company / connection identifiers: the QuickBooks company ("realm") identifier associated with the connection.
  • Accounts: account ID, name, account number, and classification.
  • Items (products/services): ID, name, SKU, type (e.g., Inventory, Non-Inventory, Service), active status, description, and income-account reference.
  • Sales transactions (Invoices, Credit Memos, and Refund Receipts): transaction ID, date, currency and exchange rate, the sales channel/class reference, last-updated time, and line-item details (amount, item reference, quantity, unit price, and discounts).
  • Customer references on those transactions: the QuickBooks customer ID and the customer name.

To establish and maintain this connection, we also receive and store Intuit OAuth credentials (an access token and a refresh token) together with the company ("realm") identifier. These are held only on the server side, as described in Section 7.

We focus on B2B direct product-sales transactions and the related refunds. We do not collect customer email addresses from QuickBooks Online — that field is deliberately discarded in code and never stored.

3.2 Data from Shopify

The Application reads the following from the organization's Shopify store, via the Shopify Admin API:

  • Orders: order ID, name/number, creation date, currency information, subtotals, channel information (the sales channel an order came through, e.g., D2C, Faire, or Airgoods), line-item details (SKU, title, quantity, unit price, discounts), and refund details.
  • Products: product ID, title, type, status, tags, bundle indicators, and variant details (variant ID, SKU, title, and options such as size).
  • Customer information on orders: the Shopify customer ID, display name, and email address.

Unlike the QuickBooks integration, the Shopify integration does collect and store the customer email address associated with an order.

3.3 Authentication data

Sign-in is passwordless. To sign in, a staff member enters their email address and receives a one-time "magic link." In connection with authentication we process:

  • the staff member's email address;
  • their user account identifier and, if provided, their name (stored in a staff profile record together with an assigned role);
  • session information needed to keep them signed in (held in secure, HTTP-only session cookies).

New accounts cannot be self-created; sign-in is limited to email addresses we have provisioned in advance.

3.4 Operational data

We store limited operational information needed to run the Application, such as synchronization state (when data was last pulled, progress cursors, and status). This does not include additional personal information about you.

4. How we use information

We use the information described above only to operate the internal sales-analytics dashboard — that is, to import, organize, and display the organization's sales, refund, product, and customer information so that authorized staff can analyze performance.

We want to be clear and specific about what we do not do:

  • We do not sell, rent, or trade any of this information.
  • We do not share QuickBooks Online / Intuit data with third parties, and we do not make it available to or visible to anyone other than the authorized staff of the connected organization. It is not provided to outside parties through external API calls or by any other means, except to the service providers listed in Section 6 that host and store the data on our behalf.
  • We do not use the data for advertising, marketing to consumers, profiling, or behavioral targeting.
  • We do not use QuickBooks or Shopify data to train machine-learning or AI models.
  • We do not export, save, or store QuickBooks data for any purpose other than the functional operation of this Application.

The service providers listed in Section 6 process data only on our behalf and only to provide their part of the service.

5. Legal basis and consent (PIPEDA)

We collect and use this information on the basis of the organization's consent and for the legitimate, internal business purpose of analyzing its own sales data. Connecting QuickBooks Online and Shopify is an authorized act performed by staff using the organization's own credentials.

Consent for the QuickBooks Online connection can be withdrawn at any time by disconnecting that connection (see Section 9), which stops any further access to QuickBooks data.

6. Third-party service providers (sub-processors)

We rely on the following service providers to deliver the Application. Each processes data only to perform its function, and each stores or processes information outside Canada, primarily in the United States:

  • Intuit (QuickBooks Online) — source system and OAuth provider for accounting/sales data. Involves the Intuit OAuth authorization code and access/refresh tokens, and the accounting and sales data described in Section 3.1.
  • Shopify — source system for e-commerce sales data. Involves the order, product, and customer data described in Section 3.2. The Shopify Admin access token is held by us as a server-side configuration secret (see Section 7); it is not stored in our database.
  • Supabase — database (PostgreSQL) and authentication. Stores the imported sales/customer/product data; staff email, profile, and session data; and the stored QuickBooks Online OAuth tokens and realm identifier.
  • Vercel — application hosting and scheduled jobs. Hosts the Application, runs the scheduled daily data-sync jobs, holds server-side configuration secrets (including the Shopify Admin access token), and provides encrypted (HTTPS) transport.
  • Resend — transactional email delivery. Delivers magic-link sign-in emails from the sales.barkandbitter.com subdomain; processes the recipient's email address.

We do not use third-party advertising, analytics, or tracking services in the Application.

7. Storage and security

We take reasonable measures to protect the information we handle:

  • Encryption in transit. All connections to Intuit, Shopify, and the Application itself use HTTPS/TLS.
  • Encryption at rest. Stored data — including imported records and the integration tokens — is held in a managed PostgreSQL database (Supabase) that encrypts data at rest at the infrastructure level (AES-256).
  • Server-side tokens. The QuickBooks Online OAuth tokens and company ("realm") identifier are handled and stored only on the server side and are accessed only through a privileged service credential. They are never exposed to the browser, included in client-side code, or written to client logs. Intuit-issued refresh tokens are rotated and updated as Intuit requires. The Shopify Admin access token is held only as a server-side environment secret with our hosting provider and is likewise never exposed to the browser.
  • Access controls. Data is stored in a Supabase PostgreSQL database with row-level security (RLS) enabled on all tables. Sales, customer, and product data is readable only by authenticated staff. The table holding the QuickBooks integration tokens has RLS enabled with no read access granted to signed-in users or to the browser; it is reachable only through privileged server-side (service-role) access.
  • Restricted sign-in. Only pre-provisioned staff accounts can authenticate, using passwordless magic links. Unauthenticated visitors are redirected to the sign-in page and cannot reach dashboard data.

No method of transmission or storage is completely secure, but we work to protect information consistent with its sensitivity and with our obligations under PIPEDA.

8. International data transfers

Our service providers — including Intuit, Shopify, Supabase, Vercel, and Resend — store or process information on servers located outside Canada, primarily in the United States. When information is processed in another country, it may be subject to the laws of that country, including lawful access by courts, law-enforcement, and government authorities there. By using the Application, you acknowledge that information may be transferred to and processed in jurisdictions outside Ontario, including the United States.

9. Disconnecting QuickBooks Online

You can disconnect the QuickBooks Online connection at any time, in any of the following ways: from the Application's Sync page, using the Disconnect button; from within your QuickBooks Online / Intuit account, on the "Apps" (Connected Apps / My Apps) page, by selecting the Application and choosing to disconnect it; or by emailing us at nick@crowncocktail.co to request disconnection.

Disconnecting revokes the Application's authorization and stops any further access to your QuickBooks Online data. Disconnecting does not by itself delete data already imported; to have previously imported data deleted, see Section 11.

10. Data retention

We retain imported sales, refund, product, and customer data, and staff account data, for as long as the organization uses the Application for its analytics purpose. Authentication and integration tokens are retained while a connection remains active.

We do not keep personal information longer than necessary for the purposes described in this policy. Because this is an internal tool, retention is open-ended and deletion is not performed on a fixed automated schedule; instead, data is deleted on request or by an administrator (see Section 11).

11. Access, correction, and deletion

To request access to, correction of, or deletion of personal information held by the Application — including imported customer data or your own staff account data — contact us at nick@crowncocktail.co. An administrator will action reasonable requests, including removing imported data and clearing stored integration tokens.

12. Your rights under PIPEDA

Subject to applicable law, you have the right to:

  • access the personal information we hold about you and be told how it is used;
  • request correction of inaccurate or incomplete information;
  • withdraw consent (for QuickBooks data, by disconnecting as described in Section 9), subject to legal or contractual restrictions; and
  • request deletion of your personal information.

To exercise any of these rights, email nick@crowncocktail.co. If you are not satisfied with how we have handled your information or your request, you may contact the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Effective date" above and publish the updated policy at its public address under sales.barkandbitter.com. Continued use of the Application after an update constitutes acknowledgment of the revised policy.

14. Contact us

Crown Cocktail Co. Inc. (operating as "Bark & Bitter"), St. Catharines, Ontario, Canada. Email: nick@crowncocktail.co.