C+F WinRetail Supplier B2B Extension — Privacy Policy

Last updated: 2026-05-11

Who we are

We are Corby + Fellas, the developer of the WinRetail EPOS system. This Chrome extension is one of the integrations we provide to our existing WinRetail customers — it bridges supplier B2B trade sites with the customer’s own WinRetail point-of-sale system, for use by their buying teams. The extension is distributed unlisted, by invitation only, and is not a publicly-discoverable tool.

What data the extension handles

The extension reads:

• Product identifiers (barcodes, supplier stock codes, manufacturer codes) from supplier website pages and supplier API responses.
• Basket line data (product description, cost, pack quantity, unit quantity, supplier reference where present).
• The URL of the currently-active browser tab — used only to decide whether the toolbar popup shows the WinRetail status badge or the bookmark list. Not stored, transmitted, or aggregated as history.
• An authentication Bearer token that the supplier site itself sets, observed in normal supplier-site requests, stashed in browser sessionStorage and used only to re-fetch order JSON from the same supplier site during a Purchase Order preview. Cleared on tab close.

The extension stores in browser-local storage (chrome.storage.local):

• WinRetail server connection details (host, port, shop number, API key) — entered by the user in the Options dialogue.
• Per-supplier preferences (enabled flag, WinRetail supplier number, product identifier choice).
• A cached copy of the layout-scraping configuration received from the customer’s WinRetail server.
• The most recently created Purchase Order’s number, so the supplier site’s confirmation page can be auto-filled on the next visit.

Where the data goes

• Product identifiers and basket data are transmitted only to the user’s own WinRetail server — the address entered in the extension’s Options dialog. In typical deployments this server is reachable only inside the customer’s company network, and the user reaches it via their own internal VPN. The extension does not route through any intermediary.
• Supplier-site Bearer tokens are sent only back to the supplier site that issued them, never elsewhere.
• Nothing is sent to Corby + Fellas servers, third parties, advertisers, analytics providers, or any other destination outside the customer’s own network.

What we don’t collect

• No personally identifiable information (names, addresses, emails, phone numbers).
• No health information.
• No consumer financial or payment information.
• No personal communications.
• No location data.
• No browsing history, clickstream, keystroke or mouse-position logs.

Data retention

Browser-local storage persists across sessions until the user uninstalls the extension or explicitly clears its data. The Bearer token in sessionStorage is cleared automatically when the supplier-site tab closes. The extension does not maintain any external storage.

Changes to this policy

If we change the data the extension handles, we’ll update this page and bump the “Last updated” date above. Material changes will be called out in the Chrome Web Store release notes.

Contact

For questions about this policy or the extension, contact support@corbyfellas.com.