diff --git a/site/src/components/intake/Wizard.astro b/site/src/components/intake/Wizard.astro
index 99cc43e..bc15409 100644
--- a/site/src/components/intake/Wizard.astro
+++ b/site/src/components/intake/Wizard.astro
@@ -338,10 +338,37 @@ const STEP_LABELS: Record<string, string> = {
     const params = urlParams;
     const token = params.get("token");
     const frn = params.get("frn");
-    if (!token) return;
+    const orderParam = params.get("order");
+    if (!token && !orderParam) return;
 
     const API = (window as any).__PW_API || "";
     try {
+      // Pre-fill from ?order=CO-xxx (e.g. from confirmation email link)
+      if (!token && orderParam) {
+        const state = loadState();
+        try {
+          const r = await fetch(`${API}/api/v1/compliance-orders/${orderParam}`);
+          if (r.ok) {
+            const data = await r.json();
+            const order = data.orders ? data.orders[0] : data;
+            if (order.customer_name && !state.name) state.name = order.customer_name;
+            if (order.customer_email && !state.email) state.email = order.customer_email;
+            const orderNum = order.order_number || orderParam;
+            state.order_number = orderNum;
+            state.intake_data = { ...state.intake_data, order_number: orderNum };
+            if (order.intake_data) {
+              const intake = typeof order.intake_data === "string" ? JSON.parse(order.intake_data) : order.intake_data;
+              state.intake_data = { ...state.intake_data, ...intake };
+              if (intake.frn && !state.entity?.frn) {
+                state.entity = { ...state.entity, frn: intake.frn };
+              }
+            }
+            saveState(state);
+          }
+        } catch {}
+        renderStep(state.step_index || 0);
+        return;
+      }
       // Decode the token to get order_id + email — no server call needed for basic info
       // The token is a JWT with {order_id, order_type, email}
       const payload = JSON.parse(atob(token.split(".")[1]));