
Last Updated: 2026-06-10

1. Introduction

This Acceptable Use Policy ("AUP") sets out the rules for using WB Connect (the "App"), a free Shopify connector that links your Shopify store to a third-party logistics ("3PL") fulfillment warehouse running the Warehouse Bridge warehouse management system.

The App is operated by Flag Eagle LLC, a Nevada limited liability company (United States) registered with the Nevada Secretary of State, with its registered address at 401 Ryland Street STE-200, Reno, NV 89502, United States, trading as "Warehouse Bridge" with the Shopify-merchant-facing sub-brand "WB Connect" ("we," "us," or "our"). The App is listed in the Shopify App Store as "Warehouse Bridge v3" and is presented to merchants as "WB Connect" within the listing.

This AUP is incorporated into, and forms part of, our Terms of Service. By installing or using the App, you agree to comply with this AUP. If you do not agree, you must uninstall the App from your Shopify store.

Tone note: WB Connect is free to install and exists to make your fulfillment relationship with your 3PL warehouse work smoothly. The rules below are the standard set we need to keep the App safe, lawful, and reliable for every merchant who uses it — they are not intended to be adversarial.

2. Scope

This AUP applies to:

  • Shopify merchants who install or use the App ("you" or "Merchant")
  • Authorized staff, agencies, consultants, and collaborators acting on a Merchant's behalf
  • Any automated systems, scripts, or integrations that interact with the App, our APIs, or our webhooks
  • Any 3PL Warehouse Customer that connects to a Merchant's store through the App, to the extent they interact with the App surface

This AUP governs Merchant use of the App. The personal data of the Merchant's end customers (shoppers) is processed under our Privacy Policy and applicable data protection law; end customers are not themselves parties to this AUP but their data flows through the App in the course of fulfillment.

3. What WB Connect Is (and Is Not)

WB Connect is a connector. It moves data between your Shopify store and a 3PL fulfillment warehouse that uses Warehouse Bridge as its WMS. Specifically:

  • Inbound from Shopify (via the Shopify API and webhooks): order data, line items, customer shipping and billing addresses, product catalog, inventory levels, fulfillment status, and store metadata.
  • Outbound to Shopify: fulfillment events, tracking numbers, and inventory updates.

App architecture (non-embedded). WB Connect is a non-embedded Shopify app (embedded = false in our shopify.app.toml). It uses Shopify OAuth 2.0 access tokens for API authentication. It does not use Shopify App Bridge session tokens because session tokens are an embedded-app construct that does not apply to non-embedded apps. This architecture is permitted by the Shopify App Store and is consistent with other approved non-embedded fulfillment/3PL connector apps.

OAuth scopes requested. At install time, the App requests the minimum scopes needed to operate a fulfillment connector. The exact set declared in our shopify.app.toml and requested at install is:

  • read_orders and write_orders — to receive new orders from your store and to mark fulfillment-related status against them.
  • read_fulfillments and write_fulfillments — to create fulfillment records when the 3PL ships a package and to attach tracking numbers.
  • read_products and write_products — to mirror your product catalog so the 3PL has SKU and variant data, and to write back catalog identifiers (e.g., barcode / SKU normalization) where the 3PL needs them to ship accurately.
  • read_inventory and write_inventory — to read current Shopify inventory and to push warehouse stock levels back to Shopify so your storefront stays accurate.
  • read_locations — to identify which Shopify Location maps to the 3PL warehouse so inventory and fulfillment are written against the correct location.
  • read_merchant_managed_fulfillment_orders and write_merchant_managed_fulfillment_orders — to read fulfillment orders assigned to a merchant-managed location (the 3PL Location) and to accept, close, or update them as the 3PL fulfills the order. These two scopes are the modern Shopify-native fulfillment-order workflow and are required for a connector that actually fulfills orders rather than just reading them.

We do not request scopes beyond what the connector actually uses. If we ever need additional scopes, Shopify will prompt you to re-approve the scope set before any new permission takes effect.

Mandatory Shopify privacy-law compliance webhooks. Shopify designates exactly three webhooks as the mandatory privacy-law compliance webhooks: customers/data_request, customers/redact, and shop/redact. The App implements all three. We additionally implement the app/uninstalled lifecycle webhook (which is a separate Shopify-required webhook for app lifecycle management, not part of the privacy-law compliance set) so that we can promptly revoke tokens and begin our shop-redact retention timer. See Section 10 for where these are wired on our infrastructure.

Shopify Billing at install. On install, the OAuth callback creates a $0/month recurring AppSubscription via the Shopify Billing API. This creates a real, merchant-visible billing record in your Shopify Admin under Settings → Apps → Charges and satisfies Shopify App Store policy 1.2.1. You are never charged by Flag Eagle LLC through Shopify or off-platform for use of the App. All billing for the App itself flows through the Shopify Billing API; no off-platform payment instrument is ever requested or charged by Flag Eagle LLC for App functionality.

If we ever introduce paid features. If we ever decide to introduce paid features within WB Connect, we will require your separate, affirmative opt-in consent through a clear Shopify Billing API flow before any charge is created. We will not unilaterally convert the existing $0/month AppSubscription into a paid plan. Any paid upgrade will be billed through the Shopify Billing API in accordance with policy 1.2.1 — not off-platform.

3PL fees are separate and outside the App. Any fulfillment, storage, pick-pack, or per-shipment fees you pay your 3PL warehouse are billed by that 3PL under a separate B2B contract that exists independently of WB Connect. That contract is between you and your 3PL — it predates or operates without reference to the App, it is not a fee for use of the App, it is not collected, invoiced, processed, or remitted by Flag Eagle LLC, and it is not subject to the Shopify Billing API because it is not an App fee. WB Connect simply passes order and fulfillment data between the two systems; it does not generate, mediate, or collect 3PL fulfillment charges.

4. Permitted Use

You may use the App to:

  • Connect a Shopify store you own or are authorized to manage to a 3PL fulfillment warehouse that runs Warehouse Bridge
  • Send order, customer, product, and inventory data to that 3PL for legitimate fulfillment of orders placed by your customers
  • Receive fulfillment events, tracking numbers, and inventory updates back from that 3PL
  • Manage your store's fulfillment workflow within the features the App provides

For clarity, agencies, consultants, freelancers, and multi-store operators may install and configure the App on stores they are authorized to manage on behalf of their clients or affiliated entities. That is permitted use, not prohibited redistribution.

Use of the App must always comply with these rules, our Terms of Service, our Privacy Policy, Shopify's Acceptable Use Policy (https://www.shopify.com/legal/aup), Shopify's API Terms, and all laws and regulations that apply to you and your business.

5. Prohibited Activities

The following activities are not permitted. We have organized them by topic so they are easy to scan. Throughout this section, "knew or should reasonably have known" applies to compliance obligations that depend on facts a merchant could not be expected to discover through ordinary diligence.

5.1 Illegal Goods and Conduct

You must not use the App to:

  • Sell, ship, or fulfill goods or services that are unlawful in the jurisdiction where your store is established or in the destination jurisdiction shown on the order, or that you knew or should reasonably have known are unlawful in a transit jurisdiction your shipment will pass through
  • Sell or ship products that are restricted or regulated without holding every license, permit, age verification, or compliance approval that applies — including but not limited to firearms and ammunition, controlled substances, prescription medicines, tobacco and vaping products, alcohol, CBD and hemp-derived products where restricted, hazardous materials, live animals, and counterfeit goods
  • Process orders for, or fulfill, any product Shopify's own Acceptable Use Policy prohibits
  • Facilitate money laundering, terrorist financing, sanctions evasion, customs fraud, tax evasion, or any other financial crime
  • Violate any export-control, sanctions, or trade-embargo law of the United States or any other applicable jurisdiction

We will apply a good-faith standard when assessing transit-jurisdiction compliance. We do not expect merchants to audit the import laws of every transit country a carrier may route through; we do expect merchants to act in good faith on information they have or could readily obtain.

5.2 Intellectual Property and Consumer Protection

You must not use the App to:

  • Fulfill orders for counterfeit, pirated, or trademark-infringing products
  • Misrepresent product origin, authenticity, ingredients, safety information, or country of manufacture
  • Engage in deceptive or unfair commercial practices, false advertising, or fraud against consumers
  • Process orders that infringe any third party's copyrights, trademarks, patents, trade secrets, publicity rights, or privacy rights

5.3 Abuse of the Integration

You must not:

  • Make excessive, automated, or abusive calls to the App's endpoints, our APIs, or our webhooks in a way that degrades service for other merchants or breaches Shopify's API rate limits
  • Scrape, harvest, or bulk-export data from the App or from Shopify through the App for purposes unrelated to legitimate fulfillment
  • Attempt to access, query, view, modify, or interact with the data of any other Shopify merchant connected to WB Connect
  • Use the App to circumvent Shopify's platform policies, billing requirements, app permission scopes, or API authentication requirements
  • Use the App from a Shopify store you do not own or are not authorized to administer
  • Re-use OAuth tokens or API credentials obtained through the App for any purpose other than operating the App on the store they were issued for
  • Resell, sublicense, white-label, or otherwise redistribute the App or access to it to unaffiliated third parties without our prior written consent. For clarity, this does not prevent agencies, consultants, operators, or merchant teams from installing and configuring the App on stores they are authorized to manage on behalf of their clients or affiliated entities — that is Permitted Use under Section 4.

5.4 Security and Reverse Engineering

You must not:

  • Probe, scan, or test the security of the App, our APIs, the app surface at app.warehousebridge.com, or our infrastructure without our prior written authorization
  • Attempt to gain unauthorized access to any account, system, server, network, or data
  • Circumvent, disable, or interfere with any security feature or access control
  • Reverse engineer, decompile, disassemble, or attempt to derive the source code, architecture, or design of the App or any underlying software, except to the extent this restriction is prohibited by applicable law (including, where applicable, interoperability rights under EU Directive 2009/24/EC or comparable rights under other applicable law)
  • Introduce malware, viruses, ransomware, worms, trojans, or any other malicious code into the App or our systems
  • Launch a denial-of-service attack, send malformed payloads, or otherwise attempt to disrupt, overload, or impair the App
  • Use the App to attack, probe, or exfiltrate data from any third-party system

5.5 Personal Data and Customer Privacy

WB Connect is operated from the United States. The primary privacy framework that applies to Flag Eagle LLC and the App is United States federal and state privacy law — including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Nevada NRS 603A, the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), and other applicable US state privacy statutes (including, without limitation, those in force in Montana, Iowa, Delaware, New Jersey, Indiana, and Tennessee as of the date of this AUP). The UK GDPR and EU GDPR apply only to data subjects who are resident in the United Kingdom or the European Economic Area respectively, when their personal data is processed through the App. Where both US and UK/EU frameworks apply to a given data subject, we honor the more protective set of rights for that data subject.

As a merchant, you must not:

  • Use customer personal data received through the App for any purpose other than processing and fulfilling the order it relates to, plus directly related customer-service, returns, tax, and accounting purposes
  • Sell, rent, or share customer personal data received through the App with third parties for their own marketing purposes (as "sell" and "share" are defined under CCPA/CPRA and equivalent US state privacy laws)
  • Retain customer personal data longer than you need it for the purposes above and your legal record-keeping obligations
  • Ignore valid data subject requests (access, deletion, correction, portability, opt-out of sale, sharing, or targeted advertising, opt-out of profiling, etc.) made to you under applicable US state privacy laws — including CCPA/CPRA (California), Nevada NRS 603A, VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), and other applicable US state privacy statutes — or, where applicable to the data subject, under the UK GDPR or EU GDPR

What Flag Eagle LLC commits to (we hold ourselves to the same standard):

  • We process customer personal data received through the App only as necessary to deliver the connector service and to comply with law. We do not use customer personal data for our own marketing, profiling, targeted advertising, AI / machine-learning model training, analytics resale, or any purpose beyond delivering the App.
  • We do not use merchant business data (order volumes, SKU catalogs, fulfillment patterns, sales metrics, customer addresses you process through the App) for AI / machine-learning model training, cross-merchant benchmarking, or competitive analytics. Aggregated, fully de-identified service telemetry may be used to operate, secure, and improve the App, but never in a way that exposes one merchant's data to another.
  • We do not sell or share (as those terms are defined under the CCPA/CPRA and equivalent US state privacy laws) personal data received through the App. We act as a service provider to the merchant for the limited business purpose of operating the App and we do not retain, use, or disclose personal data for any commercial purpose other than performing the connector service and complying with law.
  • We share customer personal data with the merchant's connected 3PL Warehouse Customer only to the extent necessary for that 3PL to fulfill the order — typically: order ID, line items, ship-to name and address, contact details for delivery notifications, and chosen shipping method. We do not share unrelated catalog, financial, or behavioural data with the 3PL.

5.6 Third-Party Platform Policies

The App is built on top of Shopify and exchanges data with a 3PL warehouse. You must:

  • Comply with Shopify's Terms of Service, Acceptable Use Policy, API License and Terms of Use, and Partner Program Agreement
  • Comply with the carrier terms of any shipping carrier whose tracking events flow through the App
  • Comply with your own contractual obligations to the 3PL Warehouse Customer that fulfills your orders

A breach of Shopify's policies that affects WB Connect, or that Shopify asks us to act on, may also be treated as a breach of this AUP.

6. Use of Our APIs and Webhooks

When you interact with our APIs or receive webhooks from us, you agree to:

  • Respect published rate limits and any documented retry-and-backoff guidance
  • Authenticate every request and protect your API credentials
  • Implement webhook signature verification and idempotent handling
  • Avoid polling patterns that duplicate data already delivered by webhook
  • Cache data where it is reasonable to do so, rather than re-fetching on every page view
  • Not systematically use our APIs to reverse-engineer the App's functionality for the purpose of creating a directly competing connector product offered to third parties

Internal merchant tooling is expressly permitted. Nothing in this section prevents you, or a developer acting on your behalf, from building internal tools, custom reporting layers, dashboards, or operational integrations that overlap with App functionality for your own store(s) or stores you are authorized to manage. The restriction above is narrowly aimed at building a directly competing third-party product, not at legitimate merchant-side tooling.

7. Your Responsibilities

You are responsible for:

  • Keeping your Shopify account, your store's user accounts, and any credentials issued through the App secure
  • Actions taken by your staff, agencies, consultants, and authorized collaborators using the App on your store
  • Using reasonable care when selecting third-party apps and services you connect to your store, and disconnecting any that you become aware are introducing vulnerabilities
  • Making sure your authorized users and any 3PL partner you connect comply with this AUP
  • Telling us promptly if you suspect any unauthorized access, security incident, or material breach of this AUP that involves your store
  • Keeping the contact details you provide to us current so we can reach you about security, abuse, or compliance issues

This is not absolute strict liability for "everything that happens" — it is responsibility for the things you control or can reasonably influence.

8. Monitoring and Enforcement

8.1 Our Rights

We may, to the extent reasonable and lawful:

  • Monitor App usage and traffic patterns for security, fraud-prevention, abuse-detection, and compliance purposes
  • Investigate suspected violations of this AUP
  • Disable, throttle, or remove access to specific features, endpoints, or data flows
  • Suspend or terminate your access to the App
  • Cooperate with Shopify, law enforcement, regulators, and other authorities where we are legally required to do so or where we reasonably believe it is necessary to do so

Limits on monitoring. We retain monitoring data only as long as necessary for the purposes stated above and in accordance with our Privacy Policy. We do not use monitoring data for advertising, behavioural profiling, AI / machine-learning model training, or resale. "Compliance purposes" means our own compliance with Shopify policies, applicable law, and this AUP — not open-ended behavioural analysis.

8.2 Enforcement Actions

Depending on the severity, frequency, and impact of a violation, we may take one or more of the following actions:

  1. Notice and request to remedy — we contact you, describe the issue, and ask you to fix it.
  2. Rate limit or feature restriction — we limit specific endpoints or features while we investigate.
  3. Temporary suspension — we disconnect the App from your store while we investigate.
  4. Termination — we uninstall and disconnect the App, revoke OAuth tokens, and the associated $0/month Shopify AppSubscription is cancelled (either by us via the Shopify Billing API or automatically by Shopify on uninstall, whichever applies first).
  5. Referral — we refer the matter to Shopify, law enforcement, or another competent authority where appropriate.

Where it is safe and lawful to do so, we will give you notice and a reasonable opportunity to fix the issue before taking the more severe steps above. We may act without prior notice where we reasonably believe immediate action is needed to protect customers, other merchants, Shopify, or our systems — for example, a credible security incident, active abuse, a regulator or court order, or a Shopify directive.

Post-action notice and appeal. Where we take an emergency action without prior notice, we will (subject to legal restrictions) send you written notice within 48 hours explaining what we did and why. You may appeal any enforcement action by emailing legal@warehousebridge.com within 30 days. We will acknowledge appeals within 5 business days and provide a human review and written decision within 15 business days, save where law enforcement, a court, a regulator, or Shopify directs otherwise.

Data export window. Following any termination or suspension (except where prohibited by law, court order, or a Shopify or regulator directive), we will preserve and make available for export — for at least 30 days — your order history, fulfillment events, tracking history, inventory state, shipping rules and carrier mappings, integration configuration, and any other merchant-supplied settings held in the App, so you can meet your tax, returns, customer-service, and record-keeping obligations and migrate to another connector if you wish. Export will be in a commonly readable format (CSV or JSON). Request export by emailing support@warehousebridge.com.

8.3 Effect on Shopify Billing

The App itself is free. Termination cancels the $0/month Shopify AppSubscription via the Shopify Billing API (or relies on Shopify's automatic cancellation on uninstall) and revokes OAuth tokens. There is nothing to refund because no charge ever occurred. Flag Eagle LLC never charges merchants for the App through Shopify or off-platform; all App billing — including the $0 subscription — flows through the Shopify Billing API in accordance with App Store policy 1.2.1.

9. Reporting Abuse

If you see something that breaks this AUP — for example, a store that looks fraudulent, a security issue, suspected unauthorized access, or content you believe is illegal — please tell us.

Abuse reports: abuse@warehousebridge.com

If you can, please include:

  • A short description of what you saw
  • The Shopify store domain or App account involved, if known
  • Approximate date and time
  • Any screenshots, headers, request IDs, or other evidence that would help us investigate
  • How we can reach you for follow-up

We treat abuse reports seriously and investigate every credible one. We will not share your identity with the reported party unless we are legally required to do so.

For data subject requests, privacy questions, or our Data Protection point of contact, write to privacy@warehousebridge.com. For legal notices, write to legal@warehousebridge.com. For everything else, support@warehousebridge.com is the best address.

10. Privacy-Law Compliance Webhooks and Data Subject Requests

Shopify designates exactly three webhooks as the mandatory privacy-law compliance webhooks: customers/data_request, customers/redact, and shop/redact. The App implements all three. We additionally implement the app/uninstalled lifecycle webhook (a separate Shopify-required webhook for app lifecycle management, not part of the privacy-law compliance set) so that we can revoke tokens and start our shop-redact retention timer. All four — the three compliance webhooks plus the uninstall lifecycle handler — are served from /shopify/webhooks/compliance on the app surface at app.warehousebridge.com.

If you receive a data subject request that relates to data we process on your behalf as part of operating the App, please forward it promptly to privacy@warehousebridge.com so we can assist you in responding within the statutory timeframes that apply. Those timeframes vary by framework:

  • United States (primary framework for the App): CCPA/CPRA (45 days, extendable by 45 days), Nevada NRS 603A, VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), and other applicable US state privacy statutes — these are the primary frameworks for Flag Eagle LLC and apply to data subjects in the relevant US states. Response windows under most US state regimes are 45 days, with a permitted extension.
  • United Kingdom (when the data subject is UK-resident): UK GDPR (one month, extendable by two months).
  • European Economic Area (when the data subject is EEA-resident): EU GDPR (one month, extendable by two months).

Where both US and UK/EU frameworks could apply to a single request, we will honor the more protective right and the shorter response window.

11. Data Hosting, Sub-Processors and Cross-Border Transfers

11.1 Where data is processed

Application data exchanged through the App is processed and stored on Amazon Web Services in the eu-west-2 (Ireland) region. We chose Ireland because our underlying Warehouse Bridge WMS platform is operated from that region and consolidating processing in one AWS region simplifies security, audit, and incident response. This applies regardless of where the merchant or the merchant's end customer is located — i.e., a US merchant's data is also processed in eu-west-2. This is an explicit choice and is disclosed here so merchants and reviewers can assess it.

We do not operate a separate US data center for WB Connect. If we introduce US regional segregation in future, we will update this AUP and our Privacy Policy and notify affected merchants.

Processing data in eu-west-2 does not change the privacy rights US data subjects hold under CCPA/CPRA, Nevada NRS 603A, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, or any other applicable US state privacy law. Flag Eagle LLC remains a US entity subject to US federal and state privacy law regardless of the AWS region in which data is stored. The choice of region is operational (consolidation with the upstream WMS), not a regulatory-shopping decision.

11.2 Sub-processors

Our sub-processors for WB Connect are:

  • Shopify, Inc. / Shopify International Limited — as the source platform (you are already a Shopify merchant; data originates there).
  • The 3PL Warehouse Customer's WMS (Warehouse Bridge instance) — the destination warehouse you chose to connect to, for the limited purpose of fulfilling your orders.
  • Amazon Web Services EMEA SARL / Amazon Web Services, Inc. — compute and storage in the eu-west-2 (Ireland) region.
  • AWS SES (Amazon Simple Email Service) — transactional email delivery (e.g., abuse / compliance notifications to merchants).

We do not use Stripe as a sub-processor for WB Connect. Shopify Billing API is the sole billing channel for the App and flows entirely through Shopify; no payment data leaves Shopify into Stripe for WB Connect purposes. (Flag Eagle LLC operates other products, such as DockSnap, that do use Stripe — but those are separate services governed by their own terms and are not part of WB Connect.)

11.3 Cross-border data transfers and our role

Flag Eagle LLC, established in the United States, acts as the data importer for transfers from the United Kingdom and the European Economic Area to the United States. For App data, we act as a processor for merchant customer data (the merchant is the controller) and as a controller for a limited set of operational categories — namely Shopify billing-record administration, security and abuse monitoring, audit logging of App access, and aggregate service telemetry. The SCC modules cited below (Module 2 controller-to-processor; Module 3 processor-to-processor) are selected to match this split.

Such transfers are made under:

  • The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller to processor) for merchant-customer personal data where the merchant is the controller and Flag Eagle LLC is the processor, and Module 3 (processor to processor) where the data originates upstream of the merchant from another EU controller; and
  • The UK International Data Transfer Addendum to the EU SCCs (or the UK International Data Transfer Agreement, where used) issued by the UK Information Commissioner's Office, for transfers originating in the United Kingdom;

together with the supplementary technical and organizational measures recommended by the European Data Protection Board in Recommendations 01/2020 — including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, least-privilege engineering access, audit logging, vendor management, and a published policy on transparency about government access requests.

US-origin data flowing to eu-west-2 and back. Because we host in Ireland, US-origin merchant and end-customer personal data is transferred from the United States to eu-west-2 (Ireland) for storage. That intra-Flag-Eagle flow is governed by our Data Processing Addendum with Amazon Web Services. Data may subsequently flow back into the United States when Flag Eagle LLC personnel access it for support, debugging, security incident response, or other operational purposes; such access is governed by role-based controls, least-privilege provisioning, and audit logging. None of these flows change the applicability of CCPA/CPRA, Nevada NRS 603A, or any other US state privacy law to Flag Eagle LLC as a US entity.

11.4 US state privacy law

US state privacy laws are the primary framework that governs Flag Eagle LLC's processing of App data. The relevant statutes in force as of the date of this AUP include:

  • California: California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
  • Nevada: Nevada NRS 603A
  • Virginia: Virginia Consumer Data Protection Act (VCDPA)
  • Colorado: Colorado Privacy Act (CPA)
  • Connecticut: Connecticut Data Privacy Act (CTDPA)
  • Utah: Utah Consumer Privacy Act (UCPA)
  • Texas: Texas Data Privacy and Security Act (TDPSA)
  • Oregon: Oregon Consumer Privacy Act (OCPA)
  • Other US states: including, without limitation, the comprehensive privacy statutes now in force in Montana, Iowa, Delaware, New Jersey, Indiana, and Tennessee, and any further US state privacy statutes that come into force during the life of this AUP

We provide notification of security breaches in accordance with applicable US state breach-notification laws, including Nevada NRS 603A.220. Where the affected individual resides in a US state other than Nevada, we will additionally comply with that state's breach-notification statute — for example, California Civil Code 1798.82, Virginia Code 18.2-186.6, Colorado Revised Statutes 6-1-716, Connecticut General Statutes 36a-701b, Texas Business and Commerce Code 521.053, and equivalent statutes in other states.

No sale or sharing. Flag Eagle LLC does not sell or share (as those terms are defined under the CCPA/CPRA and equivalent US state privacy laws) personal data received through the App. We process such data only as a service provider to merchants for the limited business purpose of operating the App and complying with law.

11.5 Retention

We retain personal data only for as long as needed to operate the App and meet legal obligations.

  • End-customer (shopper) personal data: purged within 30 days of receipt of a Shopify customers/redact webhook, or sooner where required.
  • Shop-level data on uninstall: we begin shop-data redaction on receipt of the Shopify shop/redact webhook (which Shopify dispatches approximately 48 hours after uninstall) and complete redaction within 90 days of that webhook. The 90-day window accommodates accidental-uninstall reactivation flows, dispute and chargeback finalization on the Shopify side, and audit-log finalization. We will redact sooner where required by law, regulator order, or an explicit merchant request.
  • Operational and audit logs: pseudonymized — shop domain may be retained as a key to allow security investigation, but end-customer PII is purged on the schedule above. Pseudonymized logs are retained up to 24 months for security, fraud-prevention, and compliance investigations.
  • Shopify Billing API administrative records (the $0/month AppSubscription metadata): retained for the duration of the subscription plus a minimum 12 months for audit purposes. We do not retain payment-card or financial-instrument data because the App is free and no charge is ever processed by Flag Eagle LLC.

This complies with CCPA/CPRA Section 1798.100(c) and equivalent US state law provisions (retention limited to disclosed purposes). Full retention schedules are in our Privacy Policy.

11.6 Cookies, trackers, and analytics

The app surface at app.warehousebridge.com and the marketing site at wbconnect.app use a deliberately small set of cookies and trackers:

  • Strictly necessary cookies (always set): OAuth session, CSRF token, login session, and security cookies needed for the App to function. These cannot be disabled without breaking the App.
  • Aggregate service telemetry (where used): privacy-respecting, first-party aggregate analytics that count pageviews and error rates in a non-identifying way. We do not use cross-site advertising trackers, fingerprinting libraries, or behavioural advertising pixels on either domain.
  • No advertising or cross-context behavioural tracking. We do not set cookies, pixels, or trackers for cross-context behavioural advertising, and we do not sell or share personal information through cookies for the purposes of cross-context behavioural advertising as those concepts are defined under CCPA/CPRA and equivalent US state privacy laws.

For UK and EU visitors, any non-essential cookies are subject to consent under the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive (2002/58/EC, as amended), and we present an appropriate consent prompt before any non-essential cookie is set.

Full details, including the current cookie inventory and how to manage preferences, are in our Cookie Policy, with further context in our Privacy Policy.

12. Changes to This Policy

We may update this AUP from time to time — to reflect new features, new threats, new sub-processors, new Shopify policies, or new legal requirements. When we make a material change we will publish the updated AUP at https://wbconnect.app/acceptable-use-policy/ and update the "Last Updated" date at the top.

Material changes take effect no earlier than 30 days after publication. During that 30-day window you may uninstall the App without penalty if you do not accept the change. Where the change is significant we will also notify you through the App surface, by email to the address on your account, or both. Your continued use of the App after the effective date of an update means you accept the updated policy.

Non-material changes (typos, formatting, clarifying cross-references) may take effect on publication.

13. Governing Law and Dispute Resolution

13.1 Governing law

This AUP is governed by the laws of the State of Nevada, United States, without regard to its conflict-of-laws rules.

13.2 Dispute resolution — primary path

Any dispute, claim, or controversy arising out of or relating to this AUP — including its existence, validity, interpretation, performance, breach, or termination — will be resolved by binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules then in force (or, where the dispute qualifies, the AAA Consumer Arbitration Rules — whichever the AAA determines applicable). The seat and venue of arbitration will be Nevada, United States. The arbitration will be conducted in English by a single arbitrator. The arbitrator's award will be final and binding and may be entered as a judgment in any court of competent jurisdiction.

13.3 Proportionality safeguards for merchants

WB Connect is offered free to a global merchant audience via the Shopify App Store. To keep dispute resolution proportionate to the value exchanged:

  • Virtual proceedings. Either party may elect to conduct the arbitration remotely by video conference. Neither party is required to travel to Nevada to participate.
  • Arbitration fees. Flag Eagle LLC will pay all AAA filing, administrative, and arbitrator fees in excess of US$250 for any individual merchant claim, except where the arbitrator determines a claim was frivolous under AAA standards. A claim is not frivolous merely because the merchant does not prevail; frivolousness means the claim lacked any reasonable legal or factual basis. The merchant's exposure to AAA fees is capped at US$250 unless the arbitrator makes such a frivolousness finding.
  • Small-claims carve-out. Either party may bring an individual claim in a competent small-claims court in lieu of arbitration, provided the claim qualifies under that court's jurisdictional limits and is brought on an individual (non-class) basis.
  • Local-court election for non-US merchants. A merchant whose place of establishment is outside the United States may elect, by written notice to legal@warehousebridge.com at the time of filing, to bring the dispute in the competent courts of the merchant's country of establishment instead of AAA arbitration. If the merchant so elects, Flag Eagle LLC submits to the jurisdiction of those courts for that dispute. Flag Eagle LLC retains the same right to elect the merchant's local courts when it is the party initiating.
  • Non-waivable rights preserved. Nothing in this section overrides or limits any non-waivable right a merchant has to bring proceedings in the courts of the merchant's country or state of residence or establishment under applicable consumer-protection, small-business-protection, or other mandatory law — including non-waivable rights of merchants under California, Nevada, or other US state consumer-protection statutes, the UK Consumer Rights Act, the EU consumer-acquis, and equivalent frameworks.

13.4 Class-action waiver

You and Flag Eagle LLC each waive any right to a jury trial and any right to participate in a class action, class-wide arbitration, or representative proceeding in connection with this AUP, to the maximum extent permitted by applicable law and except for any non-waivable collective-redress right a merchant retains under applicable law (including, where applicable, EU representative-action regimes implementing Directive (EU) 2020/1828).

13.5 Interim and injunctive relief

Notwithstanding the above, either party may seek interim, injunctive, or other equitable relief in any court of competent jurisdiction to protect intellectual property rights, confidential information, personal data, or to stop ongoing unauthorized access to or misuse of systems, data, or accounts. This carve-out is mutual — it is available to merchants as well as to Flag Eagle LLC. For the avoidance of doubt, a merchant may invoke this carve-out to seek interim relief against Flag Eagle LLC on the same terms as Flag Eagle LLC may invoke it against a merchant.

14. Contact

For anything covered by this AUP, here is how to reach us:

  • Abuse and security reports: abuse@warehousebridge.com
  • Privacy, data protection, and data subject requests: privacy@warehousebridge.com (monitored by Flag Eagle LLC's designated Privacy Lead, who serves as our Data Protection point of contact)
  • Legal notices: legal@warehousebridge.com
  • General support and questions: support@warehousebridge.com

Flag Eagle LLC has determined that no UK GDPR Article 27 / EU GDPR Article 27 representative is required for WB Connect because the App is offered to Shopify merchants (B2B) and is not directed to UK or EEA data subjects as such — any UK/EU end-customer personal data flows through the App because the merchant (acting as controller) chose to fulfill that order via the connected 3PL. We will reassess this position if the App is materially redirected toward UK or EU data subjects in future.

Legal entity: Flag Eagle LLC, a Nevada limited liability company
Registered address: 401 Ryland Street STE-200, Reno, NV 89502, United States
Registration: Nevada Secretary of State
App website: https://wbconnect.app
App surface: https://app.warehousebridge.com
Shopify App Store listing name: Warehouse Bridge v3 (presented as "WB Connect")
