Loading...
Skip to main content

Last Updated: 2026-06-10

This Data Processing Agreement ("DPA") forms part of the terms governing use of the WB Connect Shopify application (the "Connector") operated by Flag Eagle LLC, a Nevada limited liability company registered with the Nevada Secretary of State, with registered office at 401 Ryland Street STE-200, Reno, NV 89502, United States, trading as "Warehouse Bridge" and presenting the Connector to merchants under the sub-brand "WB Connect" (referred to in this DPA as "Warehouse Bridge", "we", "us" or "our").

The Connector is published on the Shopify App Store under the listing name "Warehouse Bridge v3" and is available free of charge at https://wbconnect.app. The merchant who installs the Connector on their Shopify store (the "Merchant", "you" or "your") is the counterparty to this DPA.

This DPA reflects the parties' agreement on the processing of personal data in accordance with applicable Data Protection Law, including:

  • the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"), and other US state privacy statutes (including the Nevada Revised Statutes Chapter 603A) to the extent they apply to Personal Data Processed under this DPA;
  • the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, to the extent they apply to UK Data Subjects whose Personal Data is Processed under this DPA; and
  • Regulation (EU) 2016/679 ("EU GDPR"), to the extent it applies to EEA Data Subjects whose Personal Data is Processed under this DPA.

This DPA is designed to satisfy (a) the "service provider" / "contractor" requirements of CCPA § 1798.140(ag) and § 1798.140(j) and the regulations of the California Privacy Protection Agency, and (b) the requirements of Article 28 of the UK GDPR and EU GDPR, in each case to the extent applicable to a given Data Subject's jurisdiction.

This DPA is entered into when the Merchant installs the Connector from the Shopify App Store and accepts the WB Connect Terms of Service. No separate signature is required: installation of the Connector constitutes execution of this DPA by the Merchant.

1. Definitions

In this DPA, unless the context requires otherwise:

"Business" and "Service Provider" have the meanings given to them in the CCPA/CPRA, and the additional concepts of "Sell", "Share", and "Personal Information" are also taken from the CCPA/CPRA.

"Connector" means the WB Connect Shopify application published on the Shopify App Store under the listing name "Warehouse Bridge v3" and operated at https://wbconnect.app and app.warehousebridge.com.

"Connected 3PL" or "3PL Warehouse Customer" means the third-party logistics provider that uses Warehouse Bridge as its warehouse management system and that the Merchant has elected to connect to via the Connector for the purpose of order fulfillment.

"Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Personal Data Breach" have the meanings given to them in the UK GDPR and EU GDPR. References in this DPA to "Controller" and "Processor" shall, in relation to Personal Information of US-resident Data Subjects, be read as references to "Business" and "Service Provider" respectively.

"Data Protection Law" means, collectively, the CCPA/CPRA, other applicable US state privacy statutes (including Nevada Revised Statutes Chapter 603A), the UK GDPR and the UK Data Protection Act 2018, and the EU GDPR, in each case as they apply to the Processing of Personal Data of the Data Subject concerned.

"Merchant Personal Data" means Personal Data Processed by Warehouse Bridge on behalf of the Merchant via the Connector, principally relating to the Merchant's end customers and orders, as further described in Annex 1.

"Merchant Account Data" means Personal Data relating to the Merchant itself (and its authorized users), such as the shop owner email, shop domain, billing record metadata, support correspondence and account audit logs.

"Shopify" means Shopify International Limited or Shopify Inc., as applicable, being the operator of the Shopify e-commerce platform from which the Merchant data originates.

"Sub-processor" means any third party engaged by Warehouse Bridge to Process Merchant Personal Data on behalf of the Merchant.

"Services" means the connector services made available through the Connector, as described in clause 3.2.

"Standard Contractual Clauses" or "SCCs" means (a) the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 ("EU SCCs"), and (b) the International Data Transfer Agreement and the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner ("UK IDTA" / "UK Addendum").

2. Roles of the Parties

2.1 Merchant as Controller / Business, Warehouse Bridge as Processor / Service Provider

In relation to Merchant Personal Data (in particular Personal Data and Personal Information relating to the Merchant's end customers — names, addresses, contact details, order details, and any other Personal Data the Merchant transmits through their Shopify store):

  • the Merchant is the Controller under the UK GDPR and EU GDPR and the Business under the CCPA/CPRA; and
  • Warehouse Bridge is the Processor under the UK GDPR and EU GDPR and the Service Provider under the CCPA/CPRA.

In its capacity as Service Provider, Warehouse Bridge:

  • shall not Sell or Share Personal Information;
  • shall not retain, use or disclose Personal Information for any purpose other than the "business purpose" of providing the Services specified in clause 3.2, including the purposes set out in CCPA Regulations § 7050(a);
  • shall not retain, use or disclose Personal Information outside of the direct business relationship between Warehouse Bridge and the Merchant;
  • shall not combine the Personal Information that Warehouse Bridge receives from the Merchant with Personal Information that Warehouse Bridge receives from any other source, save as permitted by CCPA Regulations § 7050(b);
  • shall promptly notify the Merchant if Warehouse Bridge determines that it can no longer meet its obligations under the CCPA/CPRA, and shall stop Processing on notice from the Merchant; and
  • grants the Merchant the right, on reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by Warehouse Bridge.

2.2 Warehouse Bridge as Controller / Business of Merchant Account Data

In relation to Merchant Account Data, Warehouse Bridge acts as an independent Controller (and, in relation to Merchant Account Data of US-resident individuals, as an independent Business) for the following limited and enumerated purposes only:

  • operating the Merchant's Connector account and authenticating the Merchant's authorized users;
  • administering the USD 0.00 AppSubscription billing record via the Shopify Billing API (no monetary charges are made to the Merchant by Warehouse Bridge through any channel);
  • detecting and preventing account takeover, abusive automation, repeated billing-API failures, OAuth token abuse, and impersonation attempts (collectively, "security monitoring");
  • detecting and preventing fraud against Warehouse Bridge or against the Connected 3PL ecosystem (e.g. fraudulent installs designed to scrape product catalogues);
  • complying with Warehouse Bridge's own regulatory, tax and accounting obligations as a Nevada-registered limited liability company; and
  • responding to support correspondence the Merchant initiates with Warehouse Bridge.

Warehouse Bridge will not use Merchant Account Data for marketing to the Merchant's end customers, for behavioural profiling for advertising purposes, or for training of any artificial intelligence or machine-learning models. The processing of Merchant Account Data by Warehouse Bridge in its capacity as Controller / Business is further described in the WB Connect Privacy Policy and, save for the express commitments in this clause 2.2, is outside the scope of clauses 4 to 12 of this DPA.

2.3 Connected 3PL / 3PL Warehouse Customer

Where the Merchant connects the Connector to a Connected 3PL, that Connected 3PL operates independently under a direct B2B agreement with the Merchant and is itself a Controller / Business or Processor / Service Provider in its own right for any Personal Data it receives in connection with fulfillment services. Warehouse Bridge transmits the relevant order and address data from the Merchant's Shopify store to the Connected 3PL's instance of the Warehouse Bridge WMS in order to dispatch fulfillment, acting on the Merchant's instructions under this DPA.

Any fulfillment, storage, handling, per-shipment or other warehouse fees that the Merchant pays are billed by the Connected 3PL directly under that 3PL's separate B2B contract with the Merchant. Flag Eagle LLC is not a party to those fees and does not collect or process payment for them through the Connector.

2.4 Shopify

Shopify is the source platform from which all Merchant Personal Data Processed under this DPA originates. Shopify's role and obligations in respect of that data are governed by the Merchant's separate agreement with Shopify and are outside the scope of this DPA.

3. Subject Matter and Details of Processing

3.1 Subject matter

The subject matter of the Processing is the operation of the Connector to synchronize orders, customers, products, inventory and fulfillment data between the Merchant's Shopify store and the Connected 3PL's instance of the Warehouse Bridge WMS.

3.2 Nature and purpose of Processing

Warehouse Bridge Processes Merchant Personal Data for the following purposes, which together constitute the "connector services" and the "business purpose" under CCPA/CPRA:

  • Order sync — receiving new, paid and cancelled orders from the Merchant's Shopify store via the Shopify Orders API and the per-merchant order webhooks (orders/create, orders/paid, orders/cancelled), storing them, and routing them to the Connected 3PL for picking, packing and shipping.
  • Inventory sync — receiving inventory levels and inventory adjustments from the Connected 3PL's WMS and from Shopify via the inventory_levels/update webhook, and pushing updated inventory levels back to the Merchant's Shopify store via the Shopify Inventory API.
  • Product catalogue sync — receiving product and variant data from the Merchant's Shopify store via the Shopify Products API and the products/create, products/update and products/delete webhooks to support SKU mapping and fulfillment.
  • Fulfillment dispatch — pushing fulfillment events, fulfillment line items and tracking numbers back to the Merchant's Shopify store so that the Merchant's customer-facing order status and tracking notifications stay accurate.
  • Store metadata — retrieving shop metadata (shop domain, plan, currency, time zone, locale) required to configure the connection and detect Shopify development stores.
  • Support and troubleshooting — investigating issues raised by the Merchant via support@warehousebridge.com.

Warehouse Bridge does not Process Merchant Personal Data for marketing, profiling, advertising, training of AI or machine-learning models, or any purpose other than providing the Services and complying with its legal obligations.

3.3 Duration

Processing continues for the duration of the Merchant's use of the Connector and for the period required under clause 11 (Return and Deletion) following uninstall or termination.

3.4 Types of Personal Data

The categories of Personal Data Processed by Warehouse Bridge on behalf of the Merchant are described in Annex 1, and include in particular:

  • end customer names;
  • shipping and billing addresses (street, city, postal code, region, country);
  • email addresses;
  • telephone numbers;
  • order details (order number, line items, SKU, quantity, price, currency, order status);
  • fulfillment status and tracking numbers; and
  • any free-text fields the end customer or the Merchant adds to an order (e.g. gift messages, delivery instructions).

Warehouse Bridge does not request, require or knowingly Process special category Personal Data (UK GDPR / EU GDPR Article 9), data relating to criminal convictions and offences (UK GDPR / EU GDPR Article 10), or "sensitive personal information" as defined in CCPA § 1798.140(ae), through the Connector. Where such data appears incidentally in free-text fields populated by an end customer (for example, a gift message that reveals religion or health), Warehouse Bridge will not Process that data beyond what is necessary to deliver the order to the Connected 3PL for fulfillment.

3.5 Categories of Data Subjects

The Data Subjects whose Personal Data is Processed are:

  • the Merchant's end customers (consumers and business buyers who place orders through the Merchant's Shopify store); and
  • where the Merchant chooses to include them in order or shipping records, the Merchant's own staff or authorized representatives.

4. Processor / Service Provider Obligations

4.1 Documented instructions

Warehouse Bridge shall Process Merchant Personal Data only on the documented instructions of the Merchant, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law to which Warehouse Bridge is subject (in which case Warehouse Bridge shall inform the Merchant of that legal requirement before Processing, unless prohibited from doing so by that law on important grounds of public interest).

The Merchant's documented instructions are: (a) this DPA; (b) the WB Connect Terms of Service; (c) the configuration choices the Merchant makes in the Shopify Admin and in the Connector (including the choice of Connected 3PL, shipping rules and webhook subscriptions); and (d) any further written instructions issued by the Merchant from time to time and accepted by Warehouse Bridge.

If Warehouse Bridge considers that an instruction from the Merchant infringes Data Protection Law, it shall promptly notify the Merchant.

4.2 Confidentiality

Warehouse Bridge shall ensure that persons authorized to Process Merchant Personal Data have committed themselves to confidentiality (whether under contract or under a statutory obligation of confidentiality), and that access to Merchant Personal Data is restricted to personnel who need such access to provide the Services.

4.3 Security

Warehouse Bridge shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risk to the rights and freedoms of natural persons. These measures are designed to satisfy the security requirements of Article 32 UK GDPR / EU GDPR and the "reasonable security procedures and practices" required by NRS 603A.210 and the CCPA/CPRA.

4.4 Sub-processors

The Merchant grants Warehouse Bridge general authorization to engage the Sub-processors listed in Annex 3 as updated from time to time and published at https://wbconnect.app/sub-processors/ in accordance with this clause 4.4.

(a) Advance notice. Warehouse Bridge will give the Merchant at least thirty (30) days' advance notice (by email to the Merchant's shop owner email of record, and by updating the public sub-processor list) before any new or replacement Sub-processor begins Processing Merchant Personal Data.

(b) Objection right. If the Merchant has reasonable grounds (including data-protection, regulatory, sectoral or jurisdictional grounds) to object to a proposed new or replacement Sub-processor, the Merchant may give written notice of objection to privacy@warehousebridge.com within thirty (30) days of the notice. During the objection period the proposed Sub-processor will not begin Processing Merchant Personal Data.

(c) Good-faith resolution. On receipt of a timely objection, the parties shall work together in good faith for up to thirty (30) further days to resolve it (for example, by reconfiguring the proposed Sub-processor, scoping it out for the objecting Merchant, or proposing an alternative).

(d) No-fault exit. If the parties cannot agree, the Merchant may uninstall the Connector. Uninstall by the Merchant in these circumstances (i) does not constitute a breach of the WB Connect Terms of Service by the Merchant, (ii) does not give rise to any termination or early-exit charge, and (iii) triggers the return-and-deletion process under clause 11.2 without any of the limitations in clauses 11.2(a)–(b) being construed against the Merchant.

(e) Flow-down. Warehouse Bridge shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA (including, where the underlying Data Subjects are UK/EU-located, terms required by Article 28(3) UK GDPR / EU GDPR, and where they are US-located, terms required by CCPA Regulations § 7053), and shall remain fully liable to the Merchant for the performance of each Sub-processor's obligations as if those obligations were performed by Warehouse Bridge itself.

For the purposes of this DPA, Annex 3 means the sub-processor list as updated from time to time and published at https://wbconnect.app/sub-processors/, subject always to the notice and objection rights in this clause 4.4. The version of Annex 3 in force as at the effective date of this DPA is reproduced at the end of this document.

4.5 Data Subject rights

Taking into account the nature of the Processing, Warehouse Bridge shall assist the Merchant by appropriate technical and organizational measures, insofar as this is possible, to fulfil the Merchant's obligations to respond to requests from Data Subjects exercising their rights under:

  • Chapter III of the UK GDPR or EU GDPR (including rights of access, rectification, erasure, restriction, portability, and objection); and
  • Title 1.81.5 of the California Civil Code and equivalent provisions of other applicable US state privacy statutes (including the rights to know, delete, correct, opt out of Sale or Sharing, and limit use of sensitive personal information).

If Warehouse Bridge receives a request directly from a Data Subject relating to Merchant Personal Data, Warehouse Bridge shall (a) not respond to the request other than to acknowledge receipt and direct the Data Subject to the Merchant, and (b) notify the Merchant of the request without undue delay.

Practical DSAR / consumer-request support. The Merchant's primary route to fulfil a Data Subject access, rectification, erasure or deletion request is the Shopify-mandated GDPR webhook flow described in clause 4.6. In addition, and at no charge to the Merchant:

  • Warehouse Bridge will respond substantively to a customers/data_request compliance webhook within fourteen (14) days of receipt (and in any event within the 30-day Shopify-permitted maximum), so that the Merchant has a meaningful window to compile its overall response within the UK GDPR / EU GDPR one-month deadline and the CCPA/CPRA 45-day deadline (extendable by a further 45 days under § 1798.130(a)(2));
  • the Merchant may also email privacy@warehousebridge.com at any time, identifying a specific end customer (by Shopify customer ID, email or order number), and Warehouse Bridge will provide the relevant Merchant Personal Data held about that Data Subject within fourteen (14) days; and
  • Warehouse Bridge processes the Shopify-mandated GDPR webhooks as described in clause 4.6.

4.6 Shopify compliance and lifecycle webhooks

In accordance with Shopify's Protected Customer Data Requirements, Warehouse Bridge has implemented the three mandatory compliance webhooks at the endpoint https://app.warehousebridge.com/shopify/webhooks/compliance. Each compliance webhook is acknowledged with an HTTP 200 OK response within Shopify's required delivery window. Substantive processing then proceeds as follows:

  • customers/data_request — when a Merchant's end customer requests their data (typically via the Merchant's privacy notice), Shopify forwards the request to Warehouse Bridge. Warehouse Bridge will, within fourteen (14) days of receipt and in any event no later than thirty (30) days, compile and provide the Merchant with all Merchant Personal Data Warehouse Bridge holds relating to that Data Subject so the Merchant can fulfil its access request.
  • customers/redact — once a Merchant marks an end customer for redaction in Shopify (or otherwise instructs Shopify to delete that customer), Shopify dispatches a redact webhook (Shopify's documented timing is approximately 48 hours after the request, subject to Shopify's documented exceptions). On receipt, Warehouse Bridge will erase or irreversibly anonymize the Personal Data of that Data Subject held in connection with the Merchant's store, subject only to records Warehouse Bridge is required to retain by law (e.g. for tax/audit) or for the establishment, exercise or defence of legal claims, in each case subject to the limits in clause 11.3.
  • shop/redact — Shopify dispatches the shop-redact webhook approximately 48 hours after a Merchant uninstalls the Connector, subject to Shopify's documented timing and exceptions for certain shop types (e.g. Shopify Plus). On receipt, Warehouse Bridge will erase the Merchant Personal Data associated with that shop, subject again to the limited retention exceptions in clause 11.3.

In addition, Warehouse Bridge subscribes to the app/uninstalled lifecycle webhook. This is not one of the three Shopify-mandated GDPR compliance webhooks declared at the compliance endpoint above — it is a separate lifecycle topic registered alongside the compliance subscription. On receipt of app/uninstalled, Warehouse Bridge immediately revokes its Shopify access token, pauses sync activity and marks the connection inactive, in preparation for the shop/redact flow which follows.

4.7 Other assistance

Warehouse Bridge shall provide reasonable assistance to the Merchant in ensuring compliance with the obligations set out in Articles 32 to 36 of the UK GDPR and EU GDPR (security, breach notification, data protection impact assessments and prior consultation), and with any equivalent obligations under US state privacy statutes (including risk assessments under emerging state regulations), taking into account the nature of Processing and the information available to Warehouse Bridge.

5. Personal Data Breach / Security Incident Notification

Warehouse Bridge shall notify the Merchant without unreasonable delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach (within the meaning of Article 4(12) UK GDPR / EU GDPR, and including a reasonably suspected Personal Data Breach where, on a preliminary assessment by Warehouse Bridge, it is more likely than not that Merchant Personal Data has been compromised) affecting Merchant Personal Data.

For Personal Information of US-resident Data Subjects, Warehouse Bridge shall in addition notify the Merchant of any "breach of the security of the system" (within the meaning of NRS 603A.020 and equivalent statutes of other US states) in the most expedient time possible and without unreasonable delay, consistent with the obligations under NRS 603A.220 and equivalent state breach-notification statutes (such as Cal. Civ. Code § 1798.82), so as to enable the Merchant to make its own notifications within applicable statutory timeframes.

The notification shall, to the extent known at the time and updated as further information becomes available:

  • describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and records concerned;
  • communicate the contact point at Warehouse Bridge from whom further information can be obtained (privacy@warehousebridge.com);
  • describe the likely consequences of the breach; and
  • describe the measures taken or proposed by Warehouse Bridge to address the breach and mitigate its possible adverse effects.

Warehouse Bridge shall cooperate with the Merchant and take reasonable commercial steps as directed by the Merchant to assist in the investigation, mitigation and remediation of any such Personal Data Breach. Notifications under this clause are not, of themselves, an acknowledgement by Warehouse Bridge of fault or liability.

6. International Data Transfers

6.1 Flag Eagle LLC as US data importer

Flag Eagle LLC is a Nevada limited liability company established in the United States. To the extent the Merchant or any end-customer Data Subject is located in the United Kingdom or the European Economic Area ("EEA") and Merchant Personal Data relating to such Data Subjects is transferred to Flag Eagle LLC, Flag Eagle LLC is the data importer and the Merchant (or, where applicable, the Connected 3PL or another upstream Controller) is the data exporter.

6.2 Primary processing location

Merchant Personal Data is hosted and Processed on Amazon Web Services infrastructure in the eu-west-2 (Ireland) region. Production data is not exported outside the EEA or the United Kingdom in the ordinary course of operating the Connector, save (i) for the administrative access by Flag Eagle LLC personnel as US data importer described in clause 6.3, and (ii) where the Merchant or a Sub-processor independently necessitates such a transfer.

6.3 Transfers from the UK / EEA to the United States

To the extent that Flag Eagle LLC personnel located in the United States access Merchant Personal Data (including for administration, support, security monitoring and incident response), and to the extent that any Sub-processor (notably certain Shopify support, engineering and webhook-delivery functions, and certain incidental AWS support functions) Processes Merchant Personal Data in the United States, Warehouse Bridge relies on one or more of the following transfer mechanisms in the order set out below:

  • (a) the EU SCCs adopted by the European Commission in Implementing Decision (EU) 2021/914 (Module Two: Controller to Processor, where Warehouse Bridge acts as Processor; Module Three: Processor to Processor, where a further Sub-processor is engaged), together with the UK IDTA or, at the parties' election, the UK Addendum to the EU SCCs, in each case as deemed incorporated into this DPA by reference under clause 6.5;
  • (b) the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework, where the relevant transfer recipient is self-certified and the transfer falls within the scope of the recipient's certification; and
  • (c) supplementary measures consistent with the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools, as described in clause 6.4.

6.4 Supplementary measures (EDPB Recommendations 01/2020)

In order to ensure a level of protection essentially equivalent to that guaranteed under UK and EU law for Merchant Personal Data transferred to the United States, Warehouse Bridge applies the following supplementary technical, contractual and organizational measures:

Technical measures:

  • end-to-end encryption in transit using TLS 1.2 or higher for all Merchant Personal Data;
  • AES-256 (or equivalent) encryption at rest on AWS-managed storage and database services;
  • pseudonymization and minimization of any data accessed from the United States for support purposes;
  • strict access controls (multi-factor authentication, role-based access, principle of least privilege) restricting US-based access to named personnel only;
  • short-lived, audited administrative sessions; and
  • separation of cryptographic key management from data hosting.

Contractual measures:

  • the SCCs / UK IDTA terms incorporated under clause 6.5;
  • the flow-down obligations on Sub-processors described in clause 4.4(e);
  • the obligation on Warehouse Bridge to challenge any disproportionate or unlawful access request from a US public authority through all available legal channels; and
  • the obligation on Warehouse Bridge to provide a transparency report on US public-authority requests as described below.

Organizational measures:

  • a documented procedure for handling US public-authority requests for access to Merchant Personal Data, including legal review and, where lawful, notification to the Merchant;
  • staff training on the limits of US public-authority access and on the EDPB Recommendations;
  • a transparency report published at https://wbconnect.app/transparency/ (or made available on request to privacy@warehousebridge.com) summarising the number and nature of any binding requests Warehouse Bridge has received from US public authorities for Merchant Personal Data, refreshed at least annually; and
  • a commitment to suspend transfers and notify the Merchant if Warehouse Bridge concludes that it is no longer able to comply with the SCCs / UK IDTA, including by reason of US public-authority access.

6.5 Standard Contractual Clauses by reference

Where Standard Contractual Clauses apply under clause 6.3(a), the following terms are deemed agreed:

  • the Merchant (or relevant upstream Controller / Business) is the "data exporter" and Flag Eagle LLC is the "data importer";
  • Module Two (Controller to Processor) applies where the transfer is from the Merchant to Warehouse Bridge; Module Three (Processor to Processor) applies where the transfer is from Warehouse Bridge to a further Sub-processor;
  • the optional docking clause (Clause 7) is engaged;
  • under Clause 11 (Redress), the optional independent dispute resolution body language is not engaged;
  • under Clause 17 (Governing law), the parties select the law of Ireland;
  • under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland as the forum, without prejudice to a Data Subject's right under Clause 18(c) to bring proceedings in the courts of the Member State in which they habitually reside;
  • the supervisory authority is the Irish Data Protection Commission (for EEA transfers) and the UK Information Commissioner's Office (for UK transfers);
  • Annex I of the SCCs (Description of the transfer, parties, competent supervisory authority) is populated by the parties' identities in this DPA and by the information in Annex 1 and Annex 3 of this DPA;
  • Annex II of the SCCs (Technical and organizational measures) is populated by Annex 2 of this DPA; and
  • Annex III of the SCCs (List of Sub-processors) is populated by Annex 3 of this DPA.

The UK IDTA or, at the parties' election, the UK Addendum to the EU SCCs is incorporated on the same factual basis for transfers of UK-located Data Subject data, with the governing law of England and Wales and the UK Information Commissioner's Office as the competent supervisory authority.

6.6 Onward transfers

Where Warehouse Bridge engages a Sub-processor that itself transfers Merchant Personal Data outside the UK or EEA, the relevant SCCs / UK IDTA terms are flowed down under clause 4.4(e) and the supplementary measures in clause 6.4 are extended to that onward transfer.

7. Audit Rights

7.1 Information requests (standard route)

Warehouse Bridge shall make available to the Merchant all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the UK GDPR and EU GDPR, with CCPA Regulations § 7051 and § 7052, and with this DPA. In the first instance, Warehouse Bridge will satisfy such requests by providing, at no cost to the Merchant and not more than twice in any 12-month period:

  • a completed industry-standard security questionnaire (such as SIG Lite or CSA CAIQ);
  • a current summary of its technical and organizational measures (Annex 2);
  • the current Sub-processor list (Annex 3); and
  • the most recent relevant third-party assurance reports it holds or can obtain from underlying infrastructure providers (for example, AWS SOC 2 / ISO 27001 reports) on standard confidentiality terms.

7.2 On-site audits

In addition to the standard route in clause 7.1, the Merchant may, on reasonable prior written notice of not less than 30 days, and not more than once in any 12-month period (save where required following a confirmed Personal Data Breach or by a competent supervisory authority), audit Warehouse Bridge's compliance with this DPA. Audits shall:

  • be conducted during normal business hours and in a manner that does not unreasonably interfere with Warehouse Bridge's business operations;
  • be subject to reasonable confidentiality obligations;
  • not extend to the data, systems or facilities of other Warehouse Bridge customers; and
  • be at the Merchant's own cost, save that Warehouse Bridge shall bear its own reasonable cooperation costs (and reimburse the Merchant's reasonable, documented audit costs) where the audit identifies a breach by Warehouse Bridge of this DPA or of Data Protection Law.

For the purposes of this clause, a "breach" includes any failure by Warehouse Bridge to comply with its obligations under this DPA or Data Protection Law, whether or not the breach is "material". The parties acknowledge that the standard route in clause 7.1 should, in most cases, give the Merchant the information needed to assess compliance without an on-site audit.

8. Pricing and Billing — no off-platform charges to Merchants

Warehouse Bridge confirms, for the avoidance of doubt and to support compliance with Shopify App Store policy 1.2.1, that:

  • the Connector is provided free of charge to the Merchant;
  • on installation, Warehouse Bridge creates a recurring AppSubscription of USD 0.00 via the Shopify Billing API solely so that the App Store billing record is visible to the Merchant in Shopify Admin → Settings → Apps → Charges (the Merchant pays nothing regardless of their store currency);
  • Warehouse Bridge does not charge the Merchant for the Connector, whether through the Shopify Billing API or off-platform; and
  • any fulfillment, storage, handling, per-shipment or other warehouse fees that the Merchant pays are billed by the Connected 3PL directly under that 3PL's separate B2B contract with the Merchant. Flag Eagle LLC is not a party to those fees and does not collect or process payment for them through the Connector.

This clause is included in the DPA for transparency. It does not alter the data Processing roles described in clause 2.

9. Merchant Obligations

The Merchant warrants and undertakes that:

  • it has a lawful basis under Data Protection Law (including a valid "business purpose" under the CCPA/CPRA and a lawful basis under Article 6 UK GDPR / EU GDPR where applicable) to transmit the Merchant Personal Data to Warehouse Bridge for the purposes set out in clause 3.2;
  • it has provided all required information to its end customers (including via its privacy notice / "Notice at Collection" under the CCPA/CPRA) about the disclosure of their Personal Data to fulfillment and connector service providers, including Warehouse Bridge and the Connected 3PL;
  • where consent is required for any Processing, it has obtained that consent;
  • its instructions to Warehouse Bridge under this DPA comply with Data Protection Law; and
  • it will not knowingly or intentionally transmit special category Personal Data (UK GDPR / EU GDPR Article 9), data relating to criminal convictions and offences (UK GDPR / EU GDPR Article 10) or sensitive personal information (CCPA § 1798.140(ae)) through the Connector, and will use reasonable efforts (for example, by appropriate guidance in customer-facing free-text fields such as gift messages or delivery instructions) to discourage end customers from doing so.

Warehouse Bridge acknowledges that the Merchant cannot guarantee that special category Personal Data or sensitive personal information will never appear incidentally in free-text fields populated by end customers; where this occurs, Warehouse Bridge will Process that data only to the extent necessary to dispatch fulfillment, in accordance with clause 3.4.

10. Liability

Each party's liability arising under or in connection with this DPA is subject to and forms part of the limitations and exclusions of liability set out in the WB Connect Terms of Service, save that nothing in this DPA limits or excludes a party's liability where such liability cannot be limited or excluded as a matter of law (including liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or for civil penalties imposed directly by a supervisory authority or regulator under Data Protection Law on that party in its own capacity).

Minimum aggregate floor for data-protection liability. Because the Connector is provided free of charge and a liability cap calculated by reference to fees paid would otherwise be zero, the parties agree that — without prejudice to the carve-outs above — Warehouse Bridge's aggregate liability to the Merchant for breach of this DPA or of Data Protection Law in respect of Merchant Personal Data shall not be capped below fifty thousand United States dollars (USD 50,000) in aggregate per Merchant per 12-month period. This minimum floor applies notwithstanding any contrary fee-based cap in the WB Connect Terms of Service and does not apply to amounts the Merchant is required to indemnify Warehouse Bridge for under any separate agreement.

11. Return and Deletion of Personal Data

11.1 Mid-term

During the term, the Merchant may at any time export Personal Data relating to its store from Shopify directly. In addition, the Merchant may at any time email privacy@warehousebridge.com to request, at no charge, an export of Merchant Personal Data scoped to a named end customer (for access / deletion request purposes — see clause 4.5) or, on reasonable request, a bulk export of Merchant Personal Data the Merchant has transmitted through the Connector.

11.2 On termination

(a) Notification. Within seven (7) days after termination of the Services (whether by uninstall of the Connector, expiry of the App Store relationship, or otherwise), Warehouse Bridge will email the Merchant's shop owner email of record (i) confirming receipt of the termination event, (ii) inviting the Merchant to elect, by reply to privacy@warehousebridge.com, whether Merchant Personal Data held in active production systems should be (A) deleted, or (B) returned in a commonly used machine-readable format and then deleted, and (iii) warning the Merchant that, if no election is received within twenty-one (21) days, Warehouse Bridge will proceed with deletion under option (A).

(b) Headline timetable. Whichever option is chosen (or defaulted), Warehouse Bridge will complete return and/or deletion of Merchant Personal Data held in active production systems within thirty (30) days of termination. On the Merchant's written request received before that 30-day deadline expires, Warehouse Bridge will extend the window by up to a further sixty (60) days (giving a maximum of ninety (90) days) where the Merchant reasonably requires additional time to complete a migration.

(c) Shopify shop/redact interaction. The Shopify-mandated shop/redact webhook (clause 4.6) operates automatically per Shopify's documented timing after uninstall and will independently trigger deletion. Where the Merchant elects return of data under clause 11.2(a)(ii)(B), Warehouse Bridge will provide the export before the shop/redact deletion is executed.

11.3 Permitted retention

Warehouse Bridge may retain Merchant Personal Data after termination only:

  • (a) in encrypted, access-controlled backups, until those backups are routinely overwritten in accordance with Warehouse Bridge's standard backup rotation, not exceeding thirty-five (35) days. Warehouse Bridge will not restore, access or use Personal Data contained in such backups after termination, other than for legitimate disaster recovery, security-incident response, or where required by law or by a binding order of a competent court or authority;
  • (b) to the extent (and for as long as) required by applicable law (for example, retention of transactional records for accounting, tax or audit, or as required by US state privacy statutes), in which case retention shall not exceed the period prescribed by the applicable law; or
  • (c) where strictly necessary for the establishment, exercise or defence of legal claims, on a documented and minimized basis, in which case retention shall be limited to the minimum data and minimum period necessary and shall not exceed the applicable statutory limitation period plus twelve (12) months.

On the Merchant's written request, Warehouse Bridge will provide a summary of any Merchant Personal Data retained under sub-clauses (b) or (c) and the basis for its retention. In each case, retained data shall continue to be protected in accordance with this DPA until it is irretrievably deleted or anonymized.

12. Term, Survival, and Conflict

12.1 Term

This DPA takes effect on the date the Merchant installs the Connector and remains in effect for so long as Warehouse Bridge Processes Merchant Personal Data.

12.2 Survival

Clauses 1 (Definitions), 5 (Personal Data Breach — for incidents discovered during the term), 6 (International Transfers — for retained data), 7 (Audit Rights — for a period of one year following termination), 10 (Liability), 11 (Return and Deletion) and 13 (General) survive termination.

12.3 Conflict

In the event of any conflict between this DPA and the WB Connect Terms of Service or any other agreement between the parties, this DPA prevails in respect of Processing of Merchant Personal Data. Where Standard Contractual Clauses or the UK IDTA apply and conflict with this DPA, the Standard Contractual Clauses or UK IDTA (as applicable) prevail.

13. General

13.1 Governing law and dispute resolution

This DPA is governed by the laws of the State of Nevada, United States, without regard to its conflict of laws principles, save that matters concerning the protection of personal data of a Data Subject located in the United Kingdom, the EEA, California or any other US state with applicable privacy legislation are also governed by the Data Protection Law of that Data Subject's jurisdiction.

Any dispute, controversy or claim arising out of or relating to this DPA, including its existence, validity, interpretation, performance, breach or termination, shall be resolved by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, conducted in the State of Nevada, United States. Judgment on the award rendered by the arbitrator(s) may be entered in any court of competent jurisdiction. Each party waives any right to participate in class action lawsuits or class-wide arbitration in respect of this DPA.

Nothing in this clause:

  • prevents the Merchant from exercising any non-waivable consumer or data-subject rights under applicable local law;
  • prevents the Merchant or any Data Subject from raising a complaint with their local data-protection supervisory authority (including, in the UK, the Information Commissioner's Office; in the EEA, the relevant national supervisory authority and/or the Irish Data Protection Commission; and in California, the California Privacy Protection Agency or the California Attorney General);
  • overrides the governing-law, jurisdiction or dispute-resolution provisions of any incorporated Standard Contractual Clauses or the UK IDTA, which apply on their own terms;
  • restricts a Data Subject's right of action under Clause 18 of the EU SCCs to bring proceedings in the courts of the Member State in which they habitually reside; or
  • prevents either party from seeking interim or injunctive relief in any court of competent jurisdiction to protect intellectual property rights, confidential information, or to prevent ongoing or threatened unauthorized Processing of Personal Data.

13.2 Variation

Warehouse Bridge may amend this DPA only:

  • (a) where required by changes in Data Protection Law, the requirements or binding guidance of a competent regulator, or the published requirements of the Shopify platform; or
  • (b) where the amendment does not materially reduce the Merchant's rights, or materially reduce Warehouse Bridge's obligations to the Merchant, under this DPA.

Warehouse Bridge will notify the Merchant by email to the Merchant's shop owner email of record at least thirty (30) days before any amendment takes effect (whether or not Warehouse Bridge considers the amendment material). Editorial corrections (such as typographical fixes, updated contact-detail formatting or non-substantive renumbering) that do not change the parties' rights or obligations may be made without notice.

If the Merchant objects to a notified amendment, the Merchant may uninstall the Connector at any time before the effective date. Uninstall in these circumstances does not constitute a breach of the WB Connect Terms of Service by the Merchant, does not give rise to any termination or early-exit charge, and triggers the return-and-deletion process under clause 11.2 without further charge.

13.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.4 Entire agreement on Processing

This DPA, together with the WB Connect Terms of Service, the WB Connect Privacy Policy, the WB Connect Sub-processor list (Annex 3, as defined in clause 4.4) and (where applicable) the Standard Contractual Clauses and UK IDTA, constitutes the entire agreement between the parties in relation to the Processing of Merchant Personal Data through the Connector.

14. Contact

For all matters relating to this DPA, data protection or privacy:

  • Privacy / data protection requests: privacy@warehousebridge.com
  • General support: support@warehousebridge.com
  • Abuse reports: abuse@warehousebridge.com
  • Legal notices: legal@warehousebridge.com
  • Postal address: Flag Eagle LLC, 401 Ryland Street STE-200, Reno, NV 89502, United States
  • Website: https://wbconnect.app

Data Protection Officer. Flag Eagle LLC has not appointed a statutory Data Protection Officer under Article 37 of the UK GDPR / EU GDPR because, on assessment, the conditions in Article 37(1) (public authority, large-scale systematic monitoring, or large-scale processing of special-category or criminal-conviction data) are not met by the Connector. Privacy enquiries are handled by the Warehouse Bridge privacy team via privacy@warehousebridge.com.

EU Article 27 / UK GDPR Article 27 representative. Flag Eagle LLC is established in the United States and offers the Connector to merchants worldwide via the Shopify App Store, which can include merchants whose end customers are EEA or UK Data Subjects. To the extent required under Article 27 of the EU GDPR or the UK GDPR, Flag Eagle LLC has determined that, given (i) the occasional nature of the relevant Processing as between Flag Eagle LLC and EEA / UK Data Subjects (Processing is on documented Merchant instruction, not directly targeted at such Data Subjects by Flag Eagle LLC), (ii) the absence of large-scale Processing of special-category or criminal-conviction data, and (iii) the low risk to the rights and freedoms of EEA / UK Data Subjects, the derogation in Article 27(2)(a) is engaged and a representative is not currently required. Flag Eagle LLC keeps this assessment under review and will appoint and publish an Article 27 representative if and when the conditions for the derogation are no longer met. EEA and UK Data Subjects may in the meantime contact Warehouse Bridge directly at privacy@warehousebridge.com.

Top