Loading...
Skip to main content

Last Updated: 2026-06-10 — Version 1.2

This notice operates alongside our Privacy Policy and Cookie Policy, which set out our full data collection, retention periods, processing purposes, and tracking-technology disclosures. Please read this notice together with those documents.

A summary of changes from any prior version, and all future updates, will be maintained on our public change log at https://wbconnect.app/legal/changelog. This is Version 1.2.

Who This Notice Is For

WB Connect is the merchant-facing brand for the Shopify app listed on the App Store as "Warehouse Bridge", operated by Flag Eagle LLC, a Nevada limited liability company (United States) registered with the Nevada Secretary of State and trading as "Warehouse Bridge".

This notice explains how to exercise your data subject rights in relation to personal data processed through WB Connect. It is written for two audiences:

  • Shopify merchants who install WB Connect from the Shopify App Store and use it to connect their store to a third-party logistics (3PL) warehouse.
  • End customers of those merchants (the shoppers whose orders flow through the connector) whose personal data is processed when a merchant fulfils an order via WB Connect.

Different rights and routes apply depending on which role you are in. Both are covered below.

Controller, Business, and Processor Roles

Understanding who controls your data matters because it determines who you should contact.

Role Who What they decide
Business / Controller (merchant data) Flag Eagle LLC Account, billing, and audit data for the Shopify merchant who installed WB Connect
Business / Controller (end customer data) The Shopify merchant The merchant decides why and how their customer data is processed for fulfilment
Service Provider / Processor (end customer data) Flag Eagle LLC We process end customer data on the merchant's documented instructions to enable fulfilment
Independent Controller / Business (3PL fulfilment data) The merchant's 3PL Warehouse Customer The merchant's chosen 3PL receives order and shipping data directly from us at the merchant's instruction, and processes that data under its own independent B2B contract with the merchant
Source platform Shopify Inc. Personal data originates in Shopify and is transmitted to us via API and webhooks

We use "Business" and "Service Provider" in the CCPA/CPRA sense and "Controller" and "Processor" in the UK/EU GDPR sense; the rows above show the equivalent role for each.

The 3PL Warehouse Customer is selected and contracted by the merchant independently; WB Connect does not introduce new 3PL processors into the merchant's data flow without merchant action.

If you are an end customer of a Shopify merchant and want your data deleted, the mediated path described in Shopify End Customers: The Mediated Path is typically the fastest route. You may, however, contact us directly at any time without first going through the merchant.

Applicable Laws

Flag Eagle LLC is a United States company headquartered in Nevada. WB Connect handles personal data under several overlapping legal regimes, depending on where the data subject is located:

United States (primary frameworks for Flag Eagle LLC):

  • The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), for California residents.
  • The Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MCDPA), the Florida Digital Bill of Rights (FDBR), and other comparable state privacy laws as applicable to residents of those states.
  • The Nevada Privacy of Information Collected on the Internet from Consumers Act (NRS 603A.300 et seq.), including the NRS 603A.330 right to direct an operator not to make a covered "sale" of certain personal information.
  • The Nevada Security of Personal Information statute (NRS 603A), including the breach-notification obligations at NRS 603A.220, and comparable state breach-notification statutes for residents of other US states.

United Kingdom and European Economic Area (frameworks we apply when processing data of UK/EU data subjects):

  • The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 for individuals in the United Kingdom.
  • The EU General Data Protection Regulation (Regulation (EU) 2016/679) for individuals in the European Economic Area.

The rights listed below are granted by these regimes; we honour the most protective standard available to you in your jurisdiction.

Your Rights

Rights Under CCPA / CPRA (California Residents)

If you are a California resident, you have the following rights, which are the primary statutory rights honoured by Flag Eagle LLC:

Right Description
Right to Know Request disclosure of the categories and specific pieces of personal information we collect, the categories of sources, the business or commercial purposes for collecting, the categories of third parties to whom we disclose it, and (for the prior 12 months) the categories of personal information we have collected, sold, or shared
Right to Delete Request deletion of personal information we collected from you, subject to statutory exceptions
Right to Correct Request correction of inaccurate personal information
Right to Opt Out of Sale or Sharing Direct us not to sell or share your personal information (including for cross-context behavioural advertising)
Right to Limit Use of Sensitive Personal Information Restrict our use of sensitive personal information to the purposes permitted by CPRA
Right to Non-Discrimination Receive equal service and pricing regardless of exercising your rights, with no retaliation

Flag Eagle LLC does not sell personal information and does not share personal information for cross-context behavioural advertising. WB Connect is a transactional B2B fulfilment connector; the data is used to enable Shopify orders to be fulfilled by a 3PL warehouse, and for no other purpose.

Rights Under Other US State Privacy Laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, or another state whose privacy law confers comparable rights, you may exercise the equivalent state-law rights of access, correction, deletion, portability, and opt-out by submitting a request as described in How to Submit a Request Directly to WB Connect. You also have the right to appeal a refusal of a request under each of those state regimes — see Appeals and Complaints below.

Rights Under the Nevada NRS 603A.330 Opt-Out

If you are a Nevada consumer, you may direct Flag Eagle LLC, as an "operator" within the meaning of NRS 603A.330, not to make any covered sale of personal information about you collected through our website or app. As stated above, Flag Eagle LLC does not make covered sales of personal information, but you may register a Nevada NRS 603A.330 opt-out preference at any time by emailing privacy@warehousebridge.com with the subject line "Nevada Opt-Out".

Right of Access (UK GDPR / EU GDPR Article 15)

If you are in the United Kingdom or the European Economic Area, you can ask us to confirm whether we hold personal data about you and to provide a copy of that data, together with information about why we process it, who it is shared with, how long we keep it, and where it was obtained from. We will respond in a commonly used electronic format (typically CSV or PDF).

Right to Rectification (Article 16)

You can ask us to correct personal data that is inaccurate or to complete data that is incomplete. Where the data originated in Shopify (for example, an order shipping address), the authoritative correction usually needs to happen in Shopify itself; we will then receive the corrected version via the standard Shopify webhook and update our records.

Right to Erasure / Right to be Forgotten (Article 17)

You can ask us to delete personal data we hold about you. For Shopify-sourced data, this right is operationalised through Shopify's mandatory GDPR webhooks — see Shopify End Customers: The Mediated Path and How Shopify GDPR Webhooks Handle Deletion below.

Erasure is not absolute. We may retain data where retention is required by law (for example tax and accounting records under US federal and state law and, where applicable, UK HMRC retention rules), where it is necessary for the establishment, exercise, or defence of legal claims, or where it is needed for fraud prevention. Where we cannot delete, we will tell you why.

Right to Restriction of Processing (Article 18)

You can ask us to limit the use of your personal data — for example while you contest its accuracy, or while we determine whether our legitimate interests override your objection. When data is under restriction we will only store it, not actively process it, until the restriction is lifted.

Right to Data Portability (Article 20)

Where the lawful basis for processing is your consent or the performance of a contract and the processing is automated, you can ask us to provide your data in a structured, commonly used, machine-readable format (typically CSV or JSON) and, where technically feasible, to transmit it directly to another controller you nominate.

Right to Object (Article 21)

You can object to processing based on legitimate interests, including profiling. WB Connect does not use personal data for direct marketing, but you also have an absolute right to object to any direct marketing should that ever change.

Right Not to Be Subject to Solely Automated Decisions (Article 22)

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significant effects. WB Connect does not make solely automated decisions of this kind about merchants or end customers.

Cookies and Similar Technologies

WB Connect operates as a non-embedded Shopify app (declared embedded = false in the app manifest). Merchants authenticate via the standard OAuth flow and use the app surface directly, so we do not set cookies within the Shopify admin iframe context.

WB Connect's web presence consists of two distinct surfaces, each with its own cookie scope:

(a) The public-facing marketing and legal site at wbconnect.app. This static site serves the Privacy Policy, this Data Subject Request notice, the Cookie Policy, and the changelog. It sets only strictly-necessary functional cookies required for the static site itself (for example, basic session and CSRF protection on any public form, where used). Merchants do not authenticate on wbconnect.app, and no merchant order, customer, product, or inventory data is processed on this surface.

(b) The authenticated merchant app surface at app.warehousebridge.com. This is the backend surface where the Shopify OAuth flow terminates, where the merchant dashboard is served, and where Shopify webhooks (including the GDPR compliance webhooks) are received. This surface sets only strictly-necessary cookies for authentication, session management, and CSRF protection associated with OAuth and merchant dashboard use. It does not set analytics, advertising, profiling, or cross-site tracking cookies.

Across both surfaces, we do not use analytics cookies, advertising cookies, cross-site tracking cookies, third-party tags, fingerprinting, or any behavioural-profiling technologies.

Where consent is required under UK/EU ePrivacy law for any non-essential technology we may introduce in future, our cookie interface will provide equally prominent Accept and Reject options, no pre-ticked boxes, and a refusal option that is as easy as acceptance. We do not deploy non-essential trackers without prior opt-in consent.

Because Flag Eagle LLC does not sell or share personal information, a "Do Not Sell or Share My Personal Information" link is not required under Cal. Civ. Code § 1798.135. Should this ever change, we will provide the link in a clear and conspicuous location on wbconnect.app and notify merchants in advance via the changelog.

Full details of every cookie set, its purpose, duration, and category are maintained in our Cookie Policy.

Children's Data

WB Connect is a B2B fulfilment connector intended for use by Shopify merchants and their warehouse partners. It is not directed at children and is not marketed to anyone under the age of majority.

We do not knowingly collect personal data from anyone under 13 in the United States (COPPA, 15 U.S.C. §§ 6501–6506; CCPA, Cal. Civ. Code § 1798.120(c)). In the United Kingdom we do not knowingly collect personal data from anyone under 13 (Data Protection Act 2018 section 9, which sets the UK GDPR Article 8 threshold at 13). In the European Economic Area we apply a default threshold of 16 for the purposes of Article 8 EU GDPR, which is the default threshold set by Article 8(1) EU GDPR; Member States are permitted to lower (but not raise) this default to no less than 13. Where a Member State has lowered that threshold for residents of that State (some Member States have set thresholds between 13 and 15), the lower threshold applies as a matter of local law, but merchants do not need to determine which threshold applies — we apply 16 by default and adjust only where a Member State's law explicitly mandates otherwise.

Under CCPA / CPRA, sale or sharing of personal information of California consumers under the age of 16 requires affirmative opt-in (opt-in by the consumer if aged 13–15, or by a parent/guardian if under 13) under Cal. Civ. Code § 1798.120(c). Because we do not sell or share personal information at all, this provision does not arise in practice, but we acknowledge it for completeness.

End customer data flowing through the connector is collected by the merchant on their storefront, not directly by us; if a merchant becomes aware that a customer record relates to a child, the merchant should issue a customers/redact request through Shopify or contact us at privacy@warehousebridge.com and we will erase the record on receipt.

Shopify End Customers: The Mediated Path

If you are a shopper who bought something from a Shopify store that uses WB Connect and you want your data deleted, the mediated path through the merchant is typically the fastest and most complete route:

  • The merchant is the controller / business of your personal data. They decided to collect it, they decided to use WB Connect, and Shopify is the platform of record.
  • When you submit a customer data deletion request via the merchant's store, Shopify routes that request through its mandatory customers/redact GDPR webhook, which we receive and act on automatically.
  • Going through Shopify ensures a clean, auditable, platform-mediated deletion across every Shopify app the merchant uses — including WB Connect — without you having to chase each one individually.

You have an unconditional right to contact us directly at privacy@warehousebridge.com at any time, without first contacting the merchant. The mediated route is faster in most cases, but it is not a precondition. Whether you arrive via Shopify, via the merchant, or directly, your statutory rights are identical and we will process your request within the timelines set out below.

How Shopify GDPR Webhooks Handle Deletion

WB Connect implements all of Shopify's mandatory GDPR webhooks. They are received at https://app.warehousebridge.com/shopify/webhooks/compliance.

A note on hostnames. WB Connect runs on a single Flask backend. The app.warehousebridge.com hostname is the registered backend endpoint that the Shopify Partner Dashboard webhook subscriptions point to — it hosts the underlying authenticated app surface, the OAuth callback, the merchant dashboard, and our corporate email infrastructure. The wbconnect.app hostname is the merchant-facing brand and public marketing/legal surface for the same service (this notice, the Privacy Policy, the Cookie Policy, and the changelog are served from wbconnect.app). The authenticated app surface and brand presented to merchants in App Store materials is WB Connect; app.warehousebridge.com is used for backend webhook delivery, OAuth, the authenticated dashboard, support correspondence, and corporate identity. Current Shopify webhook timelines and behaviours are documented by Shopify at https://shopify.dev/docs/apps/build/privacy-law-compliance; the table below reflects those timelines as of the document date.

Webhook What we do
customers/data_request When a merchant's customer requests their data, Shopify notifies us immediately. Within 30 days of webhook receipt we either (a) compile the personal data we hold for that customer and provide it to the merchant — who, as controller / business, is responsible for delivering it to the customer — or (b) where we hold no personal data matching the request, confirm that fact to the merchant. We log every response for audit purposes.
customers/redact When a customer requests deletion through the merchant, Shopify sends customers/redact to all installed apps once the merchant's objection window has closed (as of the document date, Shopify's published policy is 10 days from the original customer request; the live policy at https://shopify.dev/docs/apps/build/privacy-law-compliance governs). The objection window is set and enforced by Shopify; we do not control or delay it. On receipt, we erase the customer's order and shipping address records from our active systems within 14 days of webhook receipt. Total time from a customer's deletion request to active-system deletion is therefore up to approximately 24 days (10-day merchant objection window enforced by Shopify, plus up to 14 days post-webhook), subject to Shopify's then-current published policy.
shop/redact When a merchant uninstalls WB Connect, Shopify sends shop/redact 48 hours after the uninstall event. On receipt, we delete all order, customer, product, and inventory records associated with that store from our active systems within 14 days of receiving the shop/redact webhook. Total time from uninstall to active-system deletion is therefore up to approximately 16 days (48-hour grace period plus up to 14 days post-webhook), subject to Shopify's then-current published policy.
app/uninstalled When a merchant uninstalls the app, we mark the connection inactive and start the 48-hour countdown to shop/redact. On uninstall, the $0/month Shopify AppSubscription is treated as cancelled by Shopify in line with the standard AppSubscription lifecycle.

Backups, Restoration, and Hard Maximum Retention

Residual copies in encrypted backups age out on the standard backup retention schedule and will not exceed 35 days from the date of backup. Backups are not restored to live systems in the ordinary course of business.

If we are required to restore from a backup older than the deletion request as part of a documented disaster-recovery event, we will:

  1. Re-apply any pending Shopify deletion instructions (customers/redact and shop/redact) against the restored data within 7 days of the restore completing; and
  2. Log the disaster-recovery event and the re-application of deletion in our audit log, available to affected merchants on written request to privacy@warehousebridge.com.

In no circumstances will the combined backup retention plus disaster-recovery re-deletion window cause personal data to persist beyond what is reasonably necessary to complete the restore-and-sweep cycle.

How to Submit a Request Directly to WB Connect

If you are a merchant, or an end customer who wishes to contact us directly (whether or not you have first used the mediated path), submit your request to:

Email: privacy@warehousebridge.com Subject line: Data Subject Request — [type of request]

What to include

To process your request efficiently please provide:

  1. Your full name.
  2. The email address associated with the data (for merchants, your Shopify account email; for end customers, the email used at checkout).
  3. The Shopify store domain (e.g. example.myshopify.com) that the data relates to.
  4. The type of request: access / right to know, rectification / correction, erasure / deletion, restriction, portability, objection, opt-out of sale or sharing, limit use of sensitive personal information, or a state-specific right.
  5. Enough specificity to identify the data you are asking about (for example an order number or date range).

Identity verification

To protect you against impersonation we must verify your identity before acting on the request. Our default approach is proportionate, not intrusive:

  • For requests made from the email address already associated with your account or order, email verification is normally sufficient.
  • For requests from a different email, we may ask you to confirm specific details we already hold (such as the last 4 digits of an order total or the destination postcode).
  • We will not ask you to send copies of passports, driving licences, or other government-issued ID unless we have a specific reason to believe the request is fraudulent and no less intrusive method will work.

We will limit verification to a single proportionate challenge and will not use repeated verification requests to delay or obstruct a legitimate request. If our first challenge is unsuccessful and we still have a genuine basis to doubt identity, we will explain the basis in writing rather than issuing further iterative challenges.

Any identity document we do request will be reviewed only for the purpose of verification, the verification outcome recorded, and the document itself securely deleted immediately after the verification decision is recorded, and in no event later than 7 days from receipt. We will never retain a copy of an ID document beyond what is strictly necessary for the verification, and we will never use it for any other purpose.

Appeals do not trigger a fresh identity challenge. On appeal we will not require you to re-submit identity documents; we will rely on the verification record from your original request unless we have a documented new basis to doubt identity, which we will explain in writing.

We do not charge a fee for legitimate first requests. We may charge a reasonable fee, or refuse to act, only where a request is manifestly unfounded or excessive — for example, repetitive identical requests.

Statutory Response Timelines

Jurisdiction Acknowledgement Substantive response Permitted extension
CCPA / CPRA (California) Within 10 business days (Cal. Civ. Code § 1798.130(a)(2); 11 CCR § 7021(b)) Within 45 days of receipt (Cal. Civ. Code § 1798.130(a)(2)) Up to a further 45 days (90 days total) with notice
Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MCDPA, Florida FDBR Without undue delay Within 45 days of receipt A further 45 days where reasonably necessary, with notice
UK GDPR / EU GDPR Without undue delay Within one month of receipt (Article 12(3)) A further two months (three months total) for complex or numerous requests, with reasons given within the first month
Shopify customers/data_request Automatic Within 30 days of webhook receipt None permitted by Shopify policy
Shopify customers/redact and shop/redact Automatic Acted on within 14 days of webhook receipt (our self-imposed commitment, well within Shopify's 30-day permitted window) None permitted by Shopify policy

We will acknowledge direct email requests within 5 business days even where the law does not require it.

What Personal Data WB Connect Processes

To help you understand the scope of any request, the categories of personal data WB Connect handles are:

Inbound from Shopify (via Shopify API and webhooks):

  • Order data and line items (order ID, dates, totals, currency, line item SKUs and quantities).
  • Customer shipping and billing addresses (name, postal address, email, telephone where the merchant collects it) delivered as part of the order payload itself — these contact details are attached to the order record we receive under our orders scope; we do not maintain a separate customers index outside of orders.
  • Product catalogue data (titles, SKUs, variants, prices, images).
  • Inventory levels per location.
  • Fulfilment status and existing fulfilments.
  • Merchant-managed fulfilment order data needed to claim, fulfil, and update fulfilment orders on the merchant's behalf.

These categories are obtained under the Shopify API access scopes declared in the app's installation manifest. We request only the minimum scopes necessary to operate the fulfilment connector. As of the document date the scopes requested are: read_orders, write_orders, read_products, write_products, read_inventory, write_inventory, read_fulfillments, write_fulfillments, read_merchant_managed_fulfillment_orders, write_merchant_managed_fulfillment_orders, and read_locations. The current scope list and a per-scope justification (mapping each scope to the data category and write action it enables) are published in our Privacy Policy and are kept in sync with the scopes the app actually requests at install. If the published list and the install-time scopes diverge for any reason, please email privacy@warehousebridge.com and we will reconcile within 5 business days.

Outbound to Shopify (via Shopify API):

  • Fulfilment events created on the merchant's behalf (under write_fulfillments and write_merchant_managed_fulfillment_orders).
  • Tracking numbers and carrier identifiers from the 3PL written back to the corresponding fulfilment record.
  • Inventory level updates from the 3PL (under write_inventory).
  • Order and product field updates on the merchant's behalf where the connector needs to reflect 3PL state back into Shopify (under write_orders and write_products).

About the merchant account itself (collected directly by us):

  • Shopify account email and shop owner name (derived from the shop record returned with the access token at OAuth callback).
  • App install, uninstall, and re-install timestamps.
  • The merchant's $0/month Shopify AppSubscription record (charge ID, activation timestamp, status) — held to evidence that billing is on-platform.
  • IP address and basic browser/user-agent metadata captured at merchant authentication, OAuth callback, and webhook receipt — held in standard security audit logs for fraud detection, incident response, and abuse investigation, and retained per the retention schedule in our Privacy Policy.

We do not capture analytics telemetry, IP geolocation profiling, behavioural tracking, session recording, heatmaps, or device fingerprinting from the merchant admin interface or from any end customer beyond the standard authentication and webhook security logs described above.

Where Your Data Is Stored and Who Processes It

All personal data processed through WB Connect is stored on Amazon Web Services infrastructure in the eu-west-2 (Ireland) region.

Sub-processors (acting on Flag Eagle LLC's instructions)

The following entities process personal data on our behalf to deliver the service and qualify as sub-processors under Article 28 GDPR / CCPA service-provider rules:

Sub-processor Purpose Headquarters
Amazon Web Services, Inc. Compute, database, and storage hosting in eu-west-2 (Ireland) United States (data resident in Ireland)
Amazon SES (Amazon Web Services, Inc.) Sending transactional emails (account, support, security notifications) United States

Onward recipients (independent controllers / businesses)

The following entities are not sub-processors of Flag Eagle LLC. They receive personal data either as the source platform (Shopify) or as an independent controller / business that the merchant has separately contracted with (the 3PL):

Recipient Role Headquarters
Shopify Inc. Source platform. Personal data originates in the merchant's Shopify store and reaches us via Shopify's APIs and webhooks. Shopify is the merchant's chosen e-commerce platform and is contracted by the merchant directly, not by Flag Eagle LLC. Canada
The merchant's 3PL Warehouse Customer Independent controller / business. Receives order and shipping data on the merchant's documented instruction so the warehouse can pick, pack, and ship the merchant's orders. The 3PL processes that data under its own pre-existing B2B contract with the merchant. Flag Eagle LLC is not a party to the 3PL's contract with the merchant, and does not select or impose 3PL providers on merchants. Varies — the specific 3PL is the warehouse partner the merchant has selected or been claimed by. Each merchant can see their 3PL partner identity and headquarters jurisdiction in their WB Connect dashboard under Settings → Warehouse Partner, and on request to privacy@warehousebridge.com.

Sub-processor change notice and right to object

We commit to the following sub-processor change controls:

  1. 30-day prior written notice before adding, replacing, or materially changing any sub-processor listed above. Notice is delivered both by email to the merchant's registered Shopify account email and on the merchant's WB Connect dashboard.
  2. Right to object. On receipt of a notice, the merchant has 30 days to object in writing to privacy@warehousebridge.com. A documented objection that we are not able to reasonably accommodate gives the merchant a clean exit: full data export in CSV/JSON, termination of the connection, and (where any paid product is involved — currently nil for WB Connect) pro-rata refund. We will not delay or obstruct an exit triggered by a legitimate sub-processor objection.
  3. Public dated sub-processor register. A current, dated sub-processor list is maintained at https://wbconnect.app/legal/sub-processors.
  4. Opt-in change notifications. Merchants can subscribe to email notification of sub-processor changes by emailing privacy@warehousebridge.com with the subject line "Subscribe — Sub-processor Updates"; subscribers receive notifications even where they have left the WB Connect dashboard.

A note on Stripe

WB Connect does not use Stripe. No order, customer, product, inventory, or merchant account data from your Shopify store is ever transmitted to Stripe under WB Connect. Flag Eagle LLC uses Stripe to administer billing on separate, unrelated products in its portfolio; those Stripe surfaces are entirely outside the WB Connect product and outside the WB Connect data flow. See A Note on Billing for the single canonical statement of this commitment.

International Transfers

All personal data is stored at rest in AWS eu-west-2 (Ireland). However, Flag Eagle LLC is established in the United States, and certain entities in the data flow are headquartered outside the UK and EEA (AWS Inc. and Amazon SES in the United States; Shopify Inc. in Canada).

For UK and EEA data subjects, where personal data is transferred from the United Kingdom or the European Economic Area to the United States (including to Flag Eagle LLC itself as the US data importer), or to any other third country, the transfer is covered by one or more of the following safeguards:

  • The EU Standard Contractual Clauses as adopted under Commission Implementing Decision (EU) 2021/914, in the appropriate Module for each transfer scenario.
  • The UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK IDTA"), issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
  • The EU-US Data Privacy Framework (and its UK Extension) where the recipient is certified.
  • For Canada, the European Commission's adequacy decision for PIPEDA for commercial-organisation transfers, and the UK government's equivalent adequacy regulations.

Where Flag Eagle LLC is itself the US data importer of UK/EEA personal data, we have implemented the EDPB Recommendations 01/2020 supplementary measures to give effect to the SCCs and IDTA. Those supplementary measures include encryption in transit (TLS 1.2 or higher) and at rest (AES-256), strict access controls and least-privilege role-based access, full audit logging of personal data access, internal policies governing responses to any law-enforcement or government access request, and transparent published reporting of the safeguards in this section.

Per-recipient mapping:

Recipient Transfer destination Safeguard relied on
Flag Eagle LLC (us, as US data importer) United States EU SCCs (2021/914) for EEA transfers and the UK IDTA for UK transfers, together with EDPB Recommendations 01/2020 supplementary measures (encryption, access controls, transparency).
Shopify Inc. Canada European Commission adequacy decision for Canada (PIPEDA) for commercial-organisation transfers; UK government's equivalent adequacy regulations for UK transfers.
Amazon Web Services, Inc. United States (operational support and corporate access; data resident in Ireland) EU-US Data Privacy Framework (and its UK Extension) where AWS is certified; in addition, the EU SCCs (2021/914) and the UK IDTA are in place under AWS's Data Processing Addendum as a fallback.
Amazon SES (AWS Inc.) United States Same as AWS Inc. above — DPF where certified, SCCs / IDTA as fallback.
The merchant's 3PL Warehouse Customer Varies Where the 3PL is established outside the UK/EEA, the transfer is covered by the EU SCCs (2021/914) or the UK IDTA in the 3PL's data processing terms, executed through the merchant's contract with that 3PL.

We keep our sub-processor list and the transfer safeguards in force under review. A current copy of the safeguards in place for any sub-processor is available on request to privacy@warehousebridge.com.

A Note on Billing

Warehouse Bridge is not a party to, and does not process, any fees charged by the 3PL warehouse. The 3PL's fulfilment, storage, and per-shipment fees are a separate commercial matter between the merchant and the 3PL under their pre-existing B2B contract, entirely outside WB Connect and entirely outside any payment surface operated by Flag Eagle LLC.

WB Connect itself is free to install and free to use. On install, the OAuth callback creates a $0/month recurring Shopify AppSubscription through the Shopify Billing API. This is visible to the merchant in Shopify Admin under Settings → Apps and sales channels → Charges. It exists to satisfy Shopify App Store policy 1.2.1 (on-platform billing) and to provide an auditable on-platform billing record. Flag Eagle LLC does not bill merchants off-platform for WB Connect, and does not bill merchants through Shopify for WB Connect beyond the $0/month AppSubscription record.

Stripe is never used for WB Connect. No WB Connect installation, feature, upgrade, or service is billed via Stripe, and no order, customer, product, inventory, or merchant account data from any Shopify store reaches Stripe through WB Connect. The $0/month Shopify AppSubscription is the only billing surface that exists for WB Connect. Flag Eagle LLC operates Stripe on separate, unrelated products in its portfolio; those surfaces are entirely outside WB Connect. There are no current plans to introduce Stripe into any WB Connect data flow; any such change would be made only through a prominently announced amendment to this notice, the Privacy Policy, and the changelog at https://wbconnect.app/legal/changelog before the change takes effect.

Awaiting-partner phase. If you install WB Connect from the Shopify App Store before selecting a 3PL warehouse partner, we receive your order, product, inventory, and customer data into the WB Connect account that is provisioned for your store at install time, but we do not transmit that data to any 3PL until you have selected a partner and confirmed the connection. During this awaiting-partner phase the data is held solely to enable you to onboard with a 3PL, and is subject to the same retention, deletion, and Shopify GDPR webhook handling described elsewhere in this notice.

During the awaiting-partner phase, the merchant has full access to all WB Connect functionality that does not inherently require a 3PL endpoint (data sync, dashboards, settings, account management). No WB Connect feature is gated behind any paid plan, upgrade tier, or off-platform charge. Partner selection is a configuration step, not a billing or plan step.

Maximum awaiting-partner holding period. If you do not select a 3PL partner within 180 days of installing WB Connect, we will email you a reminder at the Shopify account email on day 180; if you take no further action within a further 30 days, we will purge the awaiting-partner data from active systems automatically (the 35-day backup-retention cap continues to apply to any residual backup copies). Re-establishing the connection at that point requires a fresh OAuth install.

If you uninstall before selecting a partner, the data is deleted on receipt of shop/redact in the normal way.

This matters for data subject requests because any invoice or payment data for fulfilment services is held by the 3PL, not by us; invoice-related access or deletion requests should be directed to your 3PL provider.

Security and Breach Notification

Flag Eagle LLC maintains administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, use, disclosure, alteration, and destruction, in line with the security requirements of NRS 603A, the security obligations of CCPA/CPRA, and Article 32 UK GDPR / EU GDPR.

In the event of a security breach involving personal data, Flag Eagle LLC will notify affected individuals and regulators where required by applicable law, including NRS 603A.220 (Nevada), comparable breach-notification statutes in other US states, and Articles 33 and 34 UK GDPR / EU GDPR. Notifications will be issued without unreasonable delay and within the timeframes prescribed by the relevant statute.

Exceptions and Limitations

We may decline, or partially decline, a request if:

  • A legal obligation requires us to retain the data (for example US federal or state tax records, UK HMRC retention rules where applicable, or fraud prevention obligations).
  • The data is needed to establish, exercise, or defend legal claims.
  • The request is manifestly unfounded or excessive (repetitive, abusive, or made for reasons other than exercising the right).
  • Compliance would adversely affect the rights and freedoms of other people (for example revealing personal data of third parties).
  • We cannot verify your identity to a level proportionate to the sensitivity of the request (subject to the single-proportionate-challenge commitment described under Identity Verification above).

The burden of demonstrating that a request is manifestly unfounded or excessive rests with us, in line with Article 12(5) UK GDPR and EU GDPR, and with our equivalent good-faith obligation under CCPA/CPRA. We will not invoke this exception lightly, and we will document our reasoning in writing before applying it.

Where we decline in whole or in part we will explain the specific reason, inform you of your right of appeal under the applicable US state law (see below), and inform you of your right to complain to the relevant supervisory authority.

Authorised Agents

You may appoint someone to make a request on your behalf — for example an attorney, a privacy services company, or a family member. The agent must provide:

  • Written authorisation signed by you (an email from your verified address authorising the agent is acceptable for most requests).
  • Sufficient information for us to verify both your identity and the agent's identity.

For CCPA / CPRA requests in California we follow the agent verification rules at 11 CCR § 7063. For Virginia VCDPA requests we follow Virginia Code § 59.1-577. For Colorado CPA requests we follow the Colorado Privacy Act Rules at 4 CCR 904-3, Rule 4.08. For Connecticut CTDPA requests we follow Conn. Gen. Stat. § 42-518. For other state requests we follow the agent-of-record rules in the applicable state regulation.

Appeals and Complaints

If you are unhappy with how we have handled your request:

  1. Ask us to review. Email privacy@warehousebridge.com with the subject line "Appeal — Data Subject Request" and we will have someone other than the original handler review your case. Under the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Oregon OCPA, Montana MCDPA, Florida FDBR, and comparable state laws, you have a statutory right to appeal a refusal of a request. We will respond to an appeal within the timeline required by the applicable state law (typically 45 or 60 days) and will inform you in writing of the appeal outcome and the reasons for it. As stated above, an appeal does not trigger a fresh identity challenge unless we have a documented new basis to doubt identity.
  2. Lodge a complaint with a regulator. You have the right to complain directly to a regulator at any time, whether or not you have asked us to review first:
    • California: California Privacy Protection Agency (https://cppa.ca.gov) or the California Attorney General (https://oag.ca.gov/privacy).
    • Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Florida, and other US states: the Attorney General of your state, who is the enforcement authority under your state's privacy law.
    • Nevada: the Nevada Attorney General (https://ag.nv.gov), who is the enforcement authority under NRS 603A and NRS 603A.330.
    • United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk — telephone 0303 123 1113.
    • European Economic Area: Your national Data Protection Authority. A list is maintained at https://edpb.europa.eu/about-edpb/about-edpb/members_en. You may also lodge a complaint with the supervisory authority of the EU Member State in which our EU Representative is established.

You have the right to an effective judicial remedy under Article 79 UK GDPR / EU GDPR (for UK/EEA data subjects) and the right to pursue available remedies under CCPA/CPRA and other state privacy laws (for US residents), independently of any administrative complaint.

Privacy Contact, DPO, and Representatives

Privacy Contact (acting privacy lead at Flag Eagle LLC): the Manager of Flag Eagle LLC, reachable at privacy@warehousebridge.com, has day-to-day responsibility for data protection matters relating to WB Connect.

Data Protection Officer: Flag Eagle LLC has assessed the criteria in Article 37(1) UK GDPR / EU GDPR and a formal Data Protection Officer is not mandatory because our core activities do not consist of large-scale, regular and systematic monitoring of data subjects, nor of large-scale processing of special categories of data or criminal-offence data. We have nonetheless designated the privacy contact above as the single point of accountability for data subject requests, and we will keep this assessment under review as our processing volumes grow.

EU Representative (Article 27 EU GDPR) and UK Representative (Article 27 UK GDPR):

Because Flag Eagle LLC is established outside the European Economic Area and the United Kingdom, Article 27 GDPR requires Flag Eagle LLC to designate Representatives in the EEA and the UK before offering the service to data subjects in those territories.

Current status (Version 1.2, 2026-06-10). As of the effective date of this notice, the EU Representative and UK Representative for WB Connect have not yet been formally appointed in writing. The WB Connect Shopify App Store listing is configured to block installation by merchants established in EEA Member States and the United Kingdom until both Representatives are appointed. Until that geo-restriction is lifted, EEA and UK merchants will see the WB Connect listing as unavailable in their territory.

When the Representatives are appointed, this notice will be updated to name each Representative inline (full legal name, postal address, and email), and the changelog at https://wbconnect.app/legal/changelog will record the appointment. We commit to notifying every then-active merchant by email and via the WB Connect dashboard at least 30 days before any future change of EU Representative or UK Representative.

UK and EEA data subjects (whose data may currently reach WB Connect only via merchants established outside the UK/EEA) may address requests either directly to privacy@warehousebridge.com or, once appointed, to the relevant Representative; both routes are equally valid and are monitored daily.

Contact

Purpose Address
Data subject requests, privacy and DPO matters privacy@warehousebridge.com
General support support@warehousebridge.com
Legal correspondence legal@warehousebridge.com
Abuse reports abuse@warehousebridge.com
Postal address Flag Eagle LLC, 401 Ryland Street STE-200, Reno, NV 89502, United States
Website https://wbconnect.app

Flag Eagle LLC is a Nevada limited liability company registered with the Nevada Secretary of State.

Governing Law, Dispute Resolution, and Statutory Rights

This Data Subject Request notice is a statutory rights notice, not a contract. It sets out how Flag Eagle LLC will honour data subjects' rights under the laws identified above. Nothing in this section limits, waives, or replaces any statutory right of any data subject under their local law.

Statutory rights of data subjects are unaffected

If you are a data subject (a merchant individual, an end customer, or any other natural person whose personal data we process), your rights under your local law — including without limitation the CCPA/CPRA, other US state privacy laws, NRS 603A, UK GDPR, EU GDPR, and any consumer-protection or data-protection law applicable to you — apply in full, in your local jurisdiction, under your local courts and supervisory authorities. The governing-law and arbitration provisions below do not apply to data subjects exercising statutory data-protection rights, and do not override the dispute resolution provisions of the EU SCCs (2021/914) or the UK IDTA, which contemplate competent EU/UK supervisory authorities and courts as the forum for SCC/IDTA disputes.

UK and EEA data subjects may bring statutory data-protection claims in the courts of their habitual residence under Article 79 GDPR. Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, and Nevada may pursue the administrative and judicial remedies provided by their state law. We will not seek to compel any data subject into Nevada arbitration over a statutory privacy claim.

Contractual disputes between Flag Eagle LLC and merchants (US merchants only)

For purely contractual disputes between Flag Eagle LLC and a merchant established in the United States that arise out of this notice (as distinct from statutory privacy claims), the following terms apply:

  • Governing law. Such disputes are governed by the laws of the State of Nevada, without regard to conflict-of-laws principles.
  • Informal dispute resolution. Before either party initiates arbitration, the party with the complaint will email legal@warehousebridge.com (or, for Flag Eagle LLC, the merchant's registered Shopify email) with a written description of the dispute, and the parties will engage in good-faith discussions for 30 days. Arbitration may only be commenced if the dispute is not resolved within that period.
  • Binding arbitration. Disputes not resolved through informal discussions will be resolved by binding individual arbitration under the rules of the American Arbitration Association (Consumer Arbitration Rules where applicable), conducted in Nevada or, at the merchant's election, by remote video.
  • Fees. For individual merchant claims under USD 10,000, Flag Eagle LLC will pay the AAA filing and administrative fees. Each party bears its own attorneys' fees except as the AAA rules or applicable law provide otherwise.
  • Small claims preserved. Either party may bring a qualifying individual claim in small-claims court in lieu of arbitration.
  • No class actions. Arbitration is on an individual basis. Class, mass, and representative arbitrations are not permitted. This class waiver does not apply to claims brought as a private attorney general under any applicable statute where such waiver is not permitted by law.
  • 30-day arbitration opt-out. A merchant may opt out of binding arbitration entirely by emailing legal@warehousebridge.com with the subject line "Arbitration Opt-Out" within 30 days of first installing WB Connect. Opt-out has no effect on the merchant's access to the app and no other consequence.
  • Injunctive relief. Either party may seek injunctive relief in any court of competent jurisdiction.

Contractual disputes — non-US merchants

If you are a merchant established outside the United States (including in the UK, EEA, Canada, Australia, or elsewhere), the Nevada governing-law and AAA arbitration provisions above do not apply to you. You may bring contractual claims arising out of this notice in the courts of your habitual place of business under your local law. This carve-out is unconditional and does not require an opt-out.

Severability of dispute terms

If any part of this Governing Law section is held unenforceable in your jurisdiction, the remainder of this notice (including all statutory-rights commitments) continues in full force. The statutory rights of data subjects are paramount and severable from the contractual dispute mechanism.

Frequently Asked Questions

Q: Is there a fee for submitting a request? A: No. We do not charge for legitimate first data subject requests. We reserve the right to charge a reasonable administrative fee, or to refuse to act, only where a request is manifestly unfounded or excessive (for example, repetitive identical requests). The burden of showing that a request is manifestly unfounded or excessive rests with us, and we will explain our reasoning before charging.

Q: I am a shopper, not a merchant. Whose responsibility is my data? A: The merchant whose store you bought from is the controller / business of your personal data. WB Connect (Flag Eagle LLC) acts as a processor / service provider for that data on the merchant's behalf. The mediated route via the merchant is typically the fastest path to deletion because Shopify will route the request through the customers/redact webhook and we will act on it automatically. However, you may also contact us directly at privacy@warehousebridge.com at any time without first contacting the merchant.

Q: I uninstalled WB Connect from my Shopify store. Is my data gone? A: When you uninstall, Shopify sends us an app/uninstalled notification and, 48 hours later, a shop/redact instruction. Within 14 days of shop/redact we delete all order, customer, product, and inventory records associated with your store from our active systems — a total of approximately 16 days from uninstall to active-system deletion, subject to Shopify's then-current published policy. Residual copies in encrypted backups age out on the standard backup retention schedule and will not exceed 35 days from the date of backup. Backups are not restored to live systems in the ordinary course of business; if a disaster-recovery restore occurs, we re-apply pending deletion instructions within 7 days of the restore.

Q: How long do you keep my data while I am still a merchant? A: For as long as you have WB Connect installed and active, we retain operational data (orders, fulfilments, inventory) for the period needed to provide the service and to meet legal retention obligations. Full retention periods, broken down by data category, are set out in our Privacy Policy.

Q: Does WB Connect use cookies or tracking technologies? A: WB Connect's web presence consists of two distinct surfaces, each with its own cookie scope. The public marketing and legal site at wbconnect.app (which serves this notice, the Privacy Policy, the Cookie Policy, and the changelog) sets only strictly-necessary functional cookies required for the static site itself. The authenticated merchant app surface at app.warehousebridge.com (where OAuth terminates and the merchant dashboard is served) sets only strictly-necessary authentication, session, and CSRF cookies. WB Connect is a non-embedded Shopify app and does not set cookies inside Shopify Admin. We do not use analytics, advertising, profiling, or cross-site tracking technologies on either surface. Full details are in our Cookie Policy.

Q: Will my request affect my service? A: Exercising your rights will not affect your standard of service, and we will not retaliate or discriminate against you for exercising them. However, certain requests — particularly erasure — may limit our ability to provide some functionality. For example, deletion of order records will mean we cannot return fulfilment status for those orders. We will tell you in advance where this applies.

Q: Do you sell or share my data for advertising? A: No. WB Connect is a transactional B2B connector. We do not sell personal information and we do not share personal information for cross-context behavioural advertising under CCPA/CPRA, NRS 603A.330, or any other applicable state privacy law.

Q: My personal data is transferred outside the UK or EEA — what protects it? A: Personal data is stored at rest in AWS eu-west-2 (Ireland). Where data is transferred to the United States — including to Flag Eagle LLC itself as the US data importer — the transfer is protected by the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, EDPB Recommendations 01/2020 supplementary measures (encryption, access controls, transparency), and the EU-US Data Privacy Framework where the specific recipient is certified. For Canada the European Commission's PIPEDA adequacy decision and the UK government's equivalent adequacy regulations apply. See the International Transfers section for the per-recipient mapping.

Q: I am a US resident outside California. Do I have rights? A: Yes. If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, or another state whose privacy law applies to us, you have rights of access, correction, deletion, portability, and opt-out under your state's law, together with a right to appeal a refusal. Submit your request to privacy@warehousebridge.com and we will honour it under the applicable state law. Nevada consumers also have the NRS 603A.330 opt-out right described above.

Q: I am a UK or EU merchant. Do I have to arbitrate in Nevada? A: No. The arbitration provisions in this notice apply only to contractual disputes brought by US-established merchants. UK, EEA, and other non-US merchants may bring contractual claims in the courts of their habitual place of business under local law. Statutory data-protection rights of any data subject — wherever located — are not subject to arbitration at all and may be exercised in the data subject's local jurisdiction.

Q: WB Connect is free. Will I ever be charged for it? A: No. WB Connect is free to install and free to use. The only billing record that exists is the $0/month Shopify AppSubscription that we are required to create on install to satisfy Shopify App Store policy 1.2.1. We do not use Stripe or any other off-platform billing surface for WB Connect, and we will not introduce paid tiers without a prominently announced amendment to this notice, the Privacy Policy, and the changelog.

Top