Loading...
Skip to main content

Last Updated: 2026-06-10

This Subprocessor List forms part of the WB Connect Privacy Policy, available at https://wbconnect.app/privacy. In the event of any conflict between this page and the Privacy Policy, the Privacy Policy prevails.

Overview

This page lists the third-party service providers ("Subprocessors") engaged by Flag Eagle LLC in connection with the Shopify app listed in the Shopify App Store as Warehouse Bridge v3 (also marketed publicly as "WB Connect"; both names refer to the same app). Throughout this page we use "WB Connect" for brevity.

Flag Eagle LLC is a Nevada limited liability company organized under the laws of the State of Nevada, United States, registered with the Nevada Secretary of State, and trading as "Warehouse Bridge" with the Shopify-merchant-facing sub-brand "WB Connect". Our registered address is 401 Ryland Street STE-200, Reno, NV 89502, United States. References to "we", "us" and "our" on this page are references to Flag Eagle LLC.

In relation to personal data processed via WB Connect, the merchant is the business / controller and Flag Eagle LLC is the service provider / processor acting on the merchant's documented instructions. Shopify Inc. is a separate business / controller in its own right for data it holds about the merchant's shop and that shop's customers. Each 3PL Warehouse Customer engaged by a merchant via WB Connect is a Subprocessor acting on the merchant's instructions, flowed through Flag Eagle LLC.

Each Subprocessor listed below is engaged under a written agreement that imposes data protection obligations no less protective than those we owe to merchants under our own Data Processing Agreement. We remain responsible for the acts and omissions of our Subprocessors to the same extent we would be responsible if performing the services directly.

Governing Law

This Subprocessor List, and our relationship with merchants in respect of WB Connect, is governed by the laws of the State of Nevada, United States, without regard to its conflict of law principles. Any dispute arising out of or in connection with this Subprocessor List or our processing activities shall be resolved through binding arbitration in accordance with the rules of the American Arbitration Association ("AAA"), conducted in Nevada.

Nothing in this section limits the rights of data subjects in the United Kingdom or European Economic Area to bring claims, or to lodge complaints with supervisory authorities, in the jurisdiction in which they reside, where applicable data protection law affords them that right. Equally, nothing in this section limits the right of a merchant established in the United Kingdom or European Economic Area to bring claims in the jurisdiction of its establishment where mandatory consumer or commercial law affords that right.

Applicable Privacy Frameworks

Flag Eagle LLC is a United States company, and the operative legal framework for our relationship with most merchants is United States privacy law. For the majority of Shopify merchants using WB Connect (US-based merchants and merchants serving US customers), Flag Eagle LLC operates as a CCPA/CPRA service provider under written contract, processing personal information solely on the merchant's documented instructions and only for the limited business purposes set out in this document. UK GDPR and EU GDPR frameworks apply only to personal data of UK or EEA data subjects that we process on behalf of a merchant.

The frameworks below apply as set out:

  • United States — primary frameworks for Flag Eagle LLC as a US business:
    • California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), where applicable to data of California residents
    • Other state consumer privacy laws as they apply to residents of those states (including but not limited to Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and Oregon OCPA), where applicable
    • Nevada Revised Statutes Chapter 603A, including the security and breach notification requirements of NRS 603A.210 and NRS 603A.220, and the consumer opt-out right under NRS 603A.340
    • Federal Trade Commission Act Section 5 (unfair or deceptive practices in commerce)
  • United Kingdom — applied to personal data of UK data subjects we process on behalf of a merchant:
    • UK General Data Protection Regulation ("UK GDPR")
    • Data Protection Act 2018
    • Privacy and Electronic Communications Regulations 2003 ("PECR"), where applicable to electronic communications
  • European Union — applied to personal data of EEA data subjects we process on behalf of a merchant:
    • Regulation (EU) 2016/679 ("EU GDPR")
    • National implementing laws of the EU member state of the data subject's residence, where applicable
  • Cross-border transfers from UK/EU to the US — supplementary framework:
    • European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses ("EU SCCs")
    • The UK International Data Transfer Agreement and the UK Addendum to the EU SCCs ("UK IDTA")
    • European Data Protection Board Recommendations 01/2020 on supplementary measures (encryption, access controls, transparency)

Flag Eagle LLC operates as the United States data importer for any personal data transferred from the United Kingdom or European Economic Area in connection with WB Connect. The transfer mechanism, supplementary measures, and our own role as importer are set out in detail under "International Data Transfers" below.

About WB Connect

WB Connect is a free Shopify-side connector that enables a Shopify merchant to link their store to a third-party logistics ("3PL") fulfillment warehouse which uses the Warehouse Bridge warehouse management system as its WMS. The merchant installs WB Connect at no cost via the Shopify App Store.

WB Connect is offered free of charge. On install, a $0/month recurring AppSubscription is created via the Shopify Billing API in compliance with Shopify App Store policy 1.2.1. This gives the merchant a visible billing entry in Shopify Admin under Settings → Apps → Charges. There are no charges for the app. Flag Eagle LLC does not charge the merchant through Shopify Billing, through Stripe, or off-platform in connection with WB Connect.

For absolute clarity to Shopify App Store reviewers: (a) the WB Connect Shopify app is free of charge to install and use; (b) no Flag Eagle LLC revenue flows from this app, whether through Shopify Billing, Stripe, invoice, or any other channel; (c) any fulfillment, storage, or per-shipment charges paid by a merchant to a 3PL Warehouse Customer exist under a separate B2B logistics contract between the merchant and that 3PL, which is independent of the WB Connect app and governs the physical fulfillment relationship — not access to the app or its features. The merchant's ability to install, configure and use every feature of WB Connect is not conditional on the existence, terms, or status of any 3PL contract; (d) Flag Eagle LLC is not party to those 3PL fees, does not collect, process, facilitate, take any margin on, or otherwise touch these charges, and they are not a condition of access to any feature of WB Connect.

Data Flows

WB Connect processes the following personal and store data. The fields listed below correspond to what the app actually requests via the Shopify Admin API and the webhook topics declared in our Shopify app configuration (GDPR compliance topics, product create/update/delete, inventory level updates, plus order webhooks scoped per-merchant).

Inbound (Shopify → WB Connect, via Shopify Admin API and webhooks):

  • Order data (order identifier, status, currency)
  • Line items (product, variant, SKU, quantity, price)
  • Customer shipping and billing addresses (name, address, postcode, country, phone, email)
  • Product catalog (title, handle, status, vendor, product type, variant SKU and price)
  • Inventory levels (per location, per variant)
  • Fulfillment status
  • Store metadata (shop domain, contact email)

Customer phone and email are received from Shopify only where present on the order; they are passed to the 3PL where required for carrier delivery notifications (for example, SMS update on dispatch). WB Connect does not require phone or email to function and does not use customer phone or email for any purpose other than fulfillment.

Outbound (WB Connect → Shopify):

  • Fulfillment events
  • Tracking numbers and carrier identifiers
  • Inventory level updates

Classification under US privacy law

Under the CCPA/CPRA, the data described above constitutes personal information ("PI") as defined in California Civil Code 1798.140(v). WB Connect does not collect, process, share, or sell sensitive personal information ("SPI") as defined in California Civil Code 1798.140(ae). Specifically, WB Connect does not process:

  • Government identifiers (social security numbers, driver's license numbers, state ID numbers, passport numbers)
  • Financial account credentials or payment card data (Shopify processes payments natively; no card data is passed to WB Connect)
  • Account log-in credentials or security codes
  • Precise geolocation data (the addresses we process are postal addresses, not geolocation coordinates)
  • Race, ethnicity, religious or philosophical beliefs, or union membership
  • Genetic data, biometric identifiers, or health information
  • Contents of consumer mail, email, or text messages where Flag Eagle LLC is not the intended recipient
  • Sexual orientation or sex life information

Equivalent SPI categories under Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and Oregon OCPA are likewise not collected or processed by WB Connect.

Purpose of Processing

We process each data category for the specific purposes set out below:

  • Order data and line items — required to transmit accurate fulfillment instructions (what to pick, pack and ship) to the merchant's chosen 3PL.
  • Customer shipping and billing addresses — required so the 3PL can label and ship the parcel to the end customer, and so the correct ship-to address is written back to Shopify as part of the fulfillment record.
  • Product catalog (titles, handles, SKUs, prices, variants) — required to render the merchant's catalog inside the WB Connect dashboard, to map Shopify variants to 3PL stock units, and to keep the 3PL's product list synchronised with Shopify.
  • Inventory levels — required to keep Shopify inventory in sync with 3PL stock counts so the merchant does not oversell.
  • Fulfillment status — required to know which Shopify orders still need to be sent to the 3PL and which have already been actioned.
  • Store metadata (shop domain, contact email) — required to identify the connected shop, route incoming webhooks to the correct merchant, and contact the merchant about service-essential matters (for example, data subject requests, install confirmations, fulfillment alerts).

Lawful Basis / Legal Authority for Processing

For data subjects in the United States, Flag Eagle LLC processes personal information as a CCPA/CPRA service provider to the merchant business, under written contract, solely for the business purposes the merchant has instructed. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, we do not combine merchant or end-customer personal information received from one merchant with personal information from any other source, and we do not retain, use, or disclose merchant or end-customer personal information for any purpose other than performing the contracted services. The same service-provider / processor treatment is applied under equivalent state privacy statutes (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA) where they apply to data subjects in those states.

For data subjects in the United Kingdom or European Economic Area, we process the personal data described above on the following lawful bases under UK GDPR and EU GDPR:

  • Performance of a contract (Article 6(1)(b)) — for processing necessary to provide the WB Connect service requested by the merchant, including transmitting orders to the 3PL, synchronising inventory and product data, and writing fulfillment events back to Shopify. The end customer's personal data (shipping/billing addresses, phone, email) is processed on the basis of the contract between the merchant and the customer for the supply and delivery of goods, for which we act as processor.
  • Legitimate interests (Article 6(1)(f)) — for operational logging, fraud prevention, abuse detection, security monitoring and integrity of our application surface, where these interests are not overridden by data subject rights and freedoms.
  • Legal obligation (Article 6(1)(c)) — where retention or disclosure is required by tax, accounting, audit, or other applicable law.

All inbound data is received at our application surface and stored within our Amazon Web Services account in the eu-west-2 (Ireland) region. Operational logs, backups and database state are likewise held in eu-west-2.

Data Retention

  • Active merchant data is retained for the duration of the merchant's use of WB Connect.
  • On app uninstall, before shop/redact — the merchant's OAuth access token is revoked immediately upon receipt of the app/uninstalled webhook, preventing any further API calls. No new data is ingested from Shopify. Existing data is held pending the shop/redact webhook and then deleted within 48 hours.
  • Shop and merchant personal data is deleted within 48 hours of receipt of the shop/redact webhook (typically issued by Shopify 48 hours after app uninstall), except where retention is required by law (for example, tax records, fraud and audit logs — retained for up to 7 years). Customer personal data such as names, addresses, phone numbers and email addresses is NEVER retained under this 7-year legal exception unless specifically required by law applicable to the merchant's jurisdiction; the exception is limited to transaction identifiers, totals, dates, and similar minimum tax / audit fields.
  • Customer personal data subject to a customers/redact request is deleted within 30 days of receipt of the request, subject to the same legal retention exceptions. Again, customer names, addresses, phone numbers and email addresses are NEVER retained under those exceptions unless a specific law applicable to the merchant's jurisdiction explicitly compels retention.
  • Operational backups containing personal data are encrypted and retained for up to 35 days before being overwritten.
  • Application logs containing personal data are retained for up to 90 days before deletion.
  • Early deletion requests — a merchant may request immediate deletion of their data at any time by emailing privacy@warehousebridge.com; we will action such requests within 5 business days, subject to legal retention obligations.

Data retained under the 7-year legal exception is limited to the minimum fields required for the stated legal purpose (for example, transaction identifiers and totals for tax records), is access-controlled, and is not used for any other purpose.

GDPR Compliance Webhooks

All three Shopify-mandated compliance webhook topics (customers/data_request, customers/redact, shop/redact) are subscribed in our Shopify app configuration (shopify.app.toml) and are actively handled by our application. The app/uninstalled topic is also subscribed and handled. Webhook signatures are verified using HMAC-SHA256 against our shared secret on every request, and unverified requests are rejected with HTTP 401. These webhooks are served from the WB Connect application surface at app.warehousebridge.com under the path /shopify/webhooks/compliance.

All compliance webhook endpoints acknowledge receipt with HTTP 200 within Shopify's required response window (under five seconds) and queue the actual deletion, redaction or export work for asynchronous processing on our internal job queue. Webhook payloads, HMAC signatures, the verification result, and the eventual completion status of the asynchronous job are logged for audit purposes and retained for the periods set out in the Data Retention section. Where Shopify retries a webhook (for example, due to transient infrastructure issues), our handler is idempotent on the Shopify-supplied webhook ID and will not double-process.

  • customers/data_request — notifies us that a customer of the installing shop has requested the personal data we hold about them. Upon receipt, we compile that data and provide it to the merchant within 30 days of receipt. We will only respond directly to the data subject where we are legally required to do so, or where the merchant has instructed us to do so.
  • customers/redact — notifies us to delete the identified customer's personal data. We action this within 30 days of receipt, subject to legal retention obligations described in the Data Retention section above.
  • shop/redact — notifies us to delete shop and merchant personal data following app uninstall. Shopify fires this webhook 48 hours after uninstall; we action the deletion as soon as possible upon receipt and in any event within 48 hours, subject to the same legal retention exceptions.
  • app/uninstalled — fired by Shopify when the merchant uninstalls WB Connect from their store. Upon receipt, we immediately revoke the merchant's stored OAuth access token, mark the connection as terminated, and start the data retention countdown that culminates in the subsequent shop/redact action.

Data Subject and Consumer Rights

Individuals whose personal data is processed by WB Connect on behalf of a merchant have the rights afforded to them by the privacy law applicable to their place of residence. Flag Eagle LLC supports merchants in giving effect to those rights and, where directly contacted, will route the request to the appropriate merchant as described below.

For United States consumers, depending on state of residence:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to access a copy of personal information
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising (Flag Eagle LLC does not sell or share personal information for these purposes)
  • Right to limit the use of sensitive personal information (Flag Eagle LLC does not process sensitive personal information via WB Connect)
  • Right to non-discrimination for exercising these rights
  • Right of Nevada residents to submit a verified request directing Flag Eagle LLC not to sell their covered personal information under Nevada Revised Statutes 603A.340. Flag Eagle LLC does not sell personal information as defined under Nevada law, but Nevada residents may submit such a verified request to privacy@warehousebridge.com and we will honour it on a continuing basis.

For United Kingdom and European Economic Area data subjects under UK GDPR and EU GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent (where processing is based on consent)
  • Right not to be subject to a decision based solely on automated processing (WB Connect does not perform such processing on personal data)

For data processed by WB Connect on behalf of a Shopify merchant, the merchant is the business / controller and is the primary point of contact for data subject and consumer requests. Where Flag Eagle LLC is contacted directly with a request relating to personal data we process on behalf of a merchant, we will notify the merchant of the request without undue delay and will not respond substantively to the data subject other than to acknowledge receipt and direct them to the merchant, unless legally required to do otherwise or instructed by the merchant.

We will respond to US consumer rights requests within 45 days of receipt, extendable by a further 45 days where reasonably necessary, in line with CCPA/CPRA and equivalent state law timelines. We will respond to UK and EU data subject requests within one calendar month of receipt, extendable by a further two months for complex requests in line with UK GDPR and EU GDPR Article 12(3).

Requests can be sent to privacy@warehousebridge.com or by post to Flag Eagle LLC, 401 Ryland Street STE-200, Reno, NV 89502, United States.

Data subjects also have the right to lodge a complaint with a supervisory authority. In the United States, this includes the California Privacy Protection Agency (CPPA) for California residents and the Attorney General of the state of residence (including the Nevada Attorney General for Nevada residents). In the United Kingdom this is the Information Commissioner's Office (ICO, https://ico.org.uk). In the European Union it is the data protection authority of the member state where the data subject resides or where the alleged infringement took place.

Security and Breach Notification

We maintain technical and organisational measures appropriate to the nature of the personal data processed, including encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256), least-privilege access controls, logging and monitoring, and routine vulnerability management.

In the event of a security incident involving personal data we process on behalf of a merchant, Flag Eagle LLC will notify the affected merchant without undue delay and, in any event, within 72 hours of becoming aware of the incident, providing the information reasonably required for the merchant to meet its own notification obligations to data subjects and supervisory authorities.

We will additionally meet our own statutory breach notification obligations under applicable US state law, including Nevada Revised Statutes 603A.220 (which requires notification to affected Nevada residents in the most expedient time possible and without unreasonable delay), and equivalent breach notification statutes of other US states where affected residents reside.

Where a breach affects 500 or more California residents, Flag Eagle LLC will additionally submit the sample notification to the California Attorney General as required by California Civil Code 1798.82(f). Equivalent notifications will be made to other state Attorneys General (including, for example, the New York Attorney General under N.Y. Gen. Bus. Law 899-aa, the Texas Attorney General under Tex. Bus. & Com. Code 521.053, the Virginia Attorney General under Va. Code 18.2-186.6, and the Illinois Attorney General under 815 ILCS 530/) where the volume, type or jurisdictional triggers of the breach require such notification under the affected residents' state of residence.

Cookies and Tracking

WB Connect sets only first-party, strictly necessary session cookies (named session and csrf_token) for the duration of an authenticated session, expiring on browser close or after 24 hours of inactivity, whichever is sooner. These cookies contain no personal data beyond an opaque session identifier and are essential for authentication and CSRF protection.

Under the CCPA/CPRA and equivalent US state privacy statutes, no "Do Not Sell or Share My Personal Information" or "Limit the Use of My Sensitive Personal Information" link is required on WB Connect surfaces because (a) WB Connect does not sell or share personal information for cross-context behavioral advertising, (b) WB Connect does not process sensitive personal information, and (c) the cookies set are strictly necessary for authentication and security and do not enable any tracking, profiling, or targeted advertising. We do not engage in any practice that would be classified as a "dark pattern" under California Civil Code 1798.140(l) or equivalent state guidance.

Under PECR, UK GDPR, EU ePrivacy guidance, and ICO and EDPB cookie guidance applicable to UK and EU data subjects, no consent banner is required for strictly necessary cookies and none is shown.

No third-party cookies, advertising pixels, or analytics trackers are set by WB Connect on either app.warehousebridge.com or wbconnect.app.

If non-essential cookies are ever introduced, we will (a) notify merchants in advance via the Subprocessor change notification mechanism described below, (b) under US frameworks, surface any opt-out controls required by applicable state law (including a "Do Not Sell or Share" link if and only if our practices ever required one), and (c) under UK and EU frameworks, present a compliant consent banner in which refusing consent is as straightforward as granting it (single click, equal prominence), in line with EDPB Guidelines 03/2022 and ICO guidance.

Current Subprocessors

Subprocessor Services Used / Purpose Data Categories Location Certifications
Amazon Web Services, Inc. (AWS) EC2, RDS and S3 for hosting, compute, persistent storage, database and backups; CloudWatch for application logs All inbound and outbound categories listed under "Data Flows" Primary: eu-west-2 (Ireland) for production data. Control-plane services: United States. ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2 Type II, SOC 3, PCI DSS Level 1 (see note 5)
Amazon Web Services, Inc. — Simple Email Service (AWS SES) Outbound transactional email (install confirmations, fulfillment notifications to operators, data subject responses where applicable) Recipient email address, sender address, subject and body content of transactional messages eu-west-2 (Ireland) ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2 Type II, SOC 3
Shopify Inc. Source platform; supplies order, customer, product, inventory and fulfillment data via authenticated API and webhooks for the merchant's connected shop, and receives fulfillment events, tracking numbers and inventory updates back from WB Connect Order data, line items, customer shipping and billing addresses, product catalog, inventory levels, fulfillment status, store metadata Canada and the United States, plus other regions per Shopify's published sub-processor list SOC 2 Type II, SOC 3, PCI DSS Level 1, ISO 27001
Stripe, Inc. Internal billing administration tooling only — see note 6. None in respect of WB Connect Shopify merchant data. United States and Ireland PCI DSS Level 1, SOC 1, SOC 2 Type II, ISO 27001
The merchant's nominated 3PL Warehouse Customer Fulfillment processing — operates as a Subprocessor authorised by the merchant when the merchant elects to connect a 3PL via WB Connect. The 3PL receives orders, picks, packs, ships and reports tracking back through Warehouse Bridge to Shopify. The merchant authorises this onward transfer as part of their connection flow. Order data, line items, customer shipping addresses, fulfillment and tracking data United Kingdom, European Union, or United States, per the merchant's chosen 3PL Varies per 3PL. Each 3PL is contractually bound to data protection obligations no less protective than those we owe merchants. Certifications held by individual 3PLs will be supplied within 10 business days of a written request to privacy@warehousebridge.com. Merchants connecting a 3PL may also obtain certification details directly from their chosen 3PL.

Notes on the table

  1. Primary processing region. WB Connect production data is stored in AWS eu-west-2 (Ireland). Where AWS routes control-plane traffic via its US infrastructure as part of normal service operation, this is treated as an onward transfer from the EU to the US under the mechanisms described in "International Data Transfers" below.
  2. 3PL contractual chain. Where Flag Eagle LLC has a direct contractual relationship with the 3PL (typically because the 3PL uses Warehouse Bridge as its WMS under a Flag Eagle LLC WMS agreement), a Data Processing Agreement is in place between Flag Eagle LLC and that 3PL. Where the commercial 3PL relationship sits primarily between the merchant and the 3PL, equivalent data protection terms are flowed down through the merchant's own onboarding contract with the 3PL.
  3. Verification before transfer. In all cases, Flag Eagle LLC will not transfer personal data to a 3PL Subprocessor until we have either (a) executed a Data Processing Agreement directly with that 3PL, or (b) received reasonable written assurance from the merchant that equivalent data protection terms are in place between the merchant and the 3PL. The merchant may request a copy of the relevant terms or evidence of the arrangement at any time.
  4. Shopify Inc. is identified in this list because data originates from the Shopify platform and is returned to it. Shopify is a separate business / controller in its own right for the data it holds about the merchant's shop and that shop's customers; the merchant's relationship with Shopify is governed by Shopify's own terms and privacy policies.
  5. PCI DSS and cardholder data. WB Connect does not process cardholder data. Shopify processes payments natively and no card data is passed to WB Connect or to AWS via WB Connect. AWS's PCI DSS Level 1 certification is listed for completeness only and is not relied on by WB Connect for cardholder data handling.
  6. Stripe scope (important). Stripe is listed here for Flag Eagle LLC's overall vendor transparency. No Stripe charge is initiated against any Shopify merchant in connection with the WB Connect Shopify app, and no Shopify merchant data (whether merchant business data or end-customer personal data) is transferred to Stripe in connection with WB Connect. Should this ever change, this Subprocessor List will be updated and merchants will be notified at least 30 days in advance under the change procedure described below before any such processing begins.

International Data Transfers

The primary processing location for WB Connect production data is the European Union (AWS eu-west-2, Ireland). Flag Eagle LLC, as a United States entity, operates as the United States data importer in respect of personal data of UK and EEA data subjects that we process under contract with the merchant. The following lawful transfer mechanisms apply:

  • Standard Contractual Clauses approved by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs")
  • The UK International Data Transfer Agreement and the UK Addendum to the EU SCCs ("UK IDTA") for transfers of UK personal data
  • Adequacy regulations or decisions where they apply to the destination country, including the UK Extension to the EU-US Data Privacy Framework where the Subprocessor is certified
  • Subprocessor binding corporate rules where adopted
  • Supplementary technical and organisational measures consistent with EDPB Recommendations 01/2020, including encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256), access controls, logging, and transparency to data subjects regarding government access requests

Transfer mechanisms by Subprocessor:

  • Amazon Web Services, Inc. — primary processing is in the EU (eu-west-2, Ireland), so most production transfers are intra-EEA. For onward transfer to the United States (control-plane services and any administrative transfer to AWS's US parent entity), we rely on the EU SCCs plus the UK IDTA, supplemented by the UK Extension to the EU-US Data Privacy Framework where AWS is certified. We have executed the AWS Data Processing Addendum with Amazon Web Services, Inc.
  • Shopify Inc. — for transfers to Canada we rely on the EU Commission's adequacy decision for Canada (commercial organisations) where applicable; for transfers to the United States we rely on the EU SCCs plus the UK IDTA, supplemented by the UK Extension to the EU-US Data Privacy Framework where Shopify is certified. We have executed the Shopify Data Processing Addendum with Shopify Inc.
  • Stripe, Inc. — no Shopify merchant or end-customer personal data is transferred to Stripe in connection with WB Connect, so no transfer mechanism is engaged in respect of WB Connect. If WB Connect's scope ever changes such that Stripe begins processing merchant or end-customer personal data on its behalf, the EU SCCs plus the UK IDTA (supplemented by the UK Extension to the EU-US Data Privacy Framework where Stripe is certified) will apply, and merchants will be notified at least 30 days in advance under the change procedure below.
  • Merchant's nominated 3PL — typically located in the UK, EU or US. For UK/EU 3PLs, transfers are intra-UK / intra-EEA. For US-based 3PLs, transfers of a UK/EU data subject's personal data flow under the EU SCCs plus the UK IDTA, with the same supplementary measures applied. Data Processing Agreements are in place with the 3PL Warehouse Customer engaged by each merchant, either directly via Flag Eagle LLC's WMS agreement with that 3PL or flowed down through the merchant's onboarding contract with the 3PL.

We periodically verify Subprocessor participation in the EU-US Data Privacy Framework and its UK Extension via the official DPF list (https://www.dataprivacyframework.gov), reviewed quarterly. Where a Subprocessor is not currently DPF-certified for a transfer, we rely solely on Standard Contractual Clauses plus the UK Addendum with documented supplementary measures (encryption in transit using TLS 1.2 or higher, encryption at rest using AES-256, and the access controls described in our security documentation).

Notification of Subprocessor Changes

We will give merchants and other affected parties at least 30 days' prior notice before engaging any new Subprocessor or making a material change to an existing Subprocessor engagement. Notice is given by:

  1. Email to the address held on file for the merchant's WB Connect account; and
  2. A posted update to this page reflecting the change and its effective date.

In addition to email and an updated posting on this page, we may also display an in-app notification within the WB Connect dashboard for high-impact Subprocessor changes (for example, change of primary hosting region) so merchants see the change at next login.

Objection Process

If you object to a proposed new or changed Subprocessor on reasonable data protection grounds, you may notify us in writing at privacy@warehousebridge.com within 30 days of the notice being given. We will work with you in good faith to address the objection.

During the objection period and any good-faith discussions, we will not transfer your personal data to the proposed new Subprocessor. If we cannot resolve your objection, we will either (a) not engage the proposed Subprocessor in respect of your data, or (b) where engaging the proposed Subprocessor is commercially infeasible to avoid — meaning no comparable Subprocessor is reasonably available on commercially reasonable terms to provide the same service component — give you a reasonable transition period (at least 30 days) to migrate off WB Connect before the change takes effect, and we will reasonably assist with data export during that period. If we invoke this commercial-infeasibility path, we will provide you with a written explanation of why no comparable alternative is reasonably available, so that you can assess the good faith of the decision and, where you disagree, raise the matter with a supervisory authority.

You may uninstall WB Connect from your Shopify Admin at any time at no cost.

Update History

Date Change
2026-06-10 Initial publication for the WB Connect Shopify app

Contact

For any question relating to Subprocessors, data processing, or this list:

  • Privacy and data subject requests: privacy@warehousebridge.com
  • General and support enquiries: support@warehousebridge.com
  • Abuse reports: abuse@warehousebridge.com
  • Legal notices: legal@warehousebridge.com
  • Website: https://wbconnect.app
  • Postal address: Flag Eagle LLC, 401 Ryland Street STE-200, Reno, NV 89502, United States

The privacy@warehousebridge.com inbox is actively monitored during US business hours (Monday–Friday, 09:00–17:00 Pacific Time), with acknowledgment of receipt within two business days. Flag Eagle LLC has assessed its processing activities and determined that the appointment of a statutory Data Protection Officer is not required under UK GDPR or EU GDPR Article 37; an internal privacy lead is nonetheless responsible for data protection matters and is reachable at the address above.

For the purposes of CCPA/CPRA and equivalent US state consumer privacy laws, Flag Eagle LLC's authorised contact for consumer rights requests is reachable at privacy@warehousebridge.com or by post to the address above. Flag Eagle LLC has assessed its processing activities against the CCPA/CPRA business thresholds (annual gross revenue exceeding US$26,625,000; buying, selling, or sharing personal information of 100,000 or more California consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information) and determined that it does not currently meet any of those thresholds in respect of the WB Connect app. On that basis, the toll-free telephone option under California Civil Code 1798.130(a)(1)(A) is not mandatory for the WB Connect service, and consumer rights requests may be submitted via email or post as set out above. If our processing activities ever cross a CCPA/CPRA threshold, we will add a toll-free telephone option and update this page accordingly.

A note on domains: wbconnect.app is the public-facing marketing and legal domain for WB Connect (privacy notices, this Subprocessor List, support contact). app.warehousebridge.com is the technical application surface that serves the Shopify OAuth callback, the GDPR compliance webhooks at /shopify/webhooks/compliance, and the merchant-facing dashboard. Both domains are operated by Flag Eagle LLC and refer to the same product and the same legal entity.

Business / controller of record (Flag Eagle LLC's own corporate data): Flag Eagle LLC, 401 Ryland Street STE-200, Reno, NV 89502, United States. Business / controller of merchant and end-customer personal data processed via WB Connect: the installing Shopify merchant. Service provider / processor: Flag Eagle LLC.

Top