Last Updated: 2026-06-10
1. Introduction
This Cookie Policy explains how Flag Eagle LLC, a Nevada limited liability company ("Flag Eagle," "we," "us," or "our"), uses cookies and similar tracking technologies on the marketing website located at https://wbconnect.app (the "Site") and, where indicated, on the authenticated app surface at https://app.warehousebridge.com (the "App Surface"). Flag Eagle LLC trades as "Warehouse Bridge" and offers a Shopify-side connector under the sub-brand "WB Connect".
WB Connect is published in the Shopify App Store under the listing name "Warehouse Bridge v3". Throughout this policy, the names "WB Connect" and "Warehouse Bridge v3" refer to the same product. Where this policy refers to the "WB Connect app," the "Shopify app," or "the app," that reference is to Warehouse Bridge v3 as listed on the Shopify App Store.
Flag Eagle LLC is a United States company registered with the Nevada Secretary of State. Its registered-agent address for service of process is 401 Ryland Street STE-200, Reno, NV 89502, United States. For business correspondence, including privacy and cookie inquiries, please use the email addresses set out in Section 18 (Contact Us); for postal correspondence, please write to the registered-agent address above marked "Attn: Privacy Team — Flag Eagle LLC" and we will route accordingly.
This Cookie Policy should be read together with our Privacy Policy, which describes how we collect, use, and protect personal information, and contains the full notice of categories of personal information we process, the sources, recipients, retention criteria, and data-subject-rights mechanisms required by applicable US state privacy laws.
2. What Cookies and Similar Technologies Are
Cookies are small text files that a website places on your browser or device when you visit it. They allow a site to recognize your browser across pages or visits, remember preferences, and operate securely. We also use the term "cookies" loosely to refer to other client-side storage and similar technologies (such as localStorage, sessionStorage, and pixel tags) where those technologies serve a comparable function.
This policy covers:
- HTTP cookies set by us on the Site
- Browser localStorage and sessionStorage entries we use for essential UI state
- Server-set session cookies on the authenticated App Surface
- Any third-party cookies that may be set as a consequence of features described below
3. Our Position on Tracking
We have deliberately built WB Connect with a minimal tracking footprint:
- We do not currently use Google Analytics, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or any other third-party advertising or analytics tracker on the Site.
- We do not set advertising or cross-site profiling cookies.
- We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Virginia Consumer Data Protection Act, or any comparable US state privacy law.
- The App Surface sets a single essential session cookie used solely to maintain an authenticated merchant session.
Binding policy commitment. If Flag Eagle LLC ever introduces analytics, advertising, performance, functional, or cross-context tracking technologies on the Site or App Surface, we commit that we will:
- Obtain prior opt-in consent from all visitors before any non-essential cookie or similar technology is set, regardless of jurisdiction — this is a single global standard that exceeds the minimum required by US state law and matches the standard required by the UK Privacy and Electronic Communications Regulations 2003 and the EU ePrivacy Directive (2002/58/EC, as amended);
- Continue to honor the Global Privacy Control ("GPC") and "Do Not Track" browser signals as a global opt-out for all visitors, not only for residents of US states whose laws mandate such honor;
- Provide at least thirty (30) days' prior notice of the change via a prominent banner on the Site and, for users of the App Surface, by email to the registered merchant or warehouse-user contact;
- Update this Cookie Policy with the specific cookies, purposes, durations, and recipients before deployment.
This is a binding commitment of Flag Eagle LLC and is intended to be relied on by merchants and visitors when assessing whether to install or use WB Connect.
4. Cookies We Use on wbconnect.app (Marketing Site)
4.1 Strictly Necessary Cookies
These cookies are required for the Site to function and to protect it against common security threats. They are not used for analytics, advertising, or profiling. Under the UK Privacy and Electronic Communications Regulations 2003 ("PECR") and the EU ePrivacy Directive (2002/58/EC, as amended), strictly necessary cookies do not require prior consent. Under US state privacy laws (CCPA/CPRA, Colorado, Connecticut, Texas, Oregon, Virginia, Utah, Montana, and others as enacted), they are not within scope of "sale" or "share" opt-out rights, nor within scope of Nevada Revised Statutes ("NRS") Chapter 603A "sale" of covered information.
| Cookie / Storage Key | Purpose | Type | Duration |
|---|---|---|---|
| wbc_session | Maintains visitor state across pages of the Site | First-party HTTP cookie | Session (deleted when browser closes) |
| csrf_token | Anti-forgery protection for any form submission on the Site | First-party HTTP cookie | Session |
| wbc_consent | Records your cookie preference choice so we do not ask again on the same browser | First-party HTTP cookie | 12 months |
| wbc_lang | Stores your selected language / locale preference | First-party localStorage entry | Until cleared by you |
Legal basis (UK/EU visitors): Strictly necessary — no consent required under PECR / ePrivacy Directive. US treatment: Operationally necessary — not a "sale" or "share" under CCPA/CPRA, Colorado, Connecticut, Texas, Oregon, Virginia, or comparable state law; not in scope of opt-out rights under NRS Chapter 603A (including NRS 603A.340 sale opt-out).
4.2 Non-Essential Cookies
We do not currently set any non-essential, analytics, performance, functional, or advertising cookies on the Site. The commitments in Section 3 above (prior opt-in consent globally, GPC/DNT honor globally, 30 days' prior notice, policy update before deployment) apply to any future change. If this changes, the table below will be updated before such cookies are deployed and the consent banner described in Section 10.0 will be presented offering equally prominent "Accept" and "Reject" options.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| (none in use) | — | — | — |
4.3 Categories of Personal Information Collected via Cookies (CCPA/CPRA, Cal. Civ. Code § 1798.140(v))
For the purpose of the notice-at-collection obligation under California Civil Code § 1798.100(a) and the equivalent disclosure obligations under the Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, and Montana Consumer Data Privacy Act, the strictly necessary cookies and storage entries listed above collect personal information falling into the following statutory categories and serve the following business purposes:
| Statutory Category (CCPA/CPRA) | Examples in this Policy | Business Purpose (Cal. Civ. Code § 1798.140(e)) |
|---|---|---|
| Identifiers — Cal. Civ. Code § 1798.140(v)(1)(A) | wbc_session session identifier; csrf_token value | Maintaining the security and integrity of the Site; preventing fraudulent or malicious activity; providing the Site as requested |
| Internet or other electronic network activity information — § 1798.140(v)(1)(F) | Server-side request logs created when the Site is accessed; basic device/browser metadata in HTTP headers | Debugging to identify and repair errors; short-term, transient use; security and abuse prevention |
| Commercial information — § 1798.140(v)(1)(D) | None collected via cookies (the marketing Site does not process purchases) | Not applicable |
We do not collect Sensitive Personal Information (as defined in Cal. Civ. Code § 1798.140(ae) and the equivalent definitions under other US state privacy laws) through cookies or similar technologies on the Site or App Surface. Because we do not process Sensitive Personal Information through cookies, the CCPA/CPRA right to limit the use and disclosure of sensitive personal information (Cal. Civ. Code § 1798.121) does not arise in the context of this Cookie Policy. See our Privacy Policy for the full enterprise-wide treatment of any other personal information we may process.
5. Cookies on the Authenticated App Surface (app.warehousebridge.com)
The App Surface is the authenticated environment your fulfillment partner uses to operate WB Connect on your behalf, and (where applicable) where you authenticate as a Shopify merchant. It is a separate domain from the Site and is governed by access controls.
On the App Surface we set a single essential server-side session cookie:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| session | Maintains your authenticated session after login; required for the App Surface to function | First-party HTTP cookie (Secure, HttpOnly, SameSite=Lax) | Session, with idle timeout |
No analytics, advertising, or third-party cookies are set on the App Surface.
6. Third-Party Cookies
The Site does not embed third-party advertising, analytics, or social-media trackers and, in normal operation, does not cause third-party cookies to be set in your browser.
The Site and App Surface are served behind standard cloud infrastructure providers (including Amazon Web Services). In our current production configuration, AWS does not set client-visible cookies on requests to wbconnect.app or app.warehousebridge.com (e.g., AWS Application Load Balancer sticky-session cookies such as AWSALB, AWSALBCORS, and CloudFront viewer-affinity cookies are not enabled). If we enable any such infrastructure cookie in the future, this policy will be updated and the cookie added to the strictly necessary table in Section 4.1 with its purpose and duration before the change takes effect.
If you reach WB Connect via the Shopify App Store listing for "Warehouse Bridge v3", Shopify's own cookies on shopify.com and myshopify.com are governed by Shopify's privacy and cookie notices, not by this policy.
7. WB Connect Product Context
WB Connect (Shopify App Store listing: "Warehouse Bridge v3") is a free Shopify-side connector that lets a Shopify merchant connect their store to a third-party logistics ("3PL") fulfillment warehouse that uses Warehouse Bridge as its warehouse management system. The merchant installs the app free of charge through the Shopify App Store.
On installation, the OAuth callback creates a $0.00/month recurring AppSubscription through the Shopify Billing API. This is required by Shopify App Store policy 1.2.1 and produces a real merchant-visible billing record in Shopify Admin → Settings → Apps and sales channels → Charges. The merchant is never charged by Flag Eagle LLC for use of WB Connect, either through Shopify or off-platform.
The functionality of WB Connect itself is not gated behind any payment to Flag Eagle LLC or to any 3PL. All app features available at the moment of installation remain available regardless of whether the merchant has a separate fulfillment-services contract with any 3PL, and regardless of how much (if anything) the merchant pays that 3PL. We do not operate a paid tier and we do not unlock features inside the app in exchange for payment, whether through Shopify Billing or off-platform.
Any fulfillment, storage, or per-shipment charges the merchant pays for the physical movement and storage of goods are billed directly by the merchant's 3PL fulfillment partner under that 3PL's existing business-to-business agreement with the merchant. Flag Eagle LLC is not party to those fees, does not receive a share of those fees, and does not invoice the merchant for them. Those fees are entirely outside the scope of WB Connect and outside the scope of the merchant's relationship with Flag Eagle LLC.
This product context is relevant to cookies because WB Connect operates primarily server-to-server with Shopify (via API and webhooks). It does not deploy client-side trackers into the merchant's storefront or into the buyer experience.
8. How We Treat Data Subjects in Different Jurisdictions
Flag Eagle LLC is a United States company headquartered in Nevada. Our cookie practices are designed to satisfy applicable US federal and state privacy frameworks as the primary baseline, with additional UK and EU protections applied where their laws reach a particular visitor. Where two frameworks both apply to a visitor, we apply the framework that provides that visitor the stronger protection.
8.1 United States Visitors (Primary Framework)
Cookie and similar-technology use is governed primarily by US federal and state consumer-protection and privacy law. In particular:
- California (CCPA/CPRA, Cal. Civ. Code §§ 1798.100 et seq.): California residents have the right to know what personal information we collect (notice at collection — see Section 4.3), to request access, deletion, and correction, to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising, to limit the use of sensitive personal information, and to non-discrimination for exercising these rights (Cal. Civ. Code § 1798.125). As stated in Section 3, we do not sell or share personal information in that sense.
- California "Shine the Light" (Cal. Civ. Code § 1798.83): California residents may request information regarding our disclosure of personal information to third parties for those parties' direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes. Requests under § 1798.83 may be addressed to privacy@warehousebridge.com with the subject line "Shine the Light Request — California Resident."
- Nevada (NRS Chapter 603A, including NRS 603A.340 sale opt-out and NRS 603A.220 security-breach notification): Nevada residents may submit a verified request directing us not to make any "sale" of covered information. We do not engage in such sales. In the event of a qualifying security incident, NRS 603A.220 will be observed.
- Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, Montana Consumer Data Privacy Act, and other comprehensive US state privacy statutes as enacted: we honor equivalent access, deletion, correction, portability, and opt-out (sale / targeted advertising / certain profiling) rights to the extent they apply to a given visitor.
- State breach notification statutes, including NRS 603A.220 and the breach-notification statutes of other applicable US states, will be observed in the event of a qualifying security incident.
8.2 United Kingdom Visitors
For visitors in the United Kingdom, our cookie practices comply with PECR and, in respect of personal data we process, with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
8.3 European Economic Area Visitors
For visitors in the European Economic Area, our cookie practices comply with the ePrivacy Directive (2002/58/EC, as amended) as implemented in the relevant Member State, and with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR") as it applies to data subjects whose personal data we process.
8.4 Other Jurisdictions
Where another jurisdiction's law applies to a visitor and grants greater protection in respect of cookies or similar technologies than the frameworks above, we will apply that higher standard.
9. International Data Transfers
Flag Eagle LLC is a US data importer. Because Flag Eagle LLC is a US company and its personnel access platform data from the United States, transfers of personal data from the United Kingdom or European Economic Area to Flag Eagle LLC are international transfers irrespective of the physical AWS region where the data is at rest.
9.1 Hosting Regions (Accurate Naming)
- Primary hosting / data storage region: Amazon Web Services Europe (London), AWS region code eu-west-2. This is where the WB Connect application database, object storage (Amazon S3), and analytics-event stream (Amazon Kinesis) primarily reside.
- Transactional email region: Amazon SES in Amazon Web Services Europe (Ireland), AWS region code eu-west-1. This is used to send transactional notifications (e.g., account, billing, and webhook-acknowledgement emails).
- Sub-processors: Shopify (source platform — your store data originates in Shopify's infrastructure); the merchant's chosen 3PL fulfillment partner (WMS environment operated by that 3PL, where the merchant has elected to connect a 3PL); Stripe (Billing API administration for the $0/month Shopify-billed AppSubscription record only — no merchant payment passes through Stripe for WB Connect itself); Amazon Web Services (compute, storage, transactional email).
Hosting in London does not eliminate the need for international-transfer safeguards because Flag Eagle LLC and its personnel are located in the United States and access personal data from the United States. Accordingly:
9.2 Transfer Safeguards (Inbound to US)
For personal data of UK or EEA data subjects that is accessed or processed by Flag Eagle LLC in the United States, we rely on the following safeguards:
- The 2021 EU Standard Contractual Clauses as adopted by Commission Implementing Decision (EU) 2021/914, in the appropriate module(s); and
- For UK data subjects, the UK International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office (the "UK IDTA" / Addendum), or the UK International Data Transfer Agreement, as applicable.
We supplement these transfer mechanisms with the technical and organizational measures recommended in European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools, including encryption in transit (TLS 1.2 or higher) and at rest, role-based access controls, audit logging, and transparency to data subjects.
9.3 US State Law — Cross-Border Disclosure
For US state-law purposes (including the Texas Data Privacy and Security Act § 541.102 transparency requirement and the Oregon Consumer Privacy Act notice obligations), we confirm that US merchant data is processed by infrastructure physically located in the United Kingdom and (for transactional email only) Ireland. This processing occurs because Flag Eagle LLC's WMS-partner customer base is concentrated in the United Kingdom and Ireland and our infrastructure was originally provisioned in those regions for latency and operational reasons. US merchants whose data is processed via these European regions may contact privacy@warehousebridge.com for further information about cross-border processing of their data.
10. How You Can Control or Withdraw Consent
Because the Site does not currently set non-essential cookies, no opt-in consent is required for normal browsing. If we introduce non-essential cookies in the future, the controls in 10.1, 10.2, and 10.3 will apply globally to all visitors, and in any case the controls in 10.2 and 10.3 are available to you today.
10.0 Current Consent Mechanism
No cookie consent banner is currently displayed to any visitor in any jurisdiction, because the Site does not set any non-essential cookies. If we deploy any non-essential cookie in the future, then before any such cookie is set we will present every visitor (regardless of jurisdiction) with a banner offering equally prominent "Accept" and "Reject" options, in accordance with the binding policy commitment in Section 3 and the requirements of CCPA/CPRA symmetry-of-choice rules, Colorado Privacy Act rules, PECR, and the EU ePrivacy Directive.
10.1 Refusing Is As Easy As Accepting
Refusing all non-essential cookies will require no more clicks or steps than accepting them. This symmetry of choice is required by California Code of Regulations, Title 11, § 7004 (which prohibits dark patterns and asymmetrical consent flows), by the Colorado Privacy Act Rules (4 CCR 904-3, Rule 7), by the Connecticut Data Privacy Act, by the UK GDPR and PECR, and by the EU GDPR and ePrivacy Directive. We honor this symmetry as a single global standard for all visitors, regardless of jurisdiction.
10.2 Browser Controls
You can manage and delete cookies through your browser. Most modern browsers allow you to:
- View cookies and localStorage entries currently stored on your device
- Delete individual cookies or all cookies
- Block all cookies, or only third-party cookies
- Set per-site exceptions
Instructions for common browsers:
- Google Chrome: Settings → Privacy and security → Third-party cookies
- Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
- Apple Safari: Settings → Privacy → Manage Website Data
- Microsoft Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data
10.3 Global Privacy Control and Do Not Track
We honor the Global Privacy Control ("GPC") signal as a valid opt-out of any "sale" or "sharing" of personal information for cross-context behavioral advertising, and as a valid opt-out of targeted advertising and certain profiling, for residents of:
- California (per California Code of Regulations, Title 11, § 7025);
- Colorado (per 4 Colorado Code of Regulations 904-3, Rule 5.07 — Universal Opt-Out Mechanism);
- Connecticut (per the Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-518(e)(1));
- Texas (per the Texas Data Privacy and Security Act);
- Oregon (per the Oregon Consumer Privacy Act);
- Montana (per the Montana Consumer Data Privacy Act);
- and any other US state whose law recognizes a universal opt-out mechanism.
We also honor "Do Not Track" browser signals as a request not to deploy non-essential tracking.
In addition to the state-by-state honor described above, we have committed in Section 3 to honor GPC and DNT as a global opt-out for all visitors, not only where state law mandates it. As noted, we do not currently engage in any sale, share, targeted advertising, or cross-context behavioral advertising for which GPC would operate as an opt-out.
10.4 Withdrawing Consent
To withdraw a previously given cookie consent or change your preferences, you may:
- Clear cookies and site data for wbconnect.app in your browser; this will remove the wbc_consent record and you will be prompted again on your next visit (if a banner is in use at that time); and / or
- Email us at privacy@warehousebridge.com with the subject line "Cookie Consent Withdrawal".
10.5 What Happens If You Block Cookies
- If you block strictly necessary cookies, parts of the Site (and any authenticated areas of the App Surface) may not function correctly, including login and form submissions.
- Blocking the wbc_lang storage entry will reset your language preference each visit.
- Because we do not use non-essential cookies, blocking them has no operational effect today.
11. Cookie Retention Durations and CCPA/CPRA Retention Disclosure
This section satisfies the retention-disclosure obligation under California Civil Code § 1798.100(a)(3) (and the equivalent obligations under the Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Virginia Consumer Data Protection Act, and other comprehensive US state privacy laws as enacted) in respect of personal information collected through cookies and the server-side records generated by them.
11.1 Client-Side Cookie Retention
- Session cookies (wbc_session, csrf_token, App Surface session): deleted when you close your browser. The App Surface session cookie is additionally invalidated server-side after an idle timeout.
- wbc_consent (12 months): retained for up to twelve (12) months from the date your preference was recorded, after which we will ask for your preference again where consent is required.
- wbc_lang (until cleared by you): retained in your browser's localStorage until you clear browser site data; we have no server-side copy of this preference.
11.2 Server-Side Records Created by Cookie Operation
- Web-server access logs (request URL, status code, IP address, user-agent, timestamp), generated when essential cookies and HTTP requests are exchanged: retained for ninety (90) days for security, abuse-prevention, debugging, and short-term incident response, then deleted or anonymized.
- Authentication / session-audit logs on the App Surface (login, logout, session-rotation events, source IP): retained for twelve (12) months for security, fraud-prevention, and audit purposes, then deleted.
- Security-incident records that ingest the above logs into a contained investigation workspace are retained for the duration of the investigation and for up to twenty-four (24) months thereafter where required to meet our security, legal, or regulatory obligations.
11.3 Retention Criteria
Where a specific retention period is not stated above, the criteria we use to determine the period are: (i) the period necessary to fulfill the business purpose for which the information was collected (for example, providing the requested page, maintaining the authenticated session, or completing an incident response); (ii) any legal or regulatory retention obligation that applies; and (iii) the period necessary to defend or pursue legal claims. After the applicable period, the information is deleted, anonymized, or aggregated.
12. Data Subject Rights and Requests
Depending on where you are located, you may have the right to:
- Request access to personal information we hold about you (the right to know)
- Request correction of inaccurate personal information
- Request deletion of personal information
- Request portability of personal information you have provided to us
- Object to or restrict certain processing
- Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising, and of targeted advertising and certain profiling decisions (CCPA/CPRA, NRS 603A.340, Colorado, Connecticut, Texas, Oregon, Virginia, Utah, Montana, and other comparable US state laws)
- Limit the use and disclosure of sensitive personal information (Cal. Civ. Code § 1798.121); as noted in Section 4.3, we do not process sensitive personal information through cookies
- Withdraw consent where processing is based on consent (UK GDPR / EU GDPR)
- Lodge a complaint with a supervisory authority, including the UK Information Commissioner's Office (ico.org.uk), an EU/EEA Member State data protection authority, the California Privacy Protection Agency, or the office of the Attorney General of any US state with jurisdiction
12.1 Non-Discrimination (Cal. Civ. Code § 1798.125 and equivalent)
We will not discriminate against you for exercising any of your privacy rights. This means we will not deny you goods or services, charge you a different price or rate, provide you a different level or quality of service, or suggest that we will do any of these things, because you exercised a privacy right under CCPA/CPRA, NRS 603A, or any other US state privacy law.
12.2 Methods for Submitting Requests
You may submit a verifiable privacy request, including a request for access, correction, deletion, portability, or opt-out, by emailing privacy@warehousebridge.com.
Because Flag Eagle LLC operates exclusively online with respect to merchants and visitors and has no offline interaction with consumers in the context of cookies, we provide a single online submission method as permitted by California Civil Code § 1798.130(a)(1)(A) for businesses that operate exclusively online and have a direct relationship with the consumer from whom they collect personal information. We will verify your request using information you have provided to us (for example, your registered email address) and will respond within the timeframes mandated by the applicable framework (typically 45 days under CCPA/CPRA, extendable by an additional 45 days where reasonably necessary, and one month under UK GDPR / EU GDPR, extendable by two further months where the request is complex).
12.3 Authorized Agents
You may designate an authorized agent to make a request on your behalf (Cal. Civ. Code § 1798.135(c) and 11 CCR § 7063). If you use an authorized agent, please ensure the agent emails privacy@warehousebridge.com with: (a) signed written permission from you authorizing the agent to act on your behalf; (b) verification of your own identity directly to us; and (c) the specific request being made. We may deny a request from an agent who cannot demonstrate authority.
13. Shopify Compliance Webhooks and Protected Customer Data
For Shopify merchants who install WB Connect (Shopify App Store listing: "Warehouse Bridge v3"), Shopify forwards the mandatory GDPR compliance webhooks — customers/data_request, customers/redact, and shop/redact — together with the related app/uninstalled lifecycle webhook, to our endpoint at https://app.warehousebridge.com/shopify/webhooks/compliance. The app/uninstalled webhook is a Shopify lifecycle webhook (not itself a GDPR webhook) that triggers our merchant-data lifecycle described below. We handle all of these webhooks in accordance with Shopify's developer requirements (including Shopify Protected Customer Data requirements and App Store policy 4.4) and with applicable privacy law. These webhooks operate at the API/data layer and do not involve cookies set in any merchant's or shopper's browser.
13.1 Data Handled
In connection with the WB Connect app, we receive and process the following categories of data via the Shopify API:
- Shopify Protected Customer Data: customer shipping and billing addresses associated with orders, customer names where present on orders, customer order history, and order line items.
- Merchant store data: product catalog (titles, SKUs, variants, prices), inventory levels, fulfillment status, store metadata (shop name, domain, plan name, owner email).
- OAuth credentials: the access token issued by Shopify on app install.
We treat all customer personal data described above as Shopify Protected Customer Data for the purposes of Shopify's Protected Customer Data requirements, and apply the access controls, encryption, logging, and minimization measures required by those requirements.
13.2 Customer Data Request (customers/data_request)
When Shopify forwards a customers/data_request webhook, we will, within thirty (30) days of receipt, locate any customer personal data associated with the identified customer (across order records, address records, and any cached fulfillment data) and return that data to the merchant (or directly to the customer where the merchant directs us to do so) in a portable format. If we hold no data matching the request, we will respond accordingly.
13.3 Customer Redact (customers/redact)
When Shopify forwards a customers/redact webhook, we will, within thirty (30) days of receipt, permanently delete or irreversibly anonymize all customer personal data associated with the identified customer held in our systems, including any cached customer records, address records, and fulfillment metadata linked to that customer. Data we are required to retain for legal, tax, or fraud-prevention reasons (where applicable) will be isolated and access-restricted; we will state any such retention if it applies to the specific request.
13.4 Shop Redact (shop/redact) and app/uninstalled Lifecycle
When a merchant uninstalls WB Connect, Shopify sends the app/uninstalled webhook. We immediately:
- Mark the merchant's connection inactive and stop processing further events;
- Invalidate the merchant's OAuth access token;
- Cancel the $0/month Shopify AppSubscription billing record;
- Cease all outbound API calls and webhook subscriptions for that shop.
Shopify subsequently sends the shop/redact webhook approximately forty-eight (48) hours after uninstall (Shopify's standard grace window). Upon receiving shop/redact, we will, within ninety (90) days of receipt (consistent with Shopify's developer guidance), permanently delete the merchant's shop data including any remaining cached order records, product cache, OAuth credentials, webhook subscription records, and any analytics events derived from that shop's data, except where retention is required by applicable law (e.g., for security incident records under Section 11.2 or for tax/legal record-keeping).
13.5 Merchant Data Lifecycle Summary
| Event | Action | Maximum Timeframe |
|---|---|---|
| customers/data_request received | Locate and return customer data, or confirm none held | 30 days |
| customers/redact received | Delete or irreversibly anonymize customer personal data | 30 days |
| app/uninstalled received | Invalidate token, mark connection inactive, cancel $0 subscription, stop API/webhook calls | Immediately on receipt |
| shop/redact received | Delete merchant shop data (orders cache, products cache, tokens, webhook records, derived events) | 90 days |
| Security or audit logs containing shop or customer references | Retained per Section 11.2 retention schedule, then deleted | 90 days (access logs) / 12 months (auth logs) / up to 24 months (incident records) |
14. Children
The Site and WB Connect are intended for business users. They are not directed at children, and we do not knowingly use cookies to collect personal information from children.
- United States (COPPA, 15 U.S.C. § 6501 et seq.): We do not knowingly collect personal information from children under the age of 13. If you believe we have inadvertently collected personal information from a child under 13, please contact privacy@warehousebridge.com and we will delete it.
- California residents under 16 (CCPA/CPRA, Cal. Civ. Code § 1798.120(c)): We do not sell or share personal information of California residents under 16 without affirmative opt-in consent (from the consumer if 13-15, or from a parent/guardian if under 13). As stated in Section 3, we do not sell or share personal information at all.
- United Kingdom and European Economic Area: We comply with the applicable age of digital consent under UK GDPR and EU GDPR (typically between 13 and 16 depending on the EU Member State or UK position). Our cookie practices do not currently rely on consent at all (only strictly necessary cookies are used), so this age does not currently restrict our processing.
15. Changes to This Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in our practices, the technologies we use, applicable laws, or other operational, legal, or regulatory reasons. The "Last Updated" date at the top of this policy indicates when it was most recently revised.
Notice of material changes. A "material change" includes (without limitation): the introduction of any non-essential, analytics, advertising, performance, or functional cookie or similar technology; any change in the categories of personal information collected via cookies; any change in the parties with whom such information is shared; any change in the cross-border transfer mechanisms in Section 9; or any change in the data-subject-rights mechanisms in Sections 10 and 12.
For material changes we commit to:
- (a) Posting a prominent banner notice on the Site for at least thirty (30) days before the change takes effect;
- (b) Providing at least thirty (30) days' prior notice before the change takes effect, regardless of whether prior notice is strictly required by law in the visitor's jurisdiction;
- (c) For users of the App Surface (warehouse users and authenticated merchants), sending email notification to the registered contact email at least thirty (30) days before the change takes effect;
- (d) For any change that introduces a non-essential cookie or similar technology, obtaining prior opt-in consent from all visitors (globally, not only where required by law) before any such cookie is set, consistent with the binding policy commitment in Section 3;
- (e) Keeping an archived copy of the prior version of this Cookie Policy available on request at privacy@warehousebridge.com for at least twelve (12) months after the change.
Non-material changes (e.g., typographical corrections, contact-information updates, formatting changes that do not affect substantive rights or processing) may be made by updating the "Last Updated" date without prior notice.
16. Governing Law
This Cookie Policy is a notice issued by Flag Eagle LLC. Where it constitutes a contract or legally enforceable commitment, that commitment is governed by the laws of the State of Nevada, United States, without regard to its conflict of law principles. Disputes arising from Flag Eagle LLC's commercial Terms of Service are addressed in those Terms; this Cookie Policy does not itself require the visitor or merchant to arbitrate disputes about cookie use.
Nothing in this Cookie Policy — and nothing in any governing-law, forum, or arbitration provision contained in Flag Eagle LLC's other agreements — limits, waives, or restricts:
- any non-waivable right or remedy under California, Massachusetts, Montana, or other applicable US state consumer-protection or privacy law (including the right of California residents to bring small-claims-court actions and the right to lodge complaints with the California Privacy Protection Agency or any US state Attorney General with jurisdiction);
- the right of a UK or EEA data subject to lodge a complaint with the UK Information Commissioner's Office, an EU/EEA Member State data protection authority, or any other competent supervisory authority;
- the right of a UK or EEA data subject to bring statutory data-subject-rights claims in the courts of the data subject's habitual residence or place of work to the extent permitted by Article 79 UK GDPR / Article 79 EU GDPR;
- the right of any visitor or data subject to pursue statutory remedies available in their home jurisdiction in respect of cookies, consent, or personal data processing.
Where any forum or dispute-resolution provision elsewhere in Flag Eagle LLC's agreements purports to require arbitration of a cookie or privacy claim, that requirement does not apply to (i) claims by UK or EEA data subjects under UK GDPR / EU GDPR, (ii) statutory data-subject-rights claims that cannot be waived by contract in the data subject's home jurisdiction, (iii) the lodging of complaints with regulators, or (iv) US state-law consumer-protection or privacy claims that cannot be waived under applicable state law.
17. Severability
If any provision of this Cookie Policy is found to be unenforceable in whole or in part by a court or supervisory authority of competent jurisdiction, the remaining provisions will continue in full force and effect.
18. Contact Us
For questions about this Cookie Policy or about our cookie practices, please contact:
Flag Eagle LLC (trading as Warehouse Bridge; Shopify App Store listing: "Warehouse Bridge v3" / sub-brand "WB Connect") 401 Ryland Street STE-200 Reno, NV 89502 United States (Registered-agent address for service of process; postal correspondence may be addressed to this address marked "Attn: Privacy Team — Flag Eagle LLC" and will be routed to the Privacy Team electronically.)
- Privacy, cookies, and data subject requests (including CCPA, UK GDPR, EU GDPR, and other US state privacy law requests): privacy@warehousebridge.com
- General and support: support@warehousebridge.com
- Legal: legal@warehousebridge.com
- Abuse / security reports: abuse@warehousebridge.com
- Website: https://wbconnect.app
- Shopify App Store listing: Warehouse Bridge v3