Last Updated: 2026-06-10

1. Introduction

Flag Eagle LLC is a Nevada-incorporated United States business. This Privacy Policy is written from a US-primary perspective, with United Kingdom and European Union privacy rights applied to data subjects in those territories where Flag Eagle LLC processes their personal data.

This Privacy Policy explains how Flag Eagle LLC ("Flag Eagle", "we", "us" or "our"), a Nevada limited liability company trading as "Warehouse Bridge", collects, uses, discloses, protects, and retains personal information in connection with WB Connect — our free Shopify-side connector that links a merchant's Shopify store to a third-party logistics ("3PL") fulfillment warehouse that uses Warehouse Bridge as its warehouse management system ("WMS").

WB Connect is the merchant-facing sub-brand of Warehouse Bridge. On the Shopify App Store the application is listed under the developer name "Warehouse Bridge v3" and presented to merchants as "WB Connect". This Policy applies to:

the WB Connect Shopify application, operated on Warehouse Bridge's shared application infrastructure at app.warehousebridge.com (which hosts the OAuth callback, the Shopify-mandated GDPR compliance webhooks described in Section 8, and the order, product and inventory webhook endpoints);
the website at https://wbconnect.app and its subdomains; and
any related support, documentation, or transactional communications we send in connection with WB Connect.

The two domains (wbconnect.app and app.warehousebridge.com) are operated by the same data controller, Flag Eagle LLC, and any data processed at either surface is subject to this Policy.

In this Policy, references to obligations and rights apply to Flag Eagle LLC as the legal entity, regardless of whether we are referred to by our trading name (Warehouse Bridge) or by the WB Connect product brand.

This Policy is written to comply with the privacy laws that apply to a Nevada-based business serving merchants and shoppers globally. Because Flag Eagle LLC is a United States business, US privacy frameworks are listed first and form the primary lens for our processing; UK and EU frameworks then apply to data subjects in those jurisdictions. The applicable frameworks include: the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the "CCPA"); Nevada's online privacy notice law (Senate Bill 220, codified at NRS Chapter 603A); Nevada's data-breach notification law (NRS 603A.220) and equivalent breach-notification statutes in other US states (including, without limitation, California Civil Code § 1798.82); other applicable US state comprehensive privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and equivalent state laws as they come into effect); the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 ("PECR") for data subjects in the United Kingdom; the EU General Data Protection Regulation ("EU GDPR") for data subjects in the European Economic Area; and the Shopify Partner Programme requirements applicable to apps distributed through the Shopify App Store.

1.1 Who we are (Data Controller)

Field	Detail
Legal entity	Flag Eagle LLC
Jurisdiction of formation	State of Nevada, United States
State filing	Registered with the Nevada Secretary of State; entity details are publicly searchable through the Nevada Secretary of State business entity search at https://www.nvsos.gov/sosentitysearch under the entity name "Flag Eagle LLC". The current Nevada business identification number is available on written request to legal@warehousebridge.com
Trading name	Warehouse Bridge
Product brand (Shopify)	WB Connect
Shopify App Store developer name	Warehouse Bridge v3
Registered address	401 Ryland Street STE-200, Reno, NV 89502, United States
Marketing website	https://wbconnect.app
Application surface	https://app.warehousebridge.com
Privacy contact	privacy@warehousebridge.com
General support	support@warehousebridge.com
Abuse reports	abuse@warehousebridge.com
Legal notices	legal@warehousebridge.com

For the personal data described in this Policy, Flag Eagle LLC acts as the business (under CCPA terminology) — equivalent to the data controller under UK GDPR / EU GDPR — in relation to (a) merchant account holders who install and configure WB Connect, (b) visitors to https://wbconnect.app, and (c) any party who corresponds with us at the contact addresses above.

In relation to end-customer personal data ingested from a merchant's Shopify store (for example, a shopper's name and shipping address attached to an order), Flag Eagle LLC acts as a service provider (under CCPA terminology) — equivalent to a data processor under UK GDPR / EU GDPR — on behalf of the merchant; the merchant is the business / controller of that data and Shopify is its source platform. The merchant's own privacy policy governs the merchant's relationship with their shoppers. All processing of end-customer personal data by Flag Eagle — including any incidental processing for the security, abuse-prevention, fault-diagnosis and audit purposes described in Section 4 — is carried out only on the merchant's documented instructions, consistent with CCPA service-provider obligations and (where the data subject is in the UK or EEA) Article 28 UK GDPR / EU GDPR, as further described in Section 4.

2. Scope of the Service: WB Connect is Free

WB Connect itself is free. Merchants are not charged by Flag Eagle LLC, on or off the Shopify platform, for installing or using WB Connect.

Installing WB Connect creates a $0.00 / month recurring app charge through the Shopify Billing API. This zero charge appears in the merchant's Shopify Admin under Settings → Apps and sales channels → Charges as a record of the installation. It is a Shopify-administered billing record only; Flag Eagle LLC does not currently collect any money under this $0.00 charge.

If WB Connect ever introduces paid features in the future, those charges will be administered exclusively through the Shopify Billing API in accordance with Shopify App Store requirements (including the billing requirements set out in the Shopify Partner Programme Agreement, Section 9 (Application Charges)), and any new pricing will be disclosed in the Shopify App Store listing and to existing merchants before it takes effect. Flag Eagle LLC will not bill any Shopify merchant for use of WB Connect off-platform.

Any warehousing, fulfillment, pick-and-pack, freight, storage, or per-shipment fees that a merchant pays to a 3PL warehouse partner arise solely from the merchant's own pre-existing commercial contract with that 3PL. Those fees:

are not charged through WB Connect;
are not invoiced or collected by Flag Eagle LLC;
are not processed through the Shopify Billing API by Flag Eagle;
are not a condition imposed by Flag Eagle LLC or by Shopify of installing or continuing to use the WB Connect app; and
exist independently of the merchant's decision to install WB Connect.

WB Connect provides the same functionality regardless of the commercial terms the merchant has agreed with its 3PL.

3. Personal Data We Collect

We collect three categories of personal data: (i) merchant-account data, (ii) end-customer order data ingested from Shopify on the merchant's behalf, and (iii) visitor data collected directly via https://wbconnect.app.

3.1 Data we collect from a merchant via the Shopify API

When a merchant installs WB Connect, Shopify prompts them to authorise the OAuth scopes set out below. The scopes listed here correspond 1:1 to the access scopes declared in our published shopify.app.toml. Every scope is requested at install (none is conditional on a feature flag), and we only request scopes that are necessary to operate the connector. WB Connect is not registered as a Shopify fulfillment service; the merchant remains the manager of the fulfillment order in Shopify, and WB Connect simply submits fulfillment events to the merchant-managed fulfillment order on the merchant's behalf:

Shopify scope	Why we need it
`read_orders`	To read incoming orders so we can route them to the merchant's 3PL warehouse for fulfillment.
`write_orders`	To write back order-level changes (for example, notes and tags) that arise from fulfillment activity, and to keep order state in sync with the 3PL.
`read_products`	To synchronise the merchant's product catalog (titles, SKUs, variants, weights) so the 3PL can identify what to pick.
`write_products`	To push product updates that originate from the 3PL's WMS (for example, weight or dimension corrections) back to Shopify so the storefront stays accurate.
`read_inventory`	To read inventory levels per location so the 3PL's stock view stays accurate.
`write_inventory`	To push inventory adjustments from the 3PL's WMS back into Shopify so the storefront reflects real availability.
`read_fulfillments`	To read existing fulfillment state and avoid duplicating events.
`write_fulfillments`	To post fulfillment events and tracking numbers back to Shopify once the 3PL ships the order.
`read_locations`	To map the merchant's Shopify locations to the 3PL's warehouse location(s).
`read_merchant_managed_fulfillment_orders`	To read fulfillment orders that the merchant continues to manage themselves (WB Connect is not a registered Shopify fulfillment service) so that WB Connect can identify the orders that require routing to the merchant's nominated 3PL.
`write_merchant_managed_fulfillment_orders`	To submit fulfillment progress and completion events back to the merchant-managed fulfillment order once the 3PL has picked, packed and shipped on the merchant's behalf.

The specific personal data items received from Shopify under these scopes include:

Order data: order ID, order number, order status, currency, totals, payment status (boolean only — we do not store card data), tags, notes, channel of origin, order creation/update timestamps.
Line items: product title, SKU, variant, quantity, unit price, weight, and fulfillable quantity.
Customer shipping and billing addresses (end-customer personal data): recipient name, company, street address, city, region/state, postal/ZIP code, country, phone number, and email address where the shopper has supplied it to the merchant. We process this on behalf of the merchant strictly to enable the 3PL to ship the order.
Product catalog: product/variant identifiers, SKU, title, description, images (URLs), pricing, weight, barcodes.
Inventory levels per Shopify location.
Fulfillment status and existing fulfillment records.
Store metadata: shop domain (.myshopify.com), shop name, shop owner email and name, billing address of the shop, plan name, currency, and time zone.

We do not receive, request, or store payment card numbers, CVV codes, or full bank account credentials. Shopify Payments and the merchant's payment processors handle that data outside of WB Connect.

3.2 Data we collect directly from a merchant

When a merchant installs the app, contacts our support team, or uses the merchant-facing screens of WB Connect, we collect:

Contact details: name and business email address (defaulted from the Shopify shop owner record on install, editable thereafter), business name, and optional phone number for support.
Account information: an internal merchant user account is provisioned so we can attribute API calls and audit logs to the correct shop. The email recorded on this account is the real shop owner email retrieved from the Shopify shop record where it is available; where it is not available, we generate a deterministic synthetic email derived from the shop handle (in the form shopify+{shop_handle}@warehousebridge.local). A random password is set on the account so that it is technically valid; the merchant authenticates to it exclusively via the Shopify OAuth flow and does not need to set or remember a password with us.
Support correspondence: any messages, screenshots, or files a merchant sends to support@warehousebridge.com, including the metadata of those emails (subject, sent time, IP and mail headers).
Automated app-usage logs: authenticated API requests made by the merchant within WB Connect, including timestamp, requested endpoint, HTTP status code, the merchant's Shopify shop domain, the source IP address of the request, the user-agent string, and a correlation/request ID. These logs are used for diagnostics, abuse detection, security monitoring, and audit.

3.3 Data we collect from visitors to https://wbconnect.app

When you visit the WB Connect marketing website at https://wbconnect.app, we may collect:

Strictly necessary technical data: IP address, browser type and version, operating system, referring URL, the pages you request, response status codes, and timestamps. This data is logged automatically by our hosting infrastructure for security and to deliver the site to your browser.
Navigation and engagement data if you give consent to non-essential analytics cookies (see Section 11): pages viewed, time on page, scroll depth, and aggregated session statistics.
Voluntary contact data: if you fill in a contact form or email us, we collect the data you choose to submit (typically name, email, company, and your message).

We do not set non-essential cookies, advertising pixels, third-party analytics tags, or fingerprinting scripts before you give explicit, granular consent via the cookie banner described in Section 11.

3.4 Data we do not collect

We do not knowingly collect: government identification numbers, payment card primary account numbers, biometric data, special category data (as defined in Article 9 UK GDPR), or any data from individuals we know or have reason to believe are under 16 years of age. CCPA-defined "sensitive personal information" (Cal. Civ. Code § 1798.140(ae)) is not knowingly collected beyond what is reasonably necessary to provide the WB Connect service, consistent with Cal. Civ. Code § 1798.121(a).

4. How We Use Personal Data, the Legal Basis, and Our Service-Provider Commitments

We process personal data only for the purposes set out below. For US data subjects we identify the CCPA business purpose for which the data is processed; for UK/EU data subjects we identify the UK GDPR / EU GDPR Article 6 lawful basis. The same processing activity is described under both frameworks where it is relevant to both. US privacy frameworks are listed first because Flag Eagle LLC is a US business.

Purpose	Categories of data	CCPA business purpose	UK GDPR / EU GDPR Article 6 lawful basis (where data subject is in the UK / EEA)
Provide the WB Connect service: receive orders from Shopify, route them to the merchant's nominated 3PL, and post fulfillment events and tracking back to Shopify.	Order data, line items, end-customer shipping address, product catalog, inventory, fulfillment status, store metadata.	Performing services on behalf of the merchant (CCPA service-provider role): order routing, fulfillment, and account maintenance.	(b) Performance of a contract with the merchant; in respect of end-customer addresses, processed on the merchant's documented instructions as the merchant's processor under Art. 28.
Authenticate the merchant and maintain the OAuth connection.	Shop domain, store metadata, OAuth tokens, app-usage logs.	Maintaining account integrity and quality of services; security and fraud prevention.	(b) Performance of contract; (f) legitimate interests in operating the connector securely.
Send transactional emails (install confirmation, OAuth re-authorisation prompts, GDPR webhook acknowledgements, security notices, service outage notices).	Merchant contact details.	Performing services on behalf of the merchant; compliance with legal obligations.	(b) Performance of contract; (c) compliance with legal obligation (where security or breach notification is required).
Diagnose faults, prevent abuse, detect fraud, and secure our infrastructure.	App-usage logs, IP address, user-agent, request IDs. Incidentally, end-customer identifiers may appear in logs (for example, in error traces).	Detecting security incidents, protecting against malicious or fraudulent activity, and short-term transient use as expressly permitted by Cal. Civ. Code § 1798.140(e)(4).	(f) Legitimate interests in keeping our service secure and reliable, in respect of merchant-controller data. In respect of any end-customer personal data, processing is carried out only on the merchant's documented Art. 28 instructions, as part of providing the service securely.
Comply with Shopify Partner Programme obligations, including processing the GDPR compliance webhooks (Section 8).	Whatever data is referenced by the webhook payload (typically customer email, order IDs, or shop domain).	Compliance with legal obligations and platform partnership obligations.	(c) Compliance with a legal obligation; (f) legitimate interests in honouring our platform partnership obligations.
Operate the marketing website and contact form at https://wbconnect.app.	Technical logs, voluntary contact data.	Site operation, security, and responding to user-initiated requests.	(f) Legitimate interests in running the site; (a) consent for non-essential cookies and analytics.
Defend, exercise, or establish legal claims.	Any of the above.	Compliance with legal obligations and exercising or defending legal claims.	(f) Legitimate interests; (c) legal obligation.

CCPA service-provider commitment. When we process end-customer personal data on behalf of a merchant (such as a shopper's shipping address attached to an order), we act as a service provider under the CCPA. We will not (i) sell or share that data, (ii) retain, use, or disclose it for any purpose other than the specific business purposes specified in our agreement with the merchant, (iii) retain, use, or disclose it outside the direct business relationship with the merchant, or (iv) combine it with personal information that we receive from other sources, except as expressly permitted by Cal. Civ. Code § 1798.140(ag)(1).

UK GDPR / EU GDPR Art. 28 boundary clarification. Where the data subject is in the UK or EEA, the same end-customer personal data is processed only on the documented instructions of the merchant under Article 28 of the UK GDPR / EU GDPR. The security, abuse-detection, fault-diagnosis and audit activities listed above are part of providing the WB Connect service to the merchant and are therefore carried out within those documented instructions. We will not use end-customer personal data for any purpose other than providing the service to the merchant, unless we are required to do so by law.

We do not use merchant or end-customer personal data for purposes beyond providing the connector and meeting the operational, legal, and security obligations listed above. In particular, we do not:

sell personal data;
share personal data with advertising networks;
use end-customer data to market to the end customer;
train machine-learning or generative-AI models on merchant or end-customer personal data; or
enrich profiles of end customers using third-party data sources.

5. Who We Share Personal Data With

We share personal data only with the categories of recipient listed below, and only to the extent necessary.

5.1 Shopify (source platform — not a sub-processor)

Shopify Inc. and its affiliates are the source platform from which we ingest merchant and end-customer data via the Shopify APIs and webhooks, and to which we push fulfillment, inventory, and billing-record events. Shopify is not a sub-processor commissioned by Flag Eagle LLC; the parties' respective roles are defined by the Shopify Partner Programme Agreement and Shopify's own Data Processing Addendum. Shopify's processing of personal data is governed by Shopify's Privacy Policy, available at https://www.shopify.com/legal/privacy. We encourage merchants and shoppers to review it alongside this Policy.

5.2 The 3PL Warehouse Customer using Warehouse Bridge

The merchant's nominated 3PL fulfillment warehouse — the warehouse customer that operates Warehouse Bridge as its WMS — receives the order, line item, and customer shipping address data necessary to pick, pack, and ship the merchant's orders. The merchant chooses which 3PL to connect to (typically via an invitation link issued by that 3PL or by selecting the 3PL during onboarding) and has a direct contractual relationship with that 3PL. The existence of a commercial relationship between the merchant and a 3PL is a matter solely between those two parties; Flag Eagle LLC does not require, broker, or take a commission on that relationship, and installation of WB Connect from the Shopify App Store is not conditional on the merchant having paid any fee to a 3PL.

Roles under applicable privacy law. For the data flow that runs through WB Connect, the 3PL receives end-customer order data on the merchant's instruction. To the extent the 3PL uses that data only to pick, pack, ship, and confirm fulfillment of the order, the 3PL acts as a further service provider / further processor of the merchant. To the extent the 3PL uses the data for its own purposes (for example, carrier-account administration, customs paperwork, freight-claim records, or its own statutory record-keeping), the 3PL acts as an independent business / controller for those specific purposes. The merchant's contract with the 3PL governs that relationship in full. The 3PL is not a sub-processor of Flag Eagle LLC: it does not act on Flag Eagle's instructions, it is selected and contracted by the merchant, and it is identified separately in this Section 5 rather than in the Flag Eagle sub-processor list at Section 5.3.

What this means for the merchant — recommended action. Because the merchant remains the business / controller of its end-customer personal data, the merchant should ensure that its own commercial contract with the 3PL includes appropriate data-processing terms — CCPA-compliant service-provider terms where the 3PL handles California-resident data, and Article 28 UK GDPR / EU GDPR terms where the 3PL handles UK or EEA data subject data (covering subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the controller's obligations and rights) — before connecting WB Connect to that 3PL. We can provide a template business-to-service-provider / controller-to-processor data processing agreement on request, free of charge, by emailing privacy@warehousebridge.com.

What this means for the merchant — limit of our responsibility. Once data is passed to the 3PL, the protections of this Policy stop applying to the 3PL's independent-business / independent-controller uses of that data. Merchants are encouraged to review their 3PL partner's privacy policy in addition to entering into the data processing agreement described above. Flag Eagle LLC is not responsible for the 3PL's independent-business / independent-controller processing of personal data once transmitted. For the avoidance of doubt, this limitation is scoped only to the 3PL's independent processing for the 3PL's own purposes; Flag Eagle LLC remains fully responsible, under this Policy and applicable law, for its own continuing processing of that same personal data within the WB Connect environment — for example, in the WB Connect database, encrypted backups, application logs, audit trails, and support correspondence — which continues to be governed by this Policy and (where applicable) by our CCPA service-provider commitments and Article 28 UK GDPR / EU GDPR obligations to the merchant.

5.3 Our sub-processors

We engage the following sub-processors. A sub-processor is a third party engaged by Flag Eagle LLC to process personal data on Flag Eagle's behalf, on Flag Eagle's instructions, and under a written data processing agreement that meets CCPA service-provider requirements and (for UK/EEA data subject data) UK GDPR / EU GDPR Article 28 requirements.

Sub-processor	Role	Processing location
Amazon Web Services, Inc. ("AWS")	Compute, database, and object storage hosting for the WB Connect application and its data.	Primary storage and processing in the AWS eu-west-2 (Ireland) region. AWS-operated infrastructure in other regions may be used for resilience, disaster recovery, and content-delivery purposes, supported by Standard Contractual Clauses (Implementing Decision (EU) 2021/914), the UK Addendum to the EU SCCs and/or the UK IDTA, and where the receiving entity is self-certified, the EU-U.S. Data Privacy Framework and the UK Extension.
Amazon Simple Email Service ("AWS SES")	Sending transactional email to merchants (install confirmations, security notices, webhook acknowledgements).	AWS-operated regions used to deliver transactional email, supported by Standard Contractual Clauses with the UK Addendum / IDTA where applicable, and the EU-U.S. Data Privacy Framework and UK Extension where the receiving entity is self-certified.
Stripe, Inc. and its affiliates ("Stripe")	Billing API administration for Flag Eagle LLC's general business operations. Important scope limitation: Stripe is not used to charge any Shopify merchant in connection with WB Connect. The $0.00 / month WB Connect AppSubscription is administered exclusively through the Shopify Billing API (see Section 2). Flag Eagle LLC uses Stripe only for billing administration of other Warehouse Bridge products that are sold separately to 3PL warehouse partners under different commercial agreements outside the Shopify App Store. A 3PL's name and billing contact (which may include a contact person's name and business email) may be stored in Stripe in that separate, non-Shopify context. No Shopify merchant payment data, and no end-customer personal data ingested via WB Connect, is transmitted to Stripe by Flag Eagle LLC.	United States, with onward Stripe-administered processing supported by the EU-U.S. Data Privacy Framework, the UK Extension, and/or Standard Contractual Clauses with the UK Addendum / IDTA where applicable for transfers from the UK/EEA.

Each sub-processor is bound by a written data processing agreement that meets the requirements of the CCPA's service-provider rules and (for UK/EEA data subject data) Article 28 UK GDPR / EU GDPR.

Note on the 3PL Warehouse Customer. The 3PL fulfillment warehouse that the merchant elects to connect to (see Section 5.2) is not listed in the table above because it is not a Flag Eagle sub-processor. The 3PL is selected by the merchant, contracted by the merchant, and acts on the merchant's instructions (or, for its own purposes, as an independent business / controller as described in Section 5.2).

5.4 Professional advisers and auditors

We may share limited personal data with our accountants, auditors, insurers, and external legal counsel when reasonably necessary to obtain professional advice or to defend our legal rights. They are bound by duties of confidentiality.

5.5 Law enforcement and regulators

We may disclose personal data where we are legally required to do so by a competent court, regulator (including the California Privacy Protection Agency, the California Attorney General, the Nevada Attorney General, the Federal Trade Commission, the UK Information Commissioner's Office, or an EEA data protection authority), tax authority, or law enforcement agency, or where disclosure is necessary to protect the vital interests of an individual or the security of our service.

5.6 Business transfers

If Flag Eagle LLC is involved in a merger, acquisition, financing, reorganisation, or sale of all or substantially all of its assets, personal data may be transferred to the acquiring party. Where this occurs:

we will provide notice via the WB Connect website and to the merchant's primary contact address on file at least 30 days before any personal data becomes subject to a different privacy policy;
the data will remain subject to the protections promised in this Policy until that date;
if you do not accept the acquiring party's privacy policy, you may uninstall WB Connect and request deletion of your personal data under Section 9 at any time before or after the change takes effect, without penalty; and
we (or the acquirer) will honour any deletion request received in that context before the new policy is applied to the data covered by the request, subject only to the minimum retention required by law. For example, the acquirer may need to retain Flag Eagle LLC's financial and tax records for the periods prescribed by applicable US federal and state record-keeping rules (typically up to 7 years), but operational order, customer, and inventory data will be deleted as requested.

6. Where We Store and Process Personal Data

Flag Eagle LLC is established in the State of Nevada, United States. The WB Connect application stores and processes personal data primarily in the AWS eu-west-2 (Ireland) region, which is chosen for compute proximity to merchants and shoppers and to keep operational data within an EU member state by default. Personal data may also be transferred to or accessed from the United States by Flag Eagle LLC and its US-based personnel for the limited administrative, support, and security purposes described in Section 4, and to or from other AWS regions for resilience, disaster recovery, and content-delivery purposes.

Personal data is transferred to or accessed from the following jurisdictions for the limited purposes described:

Ireland (AWS eu-west-2) — primary storage and processing location for the WB Connect application database, object storage, and compute resources operated for Flag Eagle LLC.
United States — where Flag Eagle LLC (as the US-incorporated data controller) administers, secures, supports, and audits the service; where Shopify Inc. operates source-platform infrastructure that ingests order, customer, and store metadata via Shopify APIs and webhooks; where AWS operates transactional email delivery via AWS SES; and where Stripe operates billing administration infrastructure used only for Flag Eagle LLC's separate, non-Shopify products as scoped in Section 5.3.
Canada and the European Union — where Shopify Inc. operates additional source-platform and Billing API infrastructure (including the channel used to record the $0 AppSubscription).
Other AWS regions — where AWS operates resilience, disaster-recovery, content-delivery, or administrative traffic infrastructure on Flag Eagle's behalf.

6.1 Cross-border transfers from the UK or EEA to the United States

Because Flag Eagle LLC is established in the United States and accesses the WB Connect application surface from the United States for administration, security and support, personal data relating to UK and EEA data subjects that is stored in the AWS eu-west-2 (Ireland) region is transferred to, or accessed from, the United States in the ordinary course of providing the service. For the purposes of UK GDPR Chapter V and EU GDPR Chapter V, Flag Eagle LLC is the US-based data importer for those transfers.

For those transfers we rely on one or more of the following safeguards, as appropriate:

the EU Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the EU GDPR (Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor) or Module 4 (processor-to-controller) as appropriate to the data flow, for transfers from the European Economic Area;
the UK International Data Transfer Agreement (IDTA) or, in the alternative, the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, for transfers from the United Kingdom;
the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework, where the receiving party (for example, AWS Inc. or its US affiliate) is self-certified to the relevant list (verified periodically against the official list at https://www.dataprivacyframework.gov);
the data-transfer addenda and onward-transfer safeguards published by AWS, Shopify and Stripe under their respective data processing agreements; and
supplementary technical and organisational measures consistent with the EDPB Recommendations 01/2020 on measures that supplement transfer tools, including encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256), strict role-based access controls, audit logging, US-personnel access on a documented need-to-know basis, and transparency reporting on government-access requests (Section 5.5).

Belt-and-braces — SCCs / IDTA remain in place irrespective of DPF status. Where Flag Eagle LLC or one of its sub-processors is self-certified to the EU-U.S. Data Privacy Framework or the UK Extension, we treat the Data Privacy Framework as one of multiple layered safeguards. The Standard Contractual Clauses (Implementing Decision (EU) 2021/914), the UK Addendum to the EU SCCs and/or the UK IDTA, together with the EDPB Recommendations 01/2020 supplementary measures listed above, remain in place as a fallback safeguard, and continue to govern transfers of UK and EEA data subject personal data to the United States regardless of the operational status of the EU-U.S. Data Privacy Framework or any judicial or regulatory challenge to it. UK and EEA merchants and data subjects are therefore protected by SCCs / IDTA whether or not the DPF is in force.

Transfer impact assessment. A transfer impact assessment covering the AWS eu-west-2 → United States pathway — addressing the lawful basis for transfer, the categories of recipient and data, the applicable US legal regime (including, where relevant, Section 702 of the US Foreign Intelligence Surveillance Act and Executive Order 12333), the supplementary technical and organisational measures listed above, and the residual-risk conclusion — is maintained by Flag Eagle LLC and is available to data subjects and supervisory authorities on request to privacy@warehousebridge.com.

6.2 Transfers between the US, Canada and the EEA

For transfers between the United States, Canada (where Shopify operates) and the EEA, we rely on the applicable adequacy decisions where they apply (for example, the European Commission's adequacy decision for Canada for commercial organisations under PIPEDA), and otherwise on the safeguards described in Section 6.1.

You may request a copy of the safeguards in place — including the executed Standard Contractual Clauses and UK Addendum / IDTA — by emailing privacy@warehousebridge.com.

7. Data Retention

We retain personal data only for as long as we have a lawful and operational reason to do so. Specifically:

Data category	Retention period
Active order, fulfillment, inventory, and product data	For as long as the merchant has WB Connect installed, plus 90 days after uninstall or disconnection, after which the data is deleted or anonymised.
End-customer shipping address attached to a Shopify order	Retained for the same period as the parent order data (above); deleted earlier if (a) the merchant or shopper exercises a valid erasure request, or (b) we receive a `customers/redact` GDPR webhook from Shopify in respect of that customer.
Shopify OAuth tokens	Held until the merchant uninstalls the app or revokes the OAuth grant in Shopify Admin, then revoked and purged within 30 days.
Merchant contact details and account record	Retained for the duration of the merchant's use of WB Connect and for 24 months after uninstall, after which they are deleted or anonymised, unless we are required to retain them for longer to comply with a legal obligation.
Support correspondence	24 months from the last message in the thread.
App-usage logs (authenticated API requests, IPs, user-agents)	13 months maximum, after which the logs are deleted or aggregated into non-identifying statistics. The 13-month period reflects industry-standard security incident lookback windows used for breach investigation and audit. Where a valid `customers/redact` webhook (Section 8.2) identifies an end-customer whose identifiers appear in these logs, identifying fields relating to that customer are redacted from the live log store within 30 days of receipt of the webhook, subject to the technical feasibility of identifying the customer within unstructured log data. Where redaction of a specific identifier is not technically feasible within unstructured log data, the affected log records will not be retained beyond the standard 13-month rotation, and will be deleted at the earliest scheduled rotation point. We will not extend the retention of any log record in order to preserve identifiable end-customer data, and we do not export or repurpose unredacted historical log lines for any other use.
Website server logs (https://wbconnect.app)	90 days.
Financial and tax records	Up to 7 years from the end of the relevant accounting period, in accordance with applicable US federal and Nevada state record-keeping rules (including IRS guidance on retention of business tax records and Nevada Revised Statutes governing limited liability company records).
Records required to defend a legal claim	Until the relevant limitation period has expired.

When we delete personal data, we use industry-standard secure deletion methods. Where data has been backed up to AWS-managed encrypted backups, it will be overwritten in the ordinary course of the backup rotation cycle (which does not exceed 35 days after the live record is deleted).

8. Shopify-Mandated GDPR Webhooks

Shopify requires every public Shopify app to implement the following compliance webhooks. WB Connect implements all of them. The webhooks are received at https://app.warehousebridge.com/shopify/webhooks/compliance — the WB Connect application surface (see Section 1). The HMAC signature on every payload is verified before any action is taken, and a 200 OK acknowledgement is returned to Shopify immediately upon successful HMAC verification. The compliance-webhook URL published in our shopify.app.toml and registered in the Shopify Partner Dashboard matches this endpoint.

8.1 `customers/data_request`

Triggered when a shopper of the merchant exercises a right of access. When we receive this webhook we:

verify the HMAC signature, return 200 OK to Shopify, and log the request (request ID, timestamp, shop domain);
compile any personal data we hold about the identified customer (typically: name, postal address, phone, email, and the order IDs the customer appears on);
provide that data to the merchant within 30 days, so the merchant — as controller of their shopper data — can satisfy the shopper's request. The merchant is responsible for delivering the data to the shopper.

If we do not hold any personal data identifying the requested customer, we will record that fact and notify the merchant accordingly within the same 30-day window. All customers/data_request webhook events are logged with a request ID, timestamp, and shop domain for audit purposes.

8.2 `customers/redact`

Triggered when a shopper exercises a right of erasure, or when Shopify automatically requests redaction six months after the customer's last order with the merchant. When we receive this webhook we:

verify the HMAC signature, return 200 OK to Shopify, and log the request;
delete or irreversibly anonymise the identified customer's personal data (name, address, phone, email) from our live systems within 30 days, including in app-usage logs and diagnostic traces where the customer can be technically identified within those records (subject to the technical feasibility of identifying the customer within unstructured log data; see Section 7 for the parallel commitment that no log record will be retained beyond the standard 13-month rotation in order to preserve identifiable end-customer data);
ensure the redaction propagates to encrypted backups within the backup rotation cycle (not exceeding a further 35 days).

We may retain a minimal, non-identifying record of the fact that a redaction occurred (request ID, shop domain, timestamp) for audit and Shopify compliance evidence.

8.3 `shop/redact`

Triggered by Shopify approximately 48 hours after a merchant uninstalls WB Connect (or after store closure). When we receive this webhook we:

verify the HMAC signature, return 200 OK to Shopify, and log the request;
delete or irreversibly anonymise all personal data associated with that shop (orders, customers, products, inventory, store metadata, OAuth tokens) within 30 days;
retain only the minimal records required for legal, tax, or audit obligations.

We may retain a minimal, non-identifying audit record (request ID, shop domain, timestamp) of the fact that a shop/redact event was processed, for Shopify compliance evidence and our own audit purposes.

8.4 Uninstall

When a merchant uninstalls WB Connect (via the app/uninstalled webhook or by revoking the OAuth grant in Shopify Admin), we immediately revoke the stored access token, stop ingesting new data for that shop, and queue the shop for the 90-day retention/deletion cycle described in Section 7. Approximately 48 hours after uninstall, Shopify fires the shop/redact webhook to our compliance endpoint, which triggers the deletion flow described in Section 8.3.

9. Your Privacy Rights

Your rights depend on the privacy law that applies to you. This Section sets out (a) rights for California residents under the CCPA, (b) rights for residents of other US states with comprehensive privacy laws, and (c) rights for UK and EEA data subjects under UK GDPR / EU GDPR. We honour the most protective standard available to you in your jurisdiction.

9.1 Rights for California residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"):

Right to know — request disclosure of (i) the categories of personal information we have collected about you, (ii) the categories of sources from which that information was collected, (iii) the business or commercial purposes for collecting, selling or sharing it, (iv) the categories of third parties to whom we disclose it, and (v) the specific pieces of personal information we have collected about you.
Right to delete — request deletion of personal information we have collected from you, subject to the statutory exceptions in Cal. Civ. Code § 1798.105(d).
Right to correct — request correction of inaccurate personal information.
Right to opt out of the "sale" or "sharing" of personal information.
Right to limit the use and disclosure of sensitive personal information to the purposes set out in Cal. Civ. Code § 1798.121(a).
Right to non-discrimination — receive equal service and pricing regardless of whether you exercise your CCPA rights.

We do not "sell" or "share" personal information as those terms are defined under the CCPA, and we have not done so in the preceding 12 months. We do not knowingly collect or use sensitive personal information beyond what is reasonably necessary to provide the WB Connect service, as permitted by Cal. Civ. Code § 1798.121(a) and the implementing regulations.

You may designate an authorised agent to submit a CCPA request on your behalf in accordance with 11 Cal. Code Regs. § 7063.

9.2 Rights for residents of other US states

If you are a resident of another US state with a comprehensive privacy law — including Nevada (under NRS Chapter 603A, including Senate Bill 220), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), or any equivalent state law in force — you have the rights granted by that state's privacy law, which typically include the right to access, delete, correct (where the law provides for correction), opt out of targeted advertising / sale / certain profiling, and appeal a denial of any of those rights. We will honour those rights according to the most protective applicable standard.

Nevada residents specifically may, under NRS 603A.340, submit a verified request to opt out of the sale of certain personal information. As described above, Flag Eagle LLC does not sell personal information; this opt-out right is honoured by default.

9.3 Rights for UK and EEA data subjects (UK GDPR / EU GDPR)

If you are in the United Kingdom or the European Economic Area, you have the following rights in respect of personal data we hold about you as a controller:

Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and to receive a copy of it.
Right to rectification (Art. 16) — to have inaccurate or incomplete personal data corrected.
Right to erasure (Art. 17, "right to be forgotten") — to have your personal data deleted where we no longer have a lawful basis to retain it.
Right to restrict processing (Art. 18) — to have us pause processing in defined circumstances.
Right to data portability (Art. 20) — to receive your personal data in a structured, commonly-used, machine-readable format and to have it transmitted to another controller where technically feasible.
Right to object (Art. 21) — to object to processing carried out under our legitimate interests, including any profiling.
Right to withdraw consent — where we rely on consent, to withdraw that consent at any time (without affecting the lawfulness of processing before withdrawal).
Rights in relation to automated decision-making (Art. 22) — we do not carry out solely automated decisions producing legal or similarly significant effects on you.

9.4 How to exercise your rights

Send a written request to privacy@warehousebridge.com, including enough information for us to identify you and verify your identity.

For CCPA and other US state privacy law requests, we will acknowledge receipt within 10 business days and respond substantively within 45 days, extendable by a further 45 days where necessary (or such other timeframe as the applicable state law requires).
For UK GDPR / EU GDPR requests, we will respond within one calendar month of receipt, extendable by a further two months for complex or numerous requests (UK GDPR Art. 12(3)).

Exercising your rights is free of charge, except where a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act in accordance with the applicable US state privacy law or UK GDPR Article 12(5).

If you are an end-customer of a merchant that uses WB Connect, you may also direct your request to that merchant, who is the business / controller of your data; we will support the merchant in responding to you.

9.5 Right to complain to a supervisory authority

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the supervisory authority that applies to you:

California: California Privacy Protection Agency (https://cppa.ca.gov) or California Attorney General (https://oag.ca.gov/privacy).
Nevada: Nevada Attorney General — Office of the Attorney General, 100 N. Carson Street, Carson City, NV 89701.
Other US states: the Office of the Attorney General in your state (or, where applicable, your state's privacy enforcement authority).
United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — helpline 0303 123 1113 — https://ico.org.uk/make-a-complaint/.
European Economic Area: your national data protection authority. A list is maintained at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

You also have the right to an effective judicial remedy independently of any administrative complaint.

10. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, including:

TLS 1.2 or higher for all data in transit between Shopify, the WB Connect application surface, and your browser.
Encryption at rest for our primary database and object storage on AWS (AES-256).
HMAC-SHA256 verification of every Shopify webhook before it is processed.
Time-limited OAuth access tokens stored encrypted at rest, with rotation on re-authorisation.
Principle-of-least-privilege access controls within the Warehouse Bridge codebase, with multi-tenant isolation enforced on the data-access path.
Rate limiting, brute-force lockout, and audit logging on authenticated endpoints.
Regular dependency scanning and patching of our application stack.
Restricted, logged administrative access to production systems.
Staff confidentiality undertakings and security training.

No method of transmission over the internet or storage on a computer system is one hundred per cent secure. While we strive to protect your personal data, we cannot guarantee its absolute security. This factual disclaimer does not limit, exclude, or restrict any of our statutory obligations under the CCPA, Nevada's NRS Chapter 603A (including NRS 603A.220), other US state privacy and breach-notification laws, the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), or our contractual commitments to merchants under our terms of service.

10.1 Personal data breaches

If we become aware of a personal data breach affecting your personal information, we will notify affected individuals, merchants, and the applicable regulators as required by:

US state breach-notification statutes that apply to the affected individuals — including, without limitation, Nevada's NRS 603A.220 (which requires notification to affected Nevada residents and, in defined circumstances, to the Nevada Attorney General), California's Cal. Civ. Code § 1798.82, and equivalent breach-notification statutes in other US states. We will notify "in the most expedient time possible and without unreasonable delay," consistent with the applicable statute and with any law-enforcement hold.
UK GDPR / EU GDPR, where the breach affects UK or EEA data subjects: we will notify the UK Information Commissioner's Office (ICO) or the lead EU supervisory authority within 72 hours under Article 33 where required, and notify affected individuals where required under Article 34.

Where we act as a service provider / processor for a merchant, we will notify the merchant of any breach affecting that merchant's data without undue delay so the merchant can discharge its own controller / business notification obligations.

11. Cookies and Similar Technologies

This Section applies to the website at https://wbconnect.app and, where indicated, to the WB Connect application surface at app.warehousebridge.com.

11.1 What we use

Strictly necessary cookies / local storage — required to deliver the website (for example, CSRF protection token, session continuity, load-balancer routing). These are set without consent because they are exempt under Regulation 6(4) PECR.
Preference cookies — to remember your cookie-banner choice.
Analytics cookies (non-essential) — only set if you give consent.

We do not use advertising cookies, third-party advertising pixels, social-media tracking pixels, or cross-site fingerprinting on https://wbconnect.app.

11.2 Consent

When you first visit https://wbconnect.app you will be presented with a cookie banner that:

displays equally prominent "Accept" and "Reject" controls — refusing non-essential cookies is as easy as accepting them;
does not set any non-essential cookie, pixel, or tracker until you click "Accept";
allows granular choice between essential and analytics categories; and
allows you to change or withdraw your consent at any time via the "Cookie preferences" link in the website footer.

This is consistent with the CCPA's requirements for opt-out controls, the EU ePrivacy Directive and UK PECR for non-essential tracking, and the ICO's published guidance on cookie consent.

11.3 Within the Shopify app

The WB Connect Shopify app surface itself does not set marketing or analytics cookies. It uses only the strictly necessary session and CSRF mechanisms required to keep the merchant authenticated.

Any cookies set within the WB Connect application surface are first-party cookies on the WB Connect / Warehouse Bridge domain, used solely for authenticated session continuity and CSRF protection. No data about merchant activity within the app is transmitted to any third-party analytics, advertising, or tracking provider.

For completeness, the hosting and email-delivery sub-processors listed in Section 5.3 (AWS, AWS SES) necessarily process traffic in order to deliver the service, but they do so strictly as service providers (under the CCPA) and as data processors (under UK GDPR / EU GDPR Article 28 where applicable) and do not use the data for their own analytics, advertising, profiling, or product-improvement purposes.

12. Children's Data

WB Connect is a business-to-business service for Shopify merchants and their 3PL fulfillment partners. It is not directed at, marketed to, or intended for use by children. We do not knowingly collect personal data from any individual under 13 years of age in the United States (consistent with the Children's Online Privacy Protection Act ("COPPA") and the CCPA's protections for minors under 13). In the United Kingdom we do not knowingly collect personal data from any individual under 13 (the threshold set by the Data Protection Act 2018 implementing UK GDPR Article 8). In the European Economic Area, we do not knowingly collect personal data from any individual below the Article 8 threshold applicable in the data subject's Member State (which is 16 by default and is lowered to between 13 and 15 in some Member States). If you become aware that a child has provided personal data to us, please contact privacy@warehousebridge.com and we will take steps to delete that information.

13. Automated Decision-Making and Profiling

We do not use personal data to take decisions about you by purely automated means that produce legal or similarly significant effects on you. Routing of orders to the merchant's nominated 3PL is a deterministic, merchant-configured operation, not profiling.

14. Third-Party Links

The WB Connect website and in-app help may contain links to third-party websites and services (for example, Shopify documentation, our hosting providers' status pages, or the merchant's chosen 3PL's site). We are not responsible for the privacy practices of those third parties; please review their privacy policies.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, our service, applicable law, or Shopify Partner Programme requirements.

15.1 How we notify you of changes

When we make a change, we will update the "Last Updated" date at the top of this Policy and post the revised text at https://wbconnect.app/privacy.

When we make a material change — defined as any change that broadens the categories of personal data we collect, broadens the purposes for which we use it, introduces a new sub-processor or new transfer jurisdiction, or reduces a data subject right — we will additionally:

clearly label the change as material in the notice;
post a notice on https://wbconnect.app at least 30 days before the change takes effect; and
email the merchant's primary contact address on file.

15.2 Your options when the Policy changes

You are never deemed to have silently accepted a material change. Specifically:

Personal data collected under the prior policy continues to be governed by the prior policy until either (a) we delete it in accordance with Section 7, or (b) you separately consent to the new policy where consent is required.
If you do not accept a material change, you may uninstall WB Connect at any time, and the personal data processed about you prior to the change will continue to be governed by the version of this Policy in force when the data was collected, until that data is deleted in accordance with Section 7.
Changes that materially affect how we process personal data take effect on the date stated in the notice. Where a change requires fresh consent under UK GDPR or EU GDPR, we will obtain that consent separately before the change is applied to you.
Non-material changes (for example, clarifications, typographical corrections, or updates to a contact address) take effect when posted.

16. Privacy Lead

Flag Eagle LLC has designated an internal Privacy Lead to oversee compliance with this Policy, the CCPA, Nevada's NRS Chapter 603A, other applicable US state privacy laws, the UK GDPR / EU GDPR where applicable, and the Shopify Partner Programme privacy obligations.

Flag Eagle LLC's core processing activities, as described in this Policy, consist of providing a free Shopify-side connector for a defined and verifiable population of business merchants and a small set of routine operational support functions. Those activities do not consist of large-scale, regular and systematic monitoring of data subjects, and do not involve large-scale processing of special-category personal data within the meaning of Article 9 UK GDPR / EU GDPR or of personal data relating to criminal convictions and offences within the meaning of Article 10. Flag Eagle LLC is therefore not required to appoint a statutory Data Protection Officer under Article 37(1) UK GDPR / EU GDPR. The Privacy Lead acts as the single point of accountability for data subject requests, privacy enquiries, breach notifications, and supervisory-authority correspondence.

You can reach the Privacy Lead at privacy@warehousebridge.com or by writing to:

Privacy Lead Flag Eagle LLC (trading as Warehouse Bridge) 401 Ryland Street STE-200 Reno, NV 89502 United States

17. Contact Us

Reason for contact	Address
General questions and support	support@warehousebridge.com
Privacy questions, data subject requests, Privacy Lead	privacy@warehousebridge.com
Abuse, security or fraud reports	abuse@warehousebridge.com
Legal notices and service of process	legal@warehousebridge.com
Postal address	Flag Eagle LLC, 401 Ryland Street STE-200, Reno, NV 89502, United States
Marketing website	https://wbconnect.app
Application surface	https://app.warehousebridge.com