Privacy Policy

Effective: June 2026

Overview

WarpWare ("we," "us," or "our") provides third-party logistics (3PL) order-management and fulfillment software for e-commerce sellers and the warehouses that serve them. This Privacy Policy describes how we collect, use, store, share, and dispose of information — including order data and buyer personal information received from connected marketplaces such as the Amazon Selling Partner API (SP-API) — when you use our platform and services.

By using WarpWare, you agree to the practices described in this policy. We process marketplace buyer information solely as a service provider, to fulfill orders on behalf of the seller who connected the account.

Information We Collect

Marketplace Order Data (including Amazon)

When you connect a sales channel, we receive the order information needed to fulfill orders. From the Amazon Selling Partner API and similar marketplaces this includes buyer personal information (PII) such as:

  • Buyer name and shipping address
  • Order line items, quantities, and order identifiers
  • Order amounts and fulfillment status
  • Product, listing, and inventory data

We collect only the data required to fulfill and support orders (data minimization). We do not request or store buyer payment card numbers.

Account Information

From our own users (sellers and their staff), we collect:

  • Name, email address, and company name
  • Login credentials (passwords are hashed using bcrypt and never stored in plain text)
  • Role and organization assignments

Integration Credentials

To connect your sales channels and warehouse systems, we store API credentials including OAuth tokens, API keys, and webhook secrets. All integration credentials are encrypted with AES-256 before storage and are never stored in plain text.

Usage Data

We collect logs of platform activity including login events, configuration changes, API requests, and admin dashboard interactions. This data is used for security auditing, troubleshooting, and platform reliability.

How We Use Your Information

We use marketplace order data solely to fulfill orders on the seller's behalf:

  • Order processing: Receive, transform, route, and submit orders to the warehouse that will fulfill them
  • Inventory & fulfillment sync: Keep available inventory accurate and write shipment confirmations and tracking numbers back to the marketplace
  • Platform operation: Maintain integrations and execute the seller's configured automation rules
  • Security and auditing: Log administrative actions, detect unauthorized access, and maintain audit trails
  • Support: Diagnose issues and provide technical assistance

We never use buyer information for marketing or any secondary purpose, and we never sell it. Amazon Information is not used to advertise, to build buyer profiles, or to compete with Amazon or its sellers.

How We Share It

We do not sell your data. We share order data only with the parties required to fulfill the order, and only over encrypted HTTPS connections:

  • Warehouse / WMS (Extensiv): Order data — including buyer name and shipping address — is transmitted to the warehouse management system (Extensiv) responsible for picking, packing, and shipping the order
  • Shipping carriers: Address and parcel details are shared with carriers as needed to ship orders and return tracking information
  • Cloud infrastructure providers: We use managed cloud hosting and database services to operate the platform. These providers process data on our behalf under data processing agreements and do not use it for their own purposes
  • Legal requirements: We may disclose data if required by law, court order, or government request

We do not share buyer information with any other third party, and we do not transfer it for advertising or analytics by others.

Data Security

We maintain an information-security program that includes:

  • Encryption in transit: TLS for all data moving between systems, marketplaces, warehouses, and carriers
  • Encryption at rest: AES-256 for stored credentials, tokens, and sensitive data
  • Bcrypt password hashing with a high cost factor
  • Role-based access control on a need-to-know basis, with multi-factor authentication (MFA) available for accounts
  • Organization-scoped data isolation enforced at the database level
  • Audit logging of all administrative and data-modifying operations
  • Session management with configurable idle and absolute timeouts
  • Invite-only account provisioning (no open self-registration)

If we become aware of a security incident involving Amazon Information, we will notify Amazon within 24 hours of detection and cooperate on remediation, consistent with Amazon's Data Protection Policy.

Multi-Tenant Data Isolation

WarpWare is a multi-tenant platform. Your data is isolated at the database level using organization-scoped access controls. Each query is scoped to your organization, and database-enforced boundaries prevent cross-tenant data access. Your order data, rules, configurations, and credentials are never visible to other tenants.

Data Retention & Disposal

We retain data only as long as necessary to fulfill and support orders and to meet legal, tax, and accounting obligations, after which it is securely deleted. Operational logs follow this schedule:

  • Activity and webhook logs: 30 days
  • Rule execution logs: 60 days
  • Order audit trail: 90 days
  • Compliance and organization audit logs: 180 days
  • Order records: Retained for the duration of your service agreement, then deleted

Amazon buyer PII is deleted within 30 days of when it is no longer needed to fulfill the order, or upon revocation of the seller's authorization — whichever comes first — unless retention is required by law (for example, tax or accounting records, which exclude buyer PII where possible).

Amazon Information

Where we process information obtained through the Amazon Selling Partner API ("Amazon Information"), we handle it in compliance with Amazon's Acceptable Use Policy and Data Protection Policy. Specifically:

  • We collect and retain only the Amazon Information required to fulfill orders (data minimization)
  • We encrypt Amazon Information in transit (TLS) and at rest (AES-256)
  • We restrict access to Amazon Information to authorized personnel on a need-to-know basis
  • We delete Amazon buyer PII within 30 days once it is no longer needed or upon de-authorization, unless retention is legally required
  • We do not use Amazon Information for advertising or marketing, to build buyer profiles, or to compete with Amazon or its sellers
  • We report security incidents involving Amazon Information to Amazon within 24 hours of detection

Your Rights & Data Requests

We support data-subject rights under the GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar laws for buyers and users whose information we process:

  • Access: Export of the data associated with a person on request
  • Correction: Update of inaccurate information
  • Deletion / redaction: PII fields (name, email, phone, addresses) redacted from order records, or full records deleted
  • Shop deactivation: Full data cleanup when a merchant disconnects
  • Do not sell: We do not sell personal information, so no opt-out is required — but you may confirm this with us

Because we act as a service provider to sellers, buyer requests are typically routed through the seller of record; we assist sellers in fulfilling them. All data-rights actions are logged in an audit trail. To make a request, email [email protected].

Cookies & Tracking

The WarpWare admin dashboard uses httpOnly session cookies for authentication. We do not use third-party advertising trackers or cross-site tracking cookies. Our marketing website may use basic, privacy-friendly analytics to understand page traffic.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Effective" date. Continued use of the platform after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at our contact page or email [email protected].