CommerceBridge — Privacy Policy

Last updated: 7 July 2026

This Privacy Policy explains how Commerce Bridge ("Commerce Bridge", "we", "us") collects, uses, shares and protects personal information when you use our multi-tenant commerce platform, our website, and our Shopify app and connectors (together, the "Services"). It also explains the rights available to you under the UK GDPR, EU GDPR, POPIA and similar laws.

For most storefront shoppers, the merchant (store owner) is the data controller and Commerce Bridge acts as a data processor on their behalf. For our own account holders, resellers and website visitors, Commerce Bridge is the controller.

1. Information we collect

Account & billing data

Name, email, phone, company, login credentials (passwords are hashed), and billing/subscription details for account holders and resellers.

Usage & device data

Log data, IP address, browser/device type, pages viewed, and performance metrics (see Cookies). Used to operate, secure and improve the Services.

Merchant & storefront data (processed on behalf of merchants)

When a merchant uses Commerce Bridge, we process the data their store generates — product catalogue, orders, inventory, and customer details (name, email, address, order history) — solely to provide the Services to that merchant.

Integration data

Where a merchant connects an ERP/PIM (e.g. SAP, SysPro, SalesLayer) or a marketplace/payment provider, we process the catalogue, pricing, inventory and order data required to synchronise those systems.

2. How we use information

Our legal bases are: performance of a contract, our legitimate interests in operating and securing the Services, consent (where required, e.g. non-essential cookies/marketing), and legal obligation.

3. Shopify app data

Our Shopify app accesses only the scopes a merchant approves — typically products, orders, inventory, fulfilment, customers, and (for B2B) company data — to sync the store with Commerce Bridge and power storefront features (wishlists, upsells, search, loyalty, audits). We honour Shopify's mandatory compliance webhooks: customers/data_request, customers/redact and shop/redact. When a shop uninstalls the app or a redaction request is received, we delete the associated data from our systems.

4. Sharing & sub-processors

We do not sell personal information. We share it only with:

Sub-processors are bound by contract to protect data and process it only on our instructions.

5. Cookies & performance metrics

We use strictly-necessary cookies for authentication and security, and, with your consent, analytics/performance cookies. We collect anonymised real-user performance metrics (e.g. page load timings) to monitor and improve reliability. You can manage non-essential cookies via the on-site consent banner.

6. Data retention

We keep personal information only as long as needed to provide the Services, comply with legal, tax and audit obligations, and resolve disputes. Merchant/storefront data is retained per our agreement with the merchant and deleted on account closure or valid redaction request.

7. Security

We protect data with encryption in transit (TLS) and at rest for sensitive fields, access controls and least-privilege scoping, audit logging, and regular security review. No system is perfectly secure, but we work to protect your information and to notify you of material incidents as required by law.

8. Your rights

Subject to applicable law, you may request access, correction, deletion, restriction, portability, or object to certain processing, and withdraw consent. Where Commerce Bridge is a processor for a merchant, we will direct storefront-shopper requests to that merchant or assist them in responding.

To exercise your rights, contact us at support@commerce-bridge.tech. You also have the right to complain to your data protection authority (e.g. the UK ICO or the South African Information Regulator).

9. International transfers

We operate infrastructure in multiple regions (including the UK, EU and South Africa). Where personal data is transferred across borders, we rely on appropriate safeguards such as adequacy decisions or standard contractual clauses.

10. Children

The Services are not directed to children under 16, and we do not knowingly collect their personal information.

11. Changes to this policy

We may update this policy from time to time. Material changes will be posted here with a revised "Last updated" date.

12. Contact us

Commerce Bridge — Privacy
Email: support@commerce-bridge.tech