Data Processing Agreement

Last updated: 2026-05-18

This Data Processing Agreement ("DPA") forms part of the Omnifill Terms of Service between Glare Studios, LLC, doing business as Omnifill ("Omnifill", "we", "us", or "Processor"), and the client, partner, business, or other organization that creates an account, uses the service, accepts this DPA, or authorizes a user to use Omnifill on its behalf ("Customer", "you", or "Controller").

This DPA applies when Omnifill processes personal data on behalf of a Customer, including customer order data, partner portal data, source-platform import data, product mapping data, routing data, and fulfillment handoff data. By using Omnifill after this DPA is presented for acceptance, you agree to this DPA. If you are accepting for an organization, you confirm that you are authorized to bind that organization.

Operational summary. Omnifill imports orders from payment, commerce, and CSV sources, normalizes messy source data into warehouse-ready records, maps products and bundles, applies routing rules, and sends or exports orders to the fulfillment destination selected by the Customer. Omnifill uses Customer Personal Data only to provide, secure, support, and improve that workflow. We do not sell Customer Personal Data, use customer order data for advertising, or use Customer Personal Data to train public or third-party foundation models.


1. What Omnifill Is

Omnifill is a B2B SaaS platform for merchants, creators, fulfillment teams, warehouses, and 3PLs. It connects to order sources such as Stripe, PayPal, Shopify, WooCommerce, and CSV imports, then turns source-specific records into a normalized order table. Customers can review orders, define products and bundles, create routing rules, export CSVs, publish hosted CSV feeds, push files by SFTP, and send orders to supported 3PL or WMS APIs.

The partner portal lets warehouses and 3PLs connect with client Omnifill accounts by email after the client accepts access. A connected partner can review the linked client's visible order information needed for fulfillment and update fulfillment status in the partner portal.

2. How Omnifill Uses Data

Omnifill uses Customer Personal Data for these purposes:

Omnifill does not need special-category personal data, raw payment card numbers, government IDs, health data, children's data, or criminal-offense data to provide the service. Customers must not intentionally upload those categories unless Omnifill has expressly agreed in writing.


3. Roles of the Parties

For customer order data and other data that a Customer submits into Omnifill for order management, the Customer is normally the Controller and Omnifill is normally the Processor. The Customer determines why the data is processed, which sources are connected, which partner or warehouse receives data, and how long the Customer keeps using Omnifill.

Omnifill acts as an independent controller for limited business data that it needs to run its own company, including billing records, account administration records, security logs, public website analytics, legal records, and direct communications with Omnifill.

Fulfillment partners, warehouses, WMS providers, and 3PLs that receive order data at the Customer's direction may act as the Customer's processor, sub-processor, independent controller, or other recipient under the Customer's own relationship with them. The Customer is responsible for making that role determination and having the required agreement with the recipient.

4. Customer Instructions

The Customer instructs Omnifill to process Customer Personal Data as necessary to provide the service, as configured in the dashboard or partner portal, as described in this DPA, the Terms of Service, the Privacy Policy, support communications, and any written order form or statement of work. Omnifill will process Customer Personal Data only on documented Customer instructions unless applicable law requires otherwise.

If Omnifill believes an instruction violates applicable data protection law, Omnifill will inform the Customer unless prohibited by law.

5. Customer Responsibilities

The Customer is responsible for:

6. Confidentiality

Omnifill will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or an appropriate statutory confidentiality duty. Omnifill personnel may access Customer Personal Data only as needed to provide, secure, support, maintain, or improve Omnifill.

7. Security Measures

Omnifill will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Current measures include:

8. AI-Assisted Normalization and Internal Rule Review

Omnifill's reliability depends on a normalization engine and human-reviewed rule layer. The engine standardizes order data across source platforms and export destinations so orders can be reviewed and sent to fulfillment systems with fewer manual edits.

Omnifill may review limited operational patterns, such as raw country values, region values, currencies, statuses, source labels, product names, SKUs, export mappings, and recurring import or fulfillment errors, to maintain and approve normalization rules. This review is for service reliability, support, and operational improvement. Omnifill does not use customer names, email addresses, phone numbers, or full shipping addresses for advertising or model training.

If the dashboard assistant is available and a Customer uses it, Omnifill may process the user's prompt, recent assistant conversation, public Omnifill documentation, and a limited account summary such as counts, sources, statuses, missing-address counts, product/SKU readiness, routing-rule summaries, and connection status. The assistant is not intended to receive secrets, raw customer lists, full addresses, payment credentials, or private warehouse specifications.

9. Sub-Processors and Recipients

The Customer gives Omnifill general authorization to use sub-processors to provide the service. Omnifill will impose data protection obligations on sub-processors that are substantially similar to those in this DPA. Omnifill remains responsible for sub-processor performance to the extent required by applicable data protection law.

Omnifill may add or replace sub-processors. If a change is material, Omnifill will provide notice by updating this page, the Privacy Policy, account notice, email, or another reasonable method. Customers may object to a new sub-processor by contacting [email protected] within 14 days of notice. Omnifill will work in good faith to address the objection. If the parties cannot resolve it, the Customer may stop using the affected feature or terminate the service as allowed by the Terms of Service.

Customer-selected fulfillment destinations, source platforms, connected partner portals, SFTP servers, WMS systems, and 3PL APIs are recipients selected by the Customer or by a partner/client connection. They are not Omnifill sub-processors merely because Omnifill sends Customer Personal Data to them on the Customer's instruction.

10. Partner Portal Terms

Partners may use Omnifill only for legitimate warehouse, 3PL, fulfillment, support, and client-management purposes. Partners must not use linked client order data for advertising, resale, unrelated analytics, competitive analysis, or any purpose outside fulfillment support unless the linked client has separately authorized that use.

A partner must connect only client emails it is authorized to service. A client connection becomes active only when the client accepts access or otherwise authorizes the connection. Once connected, partner users may see order details needed to prepare, ship, or update fulfillment status, including recipient names, contact details, shipping addresses, products, SKUs, quantities, source/status fields, amounts/currencies where visible, and fulfillment notes.

Partners are responsible for their own personnel, downstream systems, warehouse processes, and legal obligations once they receive or access linked client data.

11. Data Subject Requests

Taking into account the nature of the processing, Omnifill will provide reasonable assistance to the Customer for data subject access, correction, deletion, restriction, portability, objection, and similar requests. If a data subject contacts Omnifill directly about Customer Personal Data, Omnifill may direct that person to the Customer unless applicable law requires a different response.

12. Security Incidents

Omnifill will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to Omnifill, such as the nature of the incident, affected data categories, likely consequences, mitigation steps, and a contact point for follow-up. Omnifill's notice is not an admission of fault or liability.

13. Return and Deletion

During the subscription term, Customers can export order data through available dashboard exports. After account closure or termination, Omnifill will delete or return Customer Personal Data from active systems within 30 days unless applicable law requires retention or the data is retained in support, security, billing, legal, or backup records under Omnifill's normal retention controls. Where deletion from backups is not immediate, backup data will be protected from routine access and overwritten in the ordinary course.

14. Audits and Compliance Information

Omnifill will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by applicable data protection law, the Customer may request an audit of Omnifill's relevant controls no more than once per year, unless a confirmed security incident or regulator request reasonably requires more frequent review. Audits must be limited in scope, conducted during normal business hours, protect Omnifill confidential information and other customers' data, and avoid unreasonable disruption to the service.

15. International Transfers

Omnifill stores application data on servers in the EU. Some processing may involve access from, or transfer to, countries outside the EU/EEA, the United Kingdom, or Switzerland, including where a Customer connects a non-EU source platform, chooses a non-EU fulfillment destination, uses a third-party service with non-EU processing, or Omnifill uses a sub-processor that processes limited data outside the EU/EEA.

Where a restricted transfer of Customer Personal Data occurs and applicable data protection law requires a transfer mechanism, Omnifill will rely on an appropriate mechanism such as an adequacy decision, the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum or Agreement, the Swiss addendum where applicable, or another valid transfer mechanism. The parties will reasonably cooperate to complete any required transfer details.

16. Government and Legal Requests

If Omnifill receives a legally binding request for Customer Personal Data, Omnifill will try to notify the Customer before disclosure unless legally prohibited. Omnifill will disclose only the data it reasonably believes is required by the request.

17. Term

This DPA starts when the Customer first accepts it, creates an account after it is made available, continues using Omnifill after required acceptance, signs an order form incorporating it, or otherwise agrees to it. It remains in effect for as long as Omnifill processes Customer Personal Data on behalf of the Customer.

18. Conflicts

If this DPA conflicts with the Terms of Service or Privacy Policy about the processing of Customer Personal Data, this DPA controls for that processing. If the parties sign a separate written DPA or enterprise agreement, that signed agreement controls to the extent of conflict.


Schedule 1: Processing Details

Subject matter: Importing, storing, normalizing, reviewing, routing, exporting, sending, logging, and supporting order and fulfillment data through the Omnifill dashboard, partner portal, API, and related operational systems.

Duration: For the term of the Customer's account, partner workspace, subscription, trial, or other service relationship, plus the deletion, backup, billing, legal, and security retention periods described in this DPA and the Privacy Policy.

Nature of processing: Collection, receipt, hosting, storage, organization, parsing, normalization, canonicalization, deduplication, display, search, filtering, product mapping, bundle expansion, routing, CSV generation, API delivery, SFTP delivery, hosted-feed publication, status update, logging, support, security monitoring, deletion, and export.

Purpose: To provide no-code order aggregation, fulfillment preparation, automatic order routing, partner access, warehouse-ready CSV exports, hosted feeds, SFTP/API handoff, delivery logs, support, account administration, security, and service reliability improvements.

Data subjects: Customer account users, partner users, admin users, invited client contacts, support contacts, store customers, order recipients, payers, shipping recipients, and individuals whose personal data appears in imported order records, CSV files, support messages, fulfillment notes, or connected source records.

Personal data categories: Names, email addresses, phone numbers, shipping addresses, billing or payer information when included in source records, order IDs, source IDs, source platform names, products, raw item names, SKUs, quantities, prices, currencies, payment states, fulfillment statuses, routing destinations, delivery logs, support messages, diagnostics, page URLs, user agents, IP addresses, authentication records, 2FA settings, partner-client connection records, and related metadata.

Secrets and credentials: OAuth tokens, API keys, SFTP passwords, private keys, passphrases, WMS credentials, hosted feed tokens, session tokens, password hashes, 2FA secrets, recovery-code hashes, and agent access token hashes. These are processed to operate integrations, authentication, and account security, and must not be shared publicly.

Special categories: Omnifill is not designed to process special-category data, children's data, government IDs, health data, criminal-offense data, or raw payment card data. Customers must not intentionally submit these categories unless Omnifill has expressly agreed in writing.

Schedule 2: Current Processing Operations

Source import and sync: Omnifill receives order data from connected sources and CSV uploads, including Stripe, PayPal, Shopify, WooCommerce, Kickstarter CSV, Indiegogo CSV, Gamefound CSV, and other sources where supported.

Normalization: Omnifill standardizes inconsistent source data into warehouse-ready records, including country and region formats, addresses, postal fields, customer names, line items, products, SKUs, source IDs, payment states, currencies, export dialects, and partner-specific formatting quirks.

Product and bundle mapping: Customers can map raw order item names to products and SKUs, create no-fulfillment products, track stock fields, and define source-aware bundles that expand one imported item into multiple shippable order items.

Routing and delivery: Customers can create export rules by product, SKU, source, country, region, and advanced criteria. Rules can generate manual CSV exports, hosted CSV feeds, SFTP pushes, ShipBob API sends, DCIx API sends, or other supported delivery modes.

Partner portal: Warehouses and 3PLs can register for partner access, connect client emails, view active linked client orders after acceptance, and update fulfillment status and notes for visible orders.

Support and administration: Omnifill processes support tickets, support attachments, enterprise inquiries, delivery logs, admin user records, partner management records, and account settings to operate and support the service.

Optional assistant and agent features: Where enabled, Omnifill may process dashboard prompts, recent assistant messages, account summaries, agent access scopes, agent action requests, and agent activity logs to provide supervised assistance and workflow planning.

Schedule 3: Sub-Processors and Customer-Selected Recipients

Infrastructure and hosting: EU-hosted application servers, database storage, backups, system administration, security monitoring, and operational logs.

Stripe: Subscription billing, checkout, customer IDs, subscription IDs, payment status, and Stripe order source sync when a Customer connects Stripe.

PayPal: PayPal OAuth, approved profile data, and PayPal transaction or order sync when a Customer connects PayPal.

Shopify and WooCommerce: Storefront order sync and source-account authorization where the Customer connects those storefronts.

Google: Google OAuth for sign-in where used, Google Workspace SMTP for transactional email, and Google Analytics where optional analytics is enabled.

Microsoft Clarity and Meta Pixel: Optional website and product usage analytics or ad measurement where enabled by consent and configuration. Omnifill does not intentionally send customer order records to these tools.

OpenAI: Optional dashboard assistant processing for user prompts, recent assistant conversation, public Omnifill documentation, safety checks, and limited account summaries. Customer secrets and raw customer order lists are not intended assistant inputs.

Customer-selected fulfillment recipients: SFTP servers, hosted feed consumers, ShipBob, DCIx, warehouses, 3PLs, WMS providers, shipping tools, CSV recipients, and other destinations chosen or authorized by the Customer or linked partner. These recipients receive only the order and routing data needed for the configured handoff.

19. Contact

For privacy, DPA, sub-processor, or data protection questions, contact:

[email protected]

Glare Studios, LLC
131 Continental Dr
Newark, DE, US
+1 302 610 0190

EU data protection representative and privacy contact: Jakov Jandrić, Croatia, reachable at [email protected].