Privacy and Data Handling Policy Summary

Purpose & Scope

Our organization provides integrated software, fulfillment, and manufacturing support services to our clients who sell on Amazon Marketplace. In providing these services, we act as a data processor on behalf of our clients (the data controllers) and handle Amazon Information, including Personally Identifiable Information (PII), strictly according to our client agreements and this policy summary. This policy applies to Amazon Information accessed via the Selling Partner API (SP-API).

Data Collection

We collect Amazon Information solely through the official Amazon SP-API as authorized by our clients. The data collected is limited to what is necessary to provide our contracted services, including order details, shipment information, buyer communications, inventory levels, performance metrics, and PII (such as buyer name, shipping address, phone number) required for order fulfillment and communication. We do not collect Amazon Information from any other sources.

Data Processing & Use

Amazon Information is processed exclusively to deliver our services to the client whose data it is. This includes:

• Processing orders for fulfillment (both FBA coordination and Direct-to-Consumer shipping).

• Generating shipping labels (using PII).

• Managing inventory and informing manufacturing planning.

• Facilitating buyer communication via our software tools.

• Providing performance analytics and reporting within our platform.

• Enabling listing, pricing, and content management via our software.

PII is processed only for specific, necessary functions (shipping, communication) with access restricted on a strict need-to-know basis within our systems. Automated and manual processes may be used as required for service delivery.

Data Storage & Security

All Amazon Information is stored securely within our controlled AWS environment. Data resides in services like Amazon RDS and S3, located within private VPC subnets. We implement robust technical and organizational security measures, including:

• Encryption at rest (AES-256) for all stored PII and sensitive data.

• Encryption in transit (TLS/SSL) for all data transfers, including API calls.

• Strict network controls (VPCs, Security Groups, NACLs, VPN access).

• Role-Based Access Control (RBAC) based on the principle of least privilege.

• Multi-Factor Authentication (MFA) for system access.

• Regular vulnerability scanning and penetration testing (at least every 60 days).

• Secure software development practices (code scanning, testing environments).

• Comprehensive logging and monitoring (CloudTrail, CloudWatch) for security events.

• A documented Incident Response Plan.

Data Sharing

We do not sell or share Amazon Information with any third parties, except for the necessary sharing of buyer name, address, and phone number with recognized shipping carriers (e.g., USPS, UPS, FedEx) via secure APIs solely for the purpose of generating shipping labels and dispatching orders fulfilled by us. All data handling is performed for the direct benefit of the client (the data controller).

Data Retention & Disposal

Personally Identifiable Information (PII) required for order fulfillment is retained only for the period necessary to complete shipment and related tracking, and is securely deleted or anonymized within 30 days of order shipment, in accordance with our policy and Amazon's requirements. Other non-PII Amazon Information is retained as necessary to provide ongoing services to our clients or as required by our client agreements or applicable laws. Data is disposed of using secure deletion methods.

Data Subject Rights

As a data processor, we direct any requests from end consumers (Amazon buyers) regarding their data rights (access, deletion, etc.) to our client (the Amazon Seller / Data Controller) who is responsible for validating and responding to such requests.

Policy Governance

Our internal formal Data Handling and Privacy Policy provides further detail and governs all data processing activities. This policy is reviewed regularly and provided to all employees and relevant partners, who are bound by confidentiality and data protection obligations.