Privacy Policy
Last Updated: May 22nd, 2025
Embedded Files
Privacy and Data Handling Policy
Privacy and Data Handling Policy
This Privacy and Data Handling Policy ("Policy") outlines how Shipbreeze ("we," "us," or "our") collects, processes, stores, uses, shares, and disposes of data, including Personally Identifiable Information (PII), accessed through the Amazon Selling Partner API (SP-API) in connection with the fulfillment services we provide to Amazon sellers ("you" or "Seller").
We are committed to protecting the privacy and security of Amazon data and complying with the Amazon Acceptable Use Policy, Data Protection Policy (DPP), and the Amazon SP-API Developer Agreement. This Policy is publicly accessible to meet Amazon's requirements for SP-API credentials.
Purpose & Scope
Purpose & Scope
This Policy applies specifically to Amazon data obtained through the SP-API. "Amazon Data" includes, but is not limited to:
Personally Identifiable Information (PII): Information that can be used on its own or with other information to identify, contact, or locate an individual. This includes, but is not limited to, customer names, shipping addresses, email addresses, phone numbers, and buyer IDs.
Order Information: Details of customer orders, including products purchased, quantities, pricing, shipping information, and order status.
Shipment Information: Tracking numbers, carrier details, and delivery status.
Seller Information: Information related to your Amazon seller account necessary for providing our fulfillment services.
Data Collection
We collect Amazon Data solely for the purpose of providing fulfillment services as agreed with our Sellers. This data is accessed directly through the Amazon SP-API upon your authorization. We will only request access to the minimum data fields necessary to perform these services.
The types of Amazon Data we collect include:
Information required to identify and process orders (e.g., Order ID, SKU, quantity).
Information required for shipping and delivery (e.g., customer name, shipping address, phone number, email address for shipping notifications).
Information required to update order status and tracking information within the Amazon platform.
Information required for inventory management and reconciliation related to fulfillment.
Data Processing & Use
Data Processing & Use
Amazon Data is processed for the following specific purposes:
Order Fulfillment: Receiving order details, picking, packing, and shipping products to customers.
Shipment Management: Generating shipping labels, coordinating with carriers, and tracking shipments.
Inventory Management: Updating inventory levels based on fulfilled orders.
Customer Service (related to fulfillment): Responding to inquiries about order status, shipping, and delivery, only when initiated by the Seller or as contractually agreed for direct support.
Reporting and Analytics (for the Seller): Providing Sellers with reports on fulfillment performance and order history.
Tax Calculation and Remittance: Using order and PII data as necessary to calculate and remit taxes as required by law.
Compliance with Legal Obligations: Processing data as required by applicable laws and regulations.
All processing activities are conducted within secure environments, and access to Amazon Data is strictly limited to authorized personnel whose job responsibilities require such access.
Data Storage & Security
Data Storage & Security
We implement robust technical, physical, and administrative security measures to protect Amazon Data from unauthorized access, disclosure, alteration, loss, or destruction. These measures include:
Encryption:
Data in Transit: All Amazon Data transmitted to or from the SP-API, or within our internal systems, is encrypted using industry-standard protocols (e.g., HTTPS, TLS 1.2 or higher).
Data at Rest: All PII stored in our systems is encrypted using strong encryption standards (e.g., AES-256 or RSA with 2048-bit key size or higher). Cryptographic keys are securely managed and accessible only to authorized processes and services.
Access Controls:
Access to Amazon Data is restricted based on the principle of least privilege.
Unique user credentials and multi-factor authentication (MFA) are required for access to systems handling Amazon Data.
Access privileges are regularly reviewed (at least quarterly) and revoked immediately upon termination of employment or change in job role necessitating removal of access.
Network Security:
Network firewalls and intrusion detection/prevention systems are implemented to protect our systems.
Network segmentation is used to isolate sensitive systems.
Asset Management: An inventory of all physical and software assets with access to Amazon Data is maintained and regularly updated.
Vulnerability Management:
Regular vulnerability scanning (at least every 180 days) and penetration testing (at least annually) are conducted.
Code is scanned for vulnerabilities prior to each release.
Physical Security: Secure facilities are used for storing any hardware that processes or stores Amazon Data, with appropriate access controls.
Incident Response Plan: We maintain a documented incident response plan to address any potential security incidents, including data breaches. This plan includes procedures for detection, containment, eradication, recovery, and post-incident analysis. In the event of a data breach involving Amazon Data, we will notify Amazon and affected Sellers in accordance with Amazon's requirements and applicable legal obligations.
Data Usage
Data Usage
Amazon Data, particularly PII, is used strictly for the purposes outlined in Section 3 (Data Processing). We will not:
Use Amazon Data for any purpose other than fulfilling orders and providing related services as authorized by the Seller and Amazon.
Use Amazon Data for marketing or advertising purposes, either for our own services or for third parties, without explicit consent where legally permissible (and noting Amazon’s strict PII usage policies).
Enrich, combine, or correlate Amazon Data with any other data sources for purposes beyond what is necessary for fulfillment and as permitted by Amazon.
Sell Amazon Data.
Data Sharing
Data Sharing
We will not share Amazon Data, especially PII, with third parties except in the following limited circumstances:
Shipping Carriers: Sharing necessary PII (e.g., name, address, phone number, email) and order details with shipping carriers (e.g., UPS, FedEx, USPS) for the sole purpose of delivering orders. These carriers are responsible for their own data protection practices.
As Required by Law: If required to disclose Amazon Data by law, court order, or other legal process, we will notify Amazon and the Seller, unless prohibited by law.
With Explicit Seller Consent (and Amazon's Permission): For any other sharing, only with the explicit written consent of the Seller and in full compliance with Amazon's Data Protection Policy and other applicable agreements.
Service Providers: We may use third-party service providers (e.g., for data hosting or security services) who may have access to Amazon Data. Such providers are contractually bound to protect the data with security measures at least as stringent as those outlined in this Policy and to use the data only for the services they are contracted to provide. We remain responsible for the handling of Amazon Data by these service providers.
We will never share Amazon SP-API credentials or access keys.
Data Retention and Disposal
Data Retention and Disposal
PII Retention: In accordance with Amazon's Data Protection Policy, PII (such as customer name, address, email, phone number) will be retained for no longer than 30 days after order delivery confirmation. This retention is solely for the purpose of fulfilling orders, calculating and remitting taxes, producing tax invoices, and meeting legal or regulatory requirements directly related to the order.
Exceptions to PII Retention: PII may be retained beyond 30 days only if explicitly required by law (e.g., for tax or regulatory audit purposes). In such cases, the PII will be securely archived (e.g., cold storage, encrypted backups) and not actively used for any other purpose. Access to this archived PII will be strictly controlled and logged.
Non-PII Data Retention: Non-PII Amazon Data may be retained as necessary for Seller reporting, analytics, and our operational purposes, in compliance with Amazon's policies.
Data Disposal: When Amazon Data is no longer needed for the purposes for which it was collected and is outside the defined retention period, it will be securely and permanently deleted or anonymized in accordance with industry-standard sanitization processes (e.g., NIST 800-88). This applies to live data and any backups.
Seller Request for Deletion: We will promptly delete Amazon Data upon request from the Seller, subject to our legal and contractual obligations and Amazon's policies. Please email admin@shipbreeze.com to request data deletion.
Amazon Request for Deletion/Return: We will permanently and securely delete or return Amazon Data within 72 hours of Amazon's request, in accordance with Amazon's notice requiring deletion and/or return. All live (online or network accessible) instances of Amazon Data will be permanently and securely deleted within 90 days after Amazon's notice. If requested by Amazon, we will certify in writing that all Amazon Data has been securely destroyed.
Data Subject Rights (for Amazon Customers)
Data Subject Rights (for Amazon Customers)
While Shipbreeze primarily processes data on behalf of Sellers, we acknowledge that Amazon customers have rights regarding their PII. Any requests from Amazon customers regarding their data (e.g., access, correction, deletion) received by Shipbreeze will be directed to the Seller or Amazon, as appropriate, as Amazon and the Seller are the data controllers. We will assist Sellers in responding to such requests as necessary and in accordance with our contractual agreements and Amazon's policies.
Vulnerability Management
Vulnerability Management
We maintain a structured vulnerability management lifecycle:
Vulnerability scans: Monthly
Penetration testing: Quarterly
Remediation timelines:
Critical/High: Within 7 days
Medium: Within 30 days
Low: Within 90 days or next review cycle
All findings are logged, tracked, and validated by the security team.
Data Sharing
Data Sharing
We do not share or sell Amazon Information with third parties, except as required for service delivery. The only data shared externally is:
Buyer name, shipping address, and phone number
Shared only with shipping carriers (e.g., USPS, FedEx, UPS) via secure APIs
Used solely to generate shipping labels and ensure order fulfillment
Data Retention & Disposal
Data Retention & Disposal
PII: Retained only as long as necessary for order fulfillment and tracking (max 30 days post-shipment)
Non-PII: Retained per contract or legal requirements
Disposal: Follows NIST 800-88 standards (secure wipe or cryptographic erasure)
Policy Updates
Policy Updates
This Policy may be updated from time to time to reflect changes in our practices, service offerings, or Amazon's requirements. We will post the updated Policy on our public website and indicate the "Last Updated" date. Your continued use of our services after any such changes constitutes your acceptance of the new Policy.
10. Roles and Responsibilities
10. Roles and Responsibilities
All Shipbreeze employees and contractors with access to Amazon Data are required to comply with this Policy and undergo regular data protection and security training.
11. Contact Information
11. Contact Information
If you have any questions or concerns about this Privacy and Data Handling Policy or our practices concerning Amazon Data, please contact our Data Protection Officer or designated privacy contact at:
255 Middlesex Ave, Iselin, NJ 08830
(848) 219-9919
Page updated
Report abuse