Apex Seller Suite - Privacy and Data Handling Policy

1. Overview and Scope

This Privacy and Data Handling Policy governs how Apex Seller Suite ("we," "us," or "our") collects, processes, stores, uses, shares, and disposes of data obtained from Amazon's Selling Partner API, including Restricted Data Tokens (RDT) and Personally Identifiable Information (PII). This policy applies to all Amazon seller data processed through our platform.

Effective Date: 01/01/2025
Last Updated: 06/01/2025

2. Data Collection

2.1 Types of Data Collected

Amazon Selling Partner API Data:

  • Order information (order IDs, dates, status, amounts)

  • Product data (SKUs, ASINs, titles, categories)

  • Inventory levels and management data

  • Financial transaction records

  • Performance metrics and analytics data

Restricted Data Token (RDT) Protected Information:

  • Customer names and addresses

  • Phone numbers and email addresses

  • Shipping addresses and delivery information

  • Payment information (when available through API)

Account and Authentication Data:

  • Seller account identifiers

  • API credentials and authorization tokens

  • Platform usage analytics

  • System logs and access records

2.2 Data Collection Methods

  • Direct API Integration: Data is collected through authenticated connections to Amazon's Selling Partner API

  • Real-time Synchronization: Automated data retrieval processes run at scheduled intervals

  • Manual Uploads: Users may upload supplementary data files when necessary

  • System Monitoring: Operational data is collected for platform performance and security

3. Data Processing

3.1 Processing Purposes

We process Amazon data for the following legitimate business purposes:

  • Analytics and Reporting: Generate sales performance, inventory, and financial analytics

  • Business Intelligence: Provide insights for data-driven decision making

  • Inventory Management: Track stock levels and optimize inventory strategies

  • Financial Tracking: Monitor revenue, costs, and profitability metrics

  • Custom Reporting: Create tailored reports based on seller requirements

  • Platform Operation: Maintain system functionality and user experience

3.2 Processing Principles

  • Data Minimization: We collect only data necessary for specified purposes

  • Purpose Limitation: Data is used solely for the purposes outlined in this policy

  • Accuracy: We maintain data accuracy through regular synchronization with Amazon APIs

  • Retention Limitation: Data is retained only as long as necessary for business purposes

4. Data Storage and Security

4.1 Storage Architecture

Multi-Tenant Database Structure:

  • Each seller's data is isolated in dedicated database schemas

  • Complete logical separation prevents cross-tenant data access

  • PostgreSQL database with enterprise-grade security configurations

Cloud Infrastructure:

  • Data stored in SOC 2 Type II compliant cloud facilities

  • Redundant storage across multiple availability zones

  • Regular automated backups with point-in-time recovery

4.2 Security Measures

Access Controls:

  • Role-based access control (RBAC) for all system users

  • Multi-factor authentication for administrative access

  • Principle of least privilege for data access

  • Regular access reviews and deprovisioning

Data Protection:

  • AES-256 encryption for data at rest

  • TLS 1.3 encryption for data in transit

  • Encrypted database connections and API communications

  • Regular security assessments and penetration testing

Monitoring and Auditing:

  • Comprehensive audit logging of all data access

  • Real-time security monitoring and alerting

  • Automated threat detection and response

  • Regular security incident response testing

5. Data Usage

5.1 Permitted Uses

Primary Business Functions:

  • Generate analytics dashboards and reports

  • Provide business intelligence insights

  • Facilitate inventory management and optimization

  • Support financial tracking and reporting

  • Enable custom data analysis and reporting

Platform Operations:

  • System maintenance and performance optimization

  • User support and troubleshooting

  • Platform development and feature enhancement

  • Compliance monitoring and reporting

5.2 Restricted Uses

We will NOT use Amazon data for:

  • Marketing or advertising purposes unrelated to the seller's business

  • Competing with Amazon sellers or Amazon's business

  • Training machine learning models for external purposes

  • Sharing with third parties without explicit consent

  • Any purpose not directly related to the seller's business operations

6. Data Sharing and Disclosure

6.1 Third Party Sharing

No Unauthorized Sharing: We do not sell, rent, or share Amazon data with third parties for their commercial purposes.

Limited Sharing Scenarios:

  • Service Providers: Authorized subprocessors who assist in platform operations under strict contractual obligations

  • Legal Compliance: When required by law, regulation, or valid legal process

  • Security Incidents: To protect against fraud, security breaches, or other harmful activities

  • Business Transfers: In the event of merger, acquisition, or sale of business assets

6.2 Seller Control

  • Data Ownership: Sellers retain ownership of their Amazon data

  • Access Rights: Sellers can access, export, or delete their data at any time

  • Consent Management: Sellers can modify data sharing preferences through account settings

  • Transparency: Regular reporting on data sharing activities and third-party access

7. Data Retention and Disposal

7.1 Retention Periods

Active Account Data:

  • Retained for the duration of active service subscription

  • Continuous updates maintain data currency and accuracy

  • Historical data retained for trend analysis and reporting

Inactive Account Data:

  • Retained for 90 days after account termination

  • Grace period allows for account reactivation and data recovery

  • Automated deletion processes after retention period

Backup Data:

  • Retained in encrypted backups for 1 year for disaster recovery

  • Regular backup rotation and secure disposal procedures

  • No active processing of backup data except for recovery purposes

7.2 Secure Disposal

Data Deletion Procedures:

  • Cryptographic erasure of encryption keys

  • Multi-pass data overwriting for physical storage

  • Secure destruction of backup media

  • Certificate of destruction for compliance verification

Disposal Verification:

  • Automated verification of data deletion completion

  • Audit trails for all disposal activities

  • Regular compliance audits of disposal procedures

  • Documentation of disposal activities for regulatory compliance

8. Data Subject Rights

8.1 Seller Rights

  • Access Rights: Request access to all data processed about their Amazon business

  • Correction Rights: Request correction of inaccurate or incomplete data

  • Deletion Rights: Request deletion of data (subject to legal retention requirements)

  • Portability Rights: Request data export in machine-readable format

  • Restriction Rights: Request limitation of data processing activities

8.2 End Customer Rights

For customer data obtained through RDT:

  • We act as a data processor on behalf of Amazon sellers

  • Customer rights requests should be directed to the respective Amazon seller

  • We provide tools for sellers to manage customer data appropriately

  • We support sellers in responding to customer rights requests

9. Compliance and Governance

9.1 Regulatory Compliance

Amazon Selling Partner API Requirements:

  • Full compliance with Amazon's API Terms of Service

  • Proper use of Restricted Data Tokens

  • Regular compliance audits and certifications

  • Prompt reporting of any compliance issues

Data Protection Regulations:

  • GDPR compliance for European data subjects

  • CCPA compliance for California residents

  • SOC 2 Type II compliance for security controls

  • Regular legal and regulatory updates monitoring

9.2 Governance Framework

  • Data Protection Officer: Designated DPO responsible for privacy compliance

  • Privacy by Design: Privacy considerations integrated into system design

  • Regular Training: Ongoing privacy and security training for all personnel

  • Incident Response: Established procedures for data breach notification and response

10. Data Breach Response

10.1 Incident Detection and Response

  • Monitoring: Continuous monitoring for security incidents and data breaches

  • Response Team: Dedicated incident response team with defined roles and responsibilities

  • Containment: Immediate containment procedures to limit breach impact

  • Assessment: Rapid assessment of breach scope and affected data

10.2 Notification Procedures

  • Timeline: Breach notification within 72 hours of discovery (where required)

  • Affected Parties: Notification to affected sellers, customers, and relevant authorities

  • Documentation: Comprehensive documentation of incident details and response actions

  • Follow-up: Post-incident review and implementation of preventive measures

11. International Data Transfers

11.1 Cross-Border Data Processing

  • Adequate Safeguards: Implementation of appropriate safeguards for international transfers

  • Standard Contractual Clauses: Use of approved data transfer mechanisms

  • Data Localization: Compliance with local data residency requirements

  • Transfer Impact Assessments: Regular assessment of transfer risks and safeguards

12. Updates and Changes

12.1 Policy Updates

  • Change Notification: Advance notice of material policy changes

  • Version Control: Maintenance of policy version history

  • Effective Dates: Clear communication of when changes take effect

  • Consent: Obtaining renewed consent where required by law

12.2 Continuous Improvement

  • Regular Reviews: Periodic review and update of privacy practices

  • Industry Standards: Adoption of emerging privacy and security best practices

  • Stakeholder Feedback: Incorporation of feedback from sellers and customers

  • Regulatory Updates: Prompt adaptation to new regulatory requirements

13. Contact Information

13.1 Privacy Inquiries

Data Protection Officer: [DPO Email Address]
Privacy Team: [Privacy Team Email]
Phone: [Phone Number]
Address: [Physical Address]

13.2 Breach Reporting

Security Incidents: [Security Email Address]
Emergency Contact: [24/7 Emergency Number]
Regulatory Reporting: [Compliance Email Address]

14. Definitions

Amazon Data: Any data obtained through Amazon's Selling Partner API
Restricted Data Token (RDT): Amazon's mechanism for accessing PII data
PII: Personally Identifiable Information of Amazon customers
Data Controller: The Amazon seller who determines data processing purposes
Data Processor: Apex Seller Suite processing data on behalf of sellers
Multi-Tenant Architecture: System design ensuring data isolation between tenants

This policy is subject to regular review and updates. Sellers will be notified of any material changes in accordance with applicable law and contractual obligations.