Privacy and Data Handling Policy

This Privacy and Data Handling Policy describes how our organization collects, processes, stores, uses, shares, and disposes of Amazon customer data accessed through the Amazon Selling Partner API. Our practices are designed to meet the requirements set forth in Amazon’s Data Protection Policy.


1. Data Collection

We collect only the minimum data required from the Amazon Selling Partner API to fulfill customer orders and meet applicable tax or legal obligations. This includes:

  • Customer name

  • Shipping address

  • Phone number

  • Email address

  • Order details (e.g., ASIN, quantity, price)

All data is collected over secure, encrypted API calls using TLS 1.2 or higher.


2. Data Processing

All processing of Amazon customer data is performed in secure environments that meet Amazon’s security standards:

  • Processing occurs in isolated and access-controlled cloud environments (Microsoft Azure).

  • Only approved, trained personnel are granted access, and only on a need-to-know basis.

  • Data is never used for analytics, profiling, or any non-fulfillment purposes.


3. Data Storage

  • Amazon data is stored securely in cloud infrastructure using encryption at rest (AES-256).

  • Access is restricted via role-based access control (RBAC) and audited regularly.

  • No Amazon data is stored on personal devices, removable media, or unsecured environments.


4. Data Usage

Amazon customer data is used strictly for the following purposes:

  • Order fulfillment (shipping and tracking)

  • Customer communication related to orders

  • Generating tax invoices or documents when required

  • Complying with legal or regulatory obligations

We do not use Amazon data for marketing, data mining, or analytics, and we never sell or monetize customer data.


5. Data Sharing

We only share Amazon data with authorized third parties when required to complete order fulfillment, such as:

  • Shipping carriers (e.g., USPS, FedEx, UPS)

  • Tax authorities (if legally mandated)

All third-party services are subject to confidentiality agreements and must comply with industry-standard data protection policies.


6. Data Retention and Disposal

  • Amazon customer data is retained for no longer than 7 days after order delivery.

  • After this period, all data is securely deleted following NIST 800-88 data sanitization guidelines.

  • Logs are retained for monitoring and audit purposes but do not contain PII.

  • If Amazon issues a deletion request, we will securely remove the data within 30 days and confirm the deletion in writing.


7. Data Security

  • All data in transit is encrypted using TLS 1.2+.

  • All data at rest is encrypted using AES-256 or RSA 2048+.

  • We use Microsoft Sentinel for threat detection, logging, and automated incident response.

  • Logs are reviewed bi-weekly, with alerts configured for anomalous behavior.

  • Access to systems is protected using Multi-Factor Authentication (MFA).


8. Privacy Rights

While Amazon owns the customer relationship, we honor any data subject access requests received from Amazon or required by applicable law, including requests to:

  • Access customer data

  • Correct errors

  • Delete data

  • Restrict processing


9. Incident Response

In the event of a security incident involving Amazon data:

  • We will notify Amazon within 24 hours of discovery.

  • We will follow our internal Incident Response Plan, including investigation, mitigation, and documentation of actions taken.

  • We will provide Amazon with an incident report and evidence of remediation steps.