Data Handling & Privacy Policy

Last Updated: March 12, 2026

1. Overview

[Your Organization Name] ("we," "us," or "our") provides automated multi-channel fulfillment services. This policy describes how we collect, process, store, and dispose of information obtained through the Amazon Selling Partner API (SP-API) and other third-party sales channels (e.g., TikTok Shop, Walmart Marketplace, Etsy).

2. Data Collection and Purpose

We collect and process Personally Identifiable Information (PII)—including customer names, shipping addresses, and phone numbers—solely for the purpose of facilitating Multi-Channel Fulfillment (MCF). This data is ingested from external sales channels and transmitted to Amazon FBA to ensure accurate delivery and tracking of consumer orders.

3. Data Retention and Disposal

• PII Retention: We maintain a strict data minimization policy. All Personally Identifiable Information (PII) is automatically deleted from our active databases and logs within 30 days of order shipment.
• Data Disposal: After the 30-day retention period, data is irrecoverably deleted using industry-standard cryptographic erasure or overwriting processes.
• Anonymization: We may retain non-PII data (e.g., SKU volumes, order counts, and timestamps) for long-term business analytics and financial reporting.

4. Data Security and Encryption

• Encryption at Rest: All Amazon Information and PII are encrypted at rest using Advanced Encryption Standard (AES-256).
• Encryption in Transit: All data transmitted between our servers, sales channels, and the Amazon SP-API is encrypted using Transport Layer Security (TLS 1.2 or higher).
• Key Management: Cryptographic keys are managed through a dedicated Key Management Service (KMS) with strict access controls and annual rotation.

5. Access Control

• Principle of Least Privilege: Access to systems handling Amazon Information is restricted to authorized employees on a "need-to-know" basis.
• Authentication: Multi-Factor Authentication (MFA) is mandatory for all internal access to our production environments and databases.
• Audit Logging: We maintain comprehensive audit logs of all access to PII. These logs are reviewed bi-weekly for suspicious activity and retained for at least 12 months.

6. Data Sharing and Third Parties

We do not sell, rent, or trade Amazon Information to third parties. PII is only shared with Amazon for the explicit purpose of order fulfillment. We do not use Amazon Information for marketing or any purpose other than the specific service requested by the user.

7. Vulnerability Management

We perform automated vulnerability scans every 30 days and conduct annual penetration testing. We utilize Static Application Security Testing (SAST) in our development lifecycle to identify and remediate code vulnerabilities before deployment to production.

8. Incident Response

In the event of a suspected or confirmed data breach, we maintain a formal Incident Response Plan. We will notify Amazon and any affected parties within 24 hours of discovering a significant security incident involving Amazon Information.

9. Contact Information

For questions regarding this policy or to exercise your data rights, please contact our Incident Management Point of Contact via our contact form here.