Amazon Selling Partner Data Handling Policy
Effective date: November 04, 2025
Scope. This policy describes how Shippinglot (“we”, “us” or “our”) collects, uses, stores, shares and disposes of Amazon Information obtained via the Amazon Selling Partner API (SP‑API). It complements our general Website Privacy Policy and is intended to meet Amazon’s Acceptable Use Policy and Data Protection Policy requirements.
1. Definitions
- Amazon Information: any data we obtain via SP‑API for an authorized Selling Partner account.
- PII: Personally Identifiable Information about Amazon buyers (e.g., name, shipping address, phone, email).
- RDT: Restricted Data Token required by Amazon to access restricted/PII endpoints.
- SP‑API: Amazon Selling Partner API and related services.
2. Role & Legal Basis
For SP‑API processing we act as a processor on behalf of the Selling Partner (controller). Our lawful bases generally include performance of a contract and legitimate interests (fulfillment, fraud/security). Where applicable, we also comply with local laws (e.g., GDPR) and execute data protection terms upon request.
3. Categories of Amazon Information We Process
- Order PII (buyer name, shipping address, phone/email) solely for MFN shipping and customer service.
- Non‑PII (order IDs, line items, SKUs, quantities, fulfillment status, inventory, pricing, catalog metadata).
4. Purpose Limitation & Least‑Privilege
We process Amazon Information only to provide WMS functionality: order/inventory synchronization, catalog/pricing updates, FBA visibility, and Buy Shipping label generation for MFN orders. Access is strictly least‑privilege and limited to explicitly authorized accounts.
5. Collection & Access via RDT
Where PII is required, we obtain it only by using the Restricted Data Token (RDT) and only for the relevant order(s). We do not attempt to access restricted data without RDT, and we never extend RDT scope beyond the minimum needed.
6. Retention & Deletion
- PII retention: deleted or anonymized within 30 days after order shipment. If a longer period is legally required (e.g., tax), data is kept only for that purpose in offline/cold, encrypted storage, then disposed.
- Backups: PII in backups is lifecycle‑managed to the same maximum window.
- Non‑PII: retained per operational and legal needs (e.g., logs ≥ 12 months), absent any conflicting Amazon rule.
7. Storage & Encryption
Amazon Information is stored in encrypted databases and object storage using AES‑256 with KMS‑managed keys, with regular key rotation. Data in transit uses TLS 1.2+.
8. Access Controls
- Enterprise SSO + MFA with unique identities.
- RBAC and need‑to‑know limits; periodic access reviews; immediate revocation on role change.
- Administrative access requires change tickets and peer review.
9. Logging, Monitoring & Security
- Centralized SIEM for application/IAM/network logs; anomaly alerts.
- WAF, rate limiting, IDS/IPS; EDR on hosts; hardened VPC with private subnets.
- Secrets in a dedicated manager; no secrets in code or CI logs; automated rotation for sensitive keys.
10. Sub‑processors
| Provider | Purpose | Data Categories |
|---|
| AWS | Hosting, encrypted storage, KMS | PII and non‑PII (encrypted at rest) |
| Cloudflare (or similar) | WAF/CDN, DDoS mitigation | Transit metadata; no PII storage |
| Sentry / Datadog (or similar) | Application monitoring | PII masked by design; logs/metrics |
11. International Transfers
Where data crosses borders, we implement appropriate safeguards (e.g., SCCs) and minimize PII residency outside required regions.
12. Testing & Non‑Production
We do not use real PII in test environments. We use synthetic/masked data; non‑prod is logically isolated from production and never shares prod keys or databases.
13. Incident Response & Notifications
Our IR plan covers detection, containment, forensics, eradication, recovery and notification. If an incident involves Amazon Information, we notify Amazon at security@amazon.com in accordance with Amazon’s policies.
14. Data Subject Rights & Contact
Requests to access, correct, delete or restrict processing of Amazon Information should be directed to the Selling Partner (controller). We assist the controller as required. For questions, contact: contact@shippinglot.com.
15. Changes to this Policy
We may update this policy to reflect process or regulatory changes. The “Effective date” at the top indicates the latest version.
© 2025 Shippinglot. All rights reserved.