Amazon API data, seller data, and DPP commitments

This Data Policy specifically explains how the Company processes Amazon seller data, advertising data, product data, order and fulfillment data, inventory data, settlement and finance data, API logs, and synchronization status obtained through Amazon Selling Partner API, Amazon Advertising API, Brand Analytics, reporting APIs, and related authorized interfaces. This page is separate from the Privacy Policy, which covers website visitors, business contacts, and internal user personal information.

The Company obtains data only when it owns or is authorized to operate the relevant Amazon account, store, or brand, using Amazon official authorization flows, API credentials, and required permission scopes. We do not scrape Seller Central pages, simulate Seller Central login, request authorization from unrelated third-party sellers, or process seller data unrelated to the Company's own operations.

Data may include seller account and marketplace identifiers, store and brand information, ASINs, SKUs, product titles and categories, inventory and FBA data, order status and fulfillment data, return and after-sales operational information, sales and traffic reports, advertising campaigns, ad groups, keywords, budgets, bids, spend, impressions, clicks, orders, ACOS/ROAS metrics, settlement and fee reports, and API request, error, synchronization, and audit logs.

We use this data only for internal cross-border e-commerce operations, including listing and product optimization, inventory and fulfillment management, advertising delivery and budget control, keyword and campaign analysis, sales trend reporting, financial reconciliation, exception troubleshooting, compliance audit, system maintenance, and API automation for the Company's own Amazon business.

The Company manages API data according to Amazon's Data Protection Policy (DPP), Acceptable Use Policy (AUP), and applicable API terms. We request only the roles and permission scopes needed for the business purpose, restrict internal access by job role, isolate data by store or account where appropriate, and periodically review permissions that are no longer needed.

We do not sell, rent, trade, or publicly disclose Amazon API data. We do not use it for advertising profiles, consumer marketing, credit evaluation, or third-party services unrelated to the Company's Amazon operations. We do not provide data to unauthorized sellers, competitors, or the public, and we do not place API credentials, access tokens, or sensitive reports in public pages, public repositories, or downloadable files.

LWA Client Secrets, Refresh Tokens, Access Tokens, AWS keys, and advertising API credentials are stored only in access-controlled server-side environments. Frontend pages, logs, reports, email attachments, and public repositories must not contain complete credentials. If credentials may be exposed, permissions become abnormal, or personnel leave, the Company will revoke, rotate, or disable credentials as needed.

The Company uses HTTPS/TLS transmission, server access controls, least-privilege permissions, role separation, audit logging, network access restrictions, firewall controls, abuse monitoring, encrypted backups, configuration isolation, and authorized-personnel restrictions. For Amazon buyer personal information or sensitive business data, we apply additional access and export restrictions.

Operational reports, advertising metrics, inventory, product, and settlement data are retained only while needed for business, audit, reconciliation, or legal compliance. If Amazon buyer personal information is processed for order fulfillment, tax, invoice, or legal purposes, it is generally not retained in production systems for more than 30 days after order delivery unless required by law. API logs and security audit logs are retained as needed for compliance and security, normally for at least 90 days.

When the Company stops using an Amazon-authorized account or the relevant business purpose ends, we stop synchronization, revoke or delete tokens, delete or archive data that is no longer needed, and restrict backup access. Seller authorization may be revoked through Amazon authorization management, and internal accounts lose access when disabled by an administrator.

To operate the website, servers, databases, backups, email, and security monitoring, the Company may use service providers bound by confidentiality obligations. Service providers may process data only according to Company instructions and may not use data for their own purposes. Because Amazon systems, cloud services, and Company operations may be located in different regions, data may be transferred to or stored on servers in China or other regions with encrypted transmission and access controls.

If an incident may affect Amazon API data, seller data, or buyer personal information, the Company will investigate promptly, contain risk, preserve logs, remediate the issue, and notify relevant parties according to applicable law, Amazon policy, and contractual obligations. Internal users must immediately report abnormal access, mistaken export, or suspected credential exposure.

Questions about Amazon API data, seller data retention, deletion, authorization revocation, or security incidents should be submitted through the Company contact email. We will verify the requester's identity, account relationship, and request scope before processing.