Effective July 11, 2026
Amazon Data Protection Policy
This policy describes the technical and organizational controls SellerGuy applies to Amazon Information accessed through the Selling Partner API and Amazon Advertising API, mapped to the Amazon Selling Partner API Data Protection Policy.
1. Scope And Definitions
"Amazon Information" means any data SellerGuy receives from Amazon through the Selling Partner API (SP-API) or the Amazon Advertising API, including listings, inventory, pricing, orders metadata, advertising campaigns, reports, and operational metrics tied to a seller's authorized selling account.
"Personally Identifiable Information" (PII) means buyer-level identifiers including buyer name, shipping address, phone number, and email. SellerGuy does not request, retrieve, store, or process buyer PII. The SP-API roles SellerGuy operates under do not include access to PII-bearing endpoints such as getOrderAddress, getOrderBuyerInfo, or shipment-level recipient data, and the application is not granted the Restricted Data Token (RDT) flow.
2. Permitted Use Of Amazon Information
SellerGuy uses Amazon Information solely to operate the SellerGuy service for the seller who authorized access. Specifically: to surface insights about the seller's own catalog and advertising, to draft listing and advertising changes that the seller reviews and approves, and to maintain workspace evidence for the seller's audit and replay.
SellerGuy does not sell, license, or share Amazon Information with third parties for their independent use, does not use it to construct cross-seller benchmarks or aggregated marketplace datasets, does not use it to target advertising, and does not contribute it to training datasets for any AI model.
3. Data Minimization
SellerGuy limits connected and scheduled reads to the resources required for the seller's enabled product, listing, inventory, order, report, and advertising workflows. Provider calls are bound to an explicit seller grant, marketplace, or advertising profile. Workspace evidence is scoped per seller and is never cross-referenced against another seller's data.
4. Encryption
In transit: all traffic between SellerGuy, Amazon, sub-processors, and the seller's browser is encrypted with TLS 1.2 or higher. HTTPS is enforced application-wide with HSTS.
At rest: Cloudflare and Supabase provide encryption at rest for their managed storage. Direct OAuth refresh tokens receive an additional AES-256-GCM application-encryption layer whose key is held in Cloudflare Workers Secrets, separate from the database. Deployed-agent workspace data is isolated in a dedicated per-seller host volume with operating-system access controls and is never mounted into another seller's runtime.
5. Key Management
OAuth refresh tokens for the Selling Partner API and Amazon Advertising API are encrypted at the application layer before being written to the database; the encryption key is provisioned through Cloudflare Workers Secrets, is rotated annually or on suspicion of compromise, and is never co-located with the encrypted ciphertext. LWA client secrets are held only in Cloudflare Workers Secrets and are never written to the database, logs, or workspace files.
6. Access Control
Production systems holding Amazon Information are accessible only to named individuals on the SellerGuy operator team. All human access requires multi-factor authentication. Access to the Supabase production project, the Cloudflare account, and the Amazon Developer Console is gated behind hardware-key MFA where supported and TOTP MFA otherwise. The service uses least-privilege service-role credentials scoped per worker.
Within the application, seller data is isolated by authenticated user id and per-seller workspace prefix. The AI model never receives raw refresh tokens; tool calls execute server-side against the seller's own grant.
7. Network Protection
Application traffic is fronted by Cloudflare with edge security and rate limiting. Backend control-plane tables are service-role-only and seller browser access is authenticated. Deployed-agent dashboards and API canaries bind to private or loopback access; the separate workspace execution container has no profile secrets and blocks executor-originated network connections. There is no public administrative interface exposed without authentication.
8. Logging And Monitoring
Application diagnostics are captured through Cloudflare logs and analytics, bounded workspace run manifests, and Langfuse tracing for managed deployed-agent installations. OAuth tokens and authorization headers are excluded from model-visible state and structured application logs. Retention follows the relevant service plan and configured project policy; security-relevant failures and unusual mutation activity are reviewed.
9. Vulnerability Management
Application and infrastructure dependencies are tracked through automated dependency scanning (Dependabot equivalent). Critical and high-severity vulnerabilities are patched within 7 calendar days of disclosure; medium-severity within 30 days. The application is rebuilt and redeployed on every dependency update.
10. Incident Response
SellerGuy maintains a written incident response plan with defined roles, escalation paths, and a six-month review cadence. If SellerGuy becomes aware of a security incident involving Amazon Information, the operator team begins triage immediately and reports the incident to Amazon at security@amazon.com within 24 hours of detection, with affected sellers notified in parallel. The notification includes the nature of the incident, scope of affected data, remediation steps, and a contact for follow-up.
11. Risk Assessment And Training
SellerGuy is operated as a sole proprietorship. The founder completes an annual self-assessment against the OWASP Top 10, the Amazon SP-API Data Protection Policy, and the Amazon SP-API security guidance, and reviews this policy and the underlying controls on the same cadence or whenever the architecture changes materially.
12. Sub-Processors
SellerGuy uses the following sub-processors to process Amazon Information:
- Cloudflare (United States, global edge) — application hosting, Workers compute, R2 object storage, edge security, and Workers Secrets for application-layer encryption keys.
- Supabase (Ireland,
eu-west-1) — authentication, account and billing records, runtime entitlements, and encrypted direct-OAuth refresh tokens. - Hetzner (Finland for the current managed installations) — dedicated per-seller deployed-agent compute and workspace volumes.
- Amazon Web Services Bedrock / Anthropic Claude — primary deployed-agent text and vision inference. Selected conversation and workspace evidence is sent through the configured European Bedrock inference profile.
- OpenRouter and the selected fallback model provider — fallback text and vision inference if the primary Bedrock request is unavailable.
- Langfuse EU Cloud (Ireland,
eu-west-1) — bounded prompt, response, tool, session, and usage tracing for reliability and debugging. - FAL — image-generation prompts, reference images, and generated image delivery for the deployed agent.
- Slack — customer messaging and file transport when the seller uses a private Slack app connected to their deployed agent.
- Google AI (United States) — Gemini image generation for listing image candidates. Google's Generative AI API terms for paid usage prohibit training on customer data.
- Stripe (United States) — payment processing. Stripe does not receive Amazon Information.
- Pipedream (United States) — managed OAuth and credential proxy for Gmail and configured Amazon Selling Partner connections. Pipedream handles Amazon Information only when the seller selected a Pipedream-backed Amazon Seller connection; Amazon Advertising uses SellerGuy's direct connection.
- SerpAPI — public marketplace search and product-page evidence; it does not receive private Amazon account credentials.
SellerGuy selects providers with documented security and data-protection controls and configures them for the narrow service purpose described above. The current list is maintained on this page; material architecture changes are reflected here.
13. Geographic Data Residency
SellerGuy's Supabase project and Langfuse project are hosted in Ireland (eu-west-1), and the current managed deployed-agent installations are hosted in Finland. The primary model uses a European Amazon Bedrock inference profile. Cloudflare compute runs at the edge and R2 uses Cloudflare's configured placement; fallback inference and other listed providers may process data in additional regions under their service terms.
SellerGuy therefore does not promise that every transient processing operation remains in one country. Seller-scoped storage location and cross-border processing are disclosed here and may change as the managed fleet expands.
14. Retention And Deletion
SellerGuy retains Amazon Information only as long as required to operate the service for the authorizing seller. When a seller revokes the SP-API or Amazon Advertising authorization, when the seller requests deletion, or when the SellerGuy account is closed, SellerGuy deletes the seller's Amazon Information from primary storage within 30 days of the request, and from backup storage on the backup rotation schedule (no longer than 90 days).
Operational logs and billing records may be retained beyond 30 days as required by law and for security, debugging, accounting, and abuse prevention, with Amazon Information redacted where present.
15. Production / Development Separation
Production and development environments are isolated: separate Cloudflare Workers environments, separate Supabase projects, separate LWA Security Profiles, and separate secret stores. Real seller data is never copied into a development environment.
16. Data Subject And Seller Requests
Sellers may at any time disconnect their Amazon authorization from inside the SellerGuy app, which revokes the refresh token and triggers deletion of the associated Amazon Information per Section 14. Sellers may also email a deletion or access request to szymon@sellerguy.ai; requests are acknowledged within 7 days and actioned within 30 days.
17. Contact
Security and data-protection inquiries: szymon@sellerguy.ai. Postal address: SellerGuy (Szymon Zmyślony), ul. Opalenicka 69, 60-362 Poznań, Poland.
This policy supplements, and does not replace, the SellerGuy Privacy Policy and Terms of Service.