Effective July 11, 2026

Privacy Policy

This policy explains how SellerGuy handles seller workspace, connected-app, billing, and usage data, including data accessed from Amazon Selling Partner and Amazon Advertising accounts.

Data We Process

SellerGuy processes account identity, session state, subscription status, uploaded files, workspace files, chat messages, tool calls, schedule records, connection metadata, and usage telemetry needed to operate the service.

When you connect apps, you authorize SellerGuy through the provider-specific OAuth flow. Amazon Selling Partner API access may use either SellerGuy's direct Login with Amazon connection or a Pipedream-managed connection and credential proxy. Amazon Advertising uses SellerGuy's direct Login with Amazon connection. Gmail uses Pipedream-managed OAuth and its credential proxy; Gmail messages and metadata are not Amazon Information.

SellerGuy stores only non-secret connection projections in the seller workspace. Refresh tokens for SellerGuy-managed direct Amazon connections are encrypted at the application layer with AES-256-GCM in the backend database; credentials for Pipedream-managed connections remain with Pipedream. Provider tokens are never written to the seller workspace or exposed to the AI model.

Connected apps may include Amazon Seller, Amazon Ads, and Gmail.

Amazon Information

When you connect an Amazon Selling Partner or Amazon Advertising account, SellerGuy accesses your Amazon data — listings, orders, reports, pricing, advertising metrics, and related records — only to operate the features you request. Reads run on demand, including read-safe report creation when the provider marks it non-mutating. Seller mutations such as listing changes, advertising changes, and customer solicitations require your explicit one-time approval in your authorized private Slack conversation.

We do not sell Amazon Information, share it for advertising, use it to build cross-seller profiles, or use it for any purpose other than operating SellerGuy for you. Amazon Information is retained only as long as needed for the requested workflow and is deleted on request or account closure.

AI Processing And Sub-processors

SellerGuy uses service providers to operate the product: Cloudflare (application hosting, object storage, edge security, and operator test infrastructure), Supabase (authentication, account, billing, usage, and encrypted direct-OAuth records), Hetzner (isolated per-seller deployed-agent gateway, workspace storage, and zero-secret code execution), Amazon Web Services Bedrock with Anthropic Claude (primary deployed-agent inference), OpenRouter and its selected model provider (fallback inference), Langfuse EU Cloud (prompt, tool, session, and usage tracing), FAL (image generation), Slack (customer messaging, approvals, and file transport), Pipedream (managed OAuth and credential proxy for Gmail and configured Amazon Seller connections), Stripe (payments), Google AI (image generation for operator testing), and SerpAPI (public marketplace lookups).

Only content needed for the feature you request is sent to the relevant provider. For example, a model receives the conversation and selected workspace evidence; Langfuse receives bounded observability traces; and Slack receives the messages and files exchanged through the Slack surface. SellerGuy does not use customer content to train its own models. Each external provider processes data under its own service terms and SellerGuy configuration.

Retention And Deletion

Referenced uploads, promoted reports, product and campaign work, memories, schedules, and other durable seller files remain until deleted, a verified deletion request is completed, or the account is closed. In the managed deployed-agent workspace, unreferenced uploads and terminal unpromoted run evidence are eligible for deletion after 30 days, disposable scratch files after 7 days, and only the five newest managed release backups are retained.

Operational logs, billing records, and provider-side telemetry may be retained as required for security, debugging, accounting, and abuse prevention. Langfuse traces follow the configured project retention; where the plan does not offer an automatic retention setting, traces remain until they are deleted.

To delete your data, disconnect connected apps in the control center, ask through your authorized private Slack conversation, or email us for full account and data deletion. We action verified deletion requests within 30 days.

Security

Data is encrypted in transit with TLS. Cloudflare and Supabase provide encryption at rest for their managed storage. Seller data is isolated by authenticated user id and workspace prefix in the browser agent and by a dedicated per-seller container and workspace in the deployed-agent runtime. The deployed agent's terminal runs in a separate zero-secret execution container that can read seller workspace evidence but cannot read profile credentials or initiate network connections.

Direct provider OAuth refresh tokens are encrypted at the application layer with AES-256-GCM before persistence, with the encryption key held separately in Cloudflare Workers Secrets. Provider credentials stay in the TypeScript capability plane; the model, workspace, and zero-secret code-execution container do not receive them.

For the Amazon-specific control set mapped to Amazon's Selling Partner API Data Protection Policy, see the Amazon Data Protection Policy.

Contact

Privacy questions, data access, and deletion requests: szymon@sellerguy.ai.