Amazon Selling Partner Data Protection & Privacy Policy

1. Introduction

2LM Sp. z o.o. ("we," "our," or "us") is committed to protecting the privacy and security of data retrieved through the Amazon Selling Partner API (SP-API). This policy outlines our rigorous standards for collecting, processing, storing, and disposing of Amazon Information in full compliance with Amazon’s Data Protection Policy (DPP) and Acceptable Use Policy (AUP).

2. Data Collection and Usage

We collect Amazon Information (including Personally Identifiable Information - PII) strictly to provide e-commerce management services to our authorized users. This includes:

• Order Fulfillment: Retrieving order details to facilitate merchant-managed shipping (MFN).
• Logistics: Generating shipping labels and providing real-time tracking.
• Inventory & Pricing: Synchronizing stock levels and automating pricing strategies.
• Financial Analytics: Processing sales data for business performance reporting.

3. Data Storage and Infrastructure

Our infrastructure is designed with security as a priority:

• Encryption at Rest: All Amazon Information is stored using industry-standard AES-256 encryption.
• Encryption in Transit: Data is protected using TLS 1.2 or higher during all transmissions.
• Hosting: All data is hosted on secure, audited servers provided by OVHcloud within the European Union.
• Isolation: Database servers are located within a private network (vRack) with no direct public internet access.

4. Data Retention and Disposal

We strictly follow the principle of data minimization:

• PII Retention: Personally Identifiable Information (buyer names, addresses, phone numbers) is retained for a maximum of 30 days after order shipment.
• Automatic Disposal: After the 30-day period, PII is programmatically scrubbed and permanently deleted from our production databases.
• Backups: Encrypted backups are maintained for disaster recovery but follow the same strict retention and disposal schedules.

5. Access Control & Monitoring

• Role-Based Access: Only authorized senior technical staff have access to systems handling Amazon data on a "need-to-know" basis.
• Authentication: We enforce a strict password policy requiring a minimum of 12 characters with mandatory complexity (uppercase, lowercase, numeric, and special characters), password rotation every 90 days, a history of 12 passwords to prevent reuse, and account lockout after 5 consecutive failed attempts. Multi-Factor Authentication (MFA) is mandatory for all accounts.
• Audit Logs: All access to PII is logged. Audit logs are reviewed bi-weekly and retained for 12 months.
• Log Hygiene: Personally Identifiable Information (PII) is never stored in application or security logs. All log entries are programmatically sanitized to mask or exclude buyer names, addresses, and contact details.
• Device Policy: Access to Amazon Information from personal or unauthorized devices is strictly prohibited and technically blocked.

6. Third-Party Sharing

We do not sell or trade Amazon Information. Data is shared only with authorized third-party logistics providers (e.g., DHL, DPD) solely to execute shipping requested by the user. Every external data transfer is logged and secured.

7. Incident Response Plan

In the event of a suspected security breach or unauthorized access to Amazon Information, our Incident Management Point of Contact (IMPOC) will:

• Notify Amazon Security (security@amazon.com) within 24 hours.
• Initiate containment and forensic analysis procedures.
• Notify affected users as required by applicable law and Amazon policies.