Data Protection Policy
Last updated: April 13, 2026
1. Purpose and Scope
This Data Protection Policy ("DPP") describes how ZSell Inc ("ZSell", "we", "our") handles information accessed through Amazon's Selling Partner API ("SP API") and related Amazon services. It supplements our Privacy Policy and applies specifically to data we access, retrieve, store, or process from Amazon's marketplaces.
This DPP exists in addition to, and is designed to comply with, Amazon's Acceptable Use Policy and Data Protection Policy for Selling Partner API developers.
2. Amazon Information We Access
When a seller authorizes one of our products (such as ZSell Vision) to access their Amazon Seller account, we retrieve only the data necessary to provide the features the seller has enabled. Specifically:
- Product catalog information — titles, descriptions, images, dimensions, sales rank, and other publicly available catalog attributes
- Pricing information — current offer data, Buy Box status, and seller-listed prices
- Own-seller listing content — when the seller has authorized it, titles, bullet points, descriptions, and backend search terms for listings in their own account
- Sales and inventory data — only where the seller has explicitly granted access, and only for the seller's own products
We access this data through authorized, documented Amazon APIs using credentials the seller has issued to us. We do not attempt to access data outside the scope of the seller's authorization.
3. Amazon Information We Do Not Access
We do not access, store, or process:
- Personally Identifiable Information (PII) of Amazon buyers — including names, addresses, email addresses, phone numbers, or order details associated with individual buyers
- Financial account information — bank accounts, credit card numbers, or disbursement records
- Other sellers' private listing data — backend search terms, A+ content modules, or any data scoped to a specific seller's own account and not publicly visible on Amazon's product pages
- Amazon employee information
- Any data outside the scopes the seller has granted
4. Data Storage and Retention
4.1 Storage
Amazon Information we access is stored on infrastructure operated by our cloud hosting provider, located in the United States. All stored Amazon Information is encrypted at rest using industry-standard encryption.
4.2 Retention
We retain Amazon Information only as long as necessary to provide the Services:
- Cached product data — retained for up to 7 days, after which it is purged unless refreshed
- Analysis results — retained for the duration of the seller's subscription and for 30 days after termination, to support reactivation
- Audit logs of API access — retained for 90 days for security and compliance purposes
- Aggregated, de-identified analytics — retained without attribution to any specific seller
Upon written request from a seller, we will delete all of their Amazon Information within 30 days, subject to legal retention requirements.
5. Security Controls
We implement the following security controls to protect Amazon Information:
5.1 Encryption
- In transit: All data transmitted between our systems, Amazon's APIs, and our sub-processors is encrypted using TLS 1.2 or higher.
- At rest: All stored Amazon Information is encrypted using AES-256 or equivalent.
5.2 Access Control
- Access to Amazon Information is restricted to personnel with a legitimate business need
- Administrative access to production systems requires multi-factor authentication (MFA)
- Access is logged and periodically reviewed
- We follow the principle of least privilege
5.3 Credential Management
- SP API credentials (client IDs, client secrets, refresh tokens) are stored in encrypted form, never in source control, and never hard-coded into applications
- Credentials are rotated on a regular schedule and upon any suspected compromise
- Access to credential stores is logged and audited
5.4 Network Security
- Systems that handle Amazon Information are protected by firewalls and network segmentation
- Intrusion detection and anti-malware controls are deployed on production systems
- Administrative access is restricted to authorized networks or requires secure remote access
5.5 Secure Development
- Code changes are reviewed before deployment to production
- Dependencies are scanned for known vulnerabilities
- Security patches are applied promptly upon release
6. Sub-Processors
We rely on a small number of third-party service providers to operate our infrastructure. Sub-processors that may come into contact with Amazon Information are:
- Our cloud hosting provider — hosts application servers, databases, and storage containing Amazon Information. Contracts include confidentiality and security obligations.
- Our transactional email provider — receives seller email addresses for account-related communications. Does not receive Amazon catalog, order, or listing data.
- Stripe — processes seller subscription payments. Does not receive Amazon Information.
- JungleScout — commercial third-party data provider whose API we use to retrieve aggregated Amazon marketplace data (public catalog, keyword intelligence, historical trends). We send product queries to JungleScout; we do not send seller-private Amazon Information.
We do not share Amazon Information with sub-processors outside this list without the affected seller's consent, unless required by law.
7. Incident Response
We maintain an incident response plan covering the detection, containment, investigation, and remediation of security incidents involving Amazon Information. Key elements:
- Detection: Security events are monitored through log review and alerting on production systems.
- Triage: Suspected incidents are investigated within 24 hours of detection.
- Amazon Notification: If we discover or suspect that Amazon Information has been exposed, misused, or accessed without authorization, we will notify Amazon at security@amazon.com within 24 hours of detection, in accordance with Amazon's Data Protection Policy.
- Affected Seller Notification: We will notify affected sellers as soon as practicable, and in any case within the timeframes required by applicable law.
- Post-Incident Review: Every significant incident triggers a post-incident review to identify root causes and improve controls.
8. Compliance with Amazon Policies
We operate in compliance with:
We do not use Amazon Information for any purpose other than providing the Services to the seller whose account the Amazon Information was obtained from. We do not sell, rent, or disclose Amazon Information to any third party for advertising, marketing, or any purpose beyond the scope of the authorized Service.
9. Seller Rights Regarding Amazon Information
Sellers have the following rights regarding Amazon Information we hold on their behalf:
- Access — request a copy of the Amazon Information we hold for their account
- Correction — request correction of inaccurate data (though we typically refresh from source)
- Deletion — request deletion of their Amazon Information, subject to legal retention requirements
- Authorization Withdrawal — revoke our access to their Amazon Seller account at any time through Amazon's Seller Central console. Upon withdrawal, we will stop accessing new data and will purge cached data within 30 days.
To exercise any of these rights, contact us at policy@zsell.ai.
10. Changes to This Policy
We may update this Data Protection Policy from time to time to reflect changes in our practices, Amazon's policies, or applicable law. When we make material changes, we will notify affected sellers and post the updated policy on our website. The "Last updated" date at the top indicates the most recent revision.
11. Contact
For questions about this Data Protection Policy, data handling practices, or to report a suspected security incident involving your Amazon Information, contact us at:
ZSell Inc
Attn: Data Protection
Email: policy@zsell.ai
Address: Fulshear, TX, United States