Amazon SP-API Data Protection Policy

This policy describes how ABIS Consulting Limited (registered in England and Wales, company number 11912324, registered office 20-22 Wenlock Road, London, N1 7GU), trading as CholaVerse ("CholaVerse", "we", "us", "our"), handles data accessed through the Amazon Selling Partner API ("Amazon Information"). It supplements, and does not replace, our general Privacy Policy and GDPR & Data Protection pages.

This policy applies to all Amazon Information accessed by the CholaVerse application registered with Amazon Developer Central (Application ID: amzn1.sp.solution.eedbc27a-d810-4ae6-84be-823dab8515ab).

1. Scope: What we mean by "Amazon Information"

"Amazon Information" means any data we receive from Amazon through the Selling Partner API, including but not limited to:

Order data (order ID, items, quantities, prices, status)
Buyer information (name, shipping address, email — where authorised by role)
Product and listing data (ASIN, SKU, titles, descriptions, images, pricing)
Inventory and FBA stock data
Financial events (fees, refunds, settlements, FBA charges)
Seller account identifiers (Seller ID, Marketplace ID)
OAuth credentials (refresh tokens, access tokens)

This policy applies to all such data regardless of the Amazon role or API endpoint through which it was obtained.

2. Data storage and encryption

Encryption at rest. All Amazon Information stored by CholaVerse is encrypted at rest using AES-256-GCM envelope encryption. Encryption keys are stored separately from encrypted data and access is restricted to authorised personnel.

Encryption in transit. All data transmitted between CholaVerse, Amazon, and our customers' browsers is encrypted using TLS 1.2 or higher. We do not accept connections using deprecated protocols (SSL, TLS 1.0, TLS 1.1).

OAuth credentials. Amazon refresh tokens and access tokens are encrypted at rest using the same AES-256-GCM standard. Tokens are never logged, never transmitted to third parties, and never stored in plaintext at any layer of our infrastructure.

Storage location. Amazon Information is stored in CholaVerse's primary database, hosted on infrastructure located within the United Kingdom and European Union.

3. Access controls

Access to Amazon Information is restricted on the principle of least privilege:

Customer-level isolation. Each customer's Amazon Information is logically isolated by orgId at the database query level. No customer can access another customer's Amazon Information through any application interface.
Personnel access. Access to production systems containing Amazon Information is restricted to a small number of authorised CholaVerse engineering and operations personnel. All personnel with access have signed confidentiality agreements and completed data protection training.
Audit logging. All administrative access to systems containing Amazon Information is logged with identity, timestamp, and action recorded. Logs are retained for at least 12 months.
Authentication. All personnel access to production systems requires Multi-Factor Authentication via TOTP. MFA is also available to all customers for their CholaVerse accounts.

4. Data use limitations

We use Amazon Information solely to provide the Services to the customer who authorised the connection. Specifically:

We do not sell Amazon Information to any third party.
We do not share Amazon Information with any third party except: (a) sub-processors strictly necessary to provide the Services (listed below), and (b) where required by law.
We do not use Amazon Information to train any general-purpose machine learning model. Where AI features are provided to a customer, processing is per-customer and does not contribute to any shared model.
We do not combine Amazon Information from one customer with that of another customer.
We do not use Amazon Information for advertising purposes.

5. Sub-processors

We engage a limited set of sub-processors who may process Amazon Information on our behalf, under written agreements requiring equivalent or stronger data protection:

Sub-processor	Purpose	Location
Hostinger International Ltd	Infrastructure hosting	EU
Anthropic, Inc.	AI model inference (where customer enables AI features)	US (UK IDTA in place)
Google LLC (Imagen API)	Image generation (where customer enables AI features)	US (UK IDTA in place)

A current and complete list of sub-processors is available on request from admin@cholaverse.com. We notify customers of material sub-processor changes with at least 30 days' notice.

6. Data retention and deletion

During active use. We retain Amazon Information for as long as the customer's CholaVerse account is active and the Amazon connection is authorised.

On disconnect or account closure. When a customer disconnects their Amazon account from CholaVerse, or closes their CholaVerse account, we delete all associated Amazon Information from our active systems within 30 days. This includes:

Refresh tokens and access tokens (revoked immediately)
Order, product, inventory, and financial event data
All cached and derived data

Backup retention. Amazon Information may persist in encrypted database backups for up to 30 additional days, after which backups are automatically purged.

Customer-initiated deletion. Customers may request deletion of specific Amazon Information at any time by emailing admin@cholaverse.com. We will complete such deletions within 30 days unless a legal obligation requires otherwise.

Legal exceptions. Where UK law requires us to retain certain records (for example, transaction records under HMRC tax requirements), we may retain a minimal subset of Amazon-derived data in anonymised or pseudonymised form. Such retained data does not include Amazon credentials, full buyer PII, or any data classified as Restricted PII by Amazon.

7. Data subject rights

Where Amazon Information includes personal data of identifiable individuals (such as buyer names and addresses), those individuals retain their rights under UK GDPR and applicable law, including the right of access, rectification, erasure, restriction, portability, and objection.

The customer (the Amazon seller) is the controller of buyer personal data. CholaVerse acts as the customer's processor. Data subject requests received by CholaVerse will be forwarded to the relevant customer for action.

8. Incident response and breach notification

We maintain an incident response process for security events affecting Amazon Information.

Notification to Amazon. In the event of any actual or suspected unauthorised access, disclosure, loss, or other security incident affecting Amazon Information, we will notify Amazon at security@amazon.com within 24 hours of becoming aware of the incident.

Notification to customers. We will notify affected customers without undue delay, and in any event within 72 hours of becoming aware, where the incident is likely to result in a risk to their rights, their business, or their buyers.

Notification to ICO. Where required by UK GDPR, we will notify the UK Information Commissioner's Office within 72 hours.

Cooperation. We will cooperate fully with Amazon and any regulatory authority in investigating and remediating any incident.

9. Personnel security

All CholaVerse personnel with access to Amazon Information:

Sign written confidentiality agreements covering Amazon Information specifically.
Complete data protection and security training on engagement and annually thereafter.
Have access revoked immediately on termination of engagement.
Must use multi-factor authentication for all access to production systems.

10. Annual security review

CholaVerse conducts a formal review of its security posture, controls, and this policy at least once per year. The review includes:

Verification of encryption standards and key management
Review of access controls and personnel access lists
Review of sub-processor agreements and security postures
Assessment of incident response readiness
Update of this policy where required

The most recent review date is recorded at the top of this policy.

Automated vulnerability scanning runs continuously: SAST via GitHub CodeQL on every code change, dependency monitoring via Dependabot weekly with npm audit gating all merges to main, and infrastructure scanning via nmap/nikto monthly. Findings follow documented remediation SLAs (Critical: 7 days, High: 30 days, Medium: 90 days, Low: best-effort).

11. Restricted data and PII

CholaVerse is registered as a Public Developer with Amazon Selling Partner API. Where Amazon Information includes Personally Identifiable Information ("PII") — such as buyer names, shipping addresses, and email addresses — we apply additional controls:

PII is processed only for the specific purpose authorised by the seller (e.g. order fulfilment, customer service).
PII is not used for any secondary purpose, including marketing, analytics outside the customer's own organisation, or model training.
PII is encrypted at rest and in transit at all times.
Access to PII is logged and audited.

CholaVerse does not delegate access to PII to any other developer's application via Restricted Data Token (RDT) delegation.

12. Compliance with Amazon policies

We comply with the Amazon Acceptable Use Policy, the Amazon Data Protection Policy, and the Selling Partner API Developer Agreement, as updated from time to time.

If any provision of this policy conflicts with the current Amazon Data Protection Policy, the Amazon Data Protection Policy takes precedence.

13. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes affecting how we handle Amazon Information will be notified to active customers via email or in-product notice with at least 30 days' notice where practicable.

14. Contact

For questions about this policy or our handling of Amazon Information:

Email: admin@cholaverse.com
Postal address: ABIS Consulting Limited, 20-22 Wenlock Road, London, N1 7GU, United Kingdom

For data protection complaints, you may also contact the UK Information Commissioner's Office at ico.org.uk.