Privacy Policy

1. Introduction

This Data Privacy, Security, and Compliance Policy defines how EcomShadow, a SaaS platform designed for e-commerce sellers, collects, processes, stores, and protects data obtained through official APIs such as Amazon Selling Partner API (SP-API) and Flipkart Seller API. The policy ensures compliance with Indian IT Act (2000), GDPR, and Amazon/Flipkart's data protection requirements, while giving sellers complete ownership and control over their data.

2. Data Ownership and Consent

All data accessed through Amazon SP-API, Flipkart APIs, or any other integrated marketplace belongs exclusively to the seller. EcomShadow does not claim ownership of catalog, inventory, pricing, or order data. Data access is granted only via explicit seller authorization through secure OAuth login flows.

• Ownership: All marketplace data belongs exclusively to the seller
• Consent: Data access only via secure OAuth authorization
• Revocation: Sellers may revoke access at any time
• Transparency: Clear information about data collection and usage

3. Types of Data Collected

EcomShadow collects only the minimum data necessary to deliver its services:

• Catalog Data: Titles, descriptions, attributes, categories
• Inventory Data: SKU details, stock levels, availability status
• Pricing Data: Current and historical pricing information
• Order Data: Order IDs, status, cancellations (excluding buyer PII)
• Reports Data: Sales reports, performance metrics
• Analytics Data: Keyword volumes, conversion insights

Explicitly Excluded: Buyer PII, payment details, sensitive personal data

4. Usage Restrictions

Clear guidelines on how data can and cannot be used:

• Permitted: AI-powered optimization, theft detection, competitor analysis
• Prohibited: Selling data, sharing with third parties, storing PII

5. Security Measures

Comprehensive security framework to protect your data:

• Encryption: AES-256 at rest, TLS 1.3 in transit
• Access Control: Role-based access with MFA
• Token Management: AWS KMS-secured, regularly rotated
• Zero Trust: Every request authenticated
• Monitoring: Real-time SIEM logs and alerts
• Testing: Regular penetration testing and vulnerability scans
• Backup: Encrypted and geo-redundant storage

6. Data Retention and Deletion

Clear policies on how long data is kept and when it's deleted:

• Active data retained only while subscribed
• Revoked access data deleted within 7 business days
• Backups purged within 30 days
• Anonymization applied for analytics
• All deletions logged and audited

7. Your Rights

Complete control over your data with these rights:

• Right to Access: View all stored data
• Right to Deletion: Remove data at any time
• Right to Portability: Export data (CSV, PDF)
• Right to Restrict Processing: Limit data usage
• Right to Audit: Review compliance records
• Right to Complain: Contact DPO or regulators

8. Incident Response

Rapid response protocol for any security incidents:

• Detection: Automated monitoring systems
• Containment: Immediate isolation of affected systems
• Notification: Within 72 hours to sellers and Amazon
• Investigation: Comprehensive forensic review
• Remediation: Implementation of fixes and safeguards
• Reporting: Detailed incident reports to stakeholders
• Simulation: Bi-annual breach response drills

9. SP-API Compliance

Strict adherence to marketplace API requirements:

• Only official endpoints used
• Minimal required roles requested
• Tokens secured, never exposed in code
• Brand Analytics used only with approval
• No scraping or PII handling
• Logs available for Amazon audits

10. Continuous Review and Improvement

Regular updates to maintain the highest standards:

• Reviewed every 6 months for regulatory updates
• API changes and cybersecurity improvements
• Audit learnings incorporated
• Compliance Officer and DPO ensure updates