Privacy Policy

Last updated: March 31, 2026

The short version: Your data is yours. We don't sell it, we don't share it unnecessarily, and we protect it with the same rigor we apply to our own business data.

The Plain English Version

SellerVault is built by sellers, for sellers. Our own business data runs through this platform every day. We take data privacy seriously because it's not just your data at stake — it's ours too. Here's what you need to know, without the legal jargon.

What We Collect

Account Information

The basics to create your account:

  • Email address (for account communication)
  • Name (optional)
  • Password (hashed with bcrypt — not visible to anyone, including us)

Your Amazon Data

When you connect your Amazon account, SellerVault accesses:

  • Inventory and product information
  • Sales and order history
  • Fee data (for profitability calculations)
  • Shipping and fulfillment data

Important: We never see or store your Amazon password. All data access goes through Amazon's official SP-API with OAuth tokens. You can revoke access anytime from your Amazon Seller Central settings.

SP-API Compliance: This application accesses your Amazon data solely through Amazon's official SP-API in accordance with Amazon's SP-API Terms of Service. Your data is stored securely and used only to provide analytics and reporting for your authorized seller account. We do not aggregate data across unrelated sellers, resell it, or share it with third parties. For agency or multi-account plans, each client's data is stored separately and is never combined or aggregated across different seller accounts.

Amazon Advertising Data

When you connect your Amazon Advertising account, SellerVault accesses the following data through the Amazon Advertising API:

  • Campaign performance metrics (impressions, clicks, spend, sales)
  • Ad group and keyword performance data
  • Advertising Cost of Sales (ACoS) and Return on Ad Spend (RoAS)
  • Product targeting and bid information
  • Sponsored Products, Sponsored Brands, and Sponsored Display campaign data
  • Historical advertising reports and analytics

How we use your advertising data:

  • Display your advertising performance alongside sales and inventory data
  • Calculate true profitability by factoring in advertising costs
  • Provide insights and recommendations to optimize your ad spend
  • Generate reports combining sales and advertising metrics

Amazon Advertising API Compliance: This application uses the Amazon Advertising API in accordance with Amazon's API License Agreement. Your advertising data is stored securely and used solely to provide you with analytics and insights. We do not share your advertising data with third parties for their marketing purposes. You can disconnect your Amazon Advertising account and request deletion of your advertising data at any time.

Chrome Extension Data

When you use the SellerVault Chrome extension, we collect:

  • ASINs of products you analyze (to provide deal scoring)
  • Your extension settings and preferences
  • Products you save to your buy list

What the extension does NOT collect:

  • Your browsing history outside of approved seller workflows
  • Personal information from web pages
  • Keystrokes or form data
  • Any data from non-Amazon websites

Extension Permissions: The extension only activates on Amazon domains needed for user-initiated analysis and secure communication with SellerVault servers. All data is transmitted securely over HTTPS.

Usage Data

We collect standard usage data such as IP address, browser type, and pages visited. This helps us understand feature usage patterns and improve the product.

Password and Credential Management

SellerVault enforces strict password and credential management policies that meet or exceed Amazon's Data Protection Policy (DPP) standards. These requirements are enforced at both the application and API level — passwords that do not meet the policy are rejected before account creation or password change can complete.

Password Complexity Requirements

  • Minimum length: 12 characters (enforced on registration, admin user creation, password change, and password reset)
  • Uppercase letters: Must contain at least one uppercase letter (A-Z)
  • Lowercase letters: Must contain at least one lowercase letter (a-z)
  • Numbers: Must contain at least one numeric digit (0-9)
  • Special characters: Must contain at least one special character (e.g., !@#$%^&*()_+-=[]|;'",.<>/?)
  • No personal information: Passwords must not contain the user's name or email address

Password Lifecycle Policies

  • Password history: Users cannot reuse any of their last 10 passwords
  • Minimum password age: Passwords can only be changed once every 24 hours to prevent rapid cycling
  • Transmission: Passwords are transmitted exclusively over HTTPS (TLS 1.2/1.3). HTTP requests are redirected to HTTPS automatically.

Password Storage

  • Hashing algorithm: bcrypt with 12 salt rounds
  • No plaintext storage: Passwords are never stored in plaintext and cannot be viewed or recovered by anyone, including our staff
  • Password history hashes: Previous password hashes are retained (last 10) solely for reuse prevention and are not reversible

Session and Token Security

  • Access tokens (JWT): Expire after 15 minutes
  • Refresh tokens: Expire after 7 days; stored as cryptographic hashes (not plaintext)
  • Password change: All existing sessions are revoked when a password is changed, requiring re-authentication on all devices
  • Account lockout: Accounts are temporarily locked after repeated failed login attempts

Multi-Factor Authentication (MFA)

  • TOTP-based multi-factor authentication is available for admin accounts
  • MFA enrollment is managed per-user from account security settings
  • Admins can reset MFA for team members if a device is lost

How We Use Your Data

We use your data to:

  • Operate the platform and display your analytics
  • Calculate metrics, forecasts, and recommendations
  • Send alerts (stockouts, profit warnings, etc.)
  • Process payments for paid plans
  • Respond to support requests
  • Improve the product based on aggregate usage patterns

We do not build advertising profiles from your data or use it for any purpose beyond operating and improving SellerVault.

Data Processing Agreement (DPA)

SellerVault acts as a data processor on behalf of Selling Partners (data controllers). We process seller data solely for the purpose of providing our services.

A Data Processing Agreement (DPA) is available upon request for enterprise customers and where required by applicable law (including GDPR Article 28). Contact privacy@sellervault.io to request a DPA.

How We Protect Your Data

We apply the same level of security we require for our own business operations:

  • All data encrypted in transit using TLS 1.2/1.3
  • Database connections use SSL/TLS encryption
  • Amazon API refresh tokens are encrypted before storage using AES-256-GCM
  • Passwords hashed with bcrypt (12 salt rounds)
  • Access logging and monitoring
  • OAuth tokens for Amazon API access (credentials never stored)
  • Regular security updates and vulnerability patching
  • Rate limiting and intrusion detection

Employee and Internal Access Controls

  • Access to seller data is restricted to authorized personnel only
  • Access is granted on a least-privilege basis — support staff can only view data necessary to resolve specific support requests
  • Database access is restricted to senior engineering staff with production access justification
  • Access permissions are reviewed periodically to ensure appropriate access levels
  • Access for departing team members is revoked promptly upon separation

Security Incident Response

In the event of a data breach or security incident, we follow a structured response process:

  1. Detection: Monitoring and logging systems are in place to help detect anomalies and potential security incidents.
  2. Containment: Affected systems are isolated as quickly as possible upon confirmation of an incident.
  3. Notification:
    • Amazon is notified within 24 hours of confirmed breach discovery
    • Affected Selling Partners are notified within 72 hours
    • Notification includes: nature of the breach, data affected, and remediation steps
  4. Remediation: Root cause analysis, system hardening, and preventive measures are implemented.
  5. Documentation: Full incident report retained for a minimum of 3 years.

Data Retention

We retain your data only as long as needed to provide the service:

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Amazon SP-API data: Inventory, orders, and fee data retained for up to 18 months to provide historical analytics and trend analysis, in compliance with Amazon's Data Protection Policy.
  • Amazon Advertising data: Campaign and performance data retained for up to 18 months. You can request earlier deletion at any time.
  • Usage logs: Server logs retained for 12 months for security, troubleshooting, and compliance purposes, in accordance with Amazon's Data Protection Policy.

When you disconnect your Amazon accounts or delete your SellerVault account, we stop syncing new data immediately and delete existing data within 30 days.

Data Deletion and Right to Erasure

Sellers may request complete deletion of their data at any time by following this process:

  1. Contact privacy@sellervault.io with the subject line "Data Deletion Request"
  2. We will verify your identity and confirm the scope of deletion
  3. All personal data and seller data will be permanently deleted within 30 days
  4. Amazon API tokens are immediately revoked upon account disconnection
  5. Backup copies are purged within 90 days of the deletion request
  6. A confirmation email is sent upon completion of the deletion process

Amazon Marketplace PII Handling

Amazon PII Auto-Purge: Amazon marketplace PII (customer names, addresses, order details) is automatically purged within 30 days of order delivery, in compliance with Amazon's Data Protection Policy.

Upon Account Disconnection or Closure

  • All stored Amazon SP-API tokens are immediately invalidated
  • Seller data is retained for 30 days (grace period), then permanently deleted
  • Aggregated, anonymized analytics may be retained for service improvement

Data Sharing

We do not sell your data. Period.

The only circumstances under which data may be shared:

  • Service providers: Hosting, payment processing, and email services necessary to operate the platform. They receive only the minimum data required for their function.
  • Legal compliance: If required by a valid court order or legal process.
  • Business transfer: In the event of a company acquisition or merger, your data would transfer to the new owner. We would notify you in advance.

Third-Party Service Providers (Subprocessors)

We use the following service providers to deliver our services. These providers have access only to the minimum data necessary for their function:

  • Infrastructure Hosting: Our servers are hosted on dedicated infrastructure with encrypted storage. Subprocessors do not have direct access to seller data.
  • Payment Processing (Stripe): Processes billing information only. No access to seller inventory, sales, or Amazon data.
  • Email Service: Receives only email addresses for transactional notifications (account alerts, password resets).
  • Database: PostgreSQL hosted on our own infrastructure — no third-party database service.

We do not share, sell, or provide seller data to any third party for their own purposes. All subprocessors are bound by data processing agreements.

Your Rights

You can always:

  • Request a copy of all data we hold about you
  • Correct any inaccurate information
  • Delete your account and all associated data
  • Export your data in standard formats
  • Disconnect Amazon access at any time
  • Unsubscribe from marketing emails

To exercise any of these rights, contact us at privacy@sellervault.io. We will respond within 30 days.

Cookies

We use cookies to maintain your session and remember your preferences. We also use basic analytics to understand how the platform is used. We do not use tracking cookies or share cookie data with third-party advertisers.

Changes to This Policy

If we make material changes to this privacy policy, we will notify you by email before the changes take effect.

Questions?

If anything here doesn't make sense or you want to know more:

Email: privacy@sellervault.io

Company Information

Business Name: Cantelmi E-Commerce

Trade Name: SellerVault

Address: 521 E 4th St, Bethlehem, PA 18015

Contact: contact@sellervault.io