HubBroker ApS is committed to the highest standards of data privacy and security. This dedicated policy explains how we handle data accessed through the Amazon Selling Partner API (SP-API) for our integration services offered to Amazon selling partners. It supplements our general Privacy Policy and complies fully with Amazon’s Data Protection Policy (DPP), Acceptable Use Policy (AUP), and applicable laws including the General Data Protection Regulation (GDPR).
1. Data We Collect via SP-API
We collect only the data necessary to provide our iPaaS, EDI, API integration, and automation services (e.g., order processing, inventory synchronization, reporting) for Amazon sellers who authorize us via OAuth.
This may include:
- Seller account and business data (e.g., inventory levels, orders, sales reports, fulfillment information).
- Restricted data / Personally Identifiable Information (PII) only when explicitly required and authorized by the selling partner (e.g., buyer name, shipping address, email, phone for order fulfillment and shipping).
- We never access or collect data beyond what the seller grants permission for through the SP-API authorization process.
2. How We Use Amazon Data
- Data is used exclusively to deliver the requested integration services, such as real-time order syncing between Amazon and ERP systems, automated invoicing, inventory management, and reporting.
- We do not use Amazon data for marketing, advertising, profiling, resale, or any purpose not approved by the selling partner or Amazon.
3. Data Storage and Protection
All Amazon data, including PII, is handled with strict security measures:
- Encryption in Transit: All data transmission uses TLS 1.2
- Encryption at Rest (Control 2.4): Data is encrypted at rest using AES-256 encryption (industry-standard symmetric algorithm) in our secure databases and storage systems. Cryptographic keys are managed securely via [e.g., AWS Key Management Service (KMS) or equivalent secure key management system], rotated at least annually, and accessible only to authorized processes and services.
- Access controls: Access controls follow the principle of least privilege, with role-based access, multi-factor authentication (MFA), and restrictions on personal device storage.
- Data Loss Prevention (DLP) controls are implemented to monitor and prevent unauthorized exfiltration or movement of Amazon data/PII.
4. Data Sharing
We share Amazon data only when necessary:
- With the authorized Amazon selling partner who granted access.
- With trusted subprocessors (e.g., cloud providers like AWS) bound by data processing agreements and security requirements.
- As required by law or to comply with valid legal requests.
We do not sell, rent, trade, or disclose Amazon data to unauthorized third parties.
5. Data Retention and Deletion
We retain Amazon data only as long as needed for service delivery or per the selling partner’s instructions:
- Non-PII data: Retained based on business need or seller agreement.
- Restricted Data / PII: Retained for a maximum of 30 days after order fulfillment/processing (or shorter if possible), unless longer retention is legally required (e.g., for tax or regulatory compliance). After this period, data is securely deleted or irreversibly anonymized.
- Upon app deauthorization, seller request, or termination of service, associated data is deleted promptly in accordance with Amazon DPP requirements.
6. Security Logging and Monitoring (Control 2.6)
We maintain detailed logs of all access, API calls, security events, errors, and system activities across our services. Logs are:
- Protected against unauthorized access and tampering.
- Monitored in near real-time using automated tools for anomaly detection (e.g., unusual access patterns, high-volume requests, suspicious activities).
- Reviewed regularly to trigger alerts and investigations as needed.
- Retained securely for at least 12 months (or longer if required by law) to support incident response.
Personally Identifiable Information (PII) in Logs:
- Logs do not contain Personally Identifiable Information (PII) by default.
- PII is included only when strictly necessary for legal, tax, or regulatory requirements (e.g., incident investigations or compliance obligations).
- In such exceptional cases, PII is minimised to the greatest extent possible.
- Where feasible, PII is anonymised or pseudonymized.
- Any retained PII is protected using equivalent encryption and access-control measures.
- PII is retained only for the minimum period required by law.
- The organization prioritizes excluding PII from logs to align with Amazon’s Data Protection Policy best practices and reduce risk.
- Log access is strictly controlled to prevent unauthorized viewing or tampering.
7. Credential and Access Management (Control 1.4 & Data Governance 2.2)
We enforce strong access controls:
- Passwords: Minimum 12 characters, including upper/lower case, numbers, and special characters; no reuse of old passwords; expiration every 90–365 days; account lockout after failed attempts.
- Multi-Factor Authentication (MFA): Required for all accounts with access to systems handling Amazon data.
- API keys, secrets, and credentials (including SP-API tokens) are encrypted, rotated regularly, and never hardcoded or shared.
- Access is reviewed quarterly; terminated or changed-role access is revoked within 24 hours.
- No generic/shared/default accounts are used.
Password and Credential Management:
- Minimum length: 12 characters.
- Complexity: Must include a mix of uppercase letters, lowercase letters, numbers, and special characters (minimum requirements enforced for each category).
- Passwords must not contain the user’s name, username, or common/restricted words.
- Password age: Minimum 1 day (cannot change immediately after reset); maximum expiration period of 365 days.
- No password reuse (history enforcement for at least last 10 passwords).
- Account lockout after repeated failed attempts (e.g., 5–10 failures).
- Multi-Factor Authentication (MFA) is mandatory for all accounts/systems with access to Amazon data or related systems.
- API keys, secrets, and SP-API tokens: Stored encrypted, rotated regularly (at least annually or upon suspicion), never hardcoded or shared, with access limited to authorized personnel only.
- No generic, shared, or default accounts permitted.
- Access reviews: Conducted quarterly for all accounts with Amazon data access.
- Termination/Role change: Access revoked within 24 hours.
8. Compliance, Incident Response, and Your Rights
- We fully comply with Amazon’s Data Protection Policy (DPP), including prompt notification to Amazon within 24 hours of any suspected security incident or data breach. We maintain robust incident response procedures and conduct regular security training.
- Selling partners and end-users have rights under GDPR and other laws (e.g., access, rectification, deletion).
- In the event of a suspected security incident or data breach involving Amazon data, HubBroker will notify Amazon within 24 hours (or sooner as required) and cooperate fully with any investigation per Amazon DPP.
This policy is supplemental to our general Privacy Policy and is specifically tailored for Amazon Selling Partner API (SP-API) integrations.
For Amazon data concerns, contact us directly or Amazon support.
Reach us at:
Email: contact@hubbroker.com
Phone: +45 25943777
Denmark Office: Bredgade 45, B, 1260 København K, Denmark
India Office: D-1010, The First, B/H ITC Narmada, Near Mansi Circle, Vastrapur, Ahmedabad, Gujarat – 380015
We review and update this policy regularly to maintain compliance. Continued use of our services after updates constitutes acceptance.
For general privacy inquiries, refer to our main Privacy Policy. For full Amazon SP-API documentation, visit Amazon Developer Docs.
Last Updated: February 17, 2026