Privacy & Data Protection Policy

This Privacy Policy governs the receipt, storage, usage, transfer, and disposal of Information accessed through Amazon Selling Partner API (SP-API). IQ5 B.V. ("we," "our," or "us") is committed to protecting the privacy and security of Amazon seller data in compliance with Amazon's Data Protection Policy (DPP), Acceptable Use Policy (AUP), and applicable data protection laws including GDPR.

IQ5 processes Amazon SP-API data solely for the connected seller account that authorized access through OAuth; we do not store or use data from any other seller account. We fully complies with Amazon's Data Protection Policy requirements for SP-API developers:

3.1 Types of Data Processed

IQ5 processes the following Amazon seller data through authorized SP-API access:

• Order Information: Sales data, order details, customer shipping information (PII limited to fulfillment purposes)
• Inventory Data: Stock levels, product listings, fulfillment metrics
• Pricing Information: Product prices, competitor pricing, buy box statistics
• Advertising Data: Campaign performance, advertising cost of sale (ACOS), keyword metrics
• Business Analytics: Sales performance, revenue metrics, growth trends

3.2 Personally Identifiable Information (PII) Handling

In compliance with DPP Section 2:

• PII is processed only for order fulfillment and tax compliance purposes
• PII retention limited to 30 days post-order delivery unless required by law
• No use of PII for marketing, customer targeting, or external data services
• Strict access controls and encryption for all PII data stores

Amazon seller data is used exclusively for providing authorized services:

• Pricing Optimization: AI-driven repricing algorithms using sales velocity and competition data
• Inventory Management: Stock level forecasting and restocking recommendations
• Advertising Optimization: Campaign performance analysis and budget allocation
• Business Intelligence: Sales analytics, performance reporting, growth insights
• Compliance Reporting: Tax calculation and regulatory requirement fulfillment

5.1 Technical Security Controls

• Network Security: Firewalls, intrusion detection/prevention systems, regular vulnerability scanning
• Access Controls: Role-based access, principle of least privilege, MFA enforcement
• Encryption: End-to-end encryption for data in transit and at rest
• Monitoring: Real-time security monitoring and anomaly detection

5.2 Administrative Controls

• Employee Training: Annual data protection and security awareness training
• Access Reviews: Quarterly access right verification and certification
• Incident Response: Documented procedures for security incident handling
• Change Management: Formal processes for system and configuration changes

6.1 Retention Periods

• Operational Data: Retained for active service delivery duration
• PII Data: Maximum 30 days post-order delivery (DPP Section 2.1)
• Analytical Data: Aggregated and anonymized after service termination
• Legal Requirements: Retained only as required by tax or regulatory laws

6.2 Secure Deletion Procedures

In compliance with DPP Section 1.7:

• Permanent deletion of Amazon data within 30 days of request
• Removal of all live instances within 90 days of termination
• NIST 800-88 compliant sanitization processes
• Written certification of data destruction provided upon request

IQ5 maintains a comprehensive Security Incident Response Plan in accordance with DPP Section 1.6:

• 24-Hour Notification: Immediate reporting to Amazon (security@amazon.com) upon incident detection
• Investigation Procedures: Detailed incident analysis and root cause determination
• Remediation Actions: Immediate containment and corrective measures
• Documentation: Complete incident documentation and evidence preservation
• Prevention Measures: Implementation of controls to prevent recurrence

IQ5 does not sell, rent, or share Amazon seller data with third parties except:

• Service Providers: Limited to infrastructure providers with equivalent security standards
• Legal Requirements: When required by law, regulation, or legal process
• Business Transfers: In connection with merger, acquisition, or sale of assets

9.1 User Rights (GDPR Compliance)

• Right to Access: Request information about personal data processing
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of personal data ("right to be forgotten")
• Right to Restriction: Limit processing of personal data under certain conditions
• Right to Data Portability: Receive personal data in structured, machine-readable format

9.2 User Responsibilities

• Maintain security of authentication credentials
• Promptly report any suspected security incidents
• Comply with Amazon's Acceptable Use Policy and terms of service
• Ensure authorized use of IQ5 services for legitimate business purposes

In accordance with DPP Section 3:

• Maintenance of all books and records for 12 months post-agreement termination
• Cooperation with Amazon or independent auditor assessments
• Provision of remediation evidence for any identified deficiencies
• Regular internal audits and compliance verification

This Privacy Policy may be updated to reflect changes in:

• Amazon SP-API DPP or AUP requirements
• Applicable data protection laws and regulations
• IQ5 service offerings and data processing activities
• Security best practices and industry standards

Users will be notified of material changes and continued use of services constitutes acceptance of updated terms. All processing activities continue to comply with the Amazon Developer Data Protection Policy and Acceptable Use Policy. IQ5 does not engage in data aggregation or multi-seller analytics.

For privacy-related inquiries, data subject requests, or security concerns:

• Privacy Officer: privacy@iq5.io
• Security Incidents: security@iq5.io
• Amazon Compliance: compliance@iq5.io
• General Inquiries: info@iq5.io

Data Protection Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)