Data Protection & Acceptable Use Policy
Last updated: March 15, 2026
This Data Protection & Acceptable Use Policy ("Policy") describes how RePricer ("we," "us," or "our") protects data obtained through the Amazon Selling Partner API (SP-API), and outlines acceptable use requirements for our RePricer service ("Service"). This Policy is designed to comply with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP).
1. Data Handling Principles
We operate under the following core principles when handling data from the Amazon SP-API:
- Purpose Limitation: We only access and process data necessary to provide the repricing Service you authorized.
- Data Minimization: We collect the minimum amount of data required for each feature.
- Transparency: We clearly disclose what data we access and how we use it.
- Security by Design: Security controls are built into every aspect of our infrastructure.
2. Data Categories & Usage
2.1 Data We Access via SP-API
- Catalog Items: Product listings, ASINs, SKUs, titles, descriptions, and images — used to display your product catalog.
- Pricing Data: Current prices, competitive pricing, and Buy Box data — used for repricing calculations and analytics.
- Offers: Offer conditions, fulfillment channels — used to manage your listings.
- Seller Information: Seller ID, marketplace IDs — used to identify your account and marketplaces.
2.2 How We Use This Data
- To display your product catalog within the Service.
- To calculate and apply pricing changes based on your rules.
- To generate analytics and reports about your pricing performance.
- To submit price updates to Amazon on your behalf.
We do not use Amazon SP-API data for any purpose other than directly providing the Service to you. We do not sell, rent, or share Amazon data with any third party for their own marketing, analytics, or any other purpose.
3. Encryption & Data Security
3.1 Encryption in Transit
- All communications between our Service and Amazon SP-API use TLS 1.2 or higher.
- All communications between your browser and our Service use TLS 1.2 or higher (HTTPS enforced).
- Internal service-to-service communications use encrypted channels.
3.2 Encryption at Rest
- All databases are encrypted at rest using AES-256 encryption.
- Encryption keys are managed through a Key Management System (KMS) with regular key rotation.
- Backups are encrypted with the same level of protection as primary data stores.
4. Access Controls
- Role-Based Access Control (RBAC): Internal access to data is restricted based on job role and the principle of least privilege.
- Multi-Factor Authentication (MFA): Required for all internal access to production systems.
- Account Lockout: Accounts are locked after ten (10) unsuccessful login attempts.
- Password Policy: Passwords must meet complexity requirements. Password history retains the last ten (10) passwords to prevent reuse.
- API Key Management: API keys and tokens are rotated regularly and stored securely.
- Access Logging: All access to sensitive data is logged and monitored.
5. Network Protection
- Intrusion Detection & Prevention: We deploy IDS/IPS systems to monitor and block suspicious activity.
- Firewalls: Network firewalls restrict traffic to authorized connections only.
- Anti-Virus / Anti-Malware: All systems run anti-virus and anti-malware tools that cannot be disabled by end users. These tools are patched and updated regularly.
- Patch Management: All information systems are reviewed and patched on a regular schedule.
- Vulnerability Scanning: Regular vulnerability assessments are performed on our infrastructure.
6. Data Retention & Deletion
We follow strict data retention schedules in compliance with Amazon's DPP:
- PII from Amazon Orders: Deleted within 30 days after the latest estimated delivery date, unless longer retention is required by applicable law.
- Non-PII Amazon Data: Retained for no more than 18 months. Data older than 18 months is automatically purged.
- User Account Data: Retained while your account is active. Deleted within 30 days of account termination.
- Authorization Tokens: Revoked and deleted immediately when you disconnect your Amazon account.
Upon termination of service or revocation of Amazon authorization, we promptly delete all Amazon SP-API data associated with your account.
7. Incident Response
- We maintain a documented Incident Response Plan to handle security incidents.
- A designated Incident Management Point of Contact (IMPOC) is available and reachable at all times.
- In the event of a security breach affecting Amazon data, we will notify Amazon within 24 hours of detection.
- Affected users will be notified promptly with details about the nature of the breach and remedial actions taken.
- Post-incident reviews are conducted to prevent recurrence.
8. Acceptable Use Requirements
As a user of the Service, you agree to the following acceptable use requirements:
8.1 Permitted Uses
- Using the Service to manage and optimize your own Amazon product pricing.
- Configuring repricing rules for your own SKUs and marketplaces.
- Viewing analytics and reports about your pricing performance.
8.2 Prohibited Uses
- Accessing, attempting to access, or using data from other sellers' accounts.
- Using Amazon SP-API data for any purpose other than the authorized repricing functionality.
- Sharing, reselling, or redistributing Amazon data obtained through the Service.
- Using the Service to engage in price-fixing or anti-competitive practices.
- Using the Service to manipulate Amazon's marketplace in violation of Amazon's policies.
- Storing Amazon PII beyond the permitted retention periods.
- Attempting to circumvent security controls or access unauthorized systems.
- Using the Service in a manner that violates any applicable laws, regulations, or Amazon policies.
9. Secure Coding & Development
- Our development team undergoes mandatory secure coding training on a regular basis.
- Code reviews and static analysis are part of our development workflow.
- We follow OWASP guidelines for secure web application development.
- Dependencies are regularly audited for known vulnerabilities.
10. Compliance
This Policy is designed to comply with:
- Amazon SP-API Data Protection Policy (DPP)
- Amazon SP-API Acceptable Use Policy (AUP)
- Amazon Services API Developer Agreement
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
We regularly review and update our practices to maintain compliance with the latest versions of these policies.
11. Policy Updates
We may update this Policy to reflect changes in our practices, Amazon's requirements, or applicable regulations. Material changes will be communicated via email or in-app notification at least 30 days before taking effect.
12. Contact
For questions about this Data Protection & Acceptable Use Policy, contact:
RePricer — Security & Compliance
Email: support@amzndev.com
Website: https://amzndev.com