Privacy Policy – Amazon SP-API & Personally Identifiable Information (PII)

Last updated: 3 February 2026

1. Scope and Role

This Privacy Policy describes how IDEAL ALPHA GmbH, Kaiser-Friedrich-Str. 90, 10585 Berlin (“we”, “us”) processes personal data in connection with the use of the Amazon Services API (SP-API).

We act exclusively as a data processor on behalf of Amazon sellers and vendors (“Authorized Users”). The respective seller remains the data controller at all times. We process personal data solely based on the documented instructions and authorization provided by the seller.

2. Source of Personal Data

Personal data is obtained exclusively via the Amazon Services API (SP-API) after explicit authorization by the respective Amazon seller. We do not collect Amazon customer data from any other sources.

3. Categories of Personal Data

Depending on the authorized services, we may process the following categories of personal data:

  • Buyer name
  • Shipping address
  • Contact details (email address, phone number, if provided by Amazon)
  • Order-related information required for fulfillment or legal documentation

We do not process payment data, marketing data, or profiling information.

4. Purpose Limitation

Amazon customer personal data is processed solely for the following permitted purposes:

  • Merchant-fulfilled order processing and shipping
  • Tax calculation and tax reporting
  • Invoice generation and legally required documentation
  • Customer support activities explicitly authorized by the seller

Personal data is never used for marketing, advertising, analytics, profiling, aggregation across sellers, AI training, or any other non-permitted purposes.

5. Data Minimization

We collect and process only the minimum personal data strictly necessary to perform the permitted purposes defined above.

6. Data Retention

Personal data is retained for no longer than 30 days after order delivery, unless a longer retention period is required by applicable law (e.g. tax or regulatory obligations).

Where longer retention is legally required, the data is securely archived, access-restricted, and retained only for the mandatory statutory period.

7. Secure Deletion

Upon expiration of the retention period or upon request by Amazon or the authorized seller, personal data is permanently and securely deleted in accordance with industry standards such as NIST 800-88.

8. Data Security Measures

We implement appropriate technical and organizational security measures, including but not limited to:

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256 or equivalent industry standards
  • Role-based access controls following the principle of least privilege
  • Mandatory multi-factor authentication (MFA) for systems handling personal data
  • Centralized logging and security monitoring

9. Access Control

Access to personal data is restricted to authorized personnel on a strict need-to-know basis. Unique user IDs are used at all times. Shared or generic accounts are prohibited.

Access rights are reviewed regularly and revoked immediately upon role change or termination.

10. Subprocessors

We may engage carefully selected subprocessors (e.g. hosting or infrastructure providers) solely to support the provision of our services.

All subprocessors are contractually bound to data protection and security obligations that are at least equivalent to those described in this Privacy Policy and Amazon’s Data Protection Policy.

A current list of subprocessors is available upon request.

11. Data Subject Rights

We support Amazon sellers in fulfilling data subject rights under applicable data protection laws, including the right of access, rectification, erasure, and restriction of processing.

We act exclusively on the documented instructions of the respective seller when responding to such requests.

12. Incident and Breach Notification

In the event of any actual or suspected personal data breach, we notify affected sellers and Amazon without undue delay and no later than 24 hours after detection, in accordance with applicable laws and Amazon policies.

All incidents are investigated, documented, and remediated to prevent recurrence.

13. International Data Transfers

Personal data is processed and stored within the European Union. If data transfers outside the EU become necessary, such transfers are conducted in compliance with applicable data protection laws and with appropriate safeguards in place.

14. Contact Information

IDEAL ALPHA GmbH
Kaiser-Friedrich-Str. 90
10585 Berlin
Germany
privacy@ideal-alpha.com

For Amazon-related security incidents, our designated Incident Management Point of Contact (IMPOC) can be reached at:

Email: security@ideal-alpha.com