Privacy & Data‑Handling Policy

Purpose and Scope

This policy describes how Agrezor GmbH (“Agrezor”) collects, processes, stores, uses, shares, and disposes of Amazon Data, including Personally Identifiable Information (“PII”), obtained via the Amazon Selling Partner API. The policy applies to all Agrezor employees, systems, and environments that handle Amazon Data.

1. Data Collection and Purpose Limitation

Amazon Data is collected only via the official Amazon Selling Partner API and only for authorised roles related to merchant‑fulfilled shipping and tax invoicing for our own Seller account.

The collected PII may include buyer name, shipping address, billing address, and contact information (email/phone) where provided by Amazon.

Data is used strictly for:

  • Generating shipping labels and confirming shipment destinations.

  • Tax invoicing and accounting in compliance with VAT and local tax laws.

Agrezor does not collect or process Amazon Data for marketing, analytics, profiling, resale, or any non‑operational purpose.

2. Data Minimisation and Retention

  • Only the minimum PII necessary to perform fulfilment and invoicing functions is retrieved and stored.

  • PII is retained no longer than 30 days after order fulfilment or invoice issuance, unless longer retention is legally required for accounting or tax regulations.

  • After the retention period expires, data is securely deleted or anonymised so that individuals can no longer be identified.

3. Data Storage and Encryption

  • All Amazon Data is stored within controlled environments hosted in the European Union.

  • Data is encrypted in transit using TLS 1.2+ and at rest using AES‑256 encryption.

  • Encryption keys are stored in a secure key‑management system, rotated annually or immediately upon suspicion of compromise.

4. Access Control and Identity Management

  • Access to Amazon Data is restricted to authorised personnel who require access to perform fulfilment or accounting tasks.

  • All users have unique IDs; shared or generic accounts are prohibited.

  • Multi‑factor authentication (MFA) is enforced for all privileged access.

  • Access rights are reviewed quarterly and revoked within 24 hours of employee termination or role change.

5. Data Sharing and Third Parties

  • Agrezor does not share or transfer Amazon Data to any external third parties.

  • No subcontractors or service providers process Amazon Data on Agrezor’s behalf.

  • Amazon Data is used only within our internal infrastructure by authorised Agrezor staff.

6. Monitoring, Logging, and Audit

  • All access to systems containing Amazon Data is logged, including user ID, timestamp, and type of action.

  • Logs are reviewed at least monthly to detect anomalies or unauthorised access.

  • Logs are retained for a minimum of 90 days and stored without PII.

  • Annual internal audits verify adherence to this policy and Amazon’s Data Protection Policy (DPP).

7. Data Disposal and Secure Deletion

  • When data reaches the end of its retention period, it is permanently deleted using secure erasure procedures that render it unrecoverable.

  • Backup data is encrypted and deleted within the same retention timeframe.

  • Disposal actions are logged and auditable.

8. Privacy and Security Governance

  • The Data Protection Officer (DPO) oversees compliance with this policy and ensures adherence to Amazon’s DPP, AUP, and GDPR requirements.

  • Employees with access to Amazon Data receive annual training on privacy, data handling, and incident response.

  • All staff are bound by confidentiality and data‑protection clauses in their employment agreements.

9. Incident Response and Notification

  • Agrezor maintains an incident‑response plan covering detection, containment, eradication, and recovery from security incidents.

  • Any confirmed or suspected compromise of Amazon Data is reported to Amazon’s security team at security@amazon.com within 24 hours, as required by the DPP.

  • Root‑cause analyses and post‑incident reviews are documented, and corrective measures are implemented to prevent recurrence.

10. Data Subject Rights

Although Agrezor processes PII only as a data processor for Amazon, we support Amazon’s obligations under GDPR by promptly assisting with any verified data‑subject requests transmitted by Amazon.

11. Policy Review and Updates

  • This policy is reviewed annually or whenever Amazon’s Data Protection Policy, GDPR, or local regulations change.

  • Any updates are documented, versioned, and communicated to all relevant personnel.

Summary Compliance Statement

Agrezor’s privacy and data‑handling practices comply with Amazon’s Data Protection Policy §2.2, Acceptable Use Policy §4.1, and the EU GDPR. Amazon Data is used only for authorised business purposes (fulfilment and tax compliance), protected by industry‑standard encryption, governed by strict access control, and disposed of securely at the end of the retention period.