Privacy Policy

Last updated: November 17, 2025

CCPA/CPRA Compliant | Amazon SP-API Data Protection Policy

Introduction

RepriceLab ("we," "our," or "us") is a US-based company committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Amazon repricing service. We comply with US privacy laws including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and Amazon's SP-API Data Protection Policy.

1. Information We Collect

1.1 Account Information

  • Personal Data: Name, email address, password (encrypted with bcrypt)
  • Payment Information: Processed securely through Stripe (PCI DSS Level 1 compliant). We do not store credit card details.
  • Contact Information: Information provided when contacting support

1.2 Amazon Seller Data (via SP-API OAuth)

When you connect your Amazon Seller Central account, we access:

  • Product Listings: SKU, ASIN, titles, descriptions, images, categories
  • Inventory Data: Stock levels, fulfillment methods (FBA/FBM)
  • Pricing Information: Current prices, competitive offers, Buy Box status
  • Order Data: Order history for analytics (read-only access)
  • Seller Metrics: Account health, performance indicators
  • Marketplace Participations: Active marketplaces and regions

1.3 Automatically Collected Data

  • Usage Data: Pages visited, features used, time spent on platform
  • Device Information: IP address, browser type, operating system
  • Log Data: API calls, repricing actions, error logs
  • Cookies: Session management, authentication tokens (JWT)

2. How We Use Your Information

Repricing Services

Automated price adjustments based on your configured rules, Buy Box ownership analysis, and competitor monitoring

Analytics & Reporting

Dashboard metrics, sales insights, profitability analysis, historical data tracking

Service Operations

Account management, billing, customer support, service improvements

Security & Compliance

Fraud prevention, security monitoring, legal compliance, incident response

3. Data Sharing and Disclosure

✓ We DO NOT Sell Your Data

We never sell, rent, or trade your personal information or Amazon seller data to third parties for marketing purposes. This is a commitment under CCPA and our core business principle.

3.1 Service Providers

We share data only with trusted service providers who help operate our service:

  • Amazon Web Services (AWS): Cloud hosting, infrastructure (SOC 2, ISO 27001 certified)
  • Stripe: Payment processing (PCI DSS Level 1 compliant)
  • Email Service Providers: Transactional emails and notifications

All service providers are contractually bound to protect your data and use it only for specified purposes.

3.2 Legal Requirements

We may disclose information when required by:

  • Law, regulation, subpoena, or court order
  • Government or regulatory authority requests
  • Protection of our legal rights or prevention of fraud
  • Emergency situations involving safety or security

4. Amazon SP-API Data Protection

As an Amazon SP-API solution provider, we comply with Amazon's Data Protection Policy requirements:

Access Control

  • Role-based access (RBAC)
  • Least privilege principle
  • Multi-factor authentication (MFA)
  • Regular access reviews

Data Encryption

  • TLS 1.2+ in transit
  • AES-256 encryption at rest
  • Encrypted backups
  • Secure key management

Data Retention

  • Active account: data retained
  • Account closure: 30-day grace
  • Permanent deletion after 30 days
  • Compliance logs: 7 years

Token Security

  • OAuth refresh tokens encrypted
  • Secure storage in PostgreSQL
  • Auto-revocation on disconnect
  • No token logging

5. Data Security Measures

Technical Safeguards

  • Authentication: JWT-based secure authentication, bcrypt password hashing (cost factor 12)
  • Network Security: AWS VPC isolation, security groups, DDoS protection
  • Database Security: PostgreSQL with encrypted connections, parameterized queries (SQL injection prevention)
  • Infrastructure: AWS infrastructure with SOC 2, ISO 27001, and PCI DSS compliance
  • Monitoring: 24/7 security monitoring, intrusion detection, automated alerts

Operational Safeguards

  • Backups: Automated daily encrypted backups, 30-day retention
  • Incident Response: Documented procedures, 24-hour response time
  • Vulnerability Management: Regular security scans, patch management
  • Employee Access: Background checks, NDA agreements, security training
  • Audits: Annual third-party security assessments

6. Your Privacy Rights (CCPA/CPRA)

Under California and other US state privacy laws, you have the following rights:

Right to Know

Request disclosure of personal information we collect, use, and share

Right to Delete

Request permanent deletion of your account and personal data

Right to Correct

Correct inaccurate or incomplete information

Right to Portability

Export your data in machine-readable format (JSON/CSV)

Right to Opt-Out

Opt out of sale/sharing of personal data (we don't sell data)

Right to Non-Discrimination

Exercise rights without discrimination or denial of service

How to Exercise Your Rights

To exercise these rights, contact us at repricelab@gmail.com or use our Contact Form. We will respond within 45 days (CCPA requirement).

Verification: We may request information to verify your identity before processing requests.

6.1 Authorized Agent

California residents may designate an authorized agent to make requests on their behalf. The agent must provide written authorization and proof of authority.

7. Data Retention

We retain your data for as long as necessary to provide our services:

  • Active Accounts: Data retained while your account is active
  • After Cancellation: 30-day grace period for account recovery
  • Permanent Deletion: All personal data deleted after 30 days
  • Legal Compliance: Financial records and compliance logs retained for 7 years
  • Amazon SP-API Tokens: Automatically deleted upon store disconnection

8. Cookies and Tracking Technologies

Essential Cookies (Required)

Authentication tokens (JWT), session management, security features

Analytics Cookies (Optional)

Usage patterns, feature adoption - requires user consent

You can manage cookie preferences in your browser settings. Note that disabling essential cookies may affect service functionality.

9. Do Not Track Signals

We currently do not respond to Do Not Track (DNT) browser signals. However, we comply with CCPA's "Right to Opt-Out of Sale" and do not sell personal information.

10. Children's Privacy

RepriceLab is intended for business use by individuals 18 years or older. We do not knowingly collect information from children under 18. If you believe we have collected data from a minor, contact us immediately for deletion.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

  • Email notification to registered users
  • Dashboard notification banner
  • Updated "Last Updated" date at the top of this page

Continued use of our service after changes constitutes acceptance of the updated policy.

12. Contact Information

Privacy Questions or Concerns?

Email: repricelab@gmail.com

Contact Form: https://repricelab.com/contact

Response Time: Within 48 hours for privacy inquiries

California residents: Requests under CCPA will receive a response within 45 days as required by law.

Compliance & Certifications

✓ CCPA Compliant

California Consumer Privacy Act

✓ CPRA Compliant

California Privacy Rights Act

✓ Amazon SP-API DPP

Amazon Data Protection Policy Certified

✓ PCI DSS via Stripe

Payment Card Industry Data Security Standard

© 2025 RepriceLab. All rights reserved.