Privacy Policy — Amazon Growth and Reporting by Ivan C.
1. Scope
This Privacy Policy describes how Ivan Cherepanov JDG — Amazon Data Analytics MCP, trading as Optipotamus ("we", "us", "Controller"), processes personal data and Amazon-derived data in connection with the application Amazon Growth and Reporting by Ivan C. ("the App").
The App is an agency-operated platform used to manage Amazon Sponsored Ads campaigns and to generate operational and performance reports on behalf of Amazon sellers ("Clients") who voluntarily authorize the App through Amazon's OAuth flow.
This policy applies to:
- Amazon Selling Partners who grant the App access to their Amazon Seller Central account via Amazon Selling Partner API (SP-API).
- Amazon Advertising account holders who grant the App access via the Amazon Advertising API.
- Individuals whose personal data is contained in data returned by those APIs (for example, buyer names and shipping addresses contained in order reports).
2. Data we access
When a Client authorizes the App, we may access the following categories of data via Amazon SP-API and Amazon Ads API:
- Orders data: order identifiers, status, marketplace, order totals, shipment information, and buyer shipping address (only to the extent Amazon returns it for sellers).
- Inventory data: SKU, ASIN, quantity on hand, warehouse/fulfillment-center assignment, replenishment metrics.
- Reports: Sales & Traffic reports, Search Terms reports, and other operational reports generated by Amazon.
- Financial data: settlement reports, fee breakdowns, reimbursement data. We do not access payment card numbers or bank account numbers.
- Advertising data: campaigns, portfolios, ad groups, keywords, targets, negatives, bids, placements, budgets, and performance reports across Sponsored Products, Sponsored Brands, and Sponsored Display.
We do not request and do not process:
- Amazon Personally Identifiable Information (PII) beyond what is incidentally included in order reports;
- Tax data;
- Direct-to-Consumer shipping data;
- Brand Analytics restricted reports;
- Payment credentials, bank account numbers, or full card data.
3. Purpose and legal basis (GDPR Art. 6)
We process data for the following purposes:
- Contract performance (Art. 6(1)(b)): to deliver the agency services the Client has engaged us to perform — campaign management, reporting, operational support.
- Legitimate interest (Art. 6(1)(f)): for service security, fraud prevention, and aggregate performance analysis used to improve the App. Our legitimate interest is balanced against data subject rights; we do not use data for direct marketing to buyers.
- Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and regulatory obligations applicable to the Controller under Polish and EU law.
The Client remains the data controller for Amazon-derived personal data it submits through the App; we act as data processor on the Client's behalf. A Data Processing Addendum (DPA) is available to Clients on request.
4. Sub-processors
At the time of this policy's last update, the App is in pre-deployment configuration and has no production Client workloads. Prior to onboarding any Client, we will publish and maintain a current list of sub-processors in the following categories:
- Cloud hosting / compute — an EU-based cloud provider for application hosting and API processing.
- Database — a managed database provider storing Client operational data within the European Economic Area.
- Transactional email — a transactional email provider used solely for service notifications and data subject request handling (not marketing).
- Error monitoring / logging — an observability provider for operational logs and error reporting, with PII scrubbing applied at the source.
Every sub-processor we engage will be bound by a written Data Processing Agreement meeting the requirements of GDPR Article 28, including confidentiality, equivalent security measures, sub-processing controls, and assistance with data subject rights.
An up-to-date sub-processor list (including processor name, purpose, and storage region) is available on request from the contact address in Section 13. Material changes to the sub-processor list will be communicated to active Clients at least 14 days before they take effect.
5. International transfers
The Controller is established in Poland (European Union). Where data is transferred outside the European Economic Area (for example, to sub-processors based in the United States), we rely on one or more of the following safeguards under GDPR Chapter V:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- An adequacy decision where applicable (e.g., EU–U.S. Data Privacy Framework);
- Supplementary technical measures including encryption at rest and in transit.
6. Retention
We retain Client-authorized Amazon data only for as long as necessary for the purposes described in Section 3, and no longer than the following:
- Operational data (orders, inventory, campaigns): retained for the duration of the engagement with the Client plus up to 30 days after termination, after which data is deleted or irreversibly anonymized.
- Reporting / aggregated performance data: up to 24 months from collection.
- Financial / accounting records: retained for the period required by applicable Polish tax law (currently 5 years from the end of the accounting year).
- Logs and audit data: up to 12 months from creation.
Clients may request earlier deletion at any time via the contact email in Section 13; we will confirm deletion within 30 days unless a legal retention obligation applies.
7. Security measures
We implement the following technical and organizational measures:
- Encryption in transit: TLS 1.2+ for all API traffic and data exchange.
- Encryption at rest: AES-256 or equivalent for stored Client data.
- Access control: role-based access; least-privilege; multi-factor authentication on all administrative accounts.
- Secrets handling: API credentials stored in encrypted secret stores, never checked into version control.
- Logging and monitoring: access logs retained for audit; anomaly monitoring on authentication endpoints.
- Personnel: written confidentiality obligations; no sub-contractor access without a written DPA.
- Breach response: incident response plan maintained; affected Clients notified within 72 hours of discovery of a personal-data breach, per GDPR Art. 33.
8. Data subject rights
Individuals whose personal data is processed by the App have the following rights under GDPR (Articles 15–22):
- Right of access;
- Right to rectification;
- Right to erasure ("right to be forgotten");
- Right to restriction of processing;
- Right to data portability;
- Right to object to processing;
- Right to withdraw consent where processing is based on consent;
- Right to lodge a complaint with a supervisory authority (in Poland: Urząd Ochrony Danych Osobowych — UODO, https://uodo.gov.pl).
Requests can be sent to the contact email in Section 13. We respond within 30 days.
Because most personal data processed via the App belongs to the Client's buyers (not the Client itself), such requests may need to be forwarded to the Client (the controller) for action. We will cooperate with the Client to facilitate a response.
9. Deauthorization and deletion
Clients may revoke the App's access at any time from within their Amazon Seller Central or Amazon Advertising account (Manage Your Apps). Upon revocation:
- We cease all further processing of the Client's data immediately;
- We delete or irreversibly anonymize stored Client data within 30 days, subject to the legal retention obligations in Section 6.
10. Cookies and tracking
The App is a backend integration and does not operate a public website with cookies or tracking pixels. We do not perform cross-site tracking, advertising profiling, or behavioral analytics on end users.
11. Children
The App is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child's data has been inadvertently processed, please contact us for prompt deletion.
12. Changes to this policy
We may update this policy to reflect changes in law, sub-processors, or the App's functionality. Material changes will be notified to active Clients via email at least 14 days before they take effect. The "Last updated" date at the top of this document always reflects the current version.
13. Contact
For any privacy inquiry, data subject request, or general question about this policy, please contact:
- Email: hello.optipotamus@gmail.com
- Postal address: ul. Przyjaźni Polsko-Węgierskiej 4/16, 30-644 Kraków, Poland
- Controller: Ivan Cherepanov JDG — Amazon Data Analytics MCP (trading as Optipotamus)