Effective Date: January 15, 2025
1. Overview
Trace ("we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, process, store, share, and dispose of information when you use our e-commerce management platform and related services (the "Services").
Our Services help e-commerce businesses manage their operations across multiple marketplaces. We process data on behalf of our clients and handle marketplace data in accordance with strict security and privacy standards.
2. Information We Collect
2.1 Client Business Information
- Account Information: Business name, contact details, billing information, and marketplace credentials
- Product Data: Product listings, SKUs, descriptions, pricing, and inventory levels
- Order Information: Order details, transaction data, and fulfillment status
- Performance Metrics: Sales data, marketplace performance indicators, and analytics
2.2 Customer Data (Processed on Behalf of Clients)
- Shipping Information: Customer names and addresses for order fulfillment and shipping label generation
- Order Details: Purchase history, order status, and tracking information
- Communication Data: Customer service interactions and feedback management
2.3 Technical Information
- System Data: API usage logs, system performance metrics, and error reports
- Security Logs: Access logs, authentication records, and security event data
- Usage Analytics: Platform usage patterns and feature utilization data
3. How We Use Your Information
3.1 Service Provision
- Managing marketplace operations and inventory synchronization
- Processing orders and generating shipping labels
- Automating pricing strategies and competitive analysis
- Facilitating customer communication and feedback management
- Providing analytics and performance reporting
3.2 Platform Operations
- Maintaining system security and preventing unauthorized access
- Monitoring system performance and troubleshooting issues
- Improving our Services through analytics and user feedback
- Ensuring compliance with marketplace requirements and regulations
3.3 Legal and Compliance
- Complying with applicable laws and regulations
- Responding to legal requests and protecting our rights
- Maintaining accurate financial and tax records
- Conducting security investigations and fraud prevention
4. Information Sharing and Disclosure
4.1 Service Providers
Each marketplace connection is authorized separately by you and is limited to the specific permissions (scopes) displayed on that marketplace's consent screen at the time of authorization. We do not request or exercise access beyond those scopes.
We may share information with trusted third-party service providers who assist in delivering our Services, including:
- Cloud infrastructure providers (AWS, Microsoft Azure)
- Shipping carriers and logistics partners
- Payment processors and financial institutions
- Security and monitoring service providers
4.2 Marketplace Platforms
We share data with marketplace platforms as necessary to provide our Services, including product listings, inventory updates, order processing, and customer communication.
4.3 Legal Requirements
We may disclose information when required by law, court order, or government regulation, or when necessary to protect our rights, property, or the safety of our users or others.
5. Data Storage and Security
5.1 Data Storage Infrastructure
- Primary Storage: SOC 2 Type II certified cloud infrastructure (AWS/Microsoft Azure)
- Geographic Location: Data stored in secure facilities within the United States
- Redundancy: Multi-region backup systems for data availability and disaster recovery
Marketplace Authorization & Tokens
We connect to your marketplace accounts exclusively through each marketplace's official OAuth authorization flow. We never receive, see, or store your marketplace account password. The authorization process issues us access and refresh tokens, which are encrypted at rest (AES-256) and used only to call the marketplace's official APIs on your behalf. Tokens are never exposed to your browser or stored by our public authorization portal (integrate.trace.ninja), which holds no marketplace credentials of any kind. You may revoke our access at any time from your marketplace account settings; revocation immediately and permanently ends our access.
5.2 Encryption Standards
- Data at Rest: AES-256 encryption for all stored data
- Data in Transit: TLS 1.3 encryption for all data transmissions
- Database Encryption: Transparent Data Encryption (TDE) for database systems
- Key Management: Hardware Security Modules (HSM) and dedicated Key Management Systems
5.3 Access Controls
- Multi-factor authentication for all system access
- Role-based access control with principle of least privilege
- Regular access reviews and automated deprovisioning
- Comprehensive audit logging and monitoring
6. Data Retention and Disposal
6.1 Retention Periods
- Active Client Data: Retained while providing Services and as required for business operations
- Customer PII: Retained only as long as necessary for order fulfillment and legal requirements, and no longer than 30 days after order fulfillment unless required by law or tax obligation
- Financial Records: Retained for 7 years in compliance with accounting standards
- Security Logs: Retained for 2 years for security monitoring and compliance
6.2 Secure Disposal
When data is no longer needed, we securely dispose of it using:
- NIST 800-88 compliant data sanitization methods
- Cryptographic erasure for encrypted data
- Physical destruction of storage media when necessary
- Certificate of destruction for sensitive data disposal
7. Your Rights and Choices
7.1 Access and Correction
You have the right to access, correct, or update your personal information. Contact us to request access to your data or to make corrections.
7.2 Data Portability
You may request a copy of your data in a structured, machine-readable format to transfer to another service provider.
7.3 Deletion Rights
You may request deletion of your personal information, subject to legal and contractual obligations.
7.4 Opt-Out Options
You may opt out of non-essential communications and data processing activities where legally permissible.
8. Compliance and Certifications
8.1 Industry Standards
- SOC 2 Type II: Annual compliance audits for security and availability
- ISO 27001: Information security management system certification
- PCI DSS: Payment card industry data security standards compliance
8.2 Privacy Regulations
- GDPR: General Data Protection Regulation compliance for EU data subjects
- CCPA: California Consumer Privacy Act compliance
- PIPEDA: Personal Information Protection and Electronic Documents Act compliance for Canadian clients
8.3 Marketplace Compliance
We maintain compliance with the data protection requirements of all supported marketplace platforms, including all marketplace privacy requirements.
Amazon Selling Partner Data
For data obtained through the Amazon Selling Partner API, we comply with Amazon's Acceptable Use Policy and Data Protection Policy. We use Personally Identifiable Information (PII) solely to fulfill orders and provide the services you authorize. We retain order-related PII no longer than 30 days after order fulfillment unless a longer period is required by law or tax obligation, in which case it is archived in encrypted form with restricted access. We encrypt all such data in transit (TLS 1.2+) and at rest (AES-256), enforce least-privilege access with audit logging and multi-factor authentication for personnel, never store PII on removable media, and will report any data incident affecting Amazon Information to Amazon and affected parties within 72 hours of discovery.
9. Policy Updates
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes through:
- Email notifications to registered users
- Prominent notices on our platform
- Updated version posting on our website
Continued use of our Services after policy updates constitutes acceptance of the revised terms.
10. Contact Information
Privacy and Data Protection Inquiries
Email: privacy@trace.rocks
Data Protection Officer: dpo@trace.rocks
General Support: hello@trace.rocks
Phone: +1 201-252-7478
For immediate privacy concerns or data breach reports, please contact our Data Protection Officer directly at dpo@trace.rocks.