Privacy Policy

Last updated: 26 March 2026

The authoritative version of this Privacy Policy is the English version. Translations, if provided, are for convenience only.

1. Introduction

This Privacy Policy explains how Kenderson Tripaldi (sole proprietorship, VAT IT13063450012), whose registered address is Via Ettore Fico 7, 10090 Castiglione Torinese (TO), Italy (hereinafter "we", "us", "our"), collects, uses, stores, transfers, and protects personal data when you use MarginLock (the "Service") — a fulfillment management platform for Amazon FBA sellers.

This Policy complies with:

  • Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by D.Lgs. 101/2018;
  • The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) (Cal. Civ. Code §§ 1798.100–1798.199.100);
  • Other applicable US state privacy laws where relevant.

By accessing or using the Service you acknowledge that you have read and understood this Policy. If you do not agree, you must discontinue use of the Service.

2. Data Controller

The Data Controller (as defined by the GDPR) is:

Kenderson Tripaldi
Via Ettore Fico 7
10090 Castiglione Torinese (TO)
Italy
VAT: IT13063450012
E-mail: privacy@marginlock.io

For all privacy-related requests — including the exercise of data subject rights — please contact us at the e-mail address above. We will respond within the timeframes required by applicable law (ordinarily 30 days under the GDPR; 45 days under the CCPA, with a possible one-time 45-day extension).

3. Data We Collect

3.1 Account and Profile Data

When you register for or use the Service, we collect:

  • Identity data: full name, e-mail address, password (stored as a salted bcrypt hash — we never store plaintext passwords).
  • Account preferences: preferred language / locale setting.
  • Session data: authentication tokens and session identifiers used to keep you logged in.

3.2 Amazon Seller Account Data (via SP-API)

When you connect your Amazon Seller Central account, we obtain an OAuth 2.0 refresh token issued by Amazon. Using that token we retrieve, on your behalf, the following categories of data from Amazon's Selling Partner API (SP-API):

  • Catalog data: product ASINs, seller SKUs, product titles, descriptions, images, pricing information, and inventory levels.
  • Inbound shipment plan data: FBA inbound plan identifiers, shipment IDs, destination fulfillment centres, box contents (SKUs, quantities, weights, dimensions), and shipment status.
  • Notification data: Amazon-issued notifications relating to catalog item changes (e.g. listing suppression, attribute updates) and inbound shipment status updates.
  • Merchant / marketplace identifiers: Amazon Merchant Token (MerchantID) and Marketplace ID, used to scope all queries to your account.

All Amazon data is retrieved exclusively to provide the features of the Service and is never used for any other purpose or shared with third parties for advertising.

3.3 Usage and Technical Data

  • Log data: server-side logs containing pseudonymised internal request identifiers, HTTP method, response status codes, and timestamps. Logs do not contain SP-API tokens, full Amazon identifiers, or product catalog data.
  • Device / browser data: IP address (truncated to /24 before storage when analytics are enabled), browser type, operating system, and referring URL, collected automatically when you access the Service.
  • Feature usage data: pages visited, features interacted with, and events triggered within the Service, collected in aggregate and pseudonymised form.

3.4 Cookie and Analytics Data

We use cookies and similar technologies. See Section 12 (Cookies) for full details. If you consent, we collect analytics data via Google Analytics 4 (Google LLC, USA) with IP anonymisation enabled. If you do not consent, no analytics data is collected.

4. Purposes and Legal Bases for Processing

We rely on the following legal bases under Article 6 GDPR:

Purpose | Categories of data | Legal basis
Creating and managing your account | Identity, session | Art. 6(1)(b) — contract performance
Providing the core features of the Service (catalog sync, shipment planning, notifications) | Amazon SP-API data, account data | Art. 6(1)(b) — contract performance
Security, fraud prevention, and abuse detection | Log data, device data, session data | Art. 6(1)(f) — legitimate interests
Service analytics and performance monitoring | Usage data (pseudonymised) | Art. 6(1)(f) — legitimate interests
Cookie-based analytics (Google Analytics) | Device/browser data, usage data | Art. 6(1)(a) — consent (freely withdrawable)
Compliance with legal obligations (e.g. tax, accounting) | Identity, billing data | Art. 6(1)(c) — legal obligation

Where we rely on legitimate interests (Art. 6(1)(f)), we have carried out a balancing test and concluded that our interests are not overridden by your rights, given the limited scope of the data and the technical safeguards in place. You may object to processing based on legitimate interests at any time (see Section 10).

5. How We Process Amazon SP-API Data

MarginLock operates as an Amazon Selling Partner application. When you authorise the connection:

  • Amazon issues us an LWA (Login with Amazon) refresh token. We store this token encrypted at rest using AES-256-GCM with a key managed separately from the database (see Section 9). The token is decrypted only in memory for the duration of an API request and never logged.
  • Short-lived access tokens (TTL: 1 hour) are obtained on demand and held only in server memory; they are never persisted.
  • All catalog, shipment, and notification data retrieved from Amazon is stored exclusively within your merchant account in our database. Strict tenant isolation ensures that no data from your account is ever accessible to other merchants.
  • We do not share, sell, or monetise your Amazon data in any way beyond what is necessary to provide the Service.
  • You may disconnect your Amazon account at any time via Settings. Upon disconnection, your refresh token is immediately deleted from our database.

6. Data Retention

Category | Retention period
Account and profile data | For the duration of your account, plus 30 days after deletion to allow recovery. Billing-related identity data is retained for 10 years to satisfy Italian accounting obligations (Art. 2220 Civil Code).
Amazon SP-API OAuth tokens | For as long as the Amazon connection is active. Deleted immediately upon disconnection or account deletion.
Amazon catalog and shipment data | For as long as your account is active. Deleted within 30 days of account deletion.
Server logs | 90 days, then automatically purged.
Analytics data (with consent) | Up to 14 months (Google Analytics default retention window). Consent withdrawal stops future collection; historical aggregated data may persist in anonymised form.

7. Sharing Your Data

We do not sell your personal data. We share data only with:

  • Infrastructure providers: cloud hosting, database, and CDN services (e.g. Vercel, Supabase / cloud PostgreSQL). These act as Data Processors under Article 28 GDPR and are bound by data processing agreements. They process data only on our instructions.
  • Amazon.com, Inc.: We send API requests to Amazon's SP-API on your behalf. Amazon's own privacy policy governs data held within Seller Central.
  • Google LLC (analytics, if consented): Google Analytics 4 receives pseudonymised usage data with IP anonymisation enabled. Google may process this data in the United States (see Section 8).
  • Law enforcement / legal process: We may disclose data when required by applicable law, court order, or governmental authority, or to protect our legal rights.

We require all third-party processors to implement appropriate technical and organisational security measures and to process personal data solely for specified, legitimate purposes.

8. International Data Transfers

We are based in the EU (Italy). Some of our service providers, including Google LLC and certain cloud infrastructure providers, process data in the United States or other third countries outside the European Economic Area (EEA).

We ensure that any transfer of personal data outside the EEA is subject to appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented where necessary by a Transfer Impact Assessment;
  • The EU–US Data Privacy Framework (where the recipient is certified).

You may request a copy of the applicable transfer safeguards by contacting us at privacy@marginlock.io.

9. Data Security, Anonymisation, and Pseudonymisation

We apply the following technical and organisational measures to protect your data:

Encryption

  • All data in transit is protected with TLS 1.2 or higher. HTTPS is enforced; HTTP requests are redirected.
  • Amazon SP-API OAuth refresh tokens and other credentials are encrypted at rest using AES-256-GCM with an application-level encryption key that is stored separately from the database.
  • Database backups are encrypted at rest using the cloud provider's managed encryption.

Pseudonymisation

  • Users and merchants are identified internally by random UUIDs (universally unique identifiers) rather than Amazon Merchant IDs or e-mail addresses. This internal identifier is used as the primary key for all database relations, limiting exposure of Amazon-issued identifiers to the minimum necessary.
  • Server logs reference the internal UUID only; they do not contain e-mail addresses, Amazon identifiers, OAuth tokens, or catalog content.
  • In development and staging environments, only synthetic or anonymised data is used. Production data is never copied to non-production systems.

Access Control and Tenant Isolation

  • Every database query is scoped by merchantId. It is architecturally impossible for one merchant's data to be returned in another merchant's context.
  • Infrastructure access follows the principle of least privilege. Production credentials are managed via environment variables and secrets managers, never committed to source control.
  • Administrative accounts require multi-factor authentication.

Analytics Data Minimisation

  • IP addresses sent to Google Analytics are truncated (anonymised) before processing. We do not pass user IDs, merchant IDs, e-mail addresses, or any business data to analytics platforms.
  • Analytics is only activated upon your explicit consent. You may withdraw consent at any time via the Cookie Settings option in the application.

Token Lifecycle Management

  • Amazon SP-API access tokens (TTL: 1 hour) are obtained on demand and held only in server memory; they are never persisted to disk or database.
  • Refresh tokens are revoked and deleted immediately upon Amazon account disconnection or user account deletion.

Despite these measures, no transmission over the internet or storage system can be guaranteed to be 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and, where required, notify affected individuals without undue delay (Art. 34 GDPR).

10. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten", Art. 17): request deletion of your data, subject to our legal retention obligations.
  • Right to restriction of processing (Art. 18): request that we restrict how we use your data in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (applies to data processed on the basis of consent or contract).
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing purposes (if applicable).
  • Right to withdraw consent (Art. 7(3)): withdraw any consent you have given at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making (Art. 22): we do not make solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights, contact us at privacy@marginlock.io. We may ask you to verify your identity before processing your request. We will respond within 30 days (with a possible 2-month extension for complex requests, with notice).

You also have the right to lodge a complaint with the competent supervisory authority. In Italy this is:

Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma, Italy
Website: www.garanteprivacy.it

11. California Residents – CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, grants you the following rights. These rights are in addition to, and do not limit, your GDPR rights where both frameworks apply.

Categories of Personal Information Collected

In the past 12 months we have collected:

  • Identifiers (name, e-mail, IP address, unique internal IDs)
  • Internet or network activity (usage data, log data)
  • Commercial information (Amazon catalog and shipment data that you authorise us to retrieve)
  • Geolocation data (country-level, derived from IP address)
  • Inferences drawn from the above (e.g. preferred language)

We do not collect sensitive personal information as defined by Cal. Civ. Code § 1798.121, such as Social Security numbers, financial account credentials, or biometric data.

Purposes for Collection

See Section 4 (Purposes and Legal Bases).

Sale and Sharing of Personal Information

We do not sell your personal information and have not done so in the past 12 months. We do not share your personal information for cross-context behavioural advertising.

Your CCPA Rights

  • Right to Know: request disclosure of the categories and specific pieces of personal information collected about you, the categories of sources, the business purposes, and the categories of third parties with whom it is shared.
  • Right to Delete: request deletion of your personal information, subject to exceptions (e.g. legal obligations, security).
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: not applicable — we do not sell or share your data for advertising purposes.
  • Right to Limit Use of Sensitive Personal Information: not applicable — we do not collect sensitive personal information within the CPRA definition.
  • Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA rights.

To submit a verifiable consumer request, contact us at privacy@marginlock.io with the subject line "CCPA Request". We will respond within 45 days; complex requests may take up to 90 days (with notice within the first 45 days). You may designate an authorised agent to act on your behalf.

Shine the Light (California Civil Code § 1798.83)

California residents may request information about our disclosure of personal information to third parties for their own direct marketing purposes. We do not make such disclosures.

12. Cookies

We use the following types of cookies:

Type | Purpose | Consent required
Strictly necessary | Authentication session cookies; CSRF protection; locale preference (NEXT_LOCALE). | No — essential for the Service to function.
Analytics | Google Analytics 4 (_ga, _gid, _ga_*) — collect pseudonymised usage statistics to help us understand how the Service is used and improve it. | Yes — only placed after your explicit consent.

You can manage your cookie preferences at any time by clicking Cookie Settings in the application. Withdrawing analytics consent stops future cookie placement; it does not affect cookies already set before withdrawal.

For information about Google Analytics data practices, see Google's Privacy Policy.

13. Children's Privacy

The Service is directed to business users (Amazon sellers) and is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by e-mail or by posting a prominent notice within the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the date of the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact:

Kenderson Tripaldi
Via Ettore Fico 7, 10090 Castiglione Torinese (TO), Italy
E-mail: privacy@marginlock.io