SHIOO-OMS Amazon SP-API Data Protection Policy

Policy Effective Date: October 31, 2024
 
1. Introduction and Commitment
 
The SHIOO-OMS system, operated by us, is an order management system integrated with Amazon Seller Central. This policy specifically elaborates on how SHIOO-OMS collects, uses, stores, protects, and disposes of relevant data through the Amazon Selling Partner API (SP-API).
We are committed to upholding the highest standards of data security and privacy. This policy is designed to ensure our full compliance with all terms of the Amazon SP-API Data Protection Policy (DPP) and the Acceptable Use Policy (AUP). Your use of our services signifies your understanding and agreement to the practices described in this policy.
 
2. Data Collection, Use, and Purpose Limitation
2.1 Data Source
 
We receive and process data solely through the official Amazon SP-API. We do not obtain any Amazon data through any unofficial or unauthorized channels.
 
2.2 Data Types
 
The data we collect and process is strictly limited to what is absolutely necessary to provide you with the SHIOO-OMS service, including but not limited to: order information, product information, inventory data, shipment information, and the Personally Identifiable Information (PII) of buyers essential for completing fulfillment, such as recipient name, address, and contact phone number.
 
2.3 Usage Purposes
All our activities involving Amazon data are based on explicit and limited business purposes and are strictly confined to the following scope:
  • Order Fulfillment and Logistics: Processing orders, arranging transportation, generating shipping labels, and providing delivery tracking.
  • Tax Calculation and Compliance: Calculating and remitting relevant taxes, and generating legally required tax invoices.
  • Customer Service: Responding to buyer inquiries, handling returns and refund requests.
  • System Operations: Ensuring the normal operation of SHIOO-OMS, error diagnosis, and performance improvement (using anonymized or aggregated data).
We strictly prohibit and will not use data for the following purposes:
  • Marketing or advertising campaigns.
  • Training unrelated internal models.
  • Any sales, rental, or data analysis activities unrelated to the explicit purposes stated above.
3. Data Access and Governance
This section details the specific control measures we implement to comply with the Amazon Data Protection Policy.
3.1 Data Access Control
  • Access to production systems is strictly restricted to approved internal employees who have undergone data security training.
  • We implement the principle of least privilege through a Role-Based Access Control (RBAC) model, ensuring employees can only access data essential to their duties.
  • We review and audit the list of personnel with data access privileges on a quarterly basis.
3.2 Data Retention and Automatic Disposal
We strictly adhere to the principles of data minimization and limited retention.
  • Core Commitment: After the successful delivery of an order, we will automatically and securely delete or anonymize Personally Identifiable Information (PII) from all active systems and databases within 30 days. We do not create any offline backups for such PII.
  • Legal Exception: We will retain specific non-PII data for the legally mandated period only when required by legal obligations (e.g., tax, audit regulations). Such data will be transferred to an encrypted archive system subject to strict access controls.
3.3 Responding to Amazon Deletion Requests
Upon receiving a written deletion request from Amazon, we commit to:
  • Permanently and securely deleting the specified Amazon information within 72 hours (3 days).
  • Permanently and securely deleting all live (online or network accessible) instances of Amazon information within 90 days.
The data deletion process will adhere to industry-standard sanitization processes such as NIST 800-88.
4. Data Storage and Security
We commit to employing industry-leading technical measures to protect all data.
  • Storage Location: All data is stored within the secure data centers of our cloud service providers (e.g., Alibaba Cloud, AWS).
  • Network Protection: Databases are deployed within isolated private subnets, with all direct access from the public internet strictly prohibited by network firewalls and Access Control Lists (ACLs).
  • Encryption at Rest: All sensitive data, especially PII, is encrypted at rest using the AES-256 encryption algorithm.
  • Encryption in Transit: Data is encrypted end-to-end using TLS 1.2 or higher protocols during transmission, both internally and with external partners.
  • Key Management: Encryption keys are uniformly managed by the cloud service provider’s Key Management Service (KMS), ensuring separation of keys from data and secure key rotation.
5. Data Sharing and Disclosure
We will never sell, rent, or trade any Amazon data.
We share the minimum necessary information with strictly vetted third parties only under the following essential circumstances:
  • Logistics Carriers: To complete fulfillment, we share only the recipient’s name, shipping address, and contact phone number with carriers such as UPS, FedEx, and DHL. All data sharing is conducted via encrypted API interfaces and is bound by legal agreements containing strict confidentiality and data protection clauses.
Except for the above circumstances or as required by law, we will not disclose data to any other third parties.
6. Organizational Compliance Commitment
  • Employee Training and Confidentiality: All employees handling data undergo rigorous data security and privacy training and sign confidentiality agreements.
  • Ongoing Compliance: We have established processes to ensure our operations continuously comply with applicable privacy and security laws and regulations, as well as Amazon’s platform policies.
  • Vulnerability and Incident Management: We maintain vulnerability management processes and an incident response plan, and commit to notifying Amazon (via email to security@amazon.com) within 24 hours of detecting a security incident involving Amazon data.
7. Policy Revisions
We may update this policy from time to time to reflect changes in our practices or the law. Any revisions will be posted on this page. Your continued use of SHIOO-OMS signifies your acceptance of the updated policy.
If you have any questions about this policy, please contact us at:
   WhatsApp