Who we are and what this policy covers.
DataDoe, Inc. ("DataDoe", "we", "our", "us") operates a data layer for Amazon sellers, vendors, and agencies. We provide structured access to your Amazon data through pre-built reports, our REST API, MCP integrations for AI clients, and BigQuery dataset sharing.
This Privacy Policy describes how we collect, use, store, and share information when you use our platform. It applies to all users of DataDoe and is designed to comply with the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), and to align with Amazon's SP-API Data Protection Policy.
The data that flows through DataDoe.
We collect five categories of information when you use our service:
Account data
When you create an account, we collect your name, email address, and authentication credentials. This is the minimum required to identify you and secure your account.
Amazon Information
You connect your Amazon Seller Central, Vendor Central, or Advertising accounts to DataDoe via OAuth authorization using Amazon's SP-API and Ads API. We never receive or store your Amazon login credentials — only the OAuth tokens Amazon issues to us. Through these APIs we receive:
- Order data, including order line items, settlements, and refunds
- Advertising data, including campaign, ad group, keyword, and search-term performance
- Inventory, listings, catalog, and brand analytics data
- Buyer personally identifiable information (PII) tied to orders — typically customer names and shipping addresses — only if you have enabled the optional Amazon PII access add-on. Without that add-on enabled, your account does not receive PII fields from Amazon's APIs.
Usage metrics
We collect MCP queries, REST API requests, AI prompts you forward to your connected AI clients through DataDoe, exports you run, BigQuery queries you run, and your activity within the platform. This helps us operate the service, debug issues, meter usage for billing, and improve features.
Technical data
We log device information, browser type, IP address, and platform usage logs through AWS RUM (Real User Monitoring) for performance, security, and reliability purposes.
Billing data
Payment is handled by Stripe. We receive limited billing metadata (subscription status, invoice records) but do not store your full payment card number.
What we do — and don't do — with your data.
We use the information we collect strictly to operate and improve DataDoe:
- Service provision — fetching, structuring, and delivering your Amazon data through reports, MCP, REST API, and BigQuery.
- AI insights delivery — powering reports, recommendations, AI-assisted analytics, and connected AI clients.
- Authorized actions — when you explicitly approve them — performing write operations on your Amazon accounts (e.g., bid adjustments, listing updates).
- Communications — service updates, security notices, and platform announcements.
- Platform security — fraud prevention, abuse monitoring, and access control.
Where your data lives and how long we keep it.
Your data is stored on AWS and GCP infrastructure in the United States. All data is encrypted at rest with AES-256-GCM and in transit with TLS 1.3. Secrets and API keys are stored in AWS Secrets Manager.
General retention
We retain your data for the duration of your use of the Service and for 30 days after termination of your account, after which it is permanently and securely deleted from our active systems. Backups containing residual data are overwritten on our standard backup rotation.
Buyer PII from Amazon orders
Where you have enabled the optional Amazon PII access add-on, buyer PII received from Amazon (such as customer names and shipping addresses on orders) is retained no longer than 30 days after order delivery, except where retention is required for legal, tax, or regulatory purposes. This is consistent with Amazon's SP-API Data Protection Policy.
Security and audit logs
We retain access, event, and security logs for a minimum of 12 months. Logs are scrubbed of PII where not legally required and are protected against unauthorized access and tampering.
Who has access to your information.
We do not sell, trade, or rent your personal information. Period.
We share data only with the following vetted subprocessors, each contractually bound by confidentiality and data-protection obligations consistent with this policy and applicable law:
We may also disclose information where required by law, court order, or to protect our rights or those of our users.
What you can do with your data.
Under GDPR, UK GDPR, and CCPA, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — request that we delete your personal data (subject to legal retention requirements).
- Restriction — limit how we process your data in specific circumstances.
- Portability — receive your data in a structured, commonly used format.
- Opt-out of data sales — though, as stated above, we do not sell your data.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at contact@datadoe.com. We respond to verified requests within the timeframes required by applicable law.
How we protect your data.
We operate the Service in accordance with industry best practices, taking reference from frameworks including ISO/IEC 27001, ISO/IEC 27002, and the NIST Cybersecurity Framework. Key controls include:
- Encryption — TLS 1.3 in transit; AES-256-GCM at rest
- Multi-factor authentication required for all administrative and cloud access
- Least-privilege role-based access via AWS IAM and GCP IAM
- Secrets management — credentials, API keys, and database secrets stored in AWS Secrets Manager and never hardcoded in source
- Quarterly access reviews; access revoked within 24 hours of employee or contractor termination
- Segregated test and production environments with code review and CI/CD gating
- Dark-web monitoring for company domains and employee email accounts
- Annual security training for all employees covering PII handling, phishing, and incident reporting
- Documented Incident Management Plan, reviewed every six months
No system is perfectly secure, but we follow industry best practices and continuously work to harden our platform. If we discover a security incident affecting your data, we will notify you without undue delay, and in any event within the timeframes required by applicable law (such as 72 hours under GDPR), with information sufficient for you to meet your own notification obligations.
Cross-border processing.
DataDoe is operated from the United States, and personal data — including Amazon Information — is stored and processed on AWS and GCP infrastructure located in the United States. If you are located in the EU/EEA, the UK, Switzerland, or another jurisdiction whose laws restrict cross-border transfers of personal data, your data will be transferred to the United States.
For such transfers, we rely on appropriate transfer mechanisms — including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum — when executing a Data Processing Addendum (DPA) with customers acting as data controllers. You can read or download our DPA here.
Not intended for minors.
DataDoe is a B2B product intended for users 18 years of age or older. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, contact contact@datadoe.com and we will delete it.
When and how we update this policy.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the platform before the changes take effect.
The "Effective" date at the top of this page reflects when this version was published. Continued use of DataDoe after a policy update means you accept the revised terms.
Questions about this policy or your data?
Reach out and we'll respond within a reasonable timeframe. For data subject requests under GDPR, UK GDPR, or CCPA, please use the email below.
STE 29271
Dover, DE 19904, USA