Amazon Marketplace Data Protection Policy
Last updated: 22 April 2026
This policy explains how EMMANUELA handcrafted for you® (sole proprietor Emmanouela Alevizopoulou, Greece) collects, processes, stores, and disposes of personal data obtained from Amazon Marketplaces in connection with fulfilment of customer orders. This page is published in addition to our general Privacy Policy to comply with Amazon's Data Protection Policy (DPP) requirements for Selling Partner API (SP-API) integrations.
1. Scope
This policy applies only to Personally Identifiable Information (PII) and order data we receive from Amazon Marketplaces (Amazon.com, Amazon.co.uk, Amazon.de, Amazon.fr, Amazon.it, Amazon.es, Amazon.nl, Amazon.se, Amazon.pl, Amazon.be, Amazon.ca, Amazon.com.mx) for orders placed against our Amazon seller account.
2. Data We Collect
Through Amazon Seller Central and the Selling Partner API (SP-API), we collect the following PII strictly required to fulfil and invoice orders:
- Buyer name (required for invoice issuance under Greek Law 4308/2014)
- Shipping address (required for delivery)
- Buyer email (only for legitimate order communication)
- VAT number (when supplied for B2B orders)
- Order details: items, quantities, prices, taxes, delivery dates
We do not collect payment card data, login credentials, browsing history, or any data outside what Amazon supplies for order fulfilment.
3. Purpose and Legal Basis (GDPR Art. 6)
- Order fulfilment — Art. 6(1)(b): performance of contract
- Invoice issuance and tax compliance — Art. 6(1)(c): legal obligation under Greek Law 4308/2014 (Hellenic Accounting Standards), Greek VAT Code, and EU VAT Directive 2006/112/EC
- Customer service — Art. 6(1)(b): performance of contract
4. Storage Location
All Amazon order data is stored on infrastructure physically located in the European Union:
- Primary: on-premises Pylon ERP database in our Greek facility
- Backup (encrypted): Synology NAS in the same Greek facility
- Off-site backup (encrypted): Google Drive (EU-region account emmanuela@emmanuela.gr, Google One 2 TB plan)
No data is transferred to non-EU third countries.
5. Security Measures
- All data in transit encrypted via TLS 1.2+
- Backup archives are encrypted with AES-256 before they are written to the NAS or uploaded to Google Drive, so their confidentiality does not depend on the storage provider
- Cloud storage adds Google's default AES-256 server-side encryption as a second, independent layer
- SP-API credentials stored encrypted (Windows DPAPI / Bitwarden vault) — never in plaintext
- Multi-factor authentication (MFA) enforced on all administrative accounts (TOTP)
- Access strictly limited to the business owner; no third-party processors
- Vulnerability scanning monthly; penetration testing annually
- Security event logging retained 12+ months
6. Retention Periods
| Data Type | Retention | Reason |
|---|---|---|
| PII (buyer name, address, contact) | 30 days after delivery, except where it appears on an issued invoice retained as a fiscal record | Amazon DPP Section 2.1; Greek Law 4308/2014 for invoice copies |
| Order metadata (totals, tax, dates) | 10 years | Greek Law 4308/2014 (fiscal records) |
| Security and access logs | 12 months | Amazon DPP Section 2.6 |
7. Data Sharing
We do not share Amazon-derived PII with any third party, with the following limited and lawful exceptions:
- Shipping carriers (only the data strictly necessary for delivery: recipient name, shipping address, contact phone)
- Greek tax authorities (AADE) when required by law, via the official myDATA invoicing platform
- Our accounting partner (under a written confidentiality agreement and GDPR Art. 28 data-processing agreement)
We do not sell, rent, or trade Amazon customer data under any circumstance.
8. Your Rights Under GDPR
You have the right to:
- Access the personal data we hold about you
- Request rectification of inaccurate data
- Request erasure ("right to be forgotten"), subject to lawful retention obligations under Greek tax law
- Request restriction of processing
- Data portability
- Object to processing
- Lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr)
9. Data Subject Access Requests (DSAR)
To exercise any right above, contact us at:
EMMANUELA handcrafted for you®
Emmanouela Alevizopoulou (sole proprietor)
Greece
Email: questions@emmanuela.gr
We will respond without undue delay and in any event within one month, as required by GDPR Art. 12(3).
10. Secure Deletion Procedure
When data reaches the end of its retention period, or upon a verified deletion request from Amazon or a data subject, we permanently delete it using sanitization aligned with NIST SP 800-88 Rev. 1 (Clear method): the rows are deleted from the database and the freed space is reclaimed (tablespace VACUUM), application and access logs are flushed of the affected records, and removable media holding copies are overwritten. Deletion from live systems is completed within 30 days of the request, and from backup copies within 90 days.
11. Breach Notification
In the event of a personal data breach, we notify:
- The Hellenic Data Protection Authority within 72 hours of awareness (GDPR Art. 33)
- Amazon Security Team (security@amazon.com) within 24 hours of awareness, per Amazon DPP Section 1.6
- Affected data subjects without undue delay if there is a high risk to their rights and freedoms (GDPR Art. 34)
12. Updates to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated via our website.
This page satisfies Amazon Marketplace Data Protection Policy (DPP) Sections 1.6, 2.1, 2.2, 2.3, 2.4, 2.6, and 2.7 requirements for Selling Partner API integrations as a Private Self-Authorized Developer.