Back to home

Privacy Policy

Last updated: 12 May 2026 · Effective from: 12 May 2026

1. Who we are

This Privacy Policy explains how POLARSTAR OÜ (Estonian registration: pending, address: Kesklinna linnaosa, Tornimäe tn 5, 10145 Tallinn, Estonia), trading as SellerEngine, collects, uses and protects your information when you use our services (the "Services"), which include the SellerEngine website (sellerengine.app) and the SellerEngine tools (Sniper HUB, Stock Control, and PricePricer).

For the purposes of the EU General Data Protection Regulation ("GDPR"), POLARSTAR OÜ is the data controller for the personal data described below.

Contact: privacy@sellerengine.app

2. What data we collect

2.1 Account data

When you create a SellerEngine account, we collect:

  • Email address
  • Business name and country (optional)
  • Authentication metadata (hashed password or third-party identifier)

2.2 Amazon Ads API data

When you connect your Amazon Ads account via Login with Amazon ("LwA"), you authorize SellerEngine to read and write specific data on your behalf through the Amazon Ads API. We process:

  • Read-only metrics: campaigns, ad groups, keywords, product targets, search terms, impressions, clicks, spend, orders, sales, and bid history.
  • Write actions you initiate: bid changes, negative keyword additions, harvested keywords, and ASIN targets. Every write goes through an explicit user action — we never write on a schedule without your confirmation.
  • OAuth tokens: a refresh token issued by Amazon, which we store encrypted at rest. We do not store your Amazon password — the credential exchange happens entirely on Amazon's domain.

2.3 Operational logs

We keep audit logs of every write action initiated through our tools, including:

  • Timestamp, action type (e.g. SUBIR PUJA, NEGATIVIZAR, COSECHAR), and the parameters sent to Amazon.
  • Amazon's response (success, error code, error message).
  • A snapshot of relevant metrics at the moment of the change, so you can evaluate whether your changes worked.

These logs are retained for 180 days, then deleted automatically.

2.4 Technical data

When you use the Services, we collect minimal technical data: IP address, browser type, and request timestamps. This is used to investigate abuse and operational issues, and is kept for 30 days.

2.5 What we do not collect

  • Your Amazon Seller Central credentials.
  • Customer-facing data such as orders received by your Amazon storefront (we operate against advertising data, not transactional buyer data).
  • Buyer personally identifiable information (PII).
  • Payment card data — billing, when applicable, is processed by a certified PCI-DSS payment processor; we only store the processor's customer reference.

3. Why we process your data (legal basis)

Under GDPR, we rely on the following legal bases:

  • Contract (Art. 6(1)(b) GDPR): to provide the Services you signed up for — read your Amazon advertising data, execute the changes you initiate, and show you the results.
  • Legitimate interest (Art. 6(1)(f) GDPR): to keep the Services secure, prevent abuse, debug operational issues, and improve the product. You can object to this processing at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): when we have to retain certain records for accounting, tax, or compliance reasons.

4. Who we share data with

We share the minimum necessary data with the following categories of recipients:

  • Amazon Web Services: when you execute a write action, we forward the relevant payload to Amazon Ads. This is the core service mechanism — we do not "share" data in a marketing sense.
  • Infrastructure providers: our hosting provider (EU-based) processes the data only to deliver the Services. They are bound by Data Processing Agreements compliant with GDPR.
  • Authorities: where required by law (e.g. tax audits, valid court orders). We will notify you unless prohibited from doing so.

We do not sell, rent, or trade your data. We do not share your advertising data with other SellerEngine users.

5. International transfers

Your data is stored on infrastructure located within the European Economic Area. When Amazon processes requests in their regional infrastructure (e.g. advertising-api-eu, advertising-api-na, advertising-api-fe), the data routes through Amazon's relevant region — this is determined by the marketplace you chose when you opened your Amazon Ads account, not by SellerEngine.

For transfers outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission.

6. Your rights

Under GDPR you have the right to:

  • Access: ask us what data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: ask us to delete your account and associated data.
  • Restriction: ask us to stop processing while a dispute is resolved.
  • Portability: receive a copy of your data in a machine-readable format (JSON).
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: revoke the LwA authorization at any time directly from your Amazon account — we will no longer be able to read or write on your behalf from that moment.
  • Complain: lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

To exercise any right, email privacy@sellerengine.app. We will reply within 30 days.

7. Account deletion

When you delete your SellerEngine account:

  • We delete your account record, refresh tokens, and any in-product preferences within 7 days.
  • Audit logs that reference your account are anonymized within the same window. The metric snapshots may be kept in aggregated form for product improvement, with no reference to your identity or your Amazon account.
  • Backups containing your data are purged on the regular rotation cycle (maximum 30 days).

Revoking the LwA authorization in Amazon also stops all data flow from Amazon to SellerEngine. Doing both (delete + revoke) gives you a complete clean state.

8. Cookies

We use strictly necessary cookies only: a session cookie to keep you logged in. We do not use analytics or advertising cookies on the SellerEngine application. The marketing site (sellerengine.app) may use a minimal first-party analytics cookie to count visits — no third-party trackers, no fingerprinting.

9. Security

We follow industry best practices: TLS 1.2+ for all traffic, encryption at rest for OAuth tokens, principle of least privilege for staff access, audit trails for every administrative action. If a security incident affects your data, we will notify you within 72 hours of becoming aware, as required by GDPR Art. 33.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

11. Contact

Questions or concerns about your data:
Email privacy@sellerengine.app
Postal: POLARSTAR OÜ — Kesklinna linnaosa, Tornimäe tn 5, 10145 Tallinn, Estonia