Trade & Data Protection Policy

This Policy describes how AJD Tecnologia LTDA (“we”, “us”) handles data in connection with integration services. For the institutional website and cookie preferences, see also our Privacy Policy.

1. Overview

This Trade & Data Protection Policy (“Policy”) describes how we collect, process, store, and protect data obtained through integrations with third-party platforms, including e-commerce marketplaces, payment providers, and logistics systems (collectively, “Platforms”), via APIs such as the Amazon Selling Partner API (SP-API).

We are committed to:

  • Protecting all data obtained through Platform integrations
  • Complying with platform-specific policies (e.g., Amazon SP-API Data Protection Policy)
  • Following applicable data protection laws (e.g., LGPD, GDPR)
  • Applying strict security and data minimization principles

This Policy applies to all systems, employees, and subprocessors handling Platform data.

2. Types of Data Processed

Depending on user authorization and platform permissions, we may process:

2.1 Operational Data

  • Orders and fulfillment data
  • Product and inventory data
  • Pricing and catalog information
  • Financial and reporting data

2.2 Sensitive Data (PII)

When strictly necessary, we may process limited Personally Identifiable Information (PII), such as:

  • Customer name
  • Shipping and billing address
  • Phone number
  • Email address

We only access sensitive data when required to perform authorized operations (e.g., order fulfillment or support).

3. Purpose Limitation

We process Platform data strictly for legitimate and authorized purposes, including:

  • Order processing and fulfillment
  • Customer support
  • Logistics and shipping operations
  • Financial reconciliation and reporting
  • Platform synchronization and automation

We explicitly do NOT:

  • Sell or monetize Platform data
  • Use data for unrelated marketing or profiling
  • Share data outside the scope of the service

4. Data Minimization

We follow strict data minimization principles:

  • Only collect data that is strictly necessary
  • Avoid storing sensitive data when possible
  • Prefer anonymization or aggregation whenever feasible

5. Security Measures

We implement industry-standard and platform-required security practices.

5.1 Encryption

  • Data in transit is protected using TLS 1.2+
  • Data at rest is encrypted using AES-256 or equivalent
  • Sensitive fields may be additionally encrypted or tokenized

5.2 Access Control

  • Role-based access control (RBAC)
  • Least-privilege principle enforced
  • Multi-factor authentication (MFA) required for privileged access
  • Periodic access reviews

5.3 Credential Management

  • API credentials and tokens are securely stored (e.g., secret managers)
  • No hardcoded credentials in source code
  • Regular credential rotation
  • Immediate revocation upon compromise or deauthorization

5.4 Infrastructure Security

  • Secure cloud infrastructure (e.g., AWS, GCP, Azure)
  • Firewalls and network segmentation
  • Regular patching and updates
  • Restricted production access

5.5 Monitoring & Logging

  • All access to sensitive data is logged
  • Logs are retained for security and auditing purposes (minimum 90 days)
  • Automated monitoring for suspicious behavior

5.6 Vulnerability Management

  • Regular vulnerability scans
  • Periodic penetration testing
  • Continuous monitoring for threats

5.7 Incident Response

We maintain an incident response process that includes:

  • Rapid detection and containment
  • Internal escalation procedures
  • Notification to affected parties and platforms when required
  • Remediation and prevention measures

6. Data Retention & Deletion

We enforce strict retention limits, especially for sensitive data:

  • Sensitive data (e.g., PII) is retained only as long as necessary
  • For marketplace data (e.g., Amazon), PII is typically deleted or anonymized within 30 days after order fulfillment, unless legally required otherwise
  • Non-sensitive data may be retained for operational or legal purposes

Deletion Methods

  • Secure deletion from databases
  • Automated expiration policies
  • Backup lifecycle management
  • Data anonymization where deletion is not immediately feasible

7. Data Sharing

We do not share Platform data except when:

  • Required to deliver the service (e.g., logistics providers)
  • Required by law or legal process
  • Explicitly authorized by the user

All third parties (subprocessors):

  • Must adhere to equivalent or stricter security standards
  • Are contractually bound to protect data

8. Data Storage

  • Data is stored in secure, access-controlled environments
  • Sensitive data is always encrypted
  • Data residency depends on infrastructure providers but follows applicable legal requirements

9. User Rights & Control

Where applicable, users may:

  • Request access to their data
  • Request correction or deletion
  • Revoke platform access at any time

Upon revocation:

  • API access is immediately disabled
  • Data retention policies begin enforcement

10. Compliance

We continuously ensure compliance with:

  • Platform-specific policies (e.g., Amazon SP-API DPP)
  • Data protection regulations (LGPD, GDPR, etc.)
  • Internal security and audit standards

We maintain documentation of:

  • Data flows
  • Security controls
  • Processing activities

11. Prohibited Use

We strictly prohibit:

  • Unauthorized data access or scraping
  • Use of data outside approved scopes
  • Attempting to re-identify anonymized data
  • Retaining data beyond allowed limits

12. Policy Updates

This Policy may be updated to reflect:

  • Platform policy changes
  • Legal requirements
  • Security improvements

Continued use of our services implies acceptance of updates.

13. Contact

For questions or requests regarding this Policy:

← Back to home