Data Handling Policy

This Data Handling Policy explains how FlipAcross collects, processes, stores, uses, shares, and disposes of data, including Amazon SP-API data and restricted personally identifiable information (PII).

We apply purpose limitation, data minimization, and least-privilege access for all data processing activities.

Scope and data categories

We process the following categories of data:

• General account data: account owner information, billing information, business profile details, and support communications.
• Amazon operational non-PII data: ASIN, catalog attributes, listing details, pricing signals, inventory signals, and performance metrics.
• Amazon restricted PII: recipient name, delivery address, and required shipment contact fields needed for fulfillment workflows.
• Usage and security data: logs, access metadata, diagnostics, and security event records.

How we collect and process data

We collect data from three primary sources:

• Data provided by the seller during account setup and service use.
• Data received from Amazon APIs under seller authorization.
• Operational data created during fulfillment and support workflows.

For restricted PII, we only collect and process the minimum fields required to complete merchant-fulfilled shipping operations.

Purpose limitation for restricted PII

Restricted PII is used only for the following purposes:

• Pick, pack, and ship execution for merchant-fulfilled orders.
• Carrier label generation and shipment handoff.
• Legal, tax, invoice, and compliance obligations when required by law.

Restricted PII is not used for:

• Advertising.
• Profiling.
• Resale or unrelated commercial use.

Storage and security controls

We implement layered technical and organizational controls, including:

• Encryption in transit and at rest.
• Role-based access control with least-privilege permissions.
• Authentication and authorization controls for internal systems.
• Centralized access logging and security monitoring.
• Protection of API credentials and service secrets.
• Backups protected under the same security baseline as primary systems.

Data sharing and subprocessors

We share data only when necessary to provide the service or comply with law.

• Logistics carriers: Required shipment fields are shared with carriers such as FedEx, UPS, and DHL to create labels and complete delivery.
• Infrastructure and service providers: Hosting, monitoring, and support vendors process data only within contracted service scope.
• Legal authorities: Data may be disclosed if legally required.

We do not perform broad third-party sharing of Amazon restricted data.

Retention schedule

We retain data according to purpose and legal requirements:

• Amazon restricted PII: Up to 30 days after delivery or fulfillment completion.
• Legal exception: If applicable law requires longer retention, we retain only what is required and for the required period.
• Amazon operational non-PII data: Up to 2 years for operations, analytics, and service quality.
• Account data: For the life of the account and up to 30 days after account closure, unless longer retention is required by law.
• Billing and tax records: According to statutory retention obligations.

Disposal and deletion

When retention periods expire, data is removed through scheduled deletion workflows. Disposal controls include:

• Automated hard deletion of expired records in active systems.
• Secure deletion processes for storage media and derived artifacts.
• Backup lifecycle enforcement to ensure expired data ages out from backups.
• Support for verified seller deletion requests, subject to legal constraints.

Government and legal requests

When we receive legal requests, we apply the following principles:

• Validate request legitimacy and scope.
• Disclose the minimum data required by law.
• Maintain internal records of the disclosure process.

Security incidents and notification

If a security incident involves Amazon information, we notify Amazon within 24 hours of confirmation. We also handle additional notices required by applicable law, including notices to affected parties or regulators when legally required.

International data transfers

Data may be processed in jurisdictions where our systems or service providers operate. We apply contractual and technical safeguards appropriate to applicable privacy laws.

Your data rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict processing of your personal data. To submit a request, contact us using the details below.

Policy governance and updates

We may update this policy from time to time. Material changes are posted on this page with an updated effective date.

Applicable policy references

FlipAcross operates Amazon integrations under applicable Amazon SP-API agreements and data protection requirements, in addition to applicable privacy and security laws.

• Amazon Acceptable Use Policy
• Amazon Data Protection Policy
• Amazon Solution Provider Agreement

Contact us

If you have questions about this Data Handling Policy, contact us:

• By email: support@flipacross.com
• By phone number: +1 (201) 357-6592
• At this address: 8 The Green STE D, Dover, County of Kent, Delaware 19901, United States