Data Handling Policy

Effective date: April 28, 2026 ¬∑ Last updated: April 28, 2026

This Data Handling Policy describes the technical, organizational, and contractual measures that Solara Interactive LLC (dba Launitec) ("Launitec") applies to data retrieved from the Amazon Selling Partner API ("SP-API") and the Amazon Ads API on behalf of Launitec Seller Insights clients (each a "Client"). It is published as part of our compliance with Amazon's Acceptable Use Policy ("AUP"), Data Protection Policy ("DPP"), and Solution Provider Agreement.

Plain-English summary. We retrieve only the data we need to deliver the services you have purchased. We use it only for you. We never aggregate it across our clients, never share insights about Amazon's business, and never sell or resell any of it to anyone, ever.

1. The data we access through SP-API

For each authorizing Client, and only with respect to that Client's account, Launitec Seller Insights retrieves the following categories of data:

Category	Source	Why we need it
Brand Analytics ‚Äî Search Query Performance	SP-API `getReport` (Brand Analytics role)	To produce the weekly Search Query Performance report and PPC keyword recommendations the Client purchased.
Brand Analytics ‚Äî Top Search Terms, Item Comparison, Repeat Purchase Behavior, Demographics	SP-API `getReport` (Brand Analytics role)	To inform listing optimization and growth advisory contracted by the Client.
Sales and Traffic Business Reports (aggregated, non-PII)	SP-API Reports	To compute advertising metrics (TACoS, ACoS, ROAS) and growth dashboards.
Catalog metadata for Client ASINs	SP-API Catalog Items	To map performance data to ASINs and produce listing recommendations.
Advertising performance reports	Amazon Ads API (separate authorization)	To manage and optimize Sponsored Ads campaigns when contracted.

2. Data we never request or store

No shopper PII. We do not request the Restricted Roles that grant access to Personally Identifiable Information about Amazon shoppers (names, addresses, phone numbers, emails). The Brand Analytics role does not grant such PII, and we do not need or want it.
No Seller Central credentials. We never ask for, store, or use a Client's Seller Central username or password. All access is granted through Amazon's official OAuth authorization flow.
No payment card data. Payment card details are handled directly by Stripe; no card numbers ever touch Launitec systems.

3. AUP ¬ß4.4 ‚Äî No aggregation across clients

Launitec does not aggregate data across our Clients' businesses or customers obtained through the Amazon Selling Partner API to provide or sell to any party, including competing Clients, market-research firms, advertising networks, data brokers, or any other third party. Each Client's data is processed and stored in a logically isolated workspace, accessible only by personnel assigned to that Client's account. We do not produce or distribute "industry benchmarks", "market reports", "competitive intelligence", or similar products derived from cross-client SP-API data.

4. AUP ¬ß4.5 ‚Äî No insights about Amazon's business

Launitec does not promote, publish, or share insights about Amazon's business, and we do not use insights about Amazon's business for our own business purposes. Our analyses are limited to the contracted Client's own performance and account, and the deliverables we produce are licensed to that Client for their internal business use only.

5. Data flow

Client authorizes Launitec Seller Insights through the OAuth consent screen in Seller Central.
Amazon issues a refresh token to Launitec scoped to the roles the Client has granted (Brand Analytics + any other agreed roles).
Launitec's data-ingestion service, hosted on Amazon Web Services in the us-east-1 region, exchanges the refresh token for short-lived access tokens and calls the Selling Partner API on a fixed schedule (typically once per 24 hours).
Retrieved reports are written to a per-client encrypted Amazon S3 bucket. Each bucket is access-controlled by IAM roles assigned to the analyst working on that account.
An ETL pipeline transforms the raw reports into the dashboards and weekly action lists that the Client receives. The dashboards are served from a separate, per-client database schema.
Deliverables (PDF reports, dashboard links, in-account changes) are sent to the Client's authorized contacts only.

6. Security controls

Transport encryption: TLS 1.2 or higher for all SP-API, Amazon Ads API, dashboard, and email traffic.
At-rest encryption: AES-256 (server-side encryption with KMS-managed keys) for all S3 objects, RDS databases, and EBS volumes containing Client data.
Secrets management: SP-API refresh tokens, Amazon Ads tokens, and other credentials are stored in AWS Secrets Manager with strict IAM policies. Tokens are rotated on the cadence required by Amazon.
Identity and access: Single sign-on with mandatory multi-factor authentication for all employee access to production systems. Production access is provisioned per Client and revoked within 24 hours of an analyst leaving the engagement.
Network isolation: All data-processing workloads run in a private VPC with no public ingress; outbound calls to the Amazon APIs are made through a NAT gateway with allow-listed destinations.
Logging and monitoring: CloudTrail and CloudWatch logs of all API and data-store access are retained for at least 90 days. Anomalies trigger alerts to the on-call engineer.
Vulnerability management: Dependency and container scans on every deployment; high-severity findings remediated within the SLAs required by Amazon.
Background checks and training: All personnel with production access undergo background checks consistent with their jurisdiction and complete annual security and AUP/DPP training.

7. Retention and deletion

Launitec retains Client SP-API and Ads API data only for the duration of the Client engagement, plus a 30-day grace period intended solely to support continuity of service in the event of accidental disconnection. After the grace period, all production and backup copies of the Client's SP-API data are securely destroyed using NIST-aligned procedures.

A Client may request immediate deletion at any time by emailing comunicaciones@launitec.com. Launitec will confirm completion within 7 business days.

8. Sub-processors

Launitec engages a small number of vetted sub-processors who may process data on our behalf:

Amazon Web Services, Inc. ‚Äî cloud hosting, storage, and key management (US regions).
Stripe, Inc. ‚Äî payment processing.
Google LLC (Google Workspace) ‚Äî business email and document storage.

Each sub-processor is bound by a written data-processing agreement that requires AUP/DPP-compatible safeguards. We will provide 30 days' notice before adding a new sub-processor that processes SP-API data.

9. Incident response

Launitec maintains a written security-incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident affecting Client SP-API data, Launitec will:

Notify the affected Client by email and phone as soon as possible and no later than 24 hours after detection.
Notify Amazon as required under the Solution Provider Agreement and Data Protection Policy.
Provide a written post-incident report including root cause, scope, mitigations, and remediation steps within 30 days of containment.

10. Right to audit

Upon reasonable written request and no more than once per twelve-month period, a Client may request an attestation of the controls described in this policy. Launitec will respond with documented evidence within 30 days, subject to confidentiality obligations.

11. Contact

For data-handling, security, or privacy inquiries, contact comunicaciones@launitec.com.