Privacy Policy & Data Protection Policy

Organization InArt Studio
Effective Date January 10, 2026
Last Updated January 9, 2026
Back to Home

Table of Contents

  1. Introduction
  2. Compliance
  3. Data Collection
  4. Data Usage
  5. Data Storage & Security
  6. Data Retention
  7. Third-Party Sharing
  8. Employee Access & Monitoring
  9. Incident Response
  10. Security Controls
  11. Testing & Development
  12. Monitoring & Logging
  13. Backup & Disaster Recovery
  14. Vulnerability Management
  15. User Rights
  16. Policy Updates
  17. Contact Information

1. Introduction

InArt Studio ("we", "us", or "our") is committed to protecting the privacy and security of data obtained through Amazon Selling Partner API. This policy describes how we collect, use, store, and protect Amazon data, including Personally Identifiable Information (PII).

2. Compliance

We comply with:

  • Amazon Services API Solution Provider Agreement
  • Amazon Acceptable Use Policy (AUP)
  • Amazon Data Protection Policy (DPP)
  • Applicable data protection laws (GDPR, CCPA, Indian IT Act 2000)

3. Data Collection

We collect data exclusively from Amazon Selling Partner API for:

  • Inventory management and synchronization
  • Order fulfillment and shipping label generation
  • Catalog management and product listing optimization
  • Sales analytics and advertising optimization

Data Types Collected:

  • Product catalog information (SKUs, titles, attributes, images)
  • Inventory levels and fulfillment data
  • Order information (order IDs, shipping addresses, buyer names)
  • Sales and performance metrics

4. Data Usage

Amazon data is used solely for:

  • Managing inventory across fulfillment channels
  • Generating shipping labels for direct-to-consumer orders
  • Optimizing product listings and advertising campaigns
  • Business analytics and reporting for authorized sellers
  • Compliance with Amazon seller requirements

We DO NOT:

  • Sell or share Amazon data with third parties
  • Use data for purposes unrelated to Amazon seller operations
  • Access buyer information for marketing or unauthorized purposes

5. Data Storage & Security

5.1 Encryption

  • In Transit: All data transmitted via HTTPS/TLS 1.3
  • At Rest: AES-256 encryption for all stored data
  • Key Management: AWS KMS (Key Management Service)

5.2 Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) required for all system access
  • Individual user accounts with audit trails
  • Access granted on need-to-know basis only

5.3 Infrastructure Security

  • AWS cloud infrastructure with VPC isolation
  • Network security: Firewalls, IDS/IPS, DDoS protection
  • Database access restricted via security groups
  • Regular security patches and updates

6. Data Retention

Data Type Retention Period
PII (Buyer Information) 31-90 days after order shipment
Order Data 1 year for compliance and analytics
Catalog Data While actively managing product listings
Audit Logs Minimum 12 months

Data Disposal: Secure deletion using cryptographic erasure and overwriting methods.

7. Third-Party Sharing

We do NOT share Amazon Information with any third parties. All data is processed internally for authorized seller account management only.

8. Employee Access & Monitoring

  • Access to Amazon data restricted to authorized employees only
  • Background checks for employees with data access
  • Regular security training and awareness programs
  • Monitoring systems prevent data access from personal devices
  • USB/external device access disabled on production systems
  • Mobile Device Management (MDM) for company devices

9. Incident Response

In the event of a security incident:

  1. Immediate containment and investigation (within 1 hour)
  2. Notification to [email protected] within 24 hours
  3. Root cause analysis and remediation
  4. Post-incident review and security improvements

Incident Management Point of Contact:

Name: Jay Patel
Email: [email protected]
Phone: +917715972129

10. Security Controls

10.1 Network Security

  • Perimeter firewalls and WAF (Web Application Firewall)
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Network segmentation (production isolated from development)
  • Anti-virus/anti-malware on all endpoints

10.2 Application Security

  • Code scanning before each release (SAST/DAST)
  • Vulnerability scans every 30 days
  • Annual penetration testing by certified firms
  • Critical vulnerabilities remediated within 7 days
  • High vulnerabilities remediated within 30 days

10.3 Change Management

  • Formal change approval process
  • Dedicated test environment (staging)
  • Code review required before production deployment
  • Automated testing and CI/CD pipelines

10.4 Password Management

  • Minimum 12 characters with special characters
  • Multi-Factor Authentication (MFA) mandatory
  • 90-day password expiration
  • Password history enforcement (10 previous passwords)
  • Credentials stored in AWS Secrets Manager

11. Testing & Development

  • PII is masked/anonymized in test environments
  • Production data never used in development
  • Synthetic test data generation for testing
  • Separate AWS accounts for dev/staging/production

12. Monitoring & Logging

  • Centralized logging (AWS CloudWatch, CloudTrail)
  • Real-time alerting for suspicious activities
  • Bi-weekly log reviews by security team
  • 12-month log retention minimum
  • SIEM (Security Information and Event Management) integration

13. Backup & Disaster Recovery

  • Automated daily backups with encryption
  • Geographically separated backup storage (multi-region)
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Monthly disaster recovery drills

14. Vulnerability Management

  • Automated vulnerability scanning (AWS Inspector, Qualys)
  • Tracking via ticketing system (Jira) with SLA enforcement
  • Monthly security dashboard review
  • Third-party dependency scanning
  • Bug bounty program for responsible disclosure

15. User Rights

Authorized sellers can:

  • Request access to their data
  • Request data deletion
  • Revoke API access at any time
  • Receive breach notifications

16. Policy Updates

This policy is reviewed every 6 months and updated as needed. Users will be notified of material changes.

Last Review Date: January 9, 2026
Next Review Date: July 9, 2026

17. Contact Information

Data Protection Officer

Organization: InArt Studio
Email: [email protected]
Website: https://inart.co.in

For security incidents: [email protected]
For privacy inquiries: [email protected]

© 2026 InArt Studio. All rights reserved.