Your Privacy Matters
At Gauditor, we take your privacy and data security seriously. This Privacy Policy explains how we collect, use, protect, and handle your information when you use our catalog auditing platform.
This policy applies to all data we collect, including information you provide directly, data accessed through Amazon Services API on your behalf, and technical information about your use of our Service. This Policy supplements our Terms and Conditions.
1. What Information We Collect
We collect the following types of information:
- Account Information: Your name, email address, organization information, and account credentials
- Product Data: Product information, catalog data, and audit results from your Amazon accounts
- Usage Data: Information about how you use Gauditor, including access logs and activity data
- Technical Data: IP addresses, browser type, device information, and other technical data
- Amazon Data: Data accessed through Amazon Services API on your behalf, with your explicit authorization
We only access Amazon data that is necessary to provide the catalog auditing and management features you've requested. We do not access, store, or use Amazon data for any purpose other than providing our Service to you.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve Gauditor's features and functionality
- Process your requests and support your catalog management needs
- Communicate with you about the Service, updates, and important notices
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our agreements
- Support your business operations with Amazon
Important: We do not use Personally Identifiable Information (PII) about Amazon customers for any purposes other than merchant fulfilled shipping or to meet legal requirements, including tax and regulatory requirements.
3. Information Sharing and Disclosure
We do not sell, rent, or share your information with third parties except in the following limited circumstances:
- Service Providers: We may share information with trusted third-party service providers who help us operate our Service, subject to strict confidentiality obligations
- Legal Requirements: We may disclose information if required by law or in response to valid legal process
- Business Transfers: Information may be transferred in connection with a merger, acquisition, or sale of assets (with notice to you)
- With Your Consent: We may share information with your explicit consent
We only share data with parties that have data security standards at least as strict as our own. We do not share your data with other Gauditor users or aggregate data across different clients' businesses.
4. Your Rights and Choices
You have the following rights regarding your information:
- Access: You may request access to your personal information
- Correction: You may request correction of inaccurate information
- Deletion: You may request deletion of your information, subject to legal requirements
- Portability: You may request a copy of your information in a portable format
- Objection: You may object to certain processing of your information
- Restriction: You may request restriction of processing of your information
To exercise these rights, please contact us at sales@gauditor.com or through the support channels in your account.
5. Data Retention
We retain your information only for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law:
- Customer PII: Retained for no longer than 30 days after order delivery, except as required by law
- Non-PII Data: Deleted within 18 months unless required for longer retention by applicable laws
- Account Information: Retained for the duration of your account and for a reasonable period thereafter for legal and business purposes
When you delete your account, we will securely delete your data in accordance with our data retention policies and applicable law, unless we are required to retain it for legal purposes.
6. How We Protect Your Information
We implement industry-leading security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. Our security practices include:
6.1 Encryption
All data is encrypted both in transit (using TLS 1.2+ protocols) and at rest (using AES-128 or RSA with 2048-bit key size or higher). This means your data is protected whether it's being transmitted or stored.
6.2 Access Controls
We maintain strict access controls:
- Multi-Factor Authentication (MFA) required for all accounts
- Strong password requirements (minimum 12 characters with complexity requirements)
- Access granted on a "need-to-know" basis only
- Regular review of access permissions
- Account lockout after failed login attempts
6.3 Network Security
We protect our networks with:
- Firewalls and network access controls
- Intrusion detection and prevention systems
- Regular security monitoring and threat detection
- Anti-virus and anti-malware protection
6.4 Incident Response
We have comprehensive incident response procedures in place to quickly detect, respond to, and remediate any security incidents. If a security incident affects your data, we will notify you as soon as practicable and in accordance with applicable law.
Amazon Compliance Requirement
As an Amazon Solution Provider, we maintain compliance with Amazon's Data Protection Policy. We notify Amazon within 24 hours of any security incidents affecting Amazon data via email to security@amazon.com. We maintain comprehensive logging, monitoring, vulnerability management, and data governance practices in accordance with Amazon requirements.
7. Amazon Services API Compliance
This section outlines our compliance with Amazon Solution Provider requirements. As an approved Amazon Solution Provider, Gauditor adheres to all applicable Amazon data protection and security requirements.
7.1 Our Commitment to Amazon Compliance
As a Solution Provider using Amazon Services API, we are committed to full compliance with Amazon's data protection and security requirements, including:
- Compliance with Amazon Solution Provider Portal Agreement
- Adherence to Amazon Data Protection Policy
- Compliance with Amazon Acceptable Use Policy
- Strict adherence to Amazon Services API Developer Agreement terms
- Regular security assessments and compliance audits
- Immediate notification to Amazon of any security incidents
7.2 Detailed Security Requirements
In accordance with Amazon's Data Protection Policy, we maintain the following security measures:
Network Protection
- Network firewalls and network access control lists to deny access to unauthorized IP addresses
- Network segmentation and intrusion detection and prevention mechanisms
- Anti-virus and anti-malware tools updated at least monthly
- Controls to prevent employees from disabling anti-virus software
- Restricted system access only to approved internal employees with coding and development responsibilities
- Secure coding practices and annual data protection and IT security awareness training
Access Management
- Formal user access registration process with unique IDs for each person
- No generic, shared, or default login credentials
- Prevention of user account sharing
- Account lockout after 10 or fewer unsuccessful login attempts
- Quarterly review of people and services with access to information
- Access disabled and/or removed within 24 hours for terminated employees
- Fine-grained access control mechanisms following the principle of least privilege
Credential Management
- Minimum password length of 12 characters
- Passwords must include a mix of upper-case letters, lower-case letters, numbers, and special characters
- Passwords cannot include any part of the user's name
- Minimum password age of 1 day and maximum 365-day password expiration
- Password history maintained to prevent reuse of the last 10 passwords
- Multi-Factor Authentication (MFA) required for all user accounts
- API keys encrypted with only required employees having access
- API keys and associated credentials rotated at minimum once every 12 months
Risk Management and Incident Response
- Risk assessment and management process reviewed by senior management annually
- Incident response plan to detect and handle security incidents
- Plan identifies incident response roles, responsibilities, and escalation procedures
- Plan reviewed and verified every six months and after major infrastructure changes
- Notification to Amazon (via email to security@amazon.com) within 24 hours of detecting a security incident
- Investigation and documentation of each security incident
- Designated Incident Management Point of Contact (IMPOC): sales@gauditor.com
Data Retention and Deletion
- Permanently and securely delete information within 30 days of Amazon's deletion requests, unless required by law
- Non-PII data deleted within 18 months unless required for longer retention by applicable laws
- Secure deletion in accordance with industry-standard sanitization processes (NIST 800-88)
- Data attribution: information stored in separate databases or tagged to identify origin
PII-Specific Requirements
For Personally Identifiable Information (PII), we maintain additional security measures:
- PII retained for no longer than 30 days after order delivery, except as required by law
- PII only granted for select tax and merchant fulfilled shipping purposes, on a must-have basis
- Documented privacy and data handling and classification policy
- Record of data processing activities for all PII
- Baseline standard configuration for information systems
- Regular installation of patches, updates, defect fixes, and upgrades
- Quarterly updated inventory of software and physical assets with access to PII
- Change management process with segregation of duties
- PII not stored in removable media, personal devices, or unsecured public cloud applications unless encrypted
- Data loss prevention (DLP) controls to monitor and detect unauthorized movement of data
- Logs reviewed in real-time or on a bi-weekly basis
- Logs retained for at least 12 months
- Vulnerability scans performed at least every 30 days
- Penetration tests conducted at least every 365 days
- Critical vulnerabilities remediated within 7 days; high-risk within 30 days
Third-Party Service Providers
We conduct third-party risk assessments annually on vendors or subcontractors, and before granting them access to Amazon data. All third-party service providers are subject to strict contractual obligations requiring them to maintain data security standards at least as strict as our own.
8. Data Breach Notification
In the event of a security incident or data breach that may affect your information or Amazon data, we will:
- Notify Amazon within 24 hours via email to security@amazon.com (if Amazon data is affected)
- Notify affected users as soon as practicable and in accordance with applicable law
- Conduct a thorough investigation of the incident
- Take immediate steps to contain and remediate the incident
- Document all aspects of the incident and our response
- Implement additional security measures to prevent similar incidents
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place to protect your information in accordance with this Policy and applicable data protection laws.
10. Children's Privacy
Gauditor is not intended for children under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at security@gauditor.com.
11. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of any material changes by:
- Posting the new Policy on this page
- Updating the "Last updated" date
- Sending an email notification to registered users (for material changes)
- Displaying a prominent notice in the Service (for significant changes)
We encourage you to review this Policy periodically. Your continued use of Gauditor after we post any changes will constitute your acceptance of those changes. If any change is unacceptable to you, you may terminate your use of the Service in accordance with our Terms and Conditions.
12. Contact Us
If you have questions about this Policy or our data practices, please contact us:
General Inquiries:
Email: contact@gauditor.com or through the support channels in your account.
Security Incidents:
For security incidents, please contact our Incident Management Point of Contact (IMPOC) immediately:
- Email: security@gauditor.com
- Available 24/7 for security incident reporting
Amazon Security Contact:
For Amazon-related security incidents, we notify Amazon at: security@amazon.com
We will respond to all inquiries within a reasonable timeframe and in accordance with applicable data protection laws.