Nestos Shop | SellerUX Compliance

Privacy and Data Handling Policy

Effective date: 2026-03-08

This policy applies to Nestos Shop systems and staff handling SellerUX operations, Amazon SP-API integrations, and restricted Amazon Information.

1) Scope and purpose

SellerUX by Nestos Shop collects and processes Amazon Information only for approved operational purposes: order fulfillment support, shipment and tracking workflows, tax and legally required documents, and customer support activities permitted by Amazon policy and applicable law.

2) Data collection and minimization

  • We collect only data fields required to complete approved business functions.
  • Access to restricted data is role-based, least-privilege, and limited to personnel with a documented business need.
  • Access rights are reviewed at least quarterly and revoked within 24 hours of termination.
  • We do not collect Amazon customer data for advertising, profiling, or unrelated analytics.

3) Processing and use controls

  • All processing is tied to documented workflows and approved operators/services.
  • Service-to-service and human access are authenticated, authorized, and auditable.
  • Change activity affecting restricted data is logged with action, actor, timestamp, and outcome metadata.

4) Storage and protection

  • Data in transit is protected with TLS 1.2+.
  • Data at rest is encrypted with at least AES-256.
  • Encryption keys are managed via dedicated key-management controls and are accessible only to authorized processes and administrators.

5) Sharing and third parties

  • Data sharing is limited to subprocessors required to deliver contracted services.
  • Third parties are reviewed for security and contractual data-protection obligations before access is approved.
  • We do not sell Amazon Information.

6) Retention and disposal

  • Amazon customer PII is retained no longer than 30 days after order delivery unless longer retention is required by law.
  • Upon expiration, data is deleted from active systems and removed from backup sets according to backup lifecycle schedules.
  • Disposal methods include secure logical deletion and media sanitization controls aligned with NIST SP 800-88 guidance.

7) Legal disclosure and exceptional circumstances

  • We disclose Amazon-related information only when required by law, court order, regulator request, or to protect rights/security under applicable law.
  • Any exceptional disclosure is limited to the minimum necessary scope and is documented under internal governance controls.

8) Communication preferences and cookies

  • Users can opt in or opt out of campaign and promotional communications through account settings or message unsubscribe controls.
  • We use cookies for authentication/session continuity, security signals, and aggregated usage analytics.
  • Cookie settings can be managed through browser controls, and policies are updated as controls evolve.