Anhui Hengjuan Technology Co., Ltd. Privacy and Data Processing Policy

Effective Date: January 29, 2025

Official Access Link: https://hengjuan.product-demo.cn/

This policy is formulated by Anhui Hengjuan Technology Co., Ltd. (hereinafter referred to as "we") to regulate the collection, processing, storage, use, sharing and disposal of Amazon-related data obtained through the Amazon Selling Partner API (SP-API). It strictly complies with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP), as well as applicable laws and regulations such as the EU GDPR, the US CCPA, and China's Personal Information Protection Law. This policy applies only to data management activities involved in providing services to sellers based on the Amazon SP-API. In case of any conflict, Amazon's official policies shall prevail.

I. Scope and Definition of Data

1.1 Data Scope

We only obtain data through officially authorized Amazon SP-API interfaces (including but not limited to Products API, Orders API, Fulfillment API), and do not collect any Amazon-related data through unauthorized channels such as web crawlers or third-party tools. The data source is limited to the explicit authorization of Amazon sellers using our services (hereinafter referred to as "authorized sellers") and information legally provided by Amazon platforms.

1.2 Core Data Definitions

II. Full-Lifecycle Data Management

2.1 Data Collection

We only collect necessary Amazon data for the purpose of providing agreed services to authorized sellers, following the principle of "minimum necessity":

  1. After obtaining confirmation and consent from authorized sellers, collect through SP-API interfaces only the minimum scope of data required for order processing, product listing and logistics integration;
  2. The entire collection process is encrypted and transmitted via HTTPS/TLS 1.2+ protocol to ensure data is not tampered with or leaked during transmission;
  3. Do not collect any data irrelevant to the services, and do not force authorized sellers to provide information beyond the scope of services.

2.2 Data Processing

Data processing is strictly limited to service purposes, and necessary security control measures are adopted:

  1. Mask (desensitize) PII data in real time, for example by hiding the last 4 digits of buyers' phone numbers and the detailed house numbers in addresses. The masked data is used only for order fulfillment, tax calculation and legal document generation, and not for other purposes;
  2. Data processing complies with Amazon DPP requirements, without secondary development, commercial analysis or reverse engineering;
  3. Establish records of data processing activities, detailing data fields, processing purposes, processing time and responsible persons, updated quarterly and retained for inspection.

2.3 Data Storage

We adopt strict storage security controls to ensure the security of data at rest:

  1. PII data is encrypted at rest with the AES-256 encryption algorithm and stored in databases separate from non-PII data. Storage servers are deployed on compliant cloud service providers (such as Alibaba Cloud, AWS), with network segmentation and access control implemented;
  2. PII data is retained for no more than 30 days after order delivery. Unless laws and regulations require otherwise, it is permanently and securely deleted in accordance with NIST 800-88 standards upon expiration;
  3. The storage period of non-PII data shall not exceed 18 months, and it shall be automatically cleaned up upon expiration. If storage needs to be extended for business reasons, it shall be confirmed by authorized sellers and comply with Amazon policies;
  4. Amazon credential information is stored encrypted in a dedicated encrypted configuration center, managed by a Key Management System (KMS), and subject to mandatory rotation every 180 days; it is not hard-coded in code or stored in plaintext;
  5. Establish a geographically dispersed backup mechanism. Backup data is also stored with encryption, and regular backup recovery tests are carried out to ensure data availability.

2.4 Data Use

Data is only used to provide agreed SP-API-related services to authorized sellers, including:

  1. Multi-site product listing, localized price configuration and inventory synchronization;
  2. Order reception, logistics information integration and fulfillment status synchronization;
  3. Generating tax invoices, logistics documents and other files that comply with regulatory requirements;
  4. Statistical analysis of API call logs and system operation data (excluding any sensitive information) to improve service stability.

We commit not to use Amazon data for any purpose not agreed by authorized sellers, nor for our own commercial promotion or providing data services to third parties.

2.5 Data Sharing

We strictly restrict the scope of data sharing. We do not share Amazon data with any third party except in the following circumstances:

  1. With the written consent of authorized sellers, share the minimum scope of data with subcontractors necessary for completing services (such as logistics service providers, tax service providers). Subcontractors must pass our annual third-party risk assessment, sign a data protection agreement, and assume equal security responsibilities;
  2. Provide necessary data within a reasonable scope in accordance with the mandatory requirements of laws and regulations, judicial authorities or regulatory agencies;
  3. Provide data to Amazon, its affiliates and agents to cooperate with Amazon's compliance audits and security testing, in line with Amazon DPP requirements.

2.5.1 Supplementary Rules for Data Sharing

We only conduct data sharing activities for the purpose of providing services to authorized sellers and performing legal obligations, and all sharing activities strictly comply with the following requirements:

  1. Data is shared only with partners that have sound data security protection capabilities and whose business scope closely matches the purpose for which the shared data is used; no unrelated data is shared;
  2. Sign a formal data confidentiality and data protection agreement with all data sharing partners, clarify the data security responsibilities of both parties, and require partners to process shared data in strict accordance with this policy and relevant regulations;
  3. Do not sell, lease or transfer the Amazon data of authorized sellers to any third party without business relevance, and do not allow the data to be used for partners' own commercial operations;
  4. Establish a data sharing ledger, detailing the fields, scope, recipients, sharing purposes and sharing period of shared data. The ledger shall be retained for no less than 24 months and can be provided for verification at the request of Amazon and regulatory authorities.

2.6 Data Disposal

When data reaches the storage period or is no longer needed, take secure disposal measures to ensure data is irrecoverable:

  1. Upon expiration of PII data, permanently destroy it in accordance with NIST 800-88 standards through data overwriting, physical deletion and other methods, including all backup copies;
  2. Upon receiving Amazon's deletion notice or termination of services by authorized sellers, complete secure deletion of all relevant data within 30 days, clear all online accessible instances within 90 days, and provide written destruction certification upon request;
  3. Retain records of data disposal processes, including disposal time, method and responsible person, for a retention period of not less than 12 months.

2.7 Data Protection Technical Measures

To fully protect the security of authorized sellers' data and Amazon-related data, we adopt a triple encryption protection system covering the transmission layer, storage layer and access layer, combined with industry-leading security technologies, to build a data security barrier across the full data path. The specific measures are as follows:

  1. Transmission layer protection: All data transmission between client and server, and between server and the Amazon SP-API interface, uses TLS 1.2 or later to ensure that data is not stolen, tampered with or monitored during transmission;
  2. Storage layer protection: In addition to PII data being stored at rest with the AES-256 symmetric encryption algorithm, all sensitive business data uses a hybrid encryption scheme. Keys are managed using the RSA-2048 asymmetric encryption algorithm, and key storage is physically isolated from business data;
  3. Access layer protection: Implement dual control of "minimum privilege + multi-factor authentication" for data access. Employees can only access the data necessary for their work. All data access operations are logged in real time, and abnormal access behavior immediately triggers a system alert;
  4. Environment layer protection: All data storage and processing systems are deployed in a private network environment, and a network security boundary is built through firewalls, WAF (Web Application Firewall) and IDS (Intrusion Detection System) to reject all unauthorized external network access;
  5. Operation and maintenance layer protection: All system operation and maintenance work is carried out from dedicated operation and maintenance terminals through a jump server login mechanism, with no direct server access rights. Operation and maintenance sessions are recorded in full and logs are retained for not less than 12 months.

2.8 Exercise of Data Rights by Authorized Sellers and Data Subjects

Authorized sellers, as the parties authorizing access to Amazon data, and data subjects (such as Amazon buyers) have statutory rights over the relevant data, including access, correction, deletion and portability, under applicable laws and regulations such as the Personal Information Protection Law, GDPR and CCPA. We will provide the necessary assistance for exercising these rights in accordance with the law. The rights are exercised as follows:

  1. Right to data access: Authorized sellers may at any time request to view and copy the Amazon business data they have authorized us to process, together with the data processing records, and data subjects may request to view their personally identifiable information processed by us;
  2. Right to data correction: If authorized sellers and data subjects find that the relevant data processed by us is incorrect or incomplete, they may request us to correct and supplement it;
  3. Right to data deletion: Authorized sellers may request deletion of all relevant business data after terminating the service, and data subjects may request deletion of their personally identifiable information (except where retention is required by laws, regulations or Amazon policies);
  4. Right to data portability: Authorized sellers may request us to export their business data in a structured, commonly used and machine-readable format for easy data migration or independent management;
  5. Method of exercising rights: Authorized sellers and data subjects may submit a written application for exercising rights using the phone number and email address published in "IV. Compliance and Responsibilities" of this policy. The application shall clearly specify the type of right being exercised, the relevant data information and identity verification materials;
  6. Response time limit: After receiving a valid application, we will complete the verification and respond within 15 working days. If the application is complex, we will inform the applicant of the processing progress and expected completion time within 30 working days.

III. Security Control Measures

3.1 Network and Access Security

  1. Implement network firewalls and access control lists to reject access from unauthorized IP addresses, and restrict public access rights only to approved users;
  2. Assign a unique ID to each person with system access, prohibit the use of generic, shared or default accounts, and implement an "account lockout" mechanism: the account is automatically locked after 10 failed login attempts;
  3. Follow the principle of least privilege, assign data access rights at a fine-grained level, grant rights only to the personnel who need them, review the access rights list quarterly, and disable and remove the rights of employees who have left within 24 hours;
  4. Enforce multi-factor authentication (MFA) for all system access. Passwords must be at least 12 characters long and mix uppercase and lowercase letters, numbers and special characters, with a maximum validity period of 365 days; the last 10 passwords are kept in the password history.

3.2 Monitoring and Log Management

  1. Deploy a SIEM (Security Information and Event Management) tool to conduct real-time monitoring of API calls, data access and system operations, and configure alert rules for abnormal behaviors (such as multiple unauthorized access attempts, abnormal batch data extraction);
  2. Log records include event status, time (UTC+0), source IP, user account, API interface name and operation type, excluding PII data. The log retention period is not less than 12 months;
  3. Logs are only accessible to authorized security teams, with full audit of access behaviors, and tampering or deletion of logs is prohibited.

3.3 Vulnerability and Risk Management

  1. Conduct vulnerability scans monthly, entrust qualified third-party institutions to conduct penetration tests annually, and perform code vulnerability scans before each application release;
  2. Handle vulnerabilities according to severity: critical vulnerabilities are fixed within 7 days, high-risk vulnerabilities within 30 days, medium-risk vulnerabilities within 90 days, and low-risk vulnerabilities within 180 days or included in the system upgrade plan;
  3. Use a dedicated vulnerability management platform to track remediation progress, update vulnerability status in real time (Pending → In Progress → Remediated → Verified), and generate monthly remediation reports submitted to management for review;
  4. Establish a risk assessment process, reviewed annually by senior management to evaluate potential threats and vulnerabilities and formulate response measures; review and update the incident response plan every six months and after major system changes.

3.4 Incident Response

  1. Designate a dedicated Incident Management Point of Contact (IMPOC), establish a 24-hour response mechanism, and notify Amazon via email (3p-security@amazon.com) within 24 hours of detecting security incidents such as database intrusions, unauthorized access and data leaks;
  2. Incident handling process: immediately isolate the affected system → preserve evidence (logs, intrusion traces) → fix vulnerabilities → restore data from clean backups → conduct Root Cause Analysis (RCA) → implement corrective measures to prevent recurrence;
  3. Notify affected parties and regulatory authorities in accordance with legal requirements, do not communicate with third parties on behalf of Amazon, and retain incident handling records for inspection.

IV. Compliance and Responsibilities

4.1 Compliance Commitment

Anhui Hengjuan Technology Co., Ltd. regularly trains employees on Amazon policies, data security, and privacy laws and regulations. Confidentiality clauses are included in the labor contracts of employees who handle data, to make data protection responsibilities clear. We maintain a process for handling Data Subject Access Requests (DSAR) so that inquiries, corrections and deletion requests from authorized sellers and data subjects receive a prompt response, in line with applicable regulatory requirements.

4.2 Policy Updates

This policy will be revised in a timely manner according to updates to Amazon SP-API policies, changes in laws and regulations and business adjustments. Updated versions will be published on the official website (https://hengjuan.product-demo.cn/) and take effect 7 days after publication. Authorized sellers continuing to use our services are deemed to accept the revised policy.

4.3 Contact Information

For questions about this policy, or to report data security-related issues and exercise statutory rights related to data, please contact us through the following methods:

Email: 766240847@qq.com

Phone: 18056019328