Privacy Policy · v1.0 · 24 April 2026
Plain English summary at the top, full terms below. Governing law: England and Wales.
Plain English summary
- We process the minimum data needed to run your license and call Amazon on your behalf.
- We hold an Amazon refresh token (encrypted at rest, AES-256-GCM) so Claude can ask Amazon things on your behalf. Your business data — sales, ads, inventory, listings — is not warehoused by us; every question hits Amazon fresh and the answer flows back to your Claude session.
- Our skills are scoped to the business surface — we don't request buyer PII from Amazon in the first place.
- We do not sell your data. We do not train AI models on it.
- You can export or delete your data at any time from your Account page.
1. Who we are
This service is operated by Lumitec AI Ltd, a company registered in England and Wales, company no. 16173119, registered office Cedar Lodge, York Road, Shiptonthorpe, York, YO43 3PH ("we", "us", "our"). Data protection queries: privacy@lumitec.ai.
2. What we process
- Account data: email address, hashed password, optional store name.
- Billing data: processed by Stripe; we hold only a customer ID and invoice history.
- License data: license code, issue date, status, attached OAuth grants.
- Amazon refresh tokens: issued by Amazon's Login with Amazon flow when you connect, stored in our backend encrypted at rest with AES-256-GCM envelope encryption. Used only to mint short-lived access tokens for SP-API and Ads API calls on your behalf; access tokens stay in memory for the duration of a single call and are never persisted.
- Audit logs: every write to Amazon is logged (skill, payload, actor, outcome), retained 90 days.
- Operational data: error traces, request latencies, minus any PII.
3. What we do not hold
- Buyer names, addresses, or message content from SP-API.
- Payment card details (Stripe holds these).
- Your Amazon Seller Central password.
4. Lawful basis
Contract performance (Art. 6(1)(b) UK GDPR) for delivering the service; legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and product improvement; legal obligation (Art. 6(1)(c)) for tax and regulatory record-keeping.
5. Sharing
We share data only with named sub-processors listed on our sub-processors page — for hosting, database, payments, error monitoring, and email delivery. We will give at least 30 days' notice before adding or changing a sub-processor.
6. Retention
- Active accounts: for the life of the account.
- Cancelled accounts: up to 30 days, then hard-deleted.
- Audit logs: 90 days.
- Backups: 30-day rolling window.
- Invoices: 6 years, as required by UK tax law.
7. Your rights
Under UK GDPR you have the right of access, rectification, erasure, portability, restriction, objection, and to lodge a complaint with the ICO. To exercise any right, email privacy@lumitec.ai. We aim to respond within 7 days and always within the 30 days mandated.
8. International transfers
Our primary infrastructure is in the UK and EU. Where data is transferred to sub-processors outside the UK/EEA, transfers rely on the UK International Data Transfer Addendum or equivalent Standard Contractual Clauses.
9. Security
Summarised on our security page. In brief: stateless architecture (no business-data warehouse), TLS 1.3 in transit, per-skill write controls, preview-before-write on every mutation, 90-day audit logs.
10. Contact
Email privacy@lumitec.ai or write to Lumitec AI Ltd, Cedar Lodge, York Road, Shiptonthorpe, York, YO43 3PH, United Kingdom.
11. Changes
We will update this page with at least 30 days' notice for any material change, and email all active accounts.