Privacy Policy
Last updated: 9/25/2025
Wilen Consulting (“Wilen Consulting,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy explains how we collect, use, store, protect, share, and delete information—including Amazon Selling Partner API (“SP-API”) data—when you use our services, applications, or website.
1. Information We Collect
- Amazon Information: Orders, listings, inventory, pricing, fulfillment, and limited PII only where permitted by Amazon roles (e.g., shipping labels, tax).
- Business/Account Data: Client contact, billing, and configuration details.
- Website Data: Form submissions and support requests.
- Technical/Log Data: IP address, device info, user agent, audit and event logs.
2. How We Use Information
- Provide integrations, automations, reporting, and analytics for authorized sellers.
- Process Amazon Information only for seller-authorized purposes and in compliance with Amazon’s Data Protection Policy.
- Support security, auditing, abuse detection, and compliance.
- We do not sell or use Amazon Information for advertising or marketing.
3. Sharing of Information (AUP 4.6)
- Amazon Information is shared only with systems authorized by the Selling Partner (e.g., their ERP or WMS, such as NetSuite, Extensiv, or SellerCloud).
- We use secure sub-processors (e.g., AWS hosting, monitoring, email delivery) where required to deliver services.
- All sub-processors are vetted for compliance and security.
- We never disclose Amazon Information to unrelated third parties.
4. Storage & Protection
- Encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Segmented networks, firewalls, IDS/IPS, endpoint protection, and MFA.
- No hard-coded secrets; keys and credentials stored securely.
- Test and production environments are fully separated.
5. Access Management & Least Privilege
- Each employee/contractor has a unique account; no shared credentials.
- Role-based access control (RBAC) ensures least privilege.
- Access is reviewed quarterly and removed within 24 hours of offboarding.
- Access is tied to HR records to individually identify employees.
- Amazon Information may not be stored on personal devices.
6. Credential Management
- Passwords: Minimum 12 characters, must include uppercase, lowercase, numbers, and special characters.
- Password reuse is prevented; rotation enforced at least every 90 days.
- MFA is required for all administrative accounts.
- API keys are encrypted at rest and never stored in code or public repositories.
7. Logging & Monitoring
- Centralized, tamper-evident logs capture authentication events, access attempts, data changes, and errors.
- Logs are retained ≥90 days and reviewed daily; alerts fire in real time for anomalies (e.g., unusual request rates, canary record access).
8. Vulnerability Management
- Secure configuration baselines and routine patching.
- Static code analysis before release; vulnerability scans at least every 180 days.
- High-severity findings are remediated within 30 days.
- All issues are tracked until resolved.
9. Incident Response & Risk Management
- Documented IR plan covers detection, containment, eradication, recovery, and root-cause analysis.
- Amazon is notified at security@amazon.com within 24 hours of any Security Incident involving Amazon Information.
- Clients are notified as required by law or contract.
- IR plan is reviewed every 6 months and after material changes.
10. Data Retention & Deletion
- Amazon PII is retained no longer than 30 days after order delivery, unless required by law (e.g., tax).
- Secure deletion follows NIST 800-88 standards.
- Upon Amazon’s request, data is deleted within 30 days and all live instances removed within 90 days; certification of deletion is available.
11. Your Rights
You may request access, correction, or deletion of your data as required by law. Contact us at support@wilenconsulting.com or by using the details on our website.