Zippyy AI

Privacy Policy

Last Updated: 26 March, 2026

This Privacy Policy describes Our policies and procedures on the collection, use, processing, storage, and disclosure of Your information when You use the Service and explains Your privacy rights and how applicable laws protect You.

This Policy is governed by the laws of India. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts located in Hyderabad, Telangana, India.

We process Personal Data strictly for providing the Service and in compliance with Amazon’s Data Protection Policy (DPP), Amazon Services API Developer Agreement, and applicable data protection laws.


1. Interpretation and Definitions

1.1 Interpretation

Words with capitalized initial letters have meanings defined under the following conditions.

1.2 Definitions

Account means a unique account created for You.

Company refers to GoDash Solutions Private Limited, a company incorporated under the laws of India, having its registered office in Hyderabad, Telangana, India, operating the product Zippyy.ai.

Service refers to the website and platform accessible at https://zippyy.ai

Personal Data means any information relating to an identified or identifiable individual.

PII (Personally Identifiable Information) includes name, address, email, phone number, IP address, or any data that can identify an individual.

Amazon Marketplace Data means any data accessed via Amazon SP-API on behalf of sellers including order, shipment, financial, and buyer information.

You means the individual or legal entity using the Service.


2. Amazon Marketplace Data

2.1 Authorization

All Amazon Marketplace Data is accessed exclusively via seller-authorized OAuth 2.0 (Login with Amazon). Only explicitly granted permissions are used.

2.2 Purpose Limitation

Amazon Marketplace Data is processed strictly:

  • On behalf of the seller

  • For purposes explicitly authorized by the seller

  • For order fulfillment, shipping, analytics, and reconciliation

Under no circumstances is Amazon Marketplace Data used for the Company’s own purposes.

2.3 Data Isolation

Each seller’s data is logically isolated. No cross-seller data access is permitted.

2.4 Data Sharing Restrictions

Amazon Marketplace Data:

  • Is not sold, rented, or monetized

  • Is not used for advertising, profiling, or marketing

  • Is shared only with:

    • Carrier partners for shipment execution (minimum required PII only)

    • Authorized subprocessors bound by confidentiality obligations

    • Legal authorities when required

2.5 Data Minimization

Only the minimum data required to perform a specific function is accessed and processed.

2.6 Roles

  • Seller acts as Data Controller

  • Company acts strictly as Data Processor


3. Collection and Use of Personal Data

3.1 Data Collected

  • Name, email, phone number

  • Address details

  • Usage data (IP address, browser, device information)

3.2 Use of Data

Personal Data is used strictly for:

  • Providing and maintaining the Service

  • Account management

  • Customer support

  • Legal and regulatory compliance


4. Data Retention

4.1 Personal Data

Retained only for as long as necessary.

4.2 Amazon Marketplace Data — PII

Buyer PII is retained no longer than 30 days after order delivery confirmation, unless retention is required by applicable law.

4.3 Non-PII Data

Retained for up to 18 months unless legally required otherwise.

4.4 Deletion Requests

All data is securely deleted within 30 days upon request using industry-standard sanitization (NIST 800-88).


5. Data Storage and Security

5.1 Infrastructure

Hosted on secure cloud infrastructure (AWS) with Virtual Private Cloud (VPC), private subnets, and network segmentation.

5.2 Encryption

  • Data at rest: AES-256 encryption

  • Data in transit: TLS 1.2 or higher

5.3 Access Controls

  • Role-based access control (RBAC)

  • Unique user IDs (no shared credentials)

  • Multi-Factor Authentication (MFA) mandatory

Access strictly follows the Principle of Least Privilege (need-to-know basis).

User accounts are locked after 10 unsuccessful login attempts.

Access reviews are conducted quarterly, and access is revoked within 24 hours of termination.

5.4 Credential Management

  • Secrets stored securely in managed vaults

  • No hardcoding of credentials

  • API keys encrypted and rotated at least annually

5.5 Password Policy

  • Minimum 12 characters

  • Must include uppercase, lowercase, numbers, special characters

  • Cannot include user-identifiable data

  • Last 10 passwords cannot be reused

  • Maximum validity: 365 days

  • MFA enforced

5.6 Device Restrictions

Amazon Marketplace Data and PII are never stored or accessed on personal devices. Access is restricted to company-managed secure systems.

5.7 Secure Development Practices

  • Separate development, testing, and production environments

  • No real PII used in testing

  • Code scanned for vulnerabilities before deployment

5.8 Logging and Monitoring

  • Logs retained for a minimum of 12 months

  • Covers APIs, databases, storage systems, and administrative access

  • Logs do not contain unnecessary PII

Monitoring systems detect:

  • Unauthorized access attempts

  • Abnormal API activity

  • Data exfiltration

Systems also monitor for unauthorized exposure of data outside protected environments, including public repositories and dark web sources.

5.9 Vulnerability Management

  • Monthly vulnerability scans

  • Annual penetration testing

  • Critical issues resolved within 7 days

  • High-risk issues resolved within 30 days

5.10 Data Loss Prevention

  • DLP controls implemented

  • USB storage disabled

  • Unauthorized data transfer restricted


6. Security Incident Response

6.1 Incident Handling

In the event of a security incident:

  • Amazon will be notified within 24 hours

  • Affected systems will be isolated

  • Credentials will be revoked

  • Evidence will be preserved

6.2 Investigation

All incidents are documented with root cause analysis and remediation steps.

6.3 Plan Review

The Incident Response Plan is reviewed every six (6) months and after any major system change.

6.4 Contact

Incident Contact: support@godash.ai


7. Data Governance and Compliance

7.1 Record of Processing

A Record of Processing Activities (RoPA) is maintained.

7.2 Compliance

The Company complies with applicable data protection laws and Amazon policies.

7.3 Employee Obligations

  • Mandatory annual security training

  • Confidentiality agreements enforced


8. Data Subject Rights

Users and sellers have the right to:

  • Access their data

  • Request correction

  • Request deletion

The Company maintains systems and processes to support Data Subject Access Requests (DSAR), including access, rectification, and erasure.


9. Transfer of Data

Data may be transferred securely with appropriate safeguards.


10. Disclosure of Data

Data is disclosed only:

  • To comply with legal obligations

  • To provide the Service


11. Children’s Privacy

The Service is not intended for individuals under 13 years of age.


12. Changes to This Policy

We may update this Privacy Policy periodically.


13. Amazon Acceptable Use Compliance

Zippyy.ai complies with Amazon’s Acceptable Use Policy (AUP) and uses Amazon Services API (SP-API) strictly in accordance with Amazon policies and agreements.

13.1 Authorized Use

Zippyy.ai accesses Amazon Marketplace Data solely on behalf of Authorized Users (sellers) who have explicitly granted permission via OAuth (Login with Amazon). No data is accessed without such authorization.

13.2 Prohibited Activities

Zippyy.ai does not:

  • Facilitate or promote violations of Amazon policies

  • Circumvent Amazon systems, APIs, or throttling limits

  • Modify or manipulate Amazon data in a misleading manner

  • Request or store Amazon account credentials (usernames, passwords)

  • Allow scraping or manual extraction of data from Amazon portals

13.3 Data Usage Restrictions

Amazon Marketplace Data:

  • Is accessed only as necessary for application functionality

  • Is not aggregated across sellers for resale or competitive advantage

  • Is not used for advertising, marketing, or profiling

  • Is not used to generate or publish insights about Amazon’s business

Personally Identifiable Information (PII):

  • Is used strictly for order fulfillment and legal compliance

  • Is never used for customer targeting or marketing

13.4 Transparency

Zippyy.ai clearly informs users about:

  • What data is accessed

  • Why it is accessed

  • How it is processed

Any analytics or automated insights are based on available data and reasonable assumptions and may involve algorithmic processing.

13.5 Application Integrity

Zippyy.ai ensures:

  • Compliance with Amazon API rate limits and throttling

  • Monitoring and minimization of API errors

  • Validation checks for analytics and automated outputs

13.6 Monitoring and Enforcement

Zippyy.ai monitors platform usage for potential violations of Amazon policies.

If misuse is detected:

13.7 Organizational Changes

Zippyy.ai will notify Amazon within 30 days of any organizational changes, including mergers, acquisitions, or significant changes in services that impact the use of Amazon data.

13.8 Compliance Commitment

Zippyy.ai complies with:

  • Amazon Acceptable Use Policy (AUP)

  • Amazon Data Protection Policy (DPP)

  • Amazon Services API Developer Agreement

  • Applicable data protection and privacy laws


14. Contact Us

GoDash Solutions Private Limited
Hyderabad, Telangana, India
Email: support@godash.ai
Website: https://zippyy.ai
