Privacy Policy

Last Updated: 29 January, 2026

This Privacy Policy describes Our policies and procedures on the collection, use, and disclosure of Your information when You use the Service and explains Your privacy rights and how the law protects You.

We use Your Personal Data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

1. Interpretation and Definitions

1.1 Interpretation

Words with capitalized initial letters have meanings defined under the following conditions. These definitions apply regardless of whether they appear in singular or plural form.

1.2 Definitions

Account means a unique account created for You to access our Service or parts of our Service.

Affiliate means an entity that controls, is controlled by, or is under common control with a party.

Amazon Marketplace Data means any data accessed through the Amazon Selling Partner API (SP-API) on behalf of an authorized seller, including order information, shipment and delivery details, fulfillment status, tracking information, buyer PII required for shipping, financial event data, and related logistics and operational data.

Company refers to GoDash Solutions Private Limited, Hyderabad, Telangana, India, operating the product Zippyy.ai.

Cookies are small files placed on Your device that store browsing details.

Device means any device that can access the Service.

Personal Data means any information relating to an identified or identifiable individual.

PII (Personally Identifiable Information) means information that can be used on its own or with other information to identify, contact, or locate an individual, including but not limited to name, address, email address, and phone number.

Service refers to the Zippyy.ai website and platform, accessible at https://zippyy.ai.

Service Provider means any entity that processes data on behalf of the Company.

Usage Data refers to data collected automatically through use of the Service.

You means the individual or legal entity accessing or using the Service.

2. Amazon Marketplace Data

2.1 Data Accessed via SP-API

Amazon Marketplace Data refers to data accessed through the Amazon Selling Partner API (SP-API) on behalf of authorized sellers, including but not limited to:

• Order information (order IDs, status, item details, fulfillment channel)
• Shipment and delivery details (carrier, tracking number, delivery status, delivery exceptions)
• Buyer PII required for shipping label generation (recipient name, delivery address, phone number)
• Financial event data (settlement amounts, fees, refunds, and adjustments accessed via the Finances API for accounting reconciliation)
• Inventory and catalog data (SKUs, ASINs, stock levels)
• Fulfillment status and Return-to-Origin (RTO) data
• Operational analytics and performance reports

Such data is accessed only after explicit authorization by the seller via Amazon’s OAuth 2.0 flow (Login with Amazon) and is processed solely to provide services requested by the seller.

2.2 Authorization

All Amazon Marketplace Data is accessed exclusively via seller-authorized OAuth 2.0 tokens through Login with Amazon (LWA). Zippyy.ai accesses only the data scopes explicitly authorized by each individual seller. Each seller’s data is fully isolated — no cross-seller data access occurs at any point in our systems.

2.3 Purpose of Processing

When authorized by a seller, the Company accesses and processes Amazon Marketplace Data strictly to provide:

• Order and inventory tracking via a unified seller dashboard
• Shipping label generation via the Merchant Fulfillment API (multi-carrier)
• Shipment booking and tracking via the Amazon Shipping API
• Shipment and delivery performance monitoring
• Return-to-Origin (RTO) analysis
• Financial reconciliation and accounting support
• Operational analytics and seller performance insights
• Automated alerts for delivery exceptions and order delays

Amazon Marketplace Data is processed solely on behalf of the seller and only for purposes explicitly authorized by the seller.

2.4 Restrictions on Use and Sharing

Amazon Marketplace Data:

• Is not sold, rented, licensed, or monetized in any form
• Is not used for advertising, marketing, profiling, or any secondary purpose
• Is not shared with other sellers or any unauthorized third party
• Is shared only with integrated carrier partners (Xpressbees, Delhivery, Blue Dart, Ecom Express, Shadowfax, Ekart, Amazon Shipping, DTDC) solely for shipment creation and delivery fulfillment, and only the minimum PII necessary (recipient name, address, phone number) is shared for this purpose
• Is shared with authorized subprocessors (such as cloud infrastructure and monitoring providers) bound by confidentiality and data protection obligations
• May be disclosed when legally required by applicable law or regulation

2.5 Data Minimization

Zippyy.ai accesses only the minimum PII and data fields strictly necessary to fulfill each specific workflow. Buyer PII is never accessed, stored, or used beyond the shipping transaction for which it was provided. No additional buyer data is requested or retained beyond operational necessity.

2.6 Clarification of Roles

For Amazon Marketplace Data:

• The seller is the data controller
• The Company acts solely as a data processor
• Data is processed only in accordance with seller instructions and Amazon SP-API policies and Developer Agreement

3. Collecting and Using Your Personal Data

3.1 Types of Data Collected

Personal Data

While using Our Service, We may ask You to provide certain personally identifiable information, including but not limited to:

• Email address
• First name and last name
• Phone number
• Address, city, state, and postal code

Usage Data

Usage Data is collected automatically and may include:

• IP address
• Browser type and version
• Pages visited and time spent
• Time and date of visits
• Device identifiers and diagnostics

3.2 Use of Your Personal Data

The Company may use Personal Data for the following purposes:

• To provide and maintain the Service
• To manage Your Account
• To perform contractual obligations
• To contact You regarding service updates
• To provide information about related services (unless You opt out)
• To manage requests and customer support
• For business transfers
• For analytics and service improvement

3.3 Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track activity and improve the Service. Cookies may be session-based or persistent and are used for authentication, functionality, and analytics.

4. Data Retention

4.1 Personal Data

The Company retains Personal Data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy and to comply with applicable legal obligations.

4.2 Amazon Marketplace Data — PII

Buyer PII (including name, delivery address, and phone number) is retained for no longer than 30 days after order delivery confirmation or order cancellation, whichever comes first. PII is purged thereafter unless retention is required by applicable law, including tax or regulatory requirements. At no point is PII transmitted or stored unprotected.

4.3 Amazon Marketplace Data — Non-PII

Non-PII Amazon Marketplace Data (such as order performance metrics, fulfillment rates, and financial summaries) is retained for no longer than 18 months unless retention is required by applicable laws or regulations, or unless the seller’s active account requires continued access for operational purposes.

4.4 Deletion on user’s Request

Upon User’s written request, all Amazon Marketplace Data including PII will be permanently and securely deleted within 30 days. Secure deletion is performed in accordance with industry-standard sanitization processes (NIST 800-88). Upon request, the Company will certify in writing that all data has been securely destroyed.

4.5 Seller Account Termination

Upon termination of a seller’s account, all Amazon Marketplace Data associated with that seller is securely deleted or anonymized within 30 days, unless retention is required by applicable law.

5. Data Storage and Security

5.1 Infrastructure

Zippyy.ai’s infrastructure is hosted on Amazon Web Services (AWS). All production systems are deployed within a Virtual Private Cloud (VPC). Databases and file servers are placed in private subnets with no direct public internet exposure. Public access is limited to load balancers and API gateways only.

5.2 Data Attribution and Separation

Amazon Marketplace Data is stored in logically separated data stores, tagged to identify Amazon as the data source, distinct from data originating from other channels or integrations. This ensures clear data attribution and compliance with Amazon’s data handling requirements.

5.3 Encryption at Rest

All Data and buyer PII is encrypted at rest using AES-256 encryption. Encryption keys are managed via AWS Key Management Service (KMS) with full key lifecycle management including key generation, secure storage, rotation, and revocation. Customer-managed keys (CMKs) are used for sensitive data. No plaintext Amazon data is written to disk at any time.

5.4 Encryption in Transit

All Data and PII is encrypted in transit using TLS 1.2 or higher. This security control is enforced on all internal and external endpoints. No PII is transmitted over unencrypted channels under any circumstance.

5.5 Access Controls

Access to user’s Data is restricted to authorized systems and personnel on a strict need-to-know basis, enforced via role-based access control (RBAC). Each employee or system component is assigned a unique identifier — no shared, generic, or default credentials are permitted. Multi-factor authentication (MFA) is required for all user accounts with access to Amazon data. Access is reviewed quarterly and revoked within 24 hours of employee termination or role change.

5.6 Credential Management

All credentials and API keys are stored in AWS Secrets Manager with automatic rotation enabled. Credentials are never hardcoded in source code, configuration files, or exposed in code repositories. API keys provided by Amazon are encrypted and access is restricted to authorized personnel only. API keys are rotated at minimum once every 12 months.

5.7 Secure Coding Practices

Zippyy.ai enforces secure coding practices across its development lifecycle. Sensitive credentials are never hardcoded in source code or exposed in public or private code repositories. Test and production environments are fully separated. Code is scanned for vulnerabilities prior to each release. Static code analysis (SAST) and dependency vulnerability scanning are performed on every pull request.

5.8 Logging and Monitoring

Security logs covering all access to Amazon Marketplace Data — including authentication events, data access, API calls, and system errors — are collected and retained for a minimum of 12 months. Logs are reviewed on at least a bi-weekly basis using centralized monitoring tools (AWS CloudTrail and CloudWatch). Logs do not contain PII unless required by applicable law. Access controls prevent unauthorized access to or tampering with logs.

Automated monitoring alarms are in place to detect suspicious activities including failed authentication attempts, unusual API call volumes, unauthorized access attempts, and unexpected data retrieval patterns.

5.9 Vulnerability Management

Zippyy.ai conducts vulnerability scans at least every 30 days and penetration tests at least annually. Critical-risk vulnerabilities are remediated within 7 days of discovery. High-risk vulnerabilities are remediated within 30 days of discovery. All vulnerability findings are tracked to closure in a dedicated issue management system with severity-based SLAs.

5.10 Asset Management

Zippyy.ai maintains a quarterly-updated inventory of all software and physical assets (including computers and mobile devices) with access to Amazon Marketplace Data or PII. A formal change management process governs all software and hardware changes, with segregation of duties between change approvers and testers. PII is never stored on removable media or personal devices unless encrypted using at least AES-128 or RSA-2048.

5.11 Data Loss Prevention

Data loss prevention (DLP) controls are implemented to monitor and detect unauthorized movement or exfiltration of Amazon Marketplace Data. Employees are prohibited from storing Amazon data on personal devices or unauthorized cloud applications. USB storage is disabled on company-managed devices via endpoint controls.

5.12 Subcontractor and Vendor Management

Annual third-party risk assessments are conducted on all vendors and subcontractors with access to Amazon Marketplace Data. All subcontractors are bound by confidentiality and data protection obligations at least as stringent as those set out in this policy and Amazon’s Data Protection Policy.

5.13 PII Protection During Testing

Real Amazon PII is never used in test or development environments. All testing is performed using synthetically generated or anonymized data that mimics production data structures. Test environments are fully isolated from production systems with separate credentials and access controls.

6. Security Incident Response

6.1 Incident Detection and Notification

In the event of a confirmed or suspected security incident involving Amazon Marketplace Data, the Company will:

• Notify Amazon at security@amazon.com within 24 hours of detecting the incident
• Isolate affected systems and revoke compromised credentials immediately
• Preserve logs and evidence for forensic analysis
• Assess the scope and impact of the incident
• Notify affected sellers in accordance with applicable data protection laws

It is the Company’s sole responsibility to inform relevant government or regulatory agencies as required by applicable local laws. The Company will not represent or speak on behalf of Amazon to any regulatory authority unless Amazon specifically requests this in writing.

6.2 Investigation and Remediation

The Company will investigate each security incident and document the incident description, remediation actions, and corrective controls implemented to prevent future recurrence. Root cause analysis is completed within 7 days of incident confirmation. Documentation and chain of custody for all evidence will be maintained and made available to Amazon upon request.

6.3 Incident Management Contact

The Company has designated an Incident Management Point of Contact (IMPOC) who can be reached in the event of any data leakage or security breach. Contact: support@godash.ai

7. Data Governance and Compliance

7.1 Record of Processing Activities

Zippyy.ai maintains a formal Record of Processing Activities (RoPA) for all data processing involving Amazon Marketplace Data. This record documents specific data fields, how they are collected, processed, stored, used, shared, and disposed of, and is maintained to establish accountability and demonstrate compliance with applicable regulations and Amazon’s Data Protection Policy.

7.2 Privacy and Data Classification Policy

The Company maintains an internal privacy and data handling policy that governs the appropriate conduct and technical controls applied in managing and protecting Amazon Marketplace Data. This policy is reviewed and updated at least annually and after any major infrastructure or system change.

7.3 Employee Obligations

All employees with access to Amazon Marketplace Data or PII are subject to contractual confidentiality obligations. Data protection and IT security awareness training is conducted at least annually for all personnel with access to Amazon data.

7.4 Compliance Monitoring

The Company maintains processes to detect and comply with privacy, security, and regulatory requirements applicable to its business. Documented evidence of compliance is retained and made available to Amazon upon request, including during audits or assessments.

8. Transfer of Your Personal Data

Your information may be transferred to and maintained on systems located outside Your jurisdiction. The Company ensures appropriate safeguards are in place to protect such data in accordance with applicable data protection laws.

9. Your Data Rights

You have the right to request access to, rectification of, or deletion of Your Personal Data. You may update or delete information through Your account settings or by contacting Us at support@godash.ai, subject to applicable legal retention requirements.

Sellers may request full deletion of their Amazon Marketplace Data at any time. Such requests will be fulfilled within 30 days.

10. Disclosure of Your Personal Data

Personal Data may be disclosed in the following circumstances:

• During business transactions such as mergers or acquisitions, with appropriate safeguards in place
• To comply with legal obligations, court orders, or regulatory requirements
• To protect the rights, safety, or property of the Company, its users, or the public
• To carrier partners strictly for shipment fulfillment as described in Section 2.4

11. Children’s Privacy

The Service does not address anyone under the age of 13. The Company does not knowingly collect Personal Data from children under 13. If You are a parent or guardian and believe Your child has provided Personal Data, please contact Us at support@godash.ai.

12. Links to Other Websites

The Service may contain links to third-party websites. The Company is not responsible for the privacy practices or content of those websites and encourages You to review their privacy policies.

13. Changes to This Privacy Policy

The Company may update this Privacy Policy periodically to reflect changes in practices, technology, legal requirements, or other factors. Changes are effective when posted on this page. The ‘Last Updated’ date at the top of this policy indicates when it was most recently revised. We encourage You to review this policy periodically.

14. Contact Us

If You have any questions about this Privacy Policy, Your data rights, or our data handling practices, You can contact Us at:

GoDash Solutions Private Limited

Email: support@godash.ai

Website: https://zippyy.ai

Privacy Policy URL: https://zippyy.ai/privacy-policy/