Amazon Data Use Notice

Effective May 30, 2026
Last updated May 30, 2026

This notice is a focused summary of how Paleo Prime LLC handles data received from the Amazon Selling Partner API ("Amazon Information"). It is intended for Amazon's Solution Provider reviewers, our Customers' compliance teams, and anyone evaluating our data-handling practices specifically for Amazon-connected work. The full Privacy Policy governs all data Paleo Prime LLC handles; this notice describes the additional commitments that apply specifically to Amazon Information.


1. Who we are

Paleo Prime LLC is a limited liability company organized under the laws of the State of Illinois, operating the brand Modulus Ops. We build inventory and demand-planning software and provide related professional services to consumer-goods brands. Where we connect our software to a Customer's Amazon Seller Central account on the Customer's behalf, we act as a data processor with respect to Amazon Information; the Customer (the Amazon seller) remains the data controller and the party accountable to Amazon under the Amazon Services API Solution Provider Agreement.

Privacy contact: privacy@modulusops.com
Security contact: security@modulusops.com


2. What "Amazon Information" we receive

Under the SP-API roles requested in our Solution Provider Profile, we may receive the following categories of Amazon Information from a Customer's Seller Central account, on the Customer's instruction:

  • Order data: order identifiers, line items, SKUs, quantities, order statuses, purchase and last-update dates, ship-to state/postal-code/country, prices, taxes.
  • FBA inventory data: fulfillable quantity, inbound (working/shipped/receiving) quantities, reserved, unfulfillable, researching; ASIN; FNSKU; fulfillment-network metadata.
  • Catalog and product data: ASINs, seller SKUs, product attributes.
  • Operational reports germane to demand planning (e.g., flat-file order reports, inventory summaries).

We do not request and do not retrieve buyer names, email addresses, phone numbers, or full street addresses beyond what is necessary for ship-region analytics (state-level and postal-code-level).


3. How we protect Amazon Information

3.1 Encryption in transit

All transmission of Amazon Information across the public Internet uses TLS 1.2 or higher:

  • Calls to Amazon SP-API — HTTPS with mandatory certificate verification; no plaintext fallback.
  • End-user browser ↔ application UI — HTTPS only, served by Vercel with HSTS enabled and HTTP-to-HTTPS automatic redirects.
  • Application UI ↔ backend API — HTTPS only in production; CORS restricted to the verified production frontend origin.
  • Backend ↔ database — TLS via the AWS-hosted Supabase connection pooler; sslmode=require enforced at the connection-string level; the database rejects non-TLS connections.
  • Authentication tokens — Supabase Auth JWTs and the SP-API LWA refresh token are transmitted only over HTTPS and stored in TLS-protected database columns.

3.2 Encryption at rest

Amazon Information stored in our database is hosted by Supabase on Amazon Web Services (AWS) and is encrypted at rest using AES-256.

3.3 Access controls

  • Role-based access control (RBAC). Internal access to Amazon Information is restricted to a small number of authorized personnel whose job duties require it, on a least-privilege basis.
  • Multi-factor authentication. All administrative access requires MFA.
  • Password policy. Minimum 12 characters with special characters; 365-day maximum age; annual rotation; credentials are never stored in source code, shared with others, or kept in public repositories.
  • Tenant isolation. Amazon Information is segregated by tenant. Tenant isolation is enforced at the database row level via PostgreSQL Row-Level Security policies. No Customer can view another Customer's Amazon Information through the application.
  • Service-to-service authentication. Background sync workers authenticate using rotating service credentials stored in encrypted environment variables.

3.4 Credential storage

Customer-specific Amazon credentials (the LWA refresh token authorized by each Customer) are stored in an encrypted credentials field within our Supabase database, encrypted at rest by AWS and accessible only via tenant-scoped queries. The platform-level LWA credentials (client_id and client_secret) are stored as environment variables on our backend host; they are never committed to source control and are rotated on personnel change.


4. How we use Amazon Information

We use Amazon Information exclusively to provide demand-planning, inventory-projection, replenishment, and reporting functionality to the Customer from whom we received the information.

We do not use Amazon Information for:

  • Marketing or advertising of any kind.
  • Analytics for third parties, syndication, or benchmarking.
  • Training, fine-tuning, or evaluating artificial-intelligence or machine-learning models.
  • Sale, lease, license, or any other monetization.
  • Disclosure to any party other than the Customer who controls the data and our limited set of sub-processors described in Section 5.

We do not retain Amazon Information beyond what is required to provide the Service, and we delete it on Customer request as described in Section 6.


5. Sub-processors that receive Amazon Information

Amazon Information is shared only with the following sub-processors, each contractually bound to handle it only to deliver the service for which we engaged them. None of them is authorized to use Amazon Information for their own purposes.

| Provider | Legal entity | Role with respect to Amazon Information | Categories received | Location |
|---|---|---|---|---|
| Supabase | Supabase, Inc. | Hosted PostgreSQL — primary storage of Amazon Information. Tenant-isolated via PostgreSQL Row-Level Security. AES-256 encryption at rest. | All categories listed in Section 2 | United States (AWS) |
| Vercel | Vercel, Inc. | Frontend hosting — serves the application UI only to the Customer's authenticated users. No persistent storage of Amazon Information; data is rendered transiently in the browser. | UI rendering only | United States |
| Fly.io | Fly.io, Inc. | Compute layer — runs SP-API sync workers and the application API. No long-term storage; Amazon Information transits this layer. | All categories in transit | United States |
| OpenAI | OpenAI, Inc. | LLM provider for the optional "Ask Data" natural-language analytics feature. Server-side allow-list restricts the LLM's SQL execution to aggregated fact and dimension tables only. The LLM cannot reach staging tables, raw order line items, ship-to fields, or any other Amazon Information PII. The data the LLM receives is limited to SKU-level aggregated unit totals, on-hand inventory counts, ASINs, and product/supplier metadata. Operated under OpenAI's API tier, which contractually does not retain or train on API inputs. | Aggregated SKU-level data and ASINs only; no PII, no raw order rows, no buyer information | United States |
| Anthropic | Anthropic, PBC | Alternate LLM provider for the same "Ask Data" feature; identical allow-list enforcement and identical data category as OpenAI. Operated under Anthropic's API tier, which contractually does not retain or train on API inputs. | Same as OpenAI | United States |

A current and complete list of sub-processors is maintained in our Privacy Policy (Section 6) and is available on request. We notify Customers in advance of any new sub-processor that will process their Amazon Information.

What we do NOT share

  • We do not share Amazon Information with any analytics, advertising, marketing, affiliate, or reseller platform.
  • We do not transmit Amazon Information PII (buyer-level data, ship-to information, raw order rows) to OpenAI, Anthropic, or any other LLM provider. The optional AI features in the platform operate exclusively on aggregated, de-identified operational data, enforced by a code-level table allow-list.
  • We do not share one Customer's Amazon Information with another Customer.

6. Retention and deletion

We retain Amazon Information only as long as necessary to provide the Service to the Customer. On request, or upon termination of a Customer's use of the Service, we will delete the Customer's Amazon Information from all systems we control within thirty (30) days, except where retention is required by law (in which case we will isolate, mark for deletion, and delete as soon as the legal hold expires).

Routine retention guidelines:

  • Raw staging data (staging tables holding original Amazon-shape rows): retained for the rolling window required by forecasting (typically the trailing 13 months) and pruned by automated job.
  • Aggregated fact data (forecast inputs and outputs): retained for the life of the Customer's engagement.
  • Operational logs containing Amazon Information references: 30–90 days.
  • Audit logs (who accessed what, when): retained at least 12 months.

A Customer may request deletion at any time by emailing privacy@modulusops.com. We will confirm receipt within 5 business days and complete the deletion within the 30-day window above.


7. Incident response

We maintain a written incident-response plan with the following commitments specifically with respect to Amazon Information:

  1. Detection and triage — incidents affecting Amazon Information are escalated to the security contact immediately on detection.
  2. Amazon notification — we will report security incidents involving Amazon Information to security@amazon.com within twenty-four (24) hours of detection, in accordance with the Amazon Data Protection Policy.
  3. Customer notification — we will notify the affected Customer(s) within the same 24-hour window via the primary contact on file.
  4. Containment and remediation — credentials affected by an incident are rotated immediately; affected systems are isolated; root cause is documented.
  5. Post-incident review — every incident affecting Amazon Information is reviewed within 30 days; lessons learned are incorporated into the response plan.
  6. Plan maintenance — the incident-response plan is reviewed at least every six (6) months.

8. Audits and demonstrable compliance

We maintain documentation supporting each commitment in this notice, including:

  • A current sub-processor list (this notice + Privacy Policy Section 6).
  • Records of credentials rotation and access reviews.
  • The written incident-response plan and review history.
  • Service contracts with each sub-processor establishing data-protection obligations.
  • The code-level table allow-list that enforces the LLM/PII boundary (verifiable in our source repository).
  • Database role grants demonstrating tenant isolation and least-privilege.

On reasonable request, we will provide these materials to Amazon (under the Solution Provider Agreement) or to a Customer (under our agreement with that Customer), subject to appropriate confidentiality protections.


9. Affirmation of compliance

Paleo Prime LLC, d/b/a Modulus Ops:

  • Has read and agrees to the Amazon Services API Solution Provider Agreement.
  • Has read and agrees to the Acceptable Use Policy for the Selling Partner API.
  • Has read and agrees to the Data Protection Policy for Restricted Roles.

We will comply with these policies as they may be updated from time to time. Where any provision of this notice conflicts with Amazon's policies, the more protective provision controls.


10. Changes to this notice

We may update this notice as our practices evolve, as new sub-processors are added or removed, or as Amazon's policies change. Material changes will be reflected in an updated "Last updated" date at the top of this notice, and we will notify Customers whose use of the Service is materially affected.


11. Contact

For questions about this notice or our handling of Amazon Information:

Paleo Prime LLC (d/b/a Modulus Ops)
Privacy inquiries: privacy@modulusops.com
Security incidents: security@modulusops.com