Privacy Policy
Last updated: 2026-05-09
This Privacy Policy explains how GAMM TRIBE OÜ (registry code 17123416, registered office at Narva mnt 5, 10117 Tallinn, Estonia), trading as TheSeller.app (“we”, “us”, “our”), collects, uses, stores and discloses personal data when you visit theseller.app, create an account, or use any of our applications (currently EasyBoard; collectively the “Service”).
We are the data controller for the personal data described below. For any privacy matter, contact us at privacy@theseller.app.
1. Scope
This policy applies to data we process about (a) visitors to our public website, (b) users who create an account, and (c) Amazon sellers who connect a Selling Partner account to one of our applications. Where a separate notice applies (e.g. inside a specific app), it will be linked from that surface.
2. Personal data we collect
- Account data. Email address and a hashed password (or third-party identity if you sign in via OAuth). Optional profile information you choose to provide.
- Amazon authorization material. The OAuth refresh token issued to us by Amazon when you authorize one of our applications via Login with Amazon. The token grants read-only access to a defined set of Selling Partner API (“SP-API”) scopes that you explicitly approve at authorization time.
- Selling Partner data. Business data returned by SP-API when our applications make requests on your behalf — orders, financial events, settlement reports, fees, advertising spend, catalog metadata and similar operational signals. This data is your business data; we process it only to render the analytics, dashboards and tools you signed up for.
- Usage and device data. Minimal logs needed to keep the Service running (request errors, response codes, timestamps, IP address, user agent). Logs are sampled, retained for a limited period, and never contain Selling Partner content.
- Communications. Messages you send to privacy@theseller.app or other support addresses, and our replies.
3. What we do not collect
- Buyer personally identifiable information (PII): names, shipping addresses, email addresses or phone numbers of your customers. Where SP-API responses contain PII fields by default, we discard them on receipt and never persist them.
- Payment card numbers. When billing is enabled, payments will be handled by a PCI-DSS certified processor and we will receive only non-sensitive billing tokens.
- Special categories of personal data within the meaning of Article 9 GDPR.
4. Legal bases for processing
We rely on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) — processing your account data and Selling Partner data is necessary to provide the Service you requested.
- Legitimate interests (Art. 6(1)(f)) — keeping the Service secure, preventing fraud and abuse, debugging, and improving the product. We balance these interests against your rights and you can object at any time.
- Consent (Art. 6(1)(a)) — for any optional processing that is not strictly necessary (for example product analytics, if introduced in the future). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with Estonian and EU law, including responses to lawful requests from competent authorities.
5. How we use your data
- To create, authenticate and secure your account.
- To call SP-API on your behalf, transform the responses into the metrics shown in your dashboard, and present them to you.
- To respond to your support requests.
- To send transactional emails (account verification, password reset, security alerts).
- To detect, investigate and prevent abuse, fraud, or security incidents.
- To meet legal, accounting and tax obligations.
We do not sell or rent your data. We do not use your Selling Partner data, refresh tokens or aggregated metrics to train any machine learning or artificial intelligence model. Selling Partner data is used exclusively for the purposes you granted at authorization time.
6. Subprocessors
We rely on a small set of vetted subprocessors to operate the Service. Each is bound by a data processing agreement and processes data solely on documented instructions from us.
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Authentication and managed Postgres database | European Union |
| Vercel | Application hosting, edge network and build pipeline | European Union (with global edge) |
| Amazon Web Services / Amazon Selling Partner API | Authorization issuer and source of Selling Partner data you authorize us to read | Per your Amazon marketplace |
We may, in the future, engage additional subprocessors for transactional email, payment processing, product analytics or error tracking. We will update this list and notify registered users by email at least 30 days before any new subprocessor begins processing your data, giving you a reasonable opportunity to object.
7. International data transfers
Our primary infrastructure is hosted in the European Union. Where a subprocessor processes data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary technical measures (encryption in transit and at rest, key separation, access logging) to ensure an adequate level of protection.
8. Data retention
- Account data is retained for as long as your account is active and for up to 30 days after you delete it, after which it is purged from primary systems. Backups are retained for up to 90 days and then rotated out.
- Refresh tokens are retained for as long as the corresponding Amazon authorization is active. When you disconnect a marketplace from our application, the token is revoked and deleted.
- Selling Partner data is retained for the duration of your subscription to the relevant application, plus a short rolling window required to render historical views. On account deletion or marketplace disconnection, derived data is deleted within 30 days.
- Operational logs are retained for up to 90 days.
- Records required by law (e.g. invoicing, tax) are retained for the period required by Estonian and EU law (typically 7 years for accounting records).
9. Storage and security
- All data is encrypted in transit using TLS 1.2 or higher.
- Data at rest is encrypted using industry-standard algorithms.
- Refresh tokens and other credentials are encrypted with a separate key and stored apart from general application data.
- Tenant isolation is enforced at the database level using row-level security so that no account can read data belonging to another.
- Access to production systems is restricted to a minimum number of authorized personnel, authenticated via SSO with mandatory multi-factor authentication. Access is logged.
- We follow the security commitments described on our Security page and the data-protection requirements set out in Amazon's SP-API Data Protection Policy.
10. Your rights
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR:
- Right of access to your personal data (Art. 15).
- Right to rectification of inaccurate data (Art. 16).
- Right to erasure (“right to be forgotten”) (Art. 17).
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object to processing based on legitimate interests (Art. 21).
- Right not to be subject to solely automated decision-making (Art. 22).
- Right to withdraw consent at any time, where consent is the legal basis.
- Right to lodge a complaint with a supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (www.aki.ee).
California residents have rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct and the right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising).
To exercise any of these rights, write to privacy@theseller.app. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.
11. Children
The Service is intended for business users and is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Automated decision-making
We do not engage in solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
13. Security incidents
We maintain a written incident response plan. If we become aware of a security incident affecting your personal data or your Selling Partner data, we will:
- Contain the incident and revoke any compromised credentials.
- Notify Amazon at security@amazon.com within 24 hours of discovery, where Amazon Information is involved, in line with the SP-API Data Protection Policy.
- Notify the Estonian Data Protection Inspectorate within 72 hours where required by Article 33 GDPR.
- Notify affected users without undue delay where the incident is likely to result in a high risk to their rights and freedoms.
- Investigate root cause, remediate, and publish a post-incident summary.
14. Changes to this policy
We may update this policy as the Service evolves. The date at the top of this page reflects the latest revision. Material changes will be announced by email to registered users at least 14 days before they take effect, with a clear summary of what changed and why.
15. Contact
For privacy questions or to exercise any of your rights: privacy@theseller.app.
Postal address: GAMM TRIBE OÜ, Narva mnt 5, 10117 Tallinn, Estonia.