1. Scope
This page describes the operational practices that govern data we hold on behalf of paying members. It complements our public Privacy Policy and is the document Amazon's SP-API security review team is referred to.
Two categories of data are in scope:
- Amazon Information — data we read from your Amazon Seller Central account via the Selling Partner API: financial events, inventory snapshots, product titles, SKU↔ASIN mappings, competitive pricing observations, and outbound listing-price patches we apply on your behalf.
- Personal Information — your name, email address, Discord ID and username, and Stripe subscription metadata.
2. Storage location
- Database: Supabase managed PostgreSQL, EU region.
- Compute: Vercel serverless functions, EU region.
- No Amazon Information or Personal Information is replicated outside the EU.
3. Encryption
In transit: all connections use HTTPS / TLS 1.2+. SP-API calls to Amazon are made over HTTPS only.
At rest — SP-API refresh tokens: encrypted with AES-256-GCM. The encryption key is held as a Vercel server-side environment variable, separate from the encrypted ciphertext stored in the database. Compromise of either alone does not yield plaintext.
At rest — all other tables: encrypted via Supabase's baseline at-rest encryption (AES-256).
4. Access controls
- Application data access uses Supabase Row Level Security (RLS): every member can only read or modify rows tagged with their own Discord ID.
- The service-role key that bypasses RLS is held exclusively in Vercel server-side environment variables and is never exposed to the browser.
- Database admin access is restricted to the founder (Lew Hull). No employees, contractors, or third parties have direct console access to the production database.
- Multi-factor authentication is enforced on all infrastructure provider accounts (Supabase, Vercel, Stripe, GitHub, AWS Developer Console).
5. Logging & monitoring
- Application errors are reported to Sentry. PII is redacted before transmission.
- Server-side API requests are recorded in Vercel's request log.
- SP-API calls are logged with timestamp, endpoint, and the seller's merchant token. Response payload contents are not logged.
- Authentication failures and admin actions trigger an alert to the founder.
- Logs are retained per the underlying provider's default retention (typically 30–90 days) and then purged.
6. Sub-processors
The following providers process Amazon Information or Personal Information on our behalf:
| Provider | Role | Data accessed |
|---|
| Supabase | Database hosting | All stored data |
| Vercel | Serverless compute & hosting | All in-flight data |
| Stripe | Payment processing | Subscription metadata only — no Amazon Information |
| Discord | Member authentication & community | Discord ID and username only |
| Sentry | Error monitoring | Stack traces with PII redacted |
No Amazon Information is shared with any party not listed here.
7. Retention
- Amazon Information: deleted within 30 days of membership cancellation or seller disconnect.
- Personal Information: deleted within 90 days of cancellation.
- Database backups: retained per Supabase's standard backup policy and then purged.
- Earlier deletion is available on request — see Section 8.
8. Deletion procedure
Self-service: the "Disconnect" button on your dashboard wipes our copy of your SP-API refresh token immediately and stops further sync runs against your account.
Email request: write to support@theinnercirclefba.com from the email associated with your membership. Identity is verified within 24 hours; all related Amazon Information and Personal Information is deleted within 30 days.
All deletion events are logged with timestamp and seller ID for compliance audit.
9. Incident response
- An error spike or integrity-check failure triggers an alert to the founder.
- If a breach involving Amazon Information is suspected, all SP-API refresh tokens are revoked en-masse as a precaution.
- Affected sellers are notified within 72 hours via email and Discord DM, with the scope of the incident and the steps taken.
- Amazon's SP-API team is notified within 24 hours where Amazon Information is involved, per their Data Protection Policy.
- The UK Information Commissioner's Office (ICO) is notified within 72 hours where Personal Information is involved and the breach poses a risk to the rights of data subjects.
- A post-incident summary is published to affected members within 7 days.
10. Annual review
This document is reviewed annually. The next scheduled review is May 2027.