Privacy Policy

Last updated: May 2026

1. Who We Are

The Inner Circle FBA ("we", "us", "our") is a private Amazon FBA mentoring and leads community operated by Lew Hull, based in the United Kingdom. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For data protection queries, contact us at: support@theinnercirclefba.com

2. Data We Collect

We collect and process the following types of personal data:

  • Identity & Contact Data: Your name and email address, collected when you purchase a membership or contact us.
  • Payment Data: Payment card details are processed by Stripe and are not stored by us. We retain transaction records (amount, date, subscription status) for accounting purposes.
  • Discord Data: Your Discord username, user ID, and account information collected when you authorise Discord access as part of onboarding.
  • Usage Data: Information about how you interact with our website, including IP address, browser type, pages visited, and referral source (collected via cookies and analytics tools).
  • Communications: Any messages you send to us via email or Discord.

3. How We Use Your Data

We use your personal data to:

  • Process your membership and manage your subscription (legal basis: contract performance)
  • Grant and manage your access to our Discord community (legal basis: contract performance)
  • Send you service-related communications, such as billing updates and membership changes (legal basis: contract performance)
  • Respond to your enquiries and support requests (legal basis: legitimate interests)
  • Improve our website and services through analytics (legal basis: legitimate interests)
  • Comply with our legal and regulatory obligations (legal basis: legal obligation)

4. Third Parties We Share Data With

We share your data only where necessary with trusted third parties:

We do not sell your personal data to any third parties.

5. Cookies & Affiliate Tracking

Our website uses essential cookies required for the site to function (including a session cookie for the member portal and a 30-day referral-attribution cookie when you arrive via a member's share link). We may also use analytics cookies (such as those set by Vercel Analytics) to understand how visitors use our site.

Affiliate cookies set by third parties: When you click an outbound link to a partner we have an affiliate relationship with — including Amazon Associates UK, software providers (SellerAmp, Sellerboard, Profit Protector Pro, Sagemailer), business-banking partners (Tide, American Express), and cashback platforms (TopCashback, Quidco, Honey, Pouch) — that partner may set a cookie on your browser to attribute any subsequent purchase or sign-up back to The Inner Circle FBA. We do not set or have access to these cookies; they are governed by each partner's own privacy policy. See our affiliate disclosure for full details.

You can control cookies through your browser settings. Note that disabling cookies may affect site functionality.

6. Data Retention

We retain your personal data for as long as your membership is active and for a period of 7 years thereafter for accounting and legal compliance purposes. Discord access is revoked upon cancellation. You may request earlier deletion of your data (see Your Rights below).

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — request we limit how we use your data
  • Right to portability — request your data in a portable format
  • Right to object — object to processing based on legitimate interests

To exercise any of these rights, contact us at support@theinnercirclefba.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. All payment processing is handled by Stripe, and payment card details are never stored on our own servers.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via Discord or email. Continued use of our Service after changes constitutes acceptance of the updated policy.

10. Amazon Selling Partner API (SP-API) Access

Members on paid tiers may choose to connect their Amazon Seller Central account to The Inner Circle FBA via Amazon's Login With Amazon (LWA) authorisation flow. This connection is entirely optional. The terms below apply only if you grant this consent.

What we access: we read only the data needed to compute the dashboard, repricer recommendations, and accounting exports we offer:

  • Finance and Accounting role — financial events (shipments, refunds, fees, reimbursements, ad spend, storage fees) for the seller's own account.
  • Inventory and Order Tracking role — current FBA inventory summaries (fulfillable, inbound, reserved quantities) for the seller's own ASINs.
  • Pricing role — competitive pricing and Buy Box data for the seller's own ASINs, used to generate repricing recommendations.
  • Product Listing role — product titles and SKU↔ASIN mappings to label dashboard rows with recognisable product names.

What we do NOT access: we never request or read buyer personally-identifiable information (names, email addresses, shipping addresses), payment instrument data, order-personalisation messages, or any data outside the seller's own account.

How it's stored: the long-lived refresh token issued by Amazon is encrypted at rest using AES-256-GCM with a key held separately as an environment variable. Synced records (financial events, inventory snapshots, cost-of-goods you enter) are stored in our managed PostgreSQL database (Supabase, EU region), which itself encrypts every table at rest as part of its baseline. Data is used only to render your own dashboard — never aggregated, anonymised, sold, or used in model training.

How long we keep it: for the duration of your active membership. If you disconnect your Amazon account or cancel your membership, we delete your synced Amazon data within 30 days. Earlier deletion is available on request via the email address below.

How to disconnect: click "Disconnect" on the Amazon connection card inside your dashboard. This wipes our copy of your refresh token immediately and stops any further sync runs against your account.

Sub-processors for SP-API data: Supabase (PostgreSQL hosting, EU region) and Vercel (serverless compute, EU region). No other third party processes Amazon Information.

For our internal incident response procedure governing this data, see Data Handling.

11. Chrome Extension (Inner Circle Companion)

Members may install the Inner Circle Companion Chrome extension, which surfaces live profit, ROI, eligibility and inventory data on Amazon UK product pages. The terms below apply only if you install and connect the extension.

What the extension reads on the page: when you visit an Amazon UK product page (amazon.co.uk/dp/...), the extension reads the ASIN from the URL and the displayed sell price from the page DOM. It does not read product reviews, customer details, your Amazon account information, or any data unrelated to the product itself.

What is sent to our servers: the ASIN and (when you click Calculate or save a buy price) the buy/sell prices you enter. These are sent to theinnercirclefba.com over HTTPS so we can compute fees, eligibility, inventory and verdict for you. No browsing history, no other-tab content, and no data from non-Amazon pages is transmitted.

What we store: per-ASIN viewing history (so we can show "you viewed this 5× before"), buy prices you save (canonical ex-VAT for accuracy across VAT modes), and verdict snapshots for the personal accuracy feedback loop. All of this is stored in our managed PostgreSQL database (Supabase, EU region) under your Discord ID. It is used only to render your own dashboard — never aggregated, anonymised, sold, or used to train models.

Authentication: the extension uses Chrome's chrome.identity.launchWebAuthFlow API to complete a one-time OAuth handshake with our dashboard. Your Discord login happens in our normal web flow — the extension never sees your Discord password or session cookie. The result is an opaque bearer token (prefix eict_) stored in chrome.storage.local on your machine. Server-side we only keep sha256(token); we cannot recover the original token if it leaks from your machine.

Seller Central helper: the extension also activates on sellercentral.amazon.co.uk ungating-application pages. There it pre-fills the application form with your saved invoice/supplier defaults to save typing — it never reads or transmits your seller account credentials, sales data, or order data. All form-fills are local to your browser tab.

Permissions explained:

  • storage — to keep the bearer token (icc_token) and your collapsed/expanded UI preference between page loads.
  • identity — required by chrome.identity.launchWebAuthFlow for the OAuth handshake.
  • host_permissions: amazon.co.uk — to inject the profit/eligibility/inventory overlay on product pages.
  • host_permissions: sellercentral.amazon.co.uk + sellercentral-europe.amazon.com — for the ungating-application auto-fill helper.
  • host_permissions: theinnercirclefba.com — to call our API endpoints (/api/extension/*) for fee, eligibility, inventory and Keepa lookups.

How to disconnect / uninstall: click Disconnect in the extension popup to wipe the local token and revoke server-side access. To remove the extension entirely, go to chrome://extensions, find Inner Circle Companion, and click Remove. To delete the data we stored about your viewing history and saved buy prices, email support@theinnercirclefba.com from your registered address and we will erase it within 30 days.

Data we never collect: we never read or transmit your browsing history, bookmarks, passwords, autofill data, payment methods, content from non-Amazon tabs, your Amazon order history, or your buyer messages. The extension is single-purpose: surface profitability data on Amazon UK product pages.

12. Inner Circle FBA Mobile App (iOS & Android)

This section supplements (does not replace) the rest of this policy. The mobile app is a thin native shell around theinnercirclefba.com — all login, dashboard, leads, scan-lookup and account activity follow the same data-handling rules as the website. Three mobile-specific data flows are disclosed below.

Camera access (barcode scanning):

  • No images or video are captured. The camera feed is processed live, on-device, by Google ML Kit. Frames never leave your phone.
  • What we receive: only the numeric barcode digits (8–14 digits). We send those to the Amazon Selling Partner API to look up the matching product.
  • What we don't receive: any image data, GPS location, ambient sound, or other sensor readings.
  • Permission control: Settings → Inner Circle FBA → Camera. Revoking it disables scanning; the rest of the app works fine.

Push notifications:

  • What we store: an opaque device token (a random string assigned by Google FCM / Apple APNS per app install), the platform (ios/android), and timestamps. Stored against your Discord ID.
  • What we use it for: notifying you about Buy Box price drops, competitor exits, and Amazon-joined-listing events on deals you have explicitly saved to watch. No marketing or promotional pushes.
  • What we don't do: sell or share tokens with anyone (including advertisers). Tokens are not used for analytics or attribution.
  • Permission control: the permission prompt fires only after you deliberately tap "Enable alerts" — never on launch. Revoke at any time via Settings → Inner Circle FBA → Notifications.
  • Token lifecycle: tokens get rotated by Google/Apple on reinstall. Old tokens are kept (marked revoked) for diagnostic trace, then auto-purged after 90 days.

Third-party SDKs in the mobile app:

  • Google Firebase Cloud Messaging — used only if you opt into push. No Firebase Analytics or Crashlytics.
  • Google ML Kit Barcode Scanning — runs entirely on-device. No data transmitted.
  • Apple Push Notification service — only contacted by Apple's OS after you grant push permission.

Data we never collect from the mobile app: your contacts, photo library, calendar, microphone, location, camera images, browsing history outside our domain, other apps installed on your device, biometric data, advertising identifiers (no IDFA on iOS, no AAID on Android), or device hardware fingerprints.

How to delete your mobile app data: tap "Disable alerts" in the app or revoke notification permission in your device Settings. To purge all push tokens for your account, email support@theinnercirclefba.com — processed within 7 days. Deleting your Inner Circle FBA account (see section 7) automatically purges all mobile-side data including tokens.

Children: the mobile app is not directed at children under 16. We do not knowingly collect data from anyone under 16.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at:

support@theinnercirclefba.com