Last updated: May 27, 2026
1. Introduction
4TR is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our e-commerce management platform.
For specific information about how we handle Amazon marketplace data in compliance with the Amazon Acceptable Use Policy (AUP) 4.6 and Amazon Data Protection Policy, please see our Data Protection Policy and Data Sharing Policy.
2. Information We Collect
Personal Information (Account)
- Name and contact information
- Email address
- Company information
- Marketplace account credentials (OAuth tokens, encrypted at rest)
Marketplace Data
- Product listings and inventory data
- Order information
- Customer shipping addresses and contact details (for fulfillment only)
- Customer messages
- Sales analytics and financial events (fees, payouts)
We only collect the minimum data necessary to deliver the functionality you have authorized.
3. How We Use Your Information
- Provide and maintain our service
- Sync data between marketplaces
- Generate reports and analytics
- Purchase and print shipping labels on your behalf (when authorized)
- Improve our platform
- Communicate with you about our service
We do not sell your data. We do not use Amazon Information for advertising, profiling, or any purpose other than fulfilling the seller's shipment and order management operations.
4. Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption at rest: AES-256 via PostgreSQL pgcrypto. Encryption keys are managed by Supabase Vault (KMS) with environment-isolated keys.
- Encryption in transit: TLS 1.2+ enforced on every connection.
- Access control: Row-Level Security (RLS) policies on every tenant-scoped database table, enforcing strict multi-tenant isolation.
- Authentication: Supabase Auth (JWT). Passwords must be at least 12 characters long and meet complexity requirements. Multi-factor authentication (TOTP) is supported and required for administrators.
- Audit logging: All sensitive operations (token decryption, admin actions, bulk operations) are recorded in an append-only audit log with 12-month minimum retention.
- Vulnerability management: Automated weekly dependency scanning (Dependabot), static code analysis (CodeQL), and secret scanning. Critical findings are remediated within 7 days and high-severity findings within 30 days.
- Backups: Daily encrypted backups with point-in-time recovery, stored in geographically separated regions.
For full details, see our Data Protection Policy.
5. Sub-Processors
We use the following sub-processors to deliver the service. Each is bound by a data processing agreement and provides appropriate technical and organizational measures:
- Vercel (USA/EU): Application hosting and edge network
- Supabase (EU): Database, authentication, file storage
- Anthropic (USA): AI-assisted customer-message drafting (opt-in)
- OpenAI (USA): AI-assisted customer-message drafting (opt-in)
- Marketplace APIs: eBay, Amazon SP-API (for the data you authorize us to sync)
- Shipping carrier APIs: DHL, Royal Mail, DPD, Evri, Deutsche Post, Amazon Buy Shipping (only when you create a shipment)
Cross-border transfers outside the EEA are protected by Standard Contractual Clauses under GDPR Article 46. We do not share Amazon Information with third parties beyond what is strictly required to fulfill the seller's order.
6. Third-Party Services
We integrate with marketplace APIs (eBay, Amazon, etc.) to provide our services. We only access data necessary for the functionality you have authorized.
For detailed information about how we handle Amazon marketplace data, see our Data Sharing Policy.
7. Data Retention
We retain personal data only as long as necessary to provide our services or as required by law.
- Amazon customer PII (shipping addresses, contact details): automatically purged 30 days after order shipment, except where retention is required by tax or legal obligation
- Account data: retained while your account is active and for 90 days after deletion (to support reversal and legal claims)
- Financial records: retained for the period required by applicable tax law (typically 5–10 years)
- Audit and security logs: minimum 12 months
- Backups: overwritten on a 7-day rolling basis (Pro plan); legal-hold backups retained as required
8. Your Rights
Under GDPR and similar laws, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data (subject to legal retention obligations)
- Export your data in a portable format
- Withdraw consent and disconnect marketplace integrations at any time
- Object to or restrict processing
- Lodge a complaint with your supervisory authority
To exercise these rights, contact us at the address below. We respond within 30 days.
9. Security Incident Notification
In the event of a personal data breach, we will notify affected customers without undue delay and the relevant supervisory authority within 72 hours, as required by GDPR Article 33. Security incidents involving Amazon Information are additionally reported to security@amazon.com within 24 hours.
See our Security Policy for responsible disclosure procedures.
10. Contact Us
If you have any questions about this Privacy Policy, please contact us at: