SutiCraftShop – Privacy and Data Handling Policy (Amazon Selling Partner API)

1. Who we are

SutiCraftShop is an Amazon Brand Registered seller (brand: "SutiCraftShop"). We sell on Amazon (currently FBM, with FBA planned), on Etsy, and on our own website https://suticraftshop.com/. This policy describes how we collect, process, store, use, share, and dispose of Amazon data accessed through the Amazon Selling Partner API (SP-API).

2. What data we access

We access Amazon order data solely to fulfill customer orders. This includes order identifiers, order items, order status, and the buyer's shipping address (recipient name, postal address, and—where provided—phone number). Personally Identifiable Information (PII) such as the shipping address is accessed only through Amazon's Restricted Data Token (RDT) mechanism. We do not collect, store, or use buyer email addresses.

3. How we collect and process it

Order and shipping-address data is retrieved on demand through the official SP-API Orders API and Tokens (RDT) API using a Login with Amazon (LWA) refresh token. We do not scrape, cache externally, or resell any Amazon data. Processing is limited to (a) generating shipping labels for FBM orders, and (b) confirming shipment and submitting tracking numbers back to Amazon via the SP-API confirmShipment operation.

4. How we store it

Shipping information needed to prepare a shipment is held only temporarily in a private, access-controlled Google Sheet used as a working buffer. This buffer does not contain buyer email addresses. Access is restricted to authorized personnel of SutiCraftShop via authenticated Google accounts.

5. How we use and share it

Amazon data is used exclusively to fulfill the corresponding Amazon order (label creation and tracking confirmation). We do not use Amazon data for marketing, profiling, or any purpose unrelated to order fulfillment. We do not sell Amazon data. Data is shared only with the shipping carrier strictly to the extent required to deliver the package, and with Amazon itself to confirm shipment and tracking.

6. How we dispose of it

The temporary shipping data in the working Google Sheet is deleted immediately after the shipment is created and the tracking number has been submitted to Amazon. We retain no long-term copies of Amazon buyer PII beyond what is legally required for tax and order-record purposes, and any such records are kept secured and access-controlled.

7. Security controls

Access to the SP-API is authenticated with LWA credentials kept confidential and not exposed publicly. PII is requested only through Amazon's RDT mechanism and only for the specific order being fulfilled. Working data is stored in access-restricted, authenticated systems and deleted promptly after fulfillment.

8. Contact

For privacy questions regarding Amazon data, contact us through https://suticraftshop.com/.