Last Updated: May 4, 2026

MyDepot Inc. doing business as MyDepot Warehousing ("MyDepot," "we," "us," or "our") is committed to protecting the privacy and security of data processed through our logistics and fulfillment services. This Privacy Policy describes how we collect, use, store, and protect information, including data obtained through the Amazon Selling Partner API (SP-API).

This policy applies to all services provided through mydepotlogistics.com and our SWIMS warehouse management platform.

1. INFORMATION WE COLLECT

1.1 From Our Clients (Amazon Selling Partners & Other Merchants):
- Account registration information (name, email, company name, phone number)
- Platform credentials for API integrations (stored encrypted)
- Business information necessary to provide fulfillment services

1.2 From Amazon SP-API (Processed on Behalf of Selling Partners):
- Order information (order IDs, product details, SKUs, quantities, prices)
- Buyer shipping information (name, address, phone number) — classified as Personally Identifiable Information (PII)
- Inventory data (stock levels, fulfillment center data, shipment details)
- Financial and settlement data
- Brand Analytics data (search terms, market basket analysis, demographics)
- Catalog and listing information

1.3 Automatically Collected Information:
- Server logs (IP address, browser type, access times)
- Website usage data via cookies

2. HOW WE USE INFORMATION

We use information obtained through Amazon SP-API solely for the following purposes:
- Providing warehousing, fulfillment, and logistics services to authorized selling partners
- Processing, picking, packing, and shipping orders on behalf of selling partners
- Managing inbound shipments and FBA prep services
- Generating inventory reports and analytics for authorized selling partners
- Calculating and remitting applicable taxes
- Producing shipping labels, tax invoices, and other legally required documents

We DO NOT:
- Sell, rent, lease, or share Amazon buyer PII with any third party
- Use buyer information for marketing, solicitation, or advertising purposes
- Contact Amazon buyers directly for any reason whatsoever
- Use Amazon Information to compete with Amazon or selling partners
- Use data for any purpose not explicitly authorized by the selling partner and Amazon's policies
- Share Brand Analytics data between different selling partner accounts

3. DATA RETENTION AND DELETION

3.1 Personally Identifiable Information (PII):
- Retained for no longer than 30 days after order delivery
- Automatically purged from all production systems after the 30-day period
- Exception: Retained beyond 30 days ONLY when required by specific laws:
  • U.S. Internal Revenue Code (IRC) Section 6001: Transaction records for tax compliance (3 years)
  • State tax regulations: Sales tax records as required by applicable state law
- Data retained for legal purposes is stored in AES-256 encrypted cold storage with documented legal basis and automatic expiration dates

3.2 Non-PII Data (Order IDs, SKUs, Quantities, Aggregated Metrics):
- Retained for a maximum of 18 months
- Securely deleted upon expiration

3.3 Deletion Methods:
- Secure deletion compliant with NIST SP 800-88 standards
- Data anonymization or hashing is NOT used as a substitute for deletion
- Deletion completeness verified through quarterly audits
- All deletion events are logged for audit purposes

3.4 Amazon Deletion Requests:
- Information is permanently deleted within 30 days of Amazon's request unless retention is required by law

4. DATA SECURITY MEASURES

4.1 Encryption:
- At rest: AES-256 encryption for all stored data including PII, credentials, and backups
- In transit: TLS 1.2 or higher for all data transmission
- API credentials stored in dedicated Key Management System (AWS KMS)
- SP-API refresh tokens and client secrets are never stored in plain text

4.2 Access Controls:
- Role-based access control (RBAC) with least-privilege principle
- Multi-factor authentication (MFA) required for all accounts accessing Amazon data
- Unique user identifiers — no shared or generic accounts
- Quarterly access reviews with immediate revocation for terminated personnel (within 24 hours)
- Account lockout after 5 consecutive failed login attempts

4.3 Password Management:
- Minimum 12 characters with uppercase, lowercase, numbers, and special characters
- Password history prevents reuse of last 10 passwords
- Maximum password expiration: 365 days
- Minimum password age: 1 day
- Passwords must not contain any part of the user's name

4.4 Infrastructure Security:
- Network segmentation with firewalls and access control lists
- Intrusion detection and prevention systems (IDS/IPS)
- Anti-malware on all servers and endpoints, updated monthly
- Monthly vulnerability scanning across all systems
- Annual penetration testing by qualified security professionals
- Security logs retained for minimum 12 months
- Bi-weekly log reviews for anomalous activity
- Critical vulnerabilities remediated within 7 days; high-risk within 30 days

4.5 API Security:
- SP-API credentials rotated at least annually
- API key inventory maintained and reviewed quarterly
- Rate limiting and anomaly detection on all API calls
- All API communications encrypted via TLS 1.2+

5. INCIDENT RESPONSE

In the event of a security incident involving Amazon data:
- Amazon is notified within 24 hours at security@amazon.com
- Affected selling partners are notified promptly
- Incident response plan is activated covering: preparation, identification, containment, eradication, recovery, and lessons learned
- Government agencies are notified as required by applicable law
- Incident response plan is reviewed every six months and updated after any major incident

6. THIRD-PARTY DATA SHARING

We do not share Amazon SP-API data with third parties except:
- Cloud infrastructure providers operating under strict data processing agreements (DPAs) with equivalent security controls
- Shipping carriers — limited to shipping label data (name, address) necessary to deliver packages
- As required by law (court orders, subpoenas, regulatory requirements)
- With explicit written consent of the selling partner

All subcontractors and third-party vendors:
- Undergo annual security risk assessments before access is granted
- Are contractually bound to equivalent data protection standards
- Are prohibited from retaining Amazon data beyond operational necessity

7. SELLING PARTNER RIGHTS

Our clients (Amazon Selling Partners) have the right to:
- Access their data stored in our systems at any time via the SWIMS dashboard
- Request immediate deletion of their data
- Revoke SP-API authorization at any time through Amazon Seller Central
- Export their data in standard formats (CSV, JSON)
- Receive notification of any security incident affecting their data

8. COOKIES AND WEBSITE ANALYTICS

Our website uses essential cookies for functionality. We do not use tracking cookies to collect Amazon buyer information. For details on website cookies, please contact us.

9. COMPLIANCE

Our data practices comply with:
- Amazon SP-API Data Protection Policy (DPP)
- Amazon SP-API Acceptable Use Policy (AUP)
- Amazon Solution Provider Agreement
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR) where applicable
- Payment Card Industry Data Security Standard (PCI DSS) for payment data

10. CHILDREN'S PRIVACY

We do not knowingly collect personal information from children under 13. Our services are designed for business-to-business use only.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of our services constitutes acceptance of the revised policy.

12. CONTACT US

For privacy-related inquiries:
Email: tony@mydepot.com 
Phone: +1 714-360-2659
Address: 1551 S Lilac Ave, Bloomington, CA 92316

For data deletion requests or security concerns:
Email: tony@mydepot.com 

For Amazon SP-API related questions:
Email: tony@mydepot.com