Privacy Policy
SellerSlice LLC — Mission Control
| Document version | v2.0 |
| Effective date | June 1, 2026 |
| Supersedes | v1.1 (effective May 21, 2026) |
| Last updated | June 1, 2026 |
| Owner | SellerSlice LLC privacy team — privacy@sellerslice.com |
| Companion documents | Terms of Service (v2.0) · Cookie Policy · Data Retention Policy · Sub-processors · Data Processing Agreement · AI Disclosure · Acceptable Use Policy · Security & Trust · Aviso de Privacidad (México) · Legal Hub |
📌 TL;DR — The plain-language version
This summary is not the Policy — the numbered sections are. It's here so you can get the gist fast.
- Who we are. SellerSlice LLC, a Washington State (USA) company. Mission Control is our B2B software + client portal for Amazon sellers and the agencies that serve them. It's for businesses and people 18+.
- What we collect. Your account and business details, the work product we create for you, payment references (via Stripe), usage/analytics data, and — where you authorize it — data from your Amazon Seller Central / Advertising accounts.
- Why. To run the Service you signed up for, keep it secure, comply with law, and (with your consent) send marketing and set non-essential cookies.
- Your Amazon data is treated specially. We use no Restricted SP-API roles, so we hold no buyer names, addresses, emails, or phone numbers. We use your Amazon data only to support your own business, never pool it with other clients', never benchmark you against other sellers, and we delete it (not "anonymize" it) within 30 days when you disconnect.
- We do not sell or share your personal information. We honor Global Privacy Control signals.
- Your rights. Wherever you live, you can access, correct, delete, port, or object to the processing of your personal data. Use our Data Request form or email privacy@sellerslice.com. We respond within 30 days (45 in some US states).
- AI is a co-pilot. Our AI features are advisory; a human reviews before anything affects your account. We never use your data — or your Amazon data — to train anyone's AI models.
Table of Contents
- Who we are
- Scope and our role (controller vs. processor)
- Information we collect
- How we use your information, and our lawful bases
- Who we share it with (recipients and sub-processors)
- How long we keep it
- Your privacy rights
- International data transfers
- Cookies and similar technologies
- Children
- Automated decision-making and AI
- Amazon API data handling
- Security and breach notification
- Data Processing Agreement
- Region-specific disclosures
- Representatives, officers, and contacts
- Changes to this Policy
1. Who we are
SellerSlice LLC ("SellerSlice," "we," "us," "our") is a Washington State-based Amazon agency that provides services to Amazon and multi-marketplace sellers worldwide. Mission Control ("the Service") is our internal operations platform and client portal.
For the personal data we determine the purposes and means of processing, SellerSlice LLC is the controller.
Registered address: SellerSlice LLC, 1625 SE 192nd Ave, Suite 210, Camas, WA 98607, USA
Privacy contact: privacy@sellerslice.com
EU representative (Art. 27 GDPR): To be appointed and published here before accepting EU personal data.
UK representative (UK GDPR / DPA 2018, s. 84): To be appointed and published here before accepting UK personal data.
Québec privacy officer (Law 25, s. 3.1 — "Person in charge of the protection of personal information"): Jordache Perozzo, President — privacy@sellerslice.com.
2. Scope and our role (controller vs. processor)
This Policy explains how we handle personal data across the Mission Control platform (public pages, the employee application, and the client portal) and the agency services delivered through it.
Our role depends on the data:
- We act as a controller for the personal data of our own account holders and prospects — for example, employee and client-user account details, billing and contact information, audit logs, security data, and our own marketing.
- We act as a processor for personal data that our agency clients upload, generate, or authorize us to access on their behalf within the client portal and through connected Amazon accounts. For that data, our client is the controller and our processing is governed by the Data Processing Agreement (§14).
Where the same dataset has both characteristics, the more protective obligation applies. This dual-role mapping flows through every downstream obligation in this Policy (lawful basis, transfer mechanism, breach roles, and sub-processor objection rights).
3. Information we collect
When you sign up for and use the Service, we collect:
- Account information — name, email, password (stored hashed, never in plaintext), optional phone, profile photo, role, and team membership.
- Business information — business name, website, marketplaces, ASINs, brand summary, goals, concerns, logo, and the free-text context you provide at signup.
- Service data — Amazon listings, advertising performance, profit-and-loss data, brand plans, copy, photos of products, the work product we produce on your behalf, and — for the agency's own quality measurement — the before/after performance of changes we make to your listings (used only for your account; see §12).
- Payment information — processed directly by Stripe. We receive only a customer reference, the last four digits of your card, and a billing-address summary. We never receive or store full card numbers.
- Usage data — IP address, browser, device, pages visited, and timestamps. Used for product analytics, security, and abuse prevention.
- Communications — messages, support requests, and notifications you exchange with us.
- Cookies and similar technologies — see our Cookie Policy and §9.
- Amazon Information — where you authorize it, data from your Amazon Seller Central, Vendor Central, or Advertising accounts (see §12 for the full, specific treatment).
We do not knowingly collect special-category / sensitive personal data, and we ask you not to provide it.
4. How we use your information, and our lawful bases
Under the GDPR / UK GDPR (Art. 6), we process personal data on the following bases. (Equivalent bases apply under Canadian, Mexican, Australian, and US state law.)
| Purpose | Lawful basis |
|---|---|
| Providing and operating the Service you signed up for; account management; delivering agency services | Contract — Art. 6(1)(b) |
| Measuring the impact of the work we perform on your listings (before/after performance), to improve the quality of your service | Legitimate interests — Art. 6(1)(f); per-client only, never cross-client (balancing test on file) |
| Security, fraud prevention, abuse detection, audit logging, product analytics | Legitimate interests — Art. 6(1)(f); you may object at any time |
| Marketing communications and non-essential cookies | Consent — Art. 6(1)(a); withdrawable at any time |
| Tax, accounting, and regulatory record-keeping; responding to lawful requests | Legal obligation — Art. 6(1)(c) |
Your right to object (Art. 21). You have an absolute right to object to processing of your personal data for direct marketing at any time, and a right to object to processing based on legitimate interests on grounds relating to your particular situation. To object, email privacy@sellerslice.com or use the Data Request form.
We do not use your personal data for purposes materially incompatible with those above without telling you and, where required, obtaining your consent.
5. Who we share it with (recipients and sub-processors)
Upstream data sources. Where you authorize the Service to access third-party platforms on your behalf (for example, the Amazon Selling Partner API or Amazon Advertising API), the data we receive originates from those platforms under your direct authorization. Those platforms are independent controllers of the data they hold and are not our sub-processors. §12 describes our specific commitments regarding Amazon-sourced data.
Our sub-processors. We use a small set of vendors to operate the Service. The current, authoritative list — with each vendor's purpose, location, and whether it touches Amazon Information — is maintained at /subprocessors, which also states our advance-notice and objection process. As of the effective date it includes:
- Supabase Inc. — database, authentication, realtime, and storage hosting (US). EU/UK personal data covered by Standard Contractual Clauses / the UK Addendum.
- Vercel Inc. — web hosting, scheduled jobs, and product analytics / Web Vitals (US). Covered by the EU-US Data Privacy Framework, with SCC fallback.
- Vercel AI Gateway — AI inference routing layer (prompts in transit only).
- Resend Inc. — transactional email delivery (US).
- Stripe Payments Company — payment processing. Stripe acts as an independent controller for payment data under its privacy policy and is certified under the EU-US Data Privacy Framework.
- Anthropic, OpenAI, and xAI — AI inference for specific features (see §11 and the AI Disclosure). Inputs are not used to train their models.
- Google LLC — Calendar and Meet integration for users who connect it (US).
We do not sell, rent, or trade your personal information. We may disclose information when required by law, to enforce our Terms, or in connection with a merger or acquisition (with notice where required).
6. How long we keep it
We keep personal data only as long as we have a lawful purpose for it. The full, category-by-category schedule lives in our Data Retention Policy. In summary:
- Active accounts — retained while your subscription is active.
- Cancelled / Free-tier accounts — account and business data retained while the relationship continues; deletable on request.
- Deleted accounts — 30-day soft-delete grace period (cancellable). After 30 days, personal data is anonymized or deleted; non-personal, non-Amazon business records may be retained under Art. 6(1)(f) with this disclosure.
- Amazon Information — deleted (not anonymized) within 30 days of de-authorization, offboarding, or account closure (§12).
- Billing and tax records — 7 years.
- Security and audit logs — at least 12 months (an explicit, Amazon-required exception to the 30-day deletion rule).
- Consent and proof-of-consent records — at least 24 months; subscription-consent proof retained 3 years / 1 year post-termination, whichever is longer. These records are themselves personal data kept under a legal-obligation basis and are excluded from the general erasure cascade.
7. Your privacy rights
Regardless of where you live, you can ask us to:
- Access the personal data we hold about you (GDPR Art. 15 / CCPA §1798.110);
- Correct inaccurate data (Art. 16 / CCPA §1798.106);
- Delete your data (Art. 17 / CCPA §1798.105);
- Receive a portable, machine-readable copy (Art. 20);
- Object to or restrict processing (Arts. 18, 21);
- Withdraw consent at any time (Art. 7(3)).
How to exercise them. Use the Data Request form or email privacy@sellerslice.com. You do not need an account to make a request, and you may use an authorized agent. We verify your identity before acting and respond within 30 days (up to 45 days for certain US-state requests, with notice). If we deny a request, you may appeal — appeal instructions are provided with any denial.
We do not sell or share your personal information, and we honor Global Privacy Control (GPC) signals: a GPC signal is treated as a valid opt-out of sale/sharing and targeted advertising, and — because we set no advertising cookies — as a decline of the optional Analytics cookie category (you may re-enable analytics affirmatively in our cookie settings).
Your US state privacy rights. If you are a resident of California, Virginia, Colorado, Connecticut, Texas, or another state with a comprehensive privacy law, you have the rights above plus the right to opt out of the sale/sharing of personal information, targeted advertising, and certain profiling, and the right to appeal a denied request. California uniquely extends these rights to business contacts and employees. We do not discriminate against you for exercising any right. You may also complain to your state Attorney General.
You may lodge a complaint with your local supervisory authority — for example, the UK ICO, the relevant EU data protection authority, the OAIC (Australia), the OPC (Canada) or Commission d'accès à l'information (Québec), or the Secretaría Anticorrupción y Buen Gobierno (Mexico). We'd appreciate the chance to resolve it first.
8. International data transfers
We are headquartered in the United States, and our infrastructure is primarily US-based. Where we transfer personal data internationally, we rely on the following mechanisms, by recipient and destination:
- EU/EEA → US: EU-US Data Privacy Framework (Stripe, Vercel) with Standard Contractual Clauses as fallback (and for Supabase, Resend). A transfer impact assessment is on file.
- UK → US: the UK International Data Transfer Agreement / Addendum to the SCCs.
- Switzerland → US: Swiss-US Data Privacy Framework where applicable.
- Mexico → US: disclosure in the Aviso de Privacidad plus contractual equivalence with recipients (LFPDPPP Arts. 35–37).
- Canada/Québec → US: comparable-protection contractual safeguards; for Québec personal data, a privacy impact assessment under Law 25 s. 17 precedes the transfer.
- Australia → US: APP 8 contractual "reasonable steps" binding each US recipient to APP-equivalent handling. We name the United States as a likely recipient country in our collection notices.
9. Cookies and similar technologies
We use cookies and similar device-storage technologies for authentication, theme preferences, and limited analytics. Non-essential technologies (including our Web-analytics beacon) load only after you consent, and you can change or withdraw your choice at any time. Our full inventory, categories, and controls — and how we honor GPC — are in the Cookie Policy.
10. Children
The Service is intended for B2B users — businesses selling on Amazon or other marketplaces. It is not directed to anyone under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact privacy@sellerslice.com and we will delete it.
11. Automated decision-making and AI
We use AI to suggest copy edits, score listings for Marketing Readiness, generate report drafts, and surface internal news (our "Morning Review"). These outputs are advisory decision-support: a human reviews them, and you can edit or reject them, before anything affects your account. We do not make decisions that produce legal or similarly significant effects about you solely by automated means (GDPR Art. 22 / UK DUAA 2025). To request human review of, or contest, an AI-assisted output, contact privacy@sellerslice.com.
We use a small number of AI vendors (Anthropic, OpenAI, xAI, and the Vercel AI Gateway routing layer). We do not use your Customer Data or Amazon-sourced data to train, fine-tune, or improve any third-party AI model, and we require this prohibition of our AI vendors by contract. Full detail is in the AI Disclosure.
12. Amazon API data handling
Where you authorize SellerSlice to access your Amazon Seller Central, Vendor Central, or Amazon Advertising account through the Amazon Selling Partner API (SP-API) or the Amazon Advertising API, this section describes how we handle that data ("Amazon Information"). These commitments are in addition to, and intended to align with, the Amazon Services API Solution Provider Agreement, Acceptable Use Policy, and Data Protection Policy (collectively, the "Amazon DPP").
12.1 Source and authorization. We access Amazon Information only after you grant our application explicit OAuth authorization within your Amazon console. You may revoke that authorization at any time through the same surface; upon revocation we cease new API calls immediately and begin the deletion process in §12.4.
12.2 Categories of Amazon Information we may access: catalog data (listings, ASINs, attributes, images, variations); inventory and FBA data; orders and order metrics; financial data (settlements, fees, reimbursements, payouts); advertising data (campaigns, keywords, targeting, performance); Brand Analytics aggregates (where Brand Registered); and seller account metadata.
We operate under no "Restricted" SP-API roles. This means we do not access buyer-identifying information (buyer name, shipping address, email, phone), tax-invoice detail, or tax-remittance detail. If we ever request Restricted roles, we will update this Policy and obtain any additional authorizations required.
12.3 Permitted use — your data serves you, and only you. We use Amazon Information solely to support your own business with Amazon (SPA §D-7.1/§D-7.5). We do not sell, rent, or share it; we do not aggregate it across clients; and we do not use it to benchmark you against — or to benefit — any other seller, even in aggregated or de-identified form (AUP §4.4/§4.6). Where we measure the before/after impact of work we perform on your listings, that measurement is computed from your own data, retained while your authorization is active, shown only to you and your service team, and never pooled with other clients' data.
12.4 Retention and deletion. Amazon-sourced PII (which, per §12.2, we do not hold) would be retained no longer than 30 days. On de-authorization, offboarding, or account closure, we permanently delete (destroy, consistent with NIST SP 800-88) the connection credentials and all ingested Amazon Information for the affected account within 30 days — we do not "anonymize" it and keep it, because anonymization is not an accepted substitute for deletion under the Amazon DPP. The sole exception is data we are legally required to retain (e.g., tax records), which is access-restricted and deleted when the obligation lapses. Non-PII transactional Amazon data is retained for up to 18 months while your authorization is active. Security and audit logs of API access are retained at least 12 months. See the Data Retention Policy.
12.5 Security controls. Amazon Information is protected by AES-256 encryption at rest (with OAuth refresh tokens and connection secrets additionally encrypted at the application layer using AES-256-GCM, key-versioned to support rotation), TLS 1.2+ in transit, Row-Level Security tenant isolation, role-based access governed by job-duty need with quarterly access reviews and prompt deprovisioning, multi-factor authentication and a 12-character minimum password for employees, vulnerability scanning at least every 30 days, annual penetration testing, and at least annual key rotation. OAuth refresh tokens are encrypted; secret keys live in managed environment variables and are never committed to source control. See Security & Trust.
12.6 No AI training. Amazon Information is never used to train, fine-tune, or improve any AI/ML/LLM model, and this prohibition is flowed down to our AI sub-processors by contract.
12.7 Incident reporting and misuse. We notify Amazon at security@amazon.com within 24 hours of detecting a security incident affecting Amazon Information (§13). Our Information Security Point of Contact is reachable via privacy@sellerslice.com. Suspected misuse can be reported to us at privacy@sellerslice.com and to Amazon at spapi-abuse@amazon.com; we may suspend access for violations.
13. Security and breach notification
We maintain a written information-security and incident-response program with defined roles, a documented review cadence, AES-256 at rest / TLS 1.2+ in transit, Row-Level Security tenant isolation, MFA, audit logging, and the controls summarized in Security & Trust. No system is perfectly secure, but we work hard to protect your data.
In the event of a confirmed personal-data breach, we observe the following distinct notification clocks (we do not conflate them):
- Amazon — at security@amazon.com within 24 hours of detection, where Amazon Information is involved (Amazon DPP).
- EU/UK supervisory authority — within 72 hours of becoming aware, where required (GDPR/UK GDPR Art. 33).
- Our controller-clients — without undue delay, where we act as processor (Art. 33(2) / DPA).
- Australia — a 30-day assessment on suspicion of an eligible breach, then notification to the OAIC and affected individuals as soon as practicable (Notifiable Data Breaches scheme).
- Mexico — to affected titulares "de forma inmediata" where their patrimonial or moral rights are significantly affected (LFPDPPP).
- Canada — to the OPC and affected individuals on a real risk of significant harm (PIPEDA), and to the Québec CAI promptly on a risk of serious injury, with a confidentiality-incident register maintained for at least 24 months.
Affected individuals are notified without undue delay where required by applicable law.
14. Data Processing Agreement
For business customers whose use of the Service involves us processing personal data on their behalf (GDPR Art. 28, UK GDPR, Québec Law 25, or equivalent), our Data Processing Agreement is incorporated into the Terms of Service on acceptance (clickwrap) and is also available on request at privacy@sellerslice.com. It includes the Art. 28(3) terms, a technical-and-organizational-measures annex, and the international-transfer mechanisms in §8.
15. Region-specific disclosures
- Mexico (LFPDPPP). Mexican users are covered by our Spanish-language Aviso de Privacidad, which separates necessary from voluntary processing purposes, states ARCO rights (response within 20 business days; implementation within 15 business days), provides transfer accept/reject, and names our internal Departamento de Datos Personales.
- Australia (Privacy Act 1988 / APPs). Our collection notices identify the United States as a likely overseas recipient (APP 5, APP 1.4(f)); we take reasonable steps under APP 8 to bind overseas recipients and accept accountability under s. 16C. You may access and correct your personal information (APPs 12–13).
- Canada / Québec. We obtain meaningful consent and identify US processors and US storage (PIPEDA). Québec residents have the published-officer contact above, plus rights to portability, de-indexing, and to contest decisions based exclusively on automated processing (Law 25); cross-border transfers of Québec personal data follow a privacy impact assessment (s. 17).
- European Union / United Kingdom. The bases, rights, transfer mechanisms, and representative details above apply. Once appointed, the EU Art. 27 and UK representatives in §16 are your local points of contact.
16. Representatives, officers, and contacts
| Role | Contact |
|---|---|
| Privacy / data-subject requests | privacy@sellerslice.com · Data Request form |
| Legal | legal@sellerslice.com |
| General / support | help@sellerslice.com |
| Billing | billing@sellerslice.com |
| EU Art. 27 representative | To be appointed and published here |
| UK representative | To be appointed and published here |
| Québec privacy officer (Law 25 s. 3.1) | Jordache Perozzo, President · privacy@sellerslice.com |
| Amazon security incident contact (IMPOC) | Reachable via privacy@sellerslice.com · security@amazon.com (24h channel) |
17. Changes to this Policy
We will update this Policy as the Service evolves. We maintain a dated version history and an archive of previous versions. For material changes, we will notify active customers by email at least 30 days in advance and, where the change requires fresh consent, obtain it before the new processing begins.
| Version | Effective | Summary of changes |
|---|---|---|
| v2.0 | 2026-06-01 | Added controller/processor mapping; per-purpose lawful-basis matrix and Art. 21 objection; corrected Amazon data handling to delete-only (no anonymization) and added the no-cross-client and per-client-metrics commitments; expanded recipients to the full sub-processor list (incl. AI vendors and Google); added US-state rights with appeal, GPC honoring, and the explicit no-sell/no-share statement; added Mexico, Australia, and Canada/Québec disclosures and the six breach clocks; linked the DPA, Cookie, Data-Retention, AI, AUP, and Security documents. |
| v1.1 | 2026-05-21 | Prior version. |