Privacy Policy

Effective Date: February 20, 2026
Last Updated: February 20, 2026

1. Introduction

Sellercharter ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL").

2. Data Residency (UAE PDPL Article 21)

All user personal data and operational logs are stored exclusively in Google Cloud Region me-central1 (Doha) in compliance with UAE PDPL Article 21 (Data Residency Requirements).

  • Data Location: Google Cloud Platform (GCP) me-central1 region
  • Physical Location: Doha (Qatar)
  • Backup Location: Within UAE boundaries only
  • Processing Location: Cloud Run services in me-central1

No personal data is transferred outside the UAE without explicit consent and contractual safeguards.

3. Data We Collect

3.1 Personal Data

We collect the following personal data when you create an account:

  • Name: Your full name for account identification
  • Email Address: Used for authentication, account recovery, and service notifications
  • Encrypted Password: Stored using Firebase Authentication with bcrypt hashing (never stored in plain text)

3.2 Amazon Business Data

With your explicit consent, we access the following data via Amazon Selling Partner API (SP-API):

  • Product Catalog Data: ASINs, titles, prices, sales rank
  • Sales Metrics: Revenue, units sold, profit margins (aggregated, no buyer PII)
  • Inventory Data: Stock levels, FBA/FBM fulfillment status

3.3 What We Do NOT Store

Amazon Buyer PII Protection:

  • We explicitly DO NOT store: Amazon buyer names, addresses, phone numbers, or email addresses
  • Incidental PII: Any Amazon buyer PII accessed through SP-API is automatically deleted within 30 days per Amazon Data Protection Policy (DPP)
  • Aggregated Data Only: Sales reports contain only aggregated metrics (no individual buyer identifiers)

3.4 Technical Data

  • Login Timestamps: Recorded for security and audit purposes
  • IP Address: Captured during consent acceptance for audit trail
  • User Agent: Browser and device information for security
  • Session Cookies: __session cookie for authentication (HttpOnly, Secure)

4. How We Use Your Data

We process your data for the following purposes:

  • Service Delivery: Provide product research, profit tracking, and analytics features
  • Authentication: Manage user accounts and secure access
  • Compliance: Maintain audit logs for PDPL Article 30 (Records of Processing)
  • Support: Respond to customer inquiries and technical issues
  • Service Improvement: Analyze aggregated usage patterns (no individual tracking)

Legal Basis (PDPL Article 9): Your explicit consent is required before we process any personal data. You can withdraw consent at any time by contacting privacy@sellercharter.com.

5. Third-Party Data Processors

We use the following third-party processors, all contractually bound to PDPL compliance:

Stripe (Payment Processing)

  • Data Shared: Billing email, payment method (credit card tokens only)
  • Purpose: Process subscription payments securely
  • Location: PCI-DSS Level 1 compliant global infrastructure
  • Privacy Policy: stripe.com/privacy

Google Cloud Platform (Hosting)

  • Data Shared: All application data (processed in me-central1 region only)
  • Purpose: Data hosting, database storage, serverless compute
  • Location: me-central1 (UAE) exclusively
  • Compliance: ISO 27001, SOC 2, GDPR compliant
  • Privacy Policy: cloud.google.com/privacy

Firebase Authentication (Google)

  • Data Shared: Email, encrypted password hash
  • Purpose: User authentication and session management
  • Location: Multi-region with data mirrored to me-central1
  • Privacy Policy: firebase.google.com/support/privacy

6. Amazon Data Protection Policy (DPP) Compliance

We adhere to Amazon's Data Protection Policy (DPP). Any incidental Amazon PII (buyer personal information) accessed through Amazon SP-API is:

  • Accessed only when necessary for service functionality
  • Never stored in our databases
  • Automatically deleted within 30 days
  • Never shared with third parties
  • Protected with encryption in transit (TLS 1.3)

For more information, see Amazon SP-API Data Protection Policy.

7. Data Security (UAE PDPL Article 25)

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: TLS 1.2+ for all network communications (TLS 1.3 negotiated when supported)
  • Encryption at Rest: AES-256 for all database storage (Firestore and BigQuery)
  • Password Security: bcrypt hashing with salts (Firebase Auth)
  • Access Control: Role-based access control (RBAC) with multi-tenant isolation
  • Audit Logging: Immutable consent logs and access logs (365-day retention)
  • Regular Audits: Quarterly PDPL compliance reviews

8. Data Retention

We retain your data for the following periods:

  • Account Data: Retained while your account is active
  • Operational Logs: 365 days (BigQuery audit logs)
  • Consent Records: 7 years (PDPL Article 30 compliance)
  • Payment Records: 7 years (UAE tax law requirement)
  • Deleted Accounts: All personal data deleted within 30 days of account deletion request

9. Your Rights Under UAE PDPL

Under UAE PDPL, you have the following rights:

Right to Access (Article 13)

Request a copy of all personal data we hold about you. We will provide this within 30 days in machine-readable format (JSON).

Right to Rectification (Article 14)

Correct any inaccurate or incomplete personal data. You can update your name and email in Account Settings.

Right to Erasure (Article 15)

Request deletion of your account and all associated personal data. We will delete within 30 days (except records required by law).

Right to Data Portability (Article 16)

Export your data in JSON format for transfer to another service. Available via Dashboard → Settings → Export Data.

Right to Object (Article 17)

Object to automated processing of your data. Contact us to disable AI-powered features.

Right to Withdraw Consent (Article 9)

Withdraw consent for data processing at any time. This will result in account closure within 7 days.

To exercise these rights, contact us at:

Email: privacy@sellercharter.com
Response Time: Within 30 days per PDPL Article 13
No Fee: First request free; subsequent requests may incur administrative costs

10. Cookies

We use only essential cookies required for authentication:

  • __session: HttpOnly session cookie for authentication (expires after 14 days)
  • localStorage: Firebase Auth tokens (cleared on logout)

We do NOT use: Tracking cookies, advertising cookies, or third-party analytics cookies.

11. Children's Privacy

Sellercharter is not intended for individuals under 18 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@sellercharter.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be published on this page with an updated "Last Updated" date. Material changes will be notified via email 30 days in advance.

Consent Version Tracking: Your consent record includes the policy version you agreed to. If we make material changes, we will request new consent upon your next login.

13. Contact Us

For questions about this Privacy Policy or to exercise your PDPL rights:

Company: Sellercharter
Privacy Officer: Data Protection Team
Email: privacy@sellercharter.com
Phone: +971 XX XXX XXXX
Address: Dubai, United Arab Emirates
UAE Data Protection Office: tdra.gov.ae

UAE PDPL Compliance Statement

This Privacy Policy complies with UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law). All data processing is conducted within the UAE (Google Cloud me-central1 region). For questions about PDPL compliance or to file a complaint, contact the UAE Data Protection Office via tdra.gov.ae.

Last Reviewed: February 20, 2026
Next Review: May 20, 2026 (Quarterly per Article 41)