Privacy Policy

1. Controller

The data controller responsible for the processing of personal data described in this policy is:

2. Scope of This Policy

This privacy policy applies to all personal data processed by INtrenDU GmbH in connection with our e-commerce operations, including data obtained through the Amazon Selling Partner API (SP-API) and other marketplace platforms. We operate as a private seller on Amazon and use the SP-API exclusively for the internal management of our own seller account.

3. Data We Collect and Process

In the course of our business operations, we may collect and process the following categories of personal data:

• Order data: Order IDs, product details, quantities, order status, and shipping information
• Buyer information (PII): Customer names, shipping addresses, and contact details as provided by Amazon for order fulfillment
• Financial data: Transaction amounts, fees, and payment settlement information from marketplace platforms
• Inventory and fulfillment data: Stock levels, FBA shipment details, and logistics information
• Communication data: Buyer-seller messages exchanged through marketplace messaging systems

4. Purpose of Data Processing

We process personal data solely for the following purposes:

• Fulfilling and shipping customer orders (including direct-to-consumer shipments)
• Processing returns and refunds
• Managing inventory across fulfillment channels (FBA and merchant-fulfilled)
• Complying with legal obligations, including tax reporting and accounting requirements under German law (GoBD, HGB, AO)
• Responding to customer inquiries through marketplace messaging
• Analyzing sales performance and optimizing product listings

We do not sell, rent, or share personal data with third parties for marketing or advertising purposes.

5. Legal Basis for Processing

We process personal data on the following legal bases under the EU General Data Protection Regulation (GDPR):

• Art. 6(1)(b) GDPR: Performance of a contract – processing order and shipping data to fulfill purchases
• Art. 6(1)(c) GDPR: Legal obligation – retaining financial and transaction records as required by German tax and commercial law
• Art. 6(1)(f) GDPR: Legitimate interest – analyzing sales data to improve our business operations

6. Data Retention

We retain personal data only as long as necessary for the purposes described above, subject to the following retention periods:

• Buyer PII (names, addresses, contact details): Deleted within 30 days after order delivery. PII is only retained beyond 30 days where required by law (e.g., for tax invoices), in which case it is stored encrypted and access-restricted.
• Non-PII Amazon data (order totals, product data, inventory): Retained for a maximum of 18 months, unless longer retention is required by law.
• Financial and tax-relevant records: Retained for 10 years in compliance with German statutory requirements (§ 147 AO, § 257 HGB). These records contain transaction amounts and tax information but are stored separately from buyer PII.
• Security and access logs: Retained for a minimum of 12 months. Logs do not contain PII.
• Communication records: Retained for the duration required by the respective marketplace platform's policies.

After expiration of the applicable retention period, data is permanently and securely deleted in accordance with industry-standard processes.

7. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of PII at rest using AES-256-CBC
• Access controls limiting data access to authorized personnel only, following the principle of least privilege
• Multi-factor authentication (MFA) on all systems with access to Amazon information
• Regular vulnerability scans (every 30 days) and annual penetration tests
• Secure storage of API credentials as encrypted environment variables, with key rotation at least every 12 months
• Security logging with a minimum retention of 12 months, reviewed twice per week
• Incident response procedures in compliance with GDPR Art. 33 and Art. 34, with mandatory notification to Amazon within 24 hours

8. Data Sharing and Third Parties

We may share personal data with the following categories of recipients, solely for the purposes described in this policy:

• Shipping carriers: Names and addresses for order delivery (e.g., DHL, DPD)
• Tax advisors and accounting services: Financial records for tax compliance
• Marketplace platforms: As required by Amazon, Otto, and Kaufland marketplace operations
• Hosting providers: For secure storage of business data (with encryption at rest)

All third-party processors are contractually obligated to handle personal data in accordance with GDPR requirements. We do not share Amazon information with any other external parties.

9. International Data Transfers

As we operate across European marketplaces (Germany, Italy, France, Spain), personal data may be transferred within the European Economic Area (EEA). Any transfer of data outside the EEA is conducted in compliance with GDPR Chapter V, using appropriate safeguards such as Standard Contractual Clauses (SCCs).

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request information about the data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate data
• Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations
• Right to restriction (Art. 18): Request limited processing of your data
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interest

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority for our business is:

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our data processing practices or legal requirements. The current version is always available at this URL. We encourage you to review this page periodically.