AlphaMax Product Privacy Notice
AlphaMax is the trading name for our eCommerce platforms, products, and website. Our platform is operated by DOWNTON TECH LIMITED, a UK-based company (company number 16249160). Our registered office is at Venture House, 2 Arlington Square, Bracknell, Berkshire RG12 1WA, United Kingdom.
We are registered as a data controller with the UK Information Commissioner’s Office (ICO) under registration number ZB927519.
Downton Tech Ltd (“we”, “our”, “us”) respects your privacy and is committed to protecting the personal information we process through our software and services. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights.
We comply with UK Data Protection law, the UK GDPR, the EU GDPR, and Amazon’s Acceptable Use Policy (AUP) and Data Protection Policy (DPP).
- Information We Collect
Depending on how you use our software, we may collect and process:
- Identity & Contact Data – name, job title, business contact details.
- Transaction Data – order details, invoicing, and payment information.
- Amazon Order Data (PII) – names, addresses, phone numbers of Amazon customers (only when authorized through Amazon SP-API).
- Technical Data – IP addresses, device/browser information, system logs (no PII stored in logs).
- Profile Data – login credentials for our software (never Amazon portal credentials).
- Marketing Data – business contact details for legitimate interest marketing (opt-out available).
We do not request or accept Amazon Seller Central usernames, passwords, or access keys. All access to Amazon data occurs via Amazon’s official authorization process.
- How We Use Information
2.1 Direct-to-Consumer Shipping
When authorized by an Amazon seller, our software retrieves customer shipping data (name, address, phone number) from Amazon. This data is used exclusively to:
- Generate shipping labels,
- Arrange courier collection and delivery,
- Provide shipment status updates.
We do not use this data for analytics, profiling, or marketing. It is deleted within 30 days of delivery, unless required longer by law (see Section 4).
Order Processing Steps (PII-Compliant)
1. Authenticate and Connect to Amazon
   - Securely establish a connection with Amazon using Client-authorized credentials.
2. Retrieve New Orders
   - Fetch new orders based on creation time or order status.
   - Ensure data is handled securely during retrieval.
3. Store Order Data Securely
   - Save order details (e.g., order ID, items, shipping address, buyer name) in the AlphaMax database associated with the Client Account.
   - Encrypt all personally identifiable information (PII) during storage.
4. Check Fulfilment Type
   - Identify if each order is Fulfilled by Amazon (FBA) or Fulfilled by Merchant (FBM).
   - Route orders to the correct processing path accordingly.
5. Fetch and Record Item Details
   - Get detailed information about each item in the order (SKU, quantity, etc.).
   - Log this data for packaging and fulfilment.
6. Process for Fulfilment
   - Confirm inventory availability.
   - Prepare a packing slip.
   - Generate and assign a shipping label.
   - Arrange for pickup or drop-off with the courier.
7. Update Internal Order Status
   - Mark the order as “Ready for Shipment,” “Shipped,” or other statuses in your system.
   - Attach shipping and tracking details where applicable.
8. Monitor Order Progress
   - Track delivery status for shipped orders.
   - Handle returns, cancellations, or customer service issues as needed.
9. Handle PII Retention
   - Automatically remove or anonymize all PII (e.g., buyer name, address) within 30 days of order processing.
   - Ensure no backups or logs retain unencrypted PII beyond this period.
10. Maintain Access Logs
    - Log all internal access to PII securely.
    - Regularly review logs for unauthorized access attempts.
11. Generate Reports (PII-Free)
    - Use anonymized data to create sales, fulfilment, and performance reports.
    - Exclude any personal data from these reports.
2.2 Tax Invoicing
The default invoicing available through Seller Central does not meet our operational needs because our platform aggregates and manages sales across multiple Amazon marketplaces on behalf of third-party sellers. These sellers often require localized and compliant invoices in real time, which Amazon’s default tools cannot support at scale or with the required level of customization (e.g., branding, item-level breakdowns, or split-tax reporting per product category).
For regions that require VAT/GST-compliant invoices, our software may process Amazon order data (including customer name and billing address) to:
- Generate legally compliant tax invoices according to regional requirements (e.g., UK VAT Act, EU VAT Directive).
- Supplement Seller Central invoicing where local law requires additional fields.
2.3 Tax Remittance
Seller Central tax settings are suitable for individual sellers, but our platform manages tax obligations for hundreds of sellers with different business profiles, obligations, and jurisdictions. Seller Central lacks the flexibility for:
- Real-time tax rate updates across multiple tax authorities.
- Complex remittance logic (e.g., marketplace facilitator vs seller liability).
- Multi-seller reconciliation and tax remittance reports.
For sellers who opt in, our software supports automated calculation and reporting of taxes. Customer data is used only to:
- Calculate applicable taxes,
- Generate compliant tax records,
- Support government reporting standards (e.g., HMRC, EU VAT OSS).
2.4 Professional Services
We require access to limited PII (e.g., buyer name, shipping address) strictly for the purpose of:
- Generating accurate tax-compliant invoices.
- Mapping transactions to the correct tax jurisdiction (based on destination address).
- Providing localized customer service on behalf of sellers, including invoice resends or corrections upon request.
- Providing account management, reporting, or advisory services.
All PII is handled in compliance with GDPR, CCPA, and Amazon’s Acceptable Use Policy, and securely stored with encryption and access control.
- Security and Monitoring
- Access Control: Data is accessible only to authorized personnel with a business need.
- Encryption: Data is encrypted in transit and at rest.
- System Logs: We log technical activity for diagnostics and security, but PII is never stored in logs.
- Monitoring: We monitor for malicious activity using automated tools and alerts.
We conduct routine security checks on all application and network components that interact with Personally Identifiable Information (PII) at least every 120 days. This includes regular vulnerability scanning, as well as periodic penetration testing conducted by internal teams or external security professionals. Any identified risks are assessed and remediated promptly to maintain the security and integrity of our systems and data.
We scan our application code for vulnerabilities prior to each release. Our development process includes automated security checks using code analysis tools to identify and remediate vulnerabilities in both custom code and third-party dependencies. These scans are an integral part of our CI/CD pipeline to ensure secure releases and protect Personally Identifiable Information (PII).
- Data Retention
- Amazon order PII is retained for a maximum of 30 days after order delivery.
- Retention beyond 30 days occurs only where legally required (e.g., VAT/tax record retention of 6 years under UK law).
- When no longer required, data is securely deleted or anonymized.
- Incident Response
We maintain an incident response plan. In the event of unauthorized access, data leak, or database hack:
- Investigation begins immediately.
- Impacted users are notified as required by law.
- Amazon is notified within 24 hours at security@amazon.com, in compliance with Amazon’s DPP.
- Data Sharing
We may share data with trusted service providers who support our operations (e.g., hosting, CRM, audit, IT support). We ensure:
- Data is only shared on a need-to-know basis,
- Providers maintain security standards at least equal to ours,
- No Amazon customer data is shared for marketing or resale.
- Your Rights
You have the right to access, correct, delete, or restrict the processing of your personal data. You may also object to processing or request data portability.
To exercise these rights, contact us at: dpo@alpha-max.co.uk.
- International Transfers
If we transfer personal data outside the UK/EU, we use safeguards such as Standard Contractual Clauses (SCCs) to ensure protection.
- Data Disposal
Data disposal follows NIST SP 800-88 Rev. 1 and ISO/IEC 27001 standards for secure deletion.
At the end of a retention period or project lifecycle, data is purged from all systems, including backups.
Disposal actions are logged and verified during compliance audits.
- Questions & complaints
For any privacy concerns, contact our Data Protection Officer at dpo@alpha-max.co.uk.
UK residents may also file a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint/.
EU residents may contact the Estonian Data Protection Inspectorate at https://www.aki.ee/en.
We encourage you to contact us first so we can resolve any concerns directly.
- Updates
This Privacy Policy may be updated. The latest version will always be available at: https://alpha-max.co.uk/software-privacy-policy.