Contents
1. Who we are
EKE Consulting ("EKE," "we," "us," or "our") is a professional services agency providing Amazon Seller Central account management and advertising services to brands and sellers ("clients"). This policy explains how we collect, use, protect, retain, and dispose of information in the course of delivering those services, including information we access through our clients' Amazon Selling Partner accounts.
2. Scope
This policy applies to all information EKE handles on behalf of clients, all EKE personnel and contractors, and all systems and devices used to deliver our services. Where we access Amazon Selling Partner accounts, we do so only with the client's authorization and only to the extent required to perform the contracted service. We handle all such information in accordance with Amazon's Acceptable Use Policy and Data Protection Policy.
3. Information we access
In the course of managing client accounts, we may access:
- Business and catalog data — product listings, pricing, inventory, advertising campaigns, sales and performance reports, and account settings.
- Order and operational data — order status and fulfillment information needed to manage the account.
- Limited personally identifiable information (PII) — only where strictly necessary to resolve an operational issue (e.g., a specific customer case). We do not bulk-download, store, or process buyer PII for any purpose beyond the specific task at hand.
- Client contact information — the details our client points of contact provide to us directly.
We minimize by default. We access the least data necessary to perform the service, retain it for the shortest time necessary, and never use client or buyer data for any purpose other than delivering the contracted service.
4. How we use information
We use the information we access solely to deliver contracted services — operating and optimizing the account, managing advertising, resolving issues, and reporting results to the client. We do not sell client or buyer data, do not use it to train unrelated models, and do not use it for advertising to consumers outside the client's own account.
5. Sharing & disclosure
We do not share client data with third parties except: (a) with sub-processors and tooling strictly necessary to deliver the service, each bound by confidentiality and data-protection obligations no less protective than this policy; (b) where required by law; or (c) with the client's explicit instruction. A current list of sub-processors is available to clients on request.
6. How we protect data — security controls
We maintain administrative, technical, and physical safeguards appropriate to the sensitivity of the information we handle. These include:
Network protection
- Access to client accounts and internal systems is performed only from company-managed devices over trusted, encrypted networks; public and untrusted networks are used only through an encrypted VPN.
- Endpoints run host-based firewalls; inbound public access to any internal system is denied by default.
- We do not operate publicly exposed databases or servers containing client data. Data-hosting services we use are private by default, restricted by network and identity controls, and never open to the public internet.
Encryption
- Data is encrypted in transit (TLS) and at rest on all managed devices and storage.
- Company laptops use full-disk encryption and automatic screen locking.
Credential management
- All accounts use unique, strong credentials stored in a dedicated password manager. Credentials are never shared in plain text, email, or chat.
- Multi-factor authentication (MFA) is enforced on Amazon Seller Central, email, the password manager, and all critical business systems.
- Credentials and access tokens are rotated on personnel changes and on any suspected compromise.
7. Access controls
- Access to client data is granted on a least-privilege, need-to-know basis and is limited to personnel actively working on that client's account.
- Access is reviewed periodically and revoked promptly when a team member no longer requires it or leaves the organization.
- Administrative actions in client accounts are traceable to individual users.
8. Data retention & disposal
We retain client information only for as long as necessary to deliver the service and to meet legal or contractual obligations. Any PII incidentally accessed to resolve a specific issue is not retained beyond the resolution of that issue. Upon termination of an engagement, or on client request, we delete or return client data and revoke all access to the client's accounts within 30 days, except where retention is required by law. Data is disposed of using secure deletion methods.
9. Incident response
We maintain a written Incident Response Plan to detect, contain, and remediate security incidents such as unauthorized access, database compromise, or data leakage. In summary, our plan provides that we will:
- Detect & report — surface suspected incidents through monitoring and alerts, and require all personnel to report suspected incidents immediately to the designated security owner.
- Contain — immediately isolate affected systems and accounts, revoke and rotate potentially compromised credentials and access tokens, and disable affected access.
- Assess — determine the scope, root cause, and what data and accounts were affected.
- Eradicate & recover — remove the cause, restore systems from known-good state, and confirm the threat is resolved.
- Notify — notify affected clients and Amazon without undue delay, and within any timeframe required by our agreements and applicable law (and within 24 hours to Amazon where an incident affects Amazon Information).
- Review — conduct a post-incident review and update controls to prevent recurrence.
10. Organizational-change notification
EKE maintains a policy to notify Amazon within 30 days of any organizational change or event that changes our need for, or use of, Amazon Information — including changes in ownership or control, changes to the services we provide, changes to our data-handling practices, or a security incident affecting Amazon Information. We treat this as a standing obligation under Amazon's Data Protection Policy.
11. Your rights
Clients may request access to, correction of, or deletion of the information we hold on their behalf, and may withdraw our access to their accounts at any time. Where applicable law grants individuals privacy rights, we will support our clients in honoring those rights. Requests can be sent to the contact below.
12. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above, and, where changes affect our handling of Amazon Information, communicated in accordance with Section 10.
13. Contact
Questions about this policy or our data practices can be directed to:
EKE Consulting
Email: amazon@ekeconsulting.com