Privacy and Data Handling Policy

Company: Connectify ApS

CVR: 35682821

Address: Søndergade 8, 2 TV, 8000 Aarhus C, Denmark

Last updated: April 2026

1. Overview

This policy describes how Connectify ApS collects, processes, stores, and protects data obtained through the Amazon Selling Partner API (SP-API), including any Restricted Data as defined under Amazon's Data Protection Policy (DPP).

Connectify ApS operates as a middleware integration layer between Amazon Seller Central and our customers' ERP systems (e.g. Microsoft Dynamics 365 Business Central) and warehouse management systems. The integration automates order processing, inventory synchronisation, fulfilment workflows, and financial reconciliation on behalf of authorised Amazon sellers.

2. Data We Collect

We collect only the minimum data necessary to provide the integration service. The following categories of data may be retrieved via the Amazon SP-API with explicit authorisation from the seller:

Data Category	Specific Elements	Purpose	SP-API Role Required
Buyer Shipping Information (Restricted Data)	Full name, delivery address (street, city, postal code, country), phone number, email address	Generating shipping labels and dispatching Fulfilled-by-Merchant (FBM) orders directly to buyers. Confirming shipments and uploading tracking numbers to Amazon.	Direct-to-Consumer Shipping
Order Data	Order ID, order status, items ordered, quantities, marketplace, order date	Order processing, inventory management, status synchronisation with ERP systems	Inventory and Order Tracking
Financial Settlement Data	Settlement ID, transaction amounts, fee breakdowns, deposit dates	Financial reconciliation against invoices in Business Central ERP	Finance and Accounting
Inventory Data	SKU, stock levels, fulfilment centre data	Inventory synchronisation across channels	Inventory and Order Tracking / Amazon Fulfillment
Pricing Data	Listed prices, competitive pricing	Price management and automated repricing	Pricing

3. How We Use the Data

Amazon data — including Restricted Data — is used solely for the operational purposes described above. Specifically:

Buyer Restricted Data (name, address, phone, email) is used exclusively to create shipping labels and dispatch FBM orders. It is never used for marketing, profiling, analytics, or any secondary purpose.
Financial settlement data is used solely for invoice reconciliation within the authorised seller's ERP system.
No Amazon data is used to build user profiles, serve advertising, or train machine-learning models.
No Amazon data is sold, licensed, or distributed to any party other than as described in Section 5 (Data Sharing).

4. Data Storage and Security

All Amazon data, including Restricted Data, is stored within secure cloud infrastructure hosted on Amazon Web Services (AWS) in the European Union.

Encryption at rest: AES-256 encryption enforced via AWS KMS (Customer Managed Keys) on all databases (AWS RDS), object storage (Amazon S3), and EBS volumes. Production, staging, and development environments use separate, isolated key sets. Keys are rotated automatically on an annual basis.
Encryption in transit: All data transmitted between our systems and the Amazon SP-API is encrypted using TLS 1.2 or higher (HTTPS). No unencrypted connections are permitted.
Network protection: All systems run inside an AWS VPC. Databases and file servers have no public internet access. AWS WAF is deployed on public endpoints. Admin access is exclusively via AWS Systems Manager Session Manager with MFA — no open SSH ports.
Access control: Role-based access following the principle of least privilege. MFA is required for all accounts with access to Amazon data. Access is reviewed quarterly.
Logging: All API calls and administrative actions are logged via AWS CloudWatch. Personally Identifiable Information (PII) is never written to log files. Log access is restricted via IAM — only the security team has read access; no user has delete permissions. All log access is audited via CloudTrail. Logs are retained for 12 months in CloudWatch, then archived to S3 for a further 24 months.
Monitoring: AWS GuardDuty and CloudWatch Alarms monitor continuously for suspicious activity. Alerts reach the security team within 15 minutes.

5. Data Sharing

Buyer Restricted Data is shared only with the shipping carrier(s) designated by the authorised seller, solely for the purpose of completing the physical delivery of FBM orders. All carriers receiving buyer data are bound by Data Processing Agreements (DPAs) obligating them to use the data exclusively for shipment delivery and to delete it upon completion.

Settlement and financial data is transmitted to the authorised seller's ERP system within the seller's own environment. Connectify ApS does not sell, rent, or otherwise disclose Amazon data to any third party for commercial purposes.

6. Data Retention and Deletion

Data Type	Retention Period	Deletion Method
Buyer Restricted Data (name, address, phone, email)	Deleted within 30 days of confirmed delivery or order closure	Automated deletion job — permanently removed, not archived
Order metadata (non-PII: order IDs, status, items)	Up to 3 years for operational and audit purposes	Securely deleted or anonymised after retention period
Financial settlement data	Up to 5 years (Danish Bookkeeping Act compliance)	Securely deleted after retention period
System logs (non-PII)	12 months active in CloudWatch; 24 months archived in S3 (36 months total)	Automatically purged via CloudWatch and S3 lifecycle policies

7. Backups and Recovery

Data is backed up daily via automated AWS snapshots (RDS automated backups and S3 versioning). Backups are stored in a geographically separated AWS region from the primary data store (primary: eu-west-1 / Ireland; backup replica: eu-central-1 / Frankfurt). All backups are encrypted at rest using AES-256 via AWS KMS.

Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 24 hours. Restore procedures are documented and tested annually.

8. Security Monitoring and Incident Response

Connectify ApS maintains 24/7 automated monitoring via AWS CloudWatch and AWS GuardDuty. In the event of a confirmed or suspected security incident involving Amazon buyer data or Restricted Data:

Affected systems are isolated immediately and API credentials are rotated.
Amazon is notified within 24 hours at security@amazon.com.
Affected data subjects are notified in accordance with GDPR Article 34 where applicable.
A post-incident report is delivered within 5 business days.

9. Your Rights (GDPR)

If you are an individual whose personal data has been processed through our Amazon integration, you have rights under the EU General Data Protection Regulation (GDPR), including the right to access, correct, or request deletion of your data. To exercise your rights, contact us at: privacy@connectify.dk

10. Changes to This Policy

This policy may be updated periodically. The date of the most recent revision is shown at the top of this page.

11. Contact

Connectify ApS
Søndergade 8, 2 TV
8000 Aarhus C, Denmark
privacy@connectify.dk