Your Data is Safe With Us
- ·Overview
- 1Data We Collect
- 2How We Use Data
- 3Amazon SP-API Data
- 4Managed Services Data
- 5Data Sharing
- 6Data Security
- 7Your Rights
- 8Data Retention
- 9Cookies
- 10Children's Privacy
- 11Changes to Policy
- 12Contact Us
Your Data Rights
- Access your data
- Correct inaccuracies
- Delete your account
- Withdraw API access
- Port your data
INSTYLE ("we", "us", "our") operates the Ecom Assistance® platform and managed ecommerce services. This Privacy Policy explains what personal and business data we collect, how we use it, who we share it with, and how you can control it.
This policy applies to all our services — the AI platform at app.ecomassistance.com, the website at ecomassistance.com, and all managed ecommerce services provided by our team. By using our Services, you consent to the practices described in this policy.
📥 Data We Collect
| Data Category | What We Collect | When Collected |
|---|---|---|
| Account Information | Name, email address, business name, phone number, GSTIN (optional), and login credentials | During registration |
| Amazon Seller Data | Order IDs, product ASINs, delivery dates, marketplace names, buyer communication eligibility, settlement data, listing information | After SP-API authorization |
| Financial Data | COGS entries you upload, P&L data you configure, settlement report data from Amazon. We do not collect credit card or bank account numbers. | During platform use |
| Payment Metadata | Payment status, invoice number, subscription plan, billing date. Actual card/bank processing is handled by Razorpay. | On subscription payment |
| Usage Data | Pages visited, features used, session duration, IP address (anonymised after 90 days), browser type, device type | During platform use |
| Communication Data | Emails, WhatsApp messages, and support queries you send us | When you contact us |
| Managed Service Data | Seller account credentials (held securely for managed service operation), brand assets, product catalogues, PPC campaign data | During managed service onboarding |
We collect only the data necessary to provide our Services. We apply data minimisation principles — if data isn't needed to operate a specific feature, we don't collect it.
⚙️ How We Use Your Data
To Provide & Operate the Platform
- Send Amazon review and feedback requests via the official Solicitations API on your behalf
- Generate P&L dashboards, payment reconciliation reports, and settlement analyses
- Monitor listing health, detect suppressed listings, and alert you to account issues
- Sync order data and display analytics in your dashboard
- Manage your subscription, process payments, and generate GST invoices
To Provide Managed Services
- Access and manage your marketplace seller accounts on your behalf with your authorisation
- Create and optimise listings, manage PPC campaigns, and coordinate inventory
- Generate monthly P&L and performance reports for your review
- Coordinate APOB, VPOB, and FSSAI registrations using your business documents
- Prepare Plan of Action (POA) documents for account reinstatement services
To Communicate With You
- Send transactional emails — payment confirmations, invoices, account notifications
- WhatsApp messages for managed service updates and urgent account alerts
- Monthly performance summaries and COGS reminders (managed clients)
- Policy updates and changes to these Terms or this Privacy Policy
To Improve Our Services
- Analyse aggregated, anonymised usage patterns to improve platform features
- Debug errors and improve system reliability
- Train and improve AI models using anonymised, aggregated data only — never your identifiable business data
🔗 Amazon SP-API Data
When you connect your Amazon seller account via the OAuth authorization flow, we access the following data types through Amazon's official Selling Partner API:
| API Data Type | Purpose |
|---|---|
| Orders API | Identify eligible orders for review requests; sync order history for analytics |
| Solicitations API | Send review/feedback requests to eligible buyers on your behalf |
| Listings API | Display listing health status and detect suppressed listings |
| Reports API | Download settlement reports, flat-file order data for reconciliation and P&L |
| Finances API | Access financial event data for fee verification and reconciliation |
| Catalog API | Access product information for COGS matching and listing management |
Your Amazon refresh tokens are encrypted using AES-256 encryption and stored in our secure database. They are never shared, never transmitted insecurely, and are permanently deleted when you disconnect your account or cancel your subscription. You can revoke our access at any time from Amazon Seller Central → Apps & Services → Manage Your Apps.
Our SP-API application is registered under Amazon's developer program. All data accessed through the API is governed by Amazon's Developer Agreement in addition to this Privacy Policy. We do not use your Amazon data for any purpose beyond what is described in this policy.
🤝 Managed Services Data Handling
For brands on our managed service plans, we handle additional sensitive data as part of our operational responsibilities:
Data We Access for Managed Services
- Marketplace seller account login credentials (stored in encrypted, access-controlled systems)
- Brand assets including logos, product images, and marketing materials
- Business documents for APOB/VPOB/FSSAI registrations (GST certificates, PAN, Aadhaar — handled per legal requirements)
- Inventory data, cost sheets, and supplier information you share with us
- Financial data for P&L preparation and reconciliation
How Managed Service Data is Protected
- Access to client credentials is restricted to the assigned account manager and senior operations staff only
- All credentials are stored in encrypted password managers, never in plain text or email
- Physical documents provided for APOB/VPOB/FSSAI are handled with strict confidentiality and destroyed after registration completion
- We do not share client business data with other clients under any circumstances
- Upon service termination, all client credentials and business data are permanently deleted within 90 days after account handover
🔄 Data Sharing & Third Parties
We never sell, rent, or trade your personal or business data to any third party. Full stop. Our business model is built on subscription fees and service fees — not data monetisation.
We share data only where strictly necessary to operate our Services:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Amazon | Order IDs, ASIN data (via SP-API calls) | Required to operate marketplace integrations and send review requests |
| Razorpay | Name, email, subscription amount | Payment processing. Razorpay does not receive your Amazon or business data |
| Amazon Web Services (AWS) | All platform data (encrypted at rest) | Cloud hosting infrastructure. Mumbai region (ap-south-1) — data stays in India |
| Email Provider (SMTP) | Your email address, message content | Transactional emails — invoices, notifications, platform alerts |
| WhatsApp Business | Phone number, message content | Managed service communication. Only used with your consent |
All third-party providers are bound by confidentiality agreements and their own privacy policies. We do not use advertising networks, tracking pixels, or behavioural profiling services.
Legal Disclosure
We may disclose data if required by law, court order, or government regulation in India. We will notify you of such requests where legally permitted to do so.
🔐 Data Security
We implement industry-standard security measures across our platform and internal processes:
- Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+ with valid SSL certificates. Plain HTTP is automatically redirected.
- Encryption at rest: Database contents are encrypted at rest on AWS infrastructure. Amazon SP-API refresh tokens use AES-256 encryption with separate key management.
- Access controls: Platform access is role-based. Employees only access data needed for their specific function. All admin actions are logged.
- EC2 security: Our server (AWS Mumbai) uses SSH key-based authentication only. Password-based SSH access is disabled.
- Database: SQLite in WAL mode with regular encrypted backups. Database is not directly internet-accessible.
- Session security: Sessions use secure, HttpOnly cookies with appropriate expiry. CSRF protection is implemented on all state-changing endpoints.
- Rate limiting: All API endpoints have rate limiting to prevent abuse and brute-force attacks.
- Login security: Account lockout after repeated failed login attempts. Login anomalies trigger email notifications.
No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours of discovery via the email address on your account, as required under applicable data protection regulations.
✊ Your Data Rights
As a user of our platform or a managed service client, you have the following rights regarding your personal and business data:
👁️ Right to Access
Request a complete export of all personal data we hold about you and your business.
✏️ Right to Correction
Request correction of any inaccurate or incomplete information in your account.
🗑️ Right to Deletion
Request permanent deletion of your account and all associated data. Data will be removed within 30 days.
🔌 Withdraw SP-API Access
Disconnect your Amazon seller account at any time from Seller Central. This immediately stops all API access.
📦 Data Portability
Request your data in a machine-readable format (JSON/CSV) for transfer to another service.
🚫 Right to Object
Object to processing of your data for purposes beyond direct service delivery.
To exercise any of these rights, email info@ecomassistance.com with the subject "Data Rights Request" and your registered email address. We will respond within 15 business days. For managed service clients, WhatsApp is also accepted.
🗓️ Data Retention
| Active Account Data | Retained for the duration of your active subscription or managed service contract |
| After Subscription Ends | Account data retained for 90 days to allow data export and reactivation. Permanently deleted after 90 days. |
| Amazon API Tokens | Deleted immediately upon account disconnection or subscription cancellation |
| Payment Records | Retained for 7 years as required under Indian Accounting Standards and GST regulations |
| Communication Records | Support emails and WhatsApp history retained for 2 years for dispute resolution |
| Usage Logs | Anonymised after 90 days. Raw logs deleted after 180 days |
| Managed Service Data | Business data and credentials permanently deleted within 90 days of service termination after account handover |
| Registration Documents | Physical/digital documents for APOB/VPOB/FSSAI held only during the registration process, then destroyed |
You may request early deletion of your data at any time by contacting us. Payment records required for legal compliance cannot be deleted early regardless of request.
🍪 Cookies & Tracking
Platform (app.ecomassistance.com)
- Session cookies only — we use one session cookie to keep you logged in. It expires when you close your browser or after 24 hours of inactivity.
- No advertising cookies — we do not use Google Ads, Facebook Pixel, or any retargeting/advertising cookie.
- No tracking cookies — we do not track your activity across other websites.
- No third-party cookies — no embedded widgets, social share buttons, or external scripts that set cookies.
Website (ecomassistance.com)
- Basic analytics to understand page traffic — visitor counts, popular pages, referral sources. Data is aggregated and not linked to individuals.
- No personal identifiers are collected through website analytics.
- The WhatsApp click-to-chat button (Wa.me link) does not set cookies on our website — it redirects to WhatsApp's infrastructure.
You can disable cookies in your browser settings. Disabling the session cookie will prevent platform login. Disabling analytics cookies has no impact on platform functionality.
👶 Children's Privacy
Our Services are designed exclusively for registered businesses and authorised marketplace sellers. We do not knowingly collect personal data from individuals under the age of 18. Our platform requires a valid business registration, marketplace seller account, and GSTIN (for Indian users) to access — which legally cannot be held by minors.
If you believe we have inadvertently collected data from a minor, please contact us immediately at info@ecomassistance.com and we will delete such data within 48 hours.
📝 Changes to This Policy
We may update this Privacy Policy from time to time as our services evolve or as legal requirements change. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Send an email notification to all active account holders at least 14 days before significant changes take effect
- Display an in-app notice in the platform dashboard for platform subscribers
- For managed service clients, notify directly via WhatsApp for changes that affect how we handle your business data
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.
📬 Contact Us & Data Requests
For privacy inquiries, data rights requests, or concerns about how we handle your data:
| Company | INSTYLE |
| Brand | Ecom Assistance® |
| Address | Ahmedabad, Gujarat 380 001, India |
| Privacy Requests | info@ecomassistance.com Subject: "Data Rights Request" + your registered email |
| General Enquiries | info@ecomassistance.com |
| +91 99985 44339 | |
| Response Time | Within 15 business days for data rights requests · Within 2 hours for WhatsApp (managed clients) |
This Privacy Policy is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Disputes are subject to the jurisdiction of courts in Ahmedabad, Gujarat, India.
Your Privacy is Our Commitment
Questions about how we handle your data? Our team responds within 2 hours on WhatsApp and 15 business days for formal data requests.