[TODO] (full address, data-protection contact email, EU representative per Art. 27 GDPR with physical EU address, DPO if applicable) must be completed before public launch and reviewed by a data-protection lawyer. Without a designated Art. 27 representative, the platform may not be offered to EU residents.
Privacy Policy
1. Controller
The controller for the processing of personal data on this site within the meaning of the GDPR is:
AMZSTAY - FZCO (Freezone Company), operating under the trade name Sellerwerk
represented by MHD RATEB KAISAR
[TODO Street + Number]
DSO-IFZA, IFZA Properties
[TODO Postal Code] Dubai Silicon Oasis
United Arab Emirates
Email: [TODO datenschutz@…]
1a. EU representative (Art. 27 GDPR)
Because the controller is established outside the European Union but offers GDPR-relevant processing to individuals located in the EU, AMZSTAY-FZCO has designated an EU representative pursuant to Art. 27 GDPR:
[TODO Name of the EU representative]
[TODO Street + Number]
[TODO Postal Code City]
[TODO EU member state]
Email: [TODO contact email of the representative]
The EU representative is the contact point for supervisory authorities and data subjects regarding all questions related to the processing of personal data.
2. Purposes and legal bases of processing
Sellerwerk (AMZSTAY-FZCO) processes personal data for the following purposes:
- Operation of the Sellerwerk SaaS platform (Art. 6(1)(b) GDPR — performance of contract)
- Authentication and access management (self-operated auth infrastructure on our own servers in Germany)
- Payment processing via Stripe (Art. 6(1)(b) GDPR)
- Connection to the Amazon Advertising API on behalf of the customer (Art. 6(1)(b) GDPR + processor relationship)
- Audit-log recording of actions (Art. 6(1)(c) GDPR — legal obligation)
3. Recipients / third countries
Personal data is shared with the following processors (Art. 28 GDPR):
EU infrastructure:
- Dedicated hosting in Germany — physical hosting of the dedicated servers at an EU data-center provider established in Germany. All application, database, and mail infrastructure runs on these servers. No third-country transfer. Category of processor: hosting / data-centre (EU, Germany). The specific provider identity is disclosed on request in the Data Processing Agreement (DPA).
- Self-operated services on our own EU infrastructure: application database (relational + time-series), background processing (in-memory cache for sessions and asynchronous job execution — sync, reports, rule evaluations, rate limits), self-operated authentication and realtime layer, self-operated mail server (no Resend or Mailgun), and self-operated error monitoring with IP and request-body scrubbing (no US telemetry provider).
Processors with third-country transfer (USA):
- Stripe Payments Europe, Ltd. (Ireland) / Stripe, Inc. (USA) — payment processing, invoicing, subscription management. Stripe is certified under the EU-US Data Privacy Framework (DPF).
- Amazon Advertising LLC (USA, via Amazon EU S.à.r.l., Luxembourg) — managing advertising campaigns on the customer's behalf. The customer authorizes Sellerwerk via OAuth to access their Amazon Ads account.
Third-country safeguards: Transfer to the USA is based on the EU-US Data Privacy Framework (Commission Implementing Decision of 2023-07-10), supplemented by Standard Contractual Clauses (Art. 46(2)(c) GDPR). Note that under the U.S. CLOUD Act and FISA 702, U.S. authorities may, under specific conditions, access data stored in the USA; the listed providers address these risks via encryption, contractual safeguards, and DPF self-certification.
3a. Automated decision-making (Art. 22 GDPR)
Sellerwerk includes automated processing systems that adjust advertising campaigns on behalf of the customer:
- Automation rules: customer-configured rules (e.g., “pause keyword if ACoS > 60% over 7 days”) executed on a schedule at campaign / ad-group / keyword level.
- Bid recommendations: statistical suggestions based on historical performance. Suggestions take effect only after explicit customer approval.
- Keyword Intelligence: AI-supported suggestions for new keywords, negative keywords, and budget shifts.
Scope: these systems act exclusively on advertising-campaign settings in the customer's Amazon Ads account. No decisions with legal effect or significant impact on natural persons within the meaning of Art. 22(1) GDPR are made.
Logic: rules are defined by the customer and transparently visible in the application. Bid recommendations and keyword suggestions are computed solely by Sellerwerk's own statistical algorithms based on impressions, clicks, conversions, and historical ACoS/ROAS — without external AI providers.
Your rights: as a data subject you have the right to an explanation of the underlying logic (Art. 13(2)(f) GDPR), to human review (Art. 22(3) GDPR), and to object to the automated processing. All automations can be disabled in account settings.
4. Your rights
You have the following rights:
- Access to stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data, unless statutory retention obligations preclude this (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Complaint to a supervisory authority (Art. 77 GDPR — in Germany the State Data Protection Commissioner of your federal state)
5. Retention period
Sellerwerk retains personal data only as long as necessary to fulfil the purposes listed above or as required by statutory retention obligations (e.g., commercial and tax law). Audit logs are retained per plan limit (30 days for Starter, up to 2 years for higher tiers). Amazon refresh tokens are stored encrypted (AES-256) and deleted immediately upon disconnection; Amazon access tokens are never persisted and have a maximum lifetime of 60 minutes.
6. Cookies and local storage
Sellerwerk uses only technically necessary cookies for authentication (session cookie) and preferences (language, theme). No tracking, analytics, or advertising cookies are set. A consent banner is therefore not required for core functionality; payment functions via Stripe are loaded only after explicit consent.
7. Data security (Art. 32 GDPR)
Sellerwerk applies the following technical and organisational measures:
- Transport encryption via TLS 1.2+ for all client-server and server-to-server communication
- Row-Level Security at the database level — a request authenticated as organisation A cannot read or write rows of organisation B
- VPN-based administrative access to backend systems; admin interfaces are not reachable on the public internet
- Encryption of sensitive fields (Amazon tokens) with AES-256; keys are stored separately from the tokens in a dedicated secrets store
- Daily backups with point-in-time recovery; WAL archiving and regular restore drills
- Scrubbing of IP addresses and request bodies before submission to error monitoring
8. Contact
For data-protection inquiries, please email [TODO datenschutz@…] or use the postal address listed above. EU residents may also contact the EU representative listed under section 1a.
9. Supervisory authority
The competent supervisory authority is determined by the seat of the EU representative (section 1a) and will be added here once the representative is designated: [TODO supervisory authority for the EU representative].
10. Data Protection Officer
[TODO DPO name or justification for not appointing a DPO (Art. 37 GDPR — optional unless processing constitutes large-scale processing of special-category data).] Contact: dpo@sellerwerk.de or via the EU representative listed under section 1a.
11. Trade-name notice
“Sellerwerk” is the trade name under which AMZSTAY-FZCO offers the services described here. The contracting party and GDPR controller remains AMZSTAY-FZCO at all times. All rights and obligations under this Privacy Policy attach to AMZSTAY-FZCO; the trade name “Sellerwerk” serves only as the product designation.