EasyManager Privacy Policy
Privacy Policy
Effective Date: May 21, 2026 · Last updated: April 21, 2026
At EasyManager, we are committed to protecting your privacy and ensuring the security of your personal and business data. This Privacy Policy explains how we collect, use, store, protect, share, and delete your information when you use our ERP platform, including integrations with third-party services such as Amazon Selling Partner API (SP-API).
1. Information We Collect
1.1. Account Information: When you create an account, we collect your name, email address, phone number, company name, and other business information necessary to provide our services.
1.2. Business Data: As an ERP platform, we store and process data you upload, including but not limited to: products, sales orders, customer information, inventory data, financial records, tasks, and reports.
1.3. Usage Information: We automatically collect information about how you interact with our platform, including IP address, browser type, device information, and pages visited.
1.4. Integration Data: If you connect third-party services (such as Amazon Selling Partner API), we may receive data from those services as explicitly authorized by you. This includes:
- Amazon SP-API Data: Order information, shipping details, buyer shipping addresses, product listings, and inventory data. This data is collected solely through authorized API calls after you grant access via Amazon's OAuth authorization flow.
- We only request and access the minimum data necessary to provide the specific features you have enabled (e.g., shipping label generation, order management, inventory synchronization).
2. How We Use Your Information
2.1. Service Provision: To provide, maintain, and improve our ERP platform and its features, including sales management, inventory tracking, customer relationship management, shipping label generation, and reporting.
2.2. Account Management: To manage your account, process payments, and provide customer support.
2.3. Communication: To send you service-related notifications, updates, security alerts, and administrative messages.
2.4. Analytics: To analyze usage patterns and improve user experience, platform performance, and feature development. We do not use personally identifiable information (PII) from third-party integrations for analytics purposes.
2.5. Security: To detect, prevent, and address technical issues, fraud, and security threats.
2.6. Amazon SP-API Data Usage: Data received through Amazon SP-API is used exclusively for the purposes authorized by the seller, including:
- Processing and managing orders placed on Amazon marketplaces.
- Generating shipping labels and managing fulfillment workflows.
- Synchronizing product listings and inventory levels.
- Generating sales reports and business analytics for the seller.
We do not use Amazon customer data (including buyer names, addresses, and order details) for any purpose other than fulfilling the seller's authorized operations. We do not use this data for marketing, advertising, or any unauthorized purpose.
3. Data Storage
3.1. Multi-Tenant Architecture: EasyManager operates as a multi-tenant SaaS platform. Your data is logically isolated from other customers' data using dedicated database schemas per tenant. Each tenant's data is accessible only by authorized users within that organization.
3.2. Infrastructure: Our platform is hosted on secure cloud infrastructure located in data centers within the European Union (Germany). Data is stored on encrypted volumes with regular automated backups.
3.3. Amazon SP-API Data Storage: Data received from Amazon SP-API is stored in the same secure, tenant-isolated infrastructure. We do not store Amazon customer data longer than necessary to fulfill the authorized purpose. Specifically:
- Order data is retained for as long as the seller's account is active, to support order history and reporting.
- Buyer shipping addresses are stored only for the purpose of generating shipping labels and are not used for any other purpose.
- When a seller disconnects their Amazon integration or deletes their account, all associated Amazon data is deleted within 30 days.
4. Data Protection and Security
4.1. Encryption in Transit: All data transmitted between your browser and our servers, and between our servers and third-party APIs (including Amazon SP-API), is encrypted using TLS 1.2 or higher.
4.2. Encryption at Rest: Sensitive data, including API credentials, secrets, and tokens, is encrypted at rest using industry-standard encryption (AES-256 / Fernet symmetric encryption).
4.3. Authentication and Access Controls: We implement strict access controls including:
- Multi-Factor Authentication (MFA): TOTP-based 2FA via authenticator apps (Google Authenticator, Authy, 1Password). SMS-based 2FA is not supported as it is considered insecure against SIM-swap attacks.
- Mandatory MFA for privileged accounts: User accounts with superuser privileges are required to enable MFA and cannot disable it. Enforcement is performed at the login flow, permission layer, and administrative endpoints.
- Password policy enforcement:
- Minimum 12 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character.
- Passwords cannot contain the user's username, first name, last name, or email address (case-insensitive substring check).
- The last 10 passwords are blocked from reuse.
- Minimum password age of 24 hours between changes (bypass available for email-based password reset).
- Maximum password age of 90 days (expired passwords trigger forced change at login).
- Account lockout after 10 consecutive failed login attempts (auto-unlock after 30 minutes, or manual unlock by a system administrator).
- Role-based access control (RBAC): restricts data access within your organization according to assigned permissions.
- Session management: JWT-based with short-lived access tokens (5 minutes) and secure httpOnly cookies.
- Rate limiting: authentication endpoints enforce per-IP request throttling (20 requests per minute) to prevent brute-force attacks.
- Audit logging: all authentication events (successful logins, failures, lockouts, MFA changes, password changes, administrative unlocks) are recorded in an audit log for security review.
4.4. API Credential Security: Amazon SP-API credentials (refresh tokens, access keys) are encrypted at rest and are never exposed through our user interface or API responses. Access to these credentials is restricted to the backend services that require them for API calls.
4.5. Infrastructure Security: Our servers are protected by firewalls, intrusion detection systems, and regular security monitoring. We conduct regular security reviews and maintain audit logs of all access to sensitive data.
4.6. Incident Response: We maintain an incident response plan to promptly address any security breaches. In the event of a data breach affecting your data, we will notify you and any applicable regulatory authorities within 72 hours of becoming aware of the breach.
5. Data Sharing and Disclosure
5.1. No Sale of Data: We do not sell, rent, or trade your personal or business data to third parties. We do not sell or share Amazon customer information with any third party.
5.2. Service Providers: We may share data with trusted third-party service providers who assist in operating our platform, subject to strict confidentiality agreements and data processing agreements. These include:
- Cloud Infrastructure: Hetzner Cloud (EU/Germany) for server hosting.
- Object Storage: Amazon Web Services (AWS S3) for file storage.
- Payment Processing: Stripe for subscription billing.
- Email Delivery: Amazon Simple Email Service (SES) for transactional emails.
These providers are contractually obligated to protect your data and may only use it for the specific services they provide to us.
5.3. Amazon SP-API Data Sharing: We do not share data received from Amazon SP-API with any third party except as required to fulfill the authorized purpose (e.g., passing shipping information to a carrier API for label generation). Amazon customer personally identifiable information (PII) is never shared with unauthorized parties.
5.4. Legal Requirements: We may disclose information when required by law, court order, or governmental authority.
5.5. Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction, with prior notice provided to you. Any acquirer will be required to honor this Privacy Policy.
6. Data Deletion
6.1. Account Deletion: You may request deletion of your account and all associated data at any time by contacting our support team. Upon receiving a deletion request:
- Your account will be deactivated immediately.
- All personal data, business data, and integration data (including Amazon SP-API data) will be permanently deleted from our systems within 30 days.
- Backup copies will be purged within 90 days of the deletion request.
6.2. Integration Disconnection: When you disconnect a third-party integration (such as Amazon SP-API):
- API credentials (tokens, keys) are immediately revoked and deleted.
- Data received from that integration is deleted within 30 days, unless you explicitly request to retain order history for your records.
6.3. Amazon SP-API Data Deletion: In compliance with Amazon's Data Protection Policy:
- Upon request from Amazon or the seller, we will delete all Amazon-originated data within 30 days.
- We will certify the deletion upon request.
- Amazon customer PII is not retained beyond the period necessary to fulfill the authorized purpose.
6.4. Data Retention: We retain your data for as long as your account is active or as needed to provide services. Upon account termination, data is deleted or anonymized within the timeframes specified above, except where retention is required by applicable law or for legitimate business purposes (e.g., financial records required by tax regulations).
7. Your Rights
7.1. Access: You can access and review your personal and business data through your account dashboard at any time.
7.2. Correction: You can update or correct your account information at any time through your account settings.
7.3. Export: You can export your data in standard formats (CSV, PDF) through our platform's export features.
7.4. Deletion: You can request deletion of your account and associated data as described in Section 6.
7.5. Opt-Out: You can opt out of marketing communications at any time by following the unsubscribe instructions in our emails.
7.6. Restrict Processing: You can request that we restrict the processing of your data in certain circumstances, such as when you contest the accuracy of the data.
8. Cookies and Tracking
8.1. We use cookies and similar technologies to maintain your session, remember your preferences, and ensure the security of your account. The cookies we use include:
- Essential cookies: Required for authentication, session management, and platform security. These cannot be disabled.
- Preference cookies: Used to remember your settings such as theme, sidebar state, and default views.
8.2. We do not use third-party advertising or tracking cookies. We do not use cookies to track your activity across other websites.
9. Children's Privacy
Our platform is intended for business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.
10. International Data Transfers
Your data is primarily stored on servers located in the European Union (Germany). In cases where data is transferred to other regions (e.g., for AWS services), we ensure appropriate safeguards are in place, including standard contractual clauses and data processing agreements with all service providers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our platform at least 30 days before the changes take effect. Your continued use of the platform after such changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Email: privacy@easymanager.com
For data protection inquiries or to exercise your rights, please contact our Data Protection Officer at: dpo@easymanager.com
13. Amazon Selling Partner API Compliance
EasyManager is a registered Amazon Selling Partner API application. Our handling of data obtained through Amazon SP-API complies with Amazon's Data Protection Policy and Acceptable Use Policy. Specifically:
- We access Amazon data only with explicit seller authorization and only for the purposes described in this policy.
- Amazon customer PII is used exclusively for order fulfillment and shipping label generation as authorized by the seller.
- We do not use Amazon data for marketing, advertising, or any unauthorized purpose.
- We do not share Amazon data with unauthorized third parties.
- All Amazon API credentials and tokens are encrypted at rest and never exposed to end users.
- We implement all required security controls including encryption, access controls, multi-factor authentication, and credential management in compliance with Amazon's security requirements.
- We will delete all Amazon-originated data upon request from the seller or Amazon within 30 days and provide certification of deletion upon request.