Marketplace Data Protection Policy

Data Retention & PII Policy

This policy explains how OTOECOM collects, uses, stores, retains, deletes and protects seller data, customer PII, order data, reports, credentials, authorization data and marketplace information while providing ecommerce services for Amazon, Flipkart, Meesho and other online selling portals.

Applies to Amazon, Flipkart, Meesho and other portals. Publicly accessible policy page.

Policy Scope

Applies to marketplace services across Amazon, Flipkart, Meesho and other portals

This policy applies when OTOECOM provides ecommerce services such as account management, cataloging, listing optimization, A+ content, advertising optimization, seller training, reporting, marketplace onboarding, order support and operational assistance.

  • Amazon and Amazon SP-API related services: Includes Seller Central user access, SP-API access where applicable, catalog data, order data, buyer PII, reports, listing content, inventory data, advertising data and account health information. Amazon data is handled according to Amazon Data Protection Policy, Acceptable Use Policy and applicable role requirements.
  • Flipkart, Meesho and other Indian marketplaces: Includes seller panel access, catalog information, order and shipment data, buyer contact or delivery details, returns, inventory, advertising reports, payment reports and marketplace support data. Where a marketplace policy requires stricter retention or deletion, the stricter rule is followed.
  • D2C, Shopify, WooCommerce and other ecommerce tools: Includes product catalog, order details, shipping details, customer support records, analytics, inventory reports and business performance data used only to provide agreed ecommerce services.
  • Training, consulting and support: Includes account screenshots, screen-share observations, training notes, support questions, issue lists, SOP documents, performance reports and other information voluntarily shared by the seller for training or consulting.

Data Categories

What data may be collected or processed

OTOECOM does not collect every category in every engagement. Data is collected only when it is required for the agreed marketplace service.

Seller PII / Business Info

Seller and business contact information

Used to communicate, onboard, provide support, create reports and manage service delivery.

  • Seller name, business name and contact person
  • Email address, phone number and business address
  • GST, PAN, tax or invoice details where required for billing or marketplace work

Customer PII

Buyer, order and shipment information

Used only for order handling, shipment support, returns, customer support, issue investigation or marketplace operations.

  • Customer name, shipping address and phone number
  • Order ID, invoice, shipping label and tracking data
  • Buyer messages or return details when needed for support

Marketplace Access

Access permissions and authorization records

Used only for approved account management, API integration, catalog, advertising, reporting or training work.

  • Seller Central or marketplace sub-user invitations
  • Role permissions, authorization tokens or API credentials where applicable
  • Access logs and permission review records

Catalog Data

Product, listing and catalog information

Used for listing creation, cataloging, keyword optimization, images, A+ content, variation setup and suppression fixes.

  • ASIN, SKU, FSN, product title, attributes and category
  • Images, videos, brand assets and packaging information
  • Listing quality, keyword and catalog error reports

Performance Data

Reports, advertising and business metrics

Used for account review, performance improvement, PPC optimization, inventory planning and growth reporting.

  • Sales reports, business reports and payment reports
  • Advertising data such as ACoS, ROAS, spend, impressions and keywords
  • Inventory, returns, buy box, conversion and ranking data

Support Data

Support, training and issue-resolution records

Used to manage tasks, resolve marketplace cases, create SOPs, track issues and improve seller operations.

  • Support tickets, issue trackers and case notes
  • Training notes, screen-share observations and checklists
  • Internal task records and service communication

Retention Schedule

How long data is retained

OTOECOM keeps data only for the period required to provide services, meet marketplace requirements, comply with law, resolve disputes, maintain security, or support legitimate business records.

| Data Type | Retention Period | Deletion / Handling Method |
| --- | --- | --- |
| Amazon customer PII and order PII | Maximum 30 days after order delivery unless a shorter retention period applies, or retention is required by applicable law, tax obligation, dispute resolution, fraud prevention, chargeback, return, refund or a permitted marketplace business purpose. | Deleted, anonymized, redacted or securely archived according to the permitted purpose. Customer PII is not used for marketing, resale, profiling or unrelated activity. |
| Flipkart, Meesho and other marketplace customer PII | Default maximum 30 days after order delivery or service completion unless the marketplace requires a stricter rule or applicable law requires a longer period. | Deleted or redacted from active working files once the support, shipment, return, billing or marketplace purpose is complete. |
| Seller business contact, onboarding and service records | For the duration of the service relationship plus a reasonable business/legal retention period where required for invoices, contracts, support history, tax compliance or dispute resolution. | Reviewed periodically. Records no longer required are deleted, anonymized or archived with restricted access. |
| Marketplace authorization tokens, API credentials and user access records | Only while authorization is active and required for the approved service. Access is removed when the service ends, the seller requests revocation, or the role is no longer required. | Tokens are revoked, access is removed, credentials are rotated or deleted, and permissions are reviewed under least-privilege principles. |
| Non-PII marketplace data, catalog data and performance reports | Amazon non-PII data is not retained beyond 18 months unless required by law or a permitted service purpose. For other portals, OTOECOM follows the marketplace requirement or this same conservative limit where practical. | Aggregated, anonymized, deleted or archived for legitimate business analysis, reporting, training or service improvement without exposing customer PII. |
| Support tickets, case notes and training records | Retained only while needed for the service, issue resolution, training completion or follow-up support. PII included in notes is removed or redacted when no longer required. | Working files are reviewed periodically. Sensitive screenshots or screen-share notes are deleted or redacted after the approved purpose is complete. |
| Security logs, access logs and audit logs | Maintained for at least 12 months where required for security monitoring and auditability, unless a longer period is required by law, investigation or contract. | Logs are access-controlled and used for security, investigation, incident response and compliance validation. |
| Backups and disaster recovery copies | Retained only according to the backup rotation schedule. Backup data is encrypted and not used for active processing. | If deleted PII is restored during disaster recovery, it is re-deleted or re-redacted promptly after recovery validation. |
| Invoices, tax and statutory records | Retained as required by applicable Indian tax, accounting, company, contract or legal obligations. | Stored with restricted access. Unnecessary customer PII is not kept inside invoice or accounting files unless legally required. |

If multiple retention rules apply to the same data, OTOECOM follows the stricter marketplace requirement unless a longer retention period is legally required. Data that is no longer needed is deleted, anonymized, redacted or securely archived with restricted access.

Marketplace Commitments

One clear privacy standard for every seller portal.

Amazon has specific data protection requirements. For Flipkart, Meesho and other portals, OTOECOM applies the marketplace policy or this same conservative standard where the marketplace requirement is not stricter.

  • 30 days: Default Amazon customer PII control after delivery unless a permitted reason applies.
  • 18 months: Amazon non-PII data ceiling unless legal or approved marketplace reasons require otherwise.
  • Least: Access is limited to the people and permissions needed for the approved service.
  • No reuse: Customer data is not sold, rented, profiled or used for unrelated marketing.
  • Purpose limitation: Data is processed only for the seller service, marketplace operation, support, billing, tax, return, refund or legally required purpose.
  • Minimum data access: Only required reports, screenshots, account areas, user roles and records are accessed for the approved scope of work.
  • Deletion and redaction: Working files with customer PII are removed, anonymized or redacted once the permitted operational need is complete.

01

Amazon and Amazon SP-API data

Strictest Review Focus

OTOECOM treats Amazon data according to Amazon data protection, acceptable use, security and role-access requirements. Amazon customer PII is collected only for approved business purposes such as order processing, support, tax, return, refund, shipping, fraud prevention or permitted marketplace operations.

  • Amazon customer PII is not retained beyond 30 days after order delivery unless allowed or required for a permitted purpose.
  • Amazon non-PII data is not retained longer than 18 months unless legally required or permitted by Amazon policy.
  • Security logs and access logs are maintained for audit, incident response and monitoring.
  • Access is requested through official user permissions or authorized integrations, not through master password sharing.

02

Flipkart seller data

Same or Stricter

Flipkart seller data may include product catalog, order details, customer shipment details, return data, payment reports, inventory and advertising reports. OTOECOM uses this data only to provide catalog, account management, order support, ads, training or operational services requested by the seller.

  • Buyer PII and shipment information are retained only for the support or operational purpose.
  • Customer information is not used for unrelated marketing or direct customer outreach.
  • Working files containing buyer PII are deleted or redacted after the service purpose is complete.

03

Meesho seller data

Limited Purpose

Meesho seller data may include catalog listings, SKU information, order and return data, logistics data, payments, penalties, inventory and customer delivery information. OTOECOM processes this data only for approved seller services.

  • Buyer and shipment PII is used only for order, return, logistics, billing or seller support requirements.
  • Screenshots or reports shared for training or issue resolution are redacted when practical.
  • Data is not sold, rented, transferred or reused for unrelated campaigns.

04

Other portals, D2C stores and ecommerce tools

Controlled Access

For other seller portals, D2C stores, Shopify, WooCommerce, logistics tools, ad platforms and analytics tools, OTOECOM applies data minimization, least-privilege access and purpose limitation.

  • Access is granted only to team members who need it for service delivery.
  • Data is retained only as long as needed for the approved scope.
  • Sellers can request access removal, deletion or correction using the contact process listed in this policy.

Security Controls

How PII and marketplace data are protected

OTOECOM applies administrative, technical and operational controls to reduce unauthorized access, disclosure, loss, misuse or retention of marketplace data.

Encryption and secure transfer

Data is stored and transmitted using secure systems. Sensitive data is protected using encryption, secure transfer methods and access-controlled storage where applicable.

Least-privilege access

Only authorized personnel with a business need can access seller data, buyer PII, reports or marketplace accounts. Access is reviewed and removed when no longer required.

Data classification and tagging

Data is classified by sensitivity such as customer PII, seller PII, credentials, operational reports or non-PII catalog data so the correct retention and access controls are applied.

Audit logs and monitoring

Access logs, security logs and audit records are maintained to support monitoring, investigation, incident response, compliance validation and misuse detection.

Credential management

Master passwords, OTPs and personal login sessions are not requested. Where integrations or tokens are required, access is limited, protected, rotated or revoked when no longer needed.

Secure deletion

Data that reaches the end of its retention period is deleted, anonymized, redacted or securely archived according to the data type and legal requirement.

Incident response

Suspected data incidents are investigated, contained, documented and escalated. Marketplace partners and affected parties are notified where required by policy or law.

Controlled exports

Reports and exports containing PII are minimized, access-controlled, shared only with authorized recipients and deleted or redacted when the service purpose ends.

Requests & Deletion

Sellers can request access review, correction, deletion or revocation.

OTOECOM responds to privacy and data-retention requests after verifying the requester's identity and authority over the relevant seller account or data.

01

Submit the request

Sellers may request data access, correction, deletion, export, retention clarification, access removal or permission revocation through the OTOECOM contact page or WhatsApp support channel.

02

Verify authority

OTOECOM verifies that the requester is the seller account owner, authorized contact, authorized employee, or authorized representative before disclosing or deleting data.

03

Process the request

Valid requests are processed within a reasonable period, normally within 30 days unless legal, marketplace, security or technical constraints require additional time.

04

Confirm completion

Once completed, OTOECOM confirms whether the data was deleted, redacted, corrected, anonymized, exported, retained due to legal requirement, or scheduled for backup-cycle deletion.

Prohibited Use

What OTOECOM does not do with marketplace data

Marketplace data is used only for approved seller services. OTOECOM does not use seller or customer information in ways that violate marketplace requirements or the seller's trust.

No sale or rental of customer PII

Customer PII, buyer information, shipping information and order details are not sold, rented, transferred, traded or used for unrelated third-party marketing.

No unauthorized customer contact

OTOECOM does not contact marketplace customers outside the approved marketplace communication or seller-support purpose.

No master credential collection

OTOECOM does not ask sellers to share master passwords, OTPs, personal login sessions or unrestricted administrator credentials.

No indefinite PII storage

Customer PII is not retained indefinitely. PII is deleted, redacted, anonymized or restricted according to the retention schedule and legal requirements.

Privacy and retention requests

Need deletion, access review, correction or retention clarification?

Contact OTOECOM with your seller account name, marketplace, request type and authorized contact details. We will verify the request and respond according to this policy.