Legal · Privacy
Privacy Policy
v1.0 · Last updated June 1, 2026 · Effective June 1, 2026
This Privacy Policy explains what personal information CircuitVista Inc. (“SellerArmor,” “we,” “us,” or “our”) collects when you use the SellerArmor service, how we use and share it, how long we keep it, and the choices and rights you have. It applies to our website, the SellerArmor application, and the data we access through the Amazon Selling Partner API (“SP-API”) when you connect an Amazon seller account.
If you have questions, contact our privacy team at privacy@sellerarmor.com.
1. Who we are
SellerArmor is a business-to-business software service for Amazon FBA sellers. The service is operated by CircuitVista Inc., a corporation incorporated in Ontario, Canada. References to “SellerArmor,” “we,” “us,” or “our” mean CircuitVista Inc. operating the SellerArmor service.
We are the controller of personal information about our account holders and users. For the Amazon business data you direct us to access on your behalf, we act as a service provider/processor and handle that data under your instructions and these terms. Our processing of that data as a service provider/processor is governed by our Data Processing Addendum(“DPA”), available at https://sellerarmor.com/dpa.
2. The personal information we collect
We collect personal information in the following categories. Not all of it relates to every user.
Account and identity information. Your name, business name, email address, login credentials, and authentication data when you create and manage an account. Authentication is handled through our identity provider.
Billing information. Subscription tier, billing contact details, and transaction history. Card payments are processed by our payment processor; we do not store full payment card numbers.
Amazon connection data.When you connect an Amazon seller account: your Amazon selling partner ID, marketplace IDs, the SP-API role set you authorized, and an OAuth refresh token. Refresh tokens are encrypted at rest using envelope encryption — a per-account data encryption key whose master key is held in our key management service.
Amazon business and report data. Inventory ledger transactions, FBA reimbursement records, settlement details, removal-shipment and removal-order data, customer-return records, fee data, and case records that we retrieve through read-only SP-API roles to detect reimbursement opportunities. You may also upload cost-of-goods (COGS) data.
Usage and technical information. IP address, device and browser information, log data, and product-usage and analytics data generated when you use the website and application.
Communications. The contents of support requests, emails, and other correspondence you send us.
Cookies and similar technologies. See Section 13.
We do not intentionally collect special or sensitive categories of personal information (such as government identifiers, health, biometric, or precise geolocation data), and we ask that you not provide them.
3. End-customer information is removed at the source
We deliberately minimize personal information about your customers (the Amazon buyers). Customer names, shipping addresses, phone numbers, and email addresses contained in Settlement and customer-return reports are stripped at parse time, before any data is written to our database or stored. We do not need this information to detect reimbursable discrepancies, and we do not retain it.
4. How we use personal information
We use personal information to:
- Provide, operate, secure, and maintain the SellerArmor service and your account.
- Connect to your authorized Amazon seller account and ingest the report data needed to detect inventory discrepancies, fee miscalculations, customer-return shortfalls, removal shortages, and inbound-shipment losses.
- Draft reimbursement case appeals for your review. To do this, the business data needed to generate a draft — with personal information removed first — is transmitted to our third-party AI provider (see Section 6). The seller remains the final actor and submits cases in Amazon Seller Central.
- Score case-template variants against the historical outcomes of filed cases. This is variant selectiononly — we do nottrain, fine-tune, or otherwise develop machine-learning models on Amazon-derived data, consistent with Amazon Business Solutions Agreement §4.2.
- Maintain an audit trail of system activity in your account — report ingestion, detection runs, case drafting and filing, and outcome matching — available to you and exportable.
- Provide monthly summaries, send service and transactional communications, and respond to support requests.
- Process billing and prevent fraud and abuse.
- Comply with legal obligations and enforce our Terms of Service.
Where applicable law requires a legal basis to process personal information, we rely on the performance of our contract with you, your consent, our legitimate interests in operating and improving the service, and compliance with legal obligations.
5. Automated processing
Detection and case drafting are automated, but they do not produce decisions that have legal or similarly significant effects on individuals without human involvement: every case is reviewed and submitted by the seller. Detection results and estimated recovery amounts are informational and are not guarantees (see our Terms of Service).
6. How we share personal information — service providers
We do not sell personal information, and we do not share it for cross-context behavioral advertising.
We share personal information with service providers who process it on our behalf, under contracts that restrict their use of it to providing services to us. Current categories and key providers include:
- Cloud hosting and application platform— to run the website and application.
- Database, storage, authentication, and key management — to store data (including raw report data), encrypted at rest, in the United States; to authenticate users; and to protect encryption keys.
- Third-party AI service provider— to generate draft case-appeal text. We remove personal information before transmitting data to the provider, and the provider does not use your data to train its models.
- Email delivery— to send transactional and service emails.
- Error monitoring and analytics— to detect faults and understand product usage.
- Payment processing— to process subscription payments.
We maintain a current list of subprocessors and will provide it on request to connected customers. We may also disclose information to comply with law, respond to lawful requests, protect our rights and the safety of others, and in connection with a merger, acquisition, or sale of assets (subject to this policy).
7. Where your information is stored, and international transfers
Our database and stored report data are hosted in cloud infrastructure located in the United States, encrypted at rest. Because we are incorporated in Canada and use service providers located in the United States and elsewhere, your personal information is transferred across borders, including from Canada to the United States. We take steps to ensure such transfers are protected by appropriate contractual and security safeguards. Information stored or processed in a foreign jurisdiction may be subject to that jurisdiction’s laws.
8. How long we keep personal information
| Data | Retention |
|---|---|
| Account and billing records | For the life of your account, then as required for tax, accounting, and legal purposes |
| Amazon business and report data (parsed) | While your account is connected; deleted within 30 days after you disconnect, except records subject to the audit-trail retention below |
| Stored raw report data | 18 months (one full claim-window cycle plus buffer) |
| Discrepancy, filed-case, and audit-trail records | Up to 7 years, to preserve a complete, verifiable record of actions taken in your account and to meet tax, accounting, and legal-defense needs |
| OAuth refresh tokens | Deleted within 24 hours of OAuth revocation |
| Stripped end-customer PII | Never persisted |
Where the audit-trail retention period applies to a record, it governs even after disconnection. We retain only the minimum needed to serve the stated purpose, and we delete or de-identify personal information when it is no longer required, unless a longer period is required or permitted by law.
9. Your privacy rights
Depending on where you live, you may have some or all of the following rights regarding your personal information:
- Access / know— request the categories and specific pieces of personal information we hold about you.
- Correct— request correction of inaccurate personal information.
- Delete— request deletion of your personal information, subject to legal exceptions (for example, records we must keep for the audit-trail, tax, or legal-defense purposes described above).
- Portability— request a copy of certain information in a portable format.
- Opt out of sale or sharing / targeted advertising — we do not sell or share personal information for these purposes, but you may direct us to refrain at any time.
- Withdraw consent— where we rely on consent, you may withdraw it.
- Non-discrimination— we will not discriminate against you for exercising your rights.
- Appeal— if we decline a request, you may appeal our decision.
How to exercise your rights. Email privacy@sellerarmor.com. We will verify your request, usually through your account email, and respond within the time required by applicable law. You may use an authorized agent where the law allows; we may require proof of authorization. You can also disconnect SellerArmor’s access at any time in Amazon Seller Central (see Section 11).
Where we process personal information on your behalf as a service provider/processor, we will refer requests we receive directly from your personnel or end users to you, and assist you in responding, as set out in the DPA.
United States residents. State privacy laws (including in California, Virginia, Colorado, Connecticut, Texas, and other states) give residents the rights above. We do not sell personal information or use it for cross-context behavioral advertising, and we have not done so in the preceding 12 months. We honor recognized universal opt-out / Global Privacy Control signals where required. If you are a California resident, this policy serves as our notice at collection, and the B2B context does not exempt us from honoring your rights.
Canadian residents. Under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws (including Quebec’s Law 25), you have rights of access and correction and may direct privacy questions or complaints to us, and ultimately to the Office of the Privacy Commissioner of Canada or your provincial regulator. Our designated person responsible for privacy can be reached at privacy@sellerarmor.com.
10. Security
We use technical and organizational measures designed to protect personal information, including:
- TLS encryption in transit and AES-256 encryption at rest.
- Envelope encryption for OAuth refresh tokens, with master keys held in a key management service.
- Read-only SP-API roles, so connected tokens cannot modify your Amazon account.
- Access controls, least-privilege role separation, and audit logging of actions taken in your account.
- Incident response procedures.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Disconnecting and deletion
You can revoke SellerArmor’s access in Amazon Seller Central at any time. Within 24 hours, your OAuth refresh tokens are deleted. Within 30 days, the Amazon account data we ingested is purged from primary storage, except records we retain under the audit-trail, tax, accounting, or legal-defense periods described in Section 8. You can request deletion of your account and associated personal information as described in Section 9.
12. Breach notification
If we become aware of a security incident affecting personal information, we will investigate and, where required by applicable law, notify affected individuals and the relevant regulators (including, where applicable, the Office of the Privacy Commissioner of Canada, Quebec’s Commission d’accès à l’information, and U.S. state authorities) without undue delay and within the timeframes the law requires. We will also notify Amazon of suspected security incidents involving SP-API data within 24 hours, consistent with Amazon’s Data Protection Policy and applicable developer agreements.
13. Cookies and analytics
We use strictly necessary cookies to operate the website and keep you signed in, and we use first-party analytics to understand and improve product usage. You can control non-essential cookies through your browser settings. Where required, we will obtain consent before setting non-essential cookies.
14. Children
SellerArmor is a business service intended for users who are at least 18 years old. It is not directed to children, and we do not knowingly collect personal information from anyone under 18.
15. Changes to this policy
We may update this policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, notify connected sellers by email at least 30 days before the changes take effect.
16. Contact
CircuitVista Inc. (operating SellerArmor)
Privacy questions and requests: privacy@sellerarmor.com
General contact: hello@sellerarmor.com
SellerArmor is not affiliated with, endorsed by, or sponsored by Amazon.com, Inc.