Privacy Policy
Last updated: 2026-05-24
Effective: 2026-05-24
This Privacy Policy describes how 11978853 CANADA INC. ("Agentic Sellar," "we," "us," or "our") collects, uses, and discloses information when you use the Agentic Sellar platform at agenticsellar.com (the "Service").
Agentic Sellar is a SaaS platform that provides autonomous optimization of Amazon advertising campaigns using artificial intelligence. We act as a Solution Provider and Registered Advertising Developer with Amazon, operating under the authorization each seller-customer grants us to access their Amazon Advertising and Selling Partner APIs.
1. Information We Collect
1.1 Information You Provide
When you create an account and onboard, we collect:
- Account credentials — email address, password (stored as a bcrypt hash; we never see the plaintext), organization name, and user display name.
- Amazon API credentials — OAuth refresh tokens and (where applicable) LWA client IDs/secrets that you authorize us to use on your behalf to call the Amazon Advertising API and Amazon Selling Partner API (SP-API). These are encrypted at rest (AES-256-GCM) using a key that never leaves our server environment.
- LLM provider credentials — your API key for Anthropic, OpenAI, or Google (whichever model provider you choose). These are encrypted at rest with the same key-management practice as Amazon credentials.
- Optimization goals — target ACoS, target TACoS, mode (growth / balanced / profitability), per-action permission levels, and optional per-ASIN goal overrides.
1.2 Information We Retrieve From Amazon
With the authorization you grant via OAuth, we fetch the following on a periodic schedule (every 4-6 hours) and store it in our database scoped strictly to your organization:
- Campaign structure — campaign names, budgets, targeting types, ad groups, keywords (text + bid + match type), negative keywords.
- Campaign performance — impressions, clicks, cost, sales, purchases, at the daily level, from the Amazon Advertising Reports API.
- Search term reports — the search queries Amazon shoppers used that triggered your ads, along with impressions, clicks, and conversions for each.
- (SP-API only, if authorized) — order metrics, inventory, product catalog data necessary for campaign optimization. We do not request or store customer PII (names, addresses, phone numbers, shipping details) from SP-API. We access only the aggregated order-metrics endpoint.
1.3 Information We Do Not Collect
We explicitly do not collect or store:
- Customer names, addresses, phone numbers, or other end-buyer PII.
- Your bank or payment information (billing is handled by our payment processor {payment processor}).
- Browsing history or device fingerprints outside of standard web analytics.
1.4 Technical Information
We collect standard server logs (IP, user agent, request path, timestamp) for security, debugging, and rate-limit enforcement. Logs are retained for 30 days.
2. How We Use Information
2.1 Core Service Functions
- Authenticating you and maintaining your session.
- Calling Amazon APIs on your behalf — listing campaigns, pulling performance reports, creating/updating keywords, adjusting bids, adding negative keywords, etc. — per the permission levels you configure.
- Running the optimization agent — our server computes deterministic metrics (ACoS, ROAS, CTR, CVR, bid-efficiency scores, keyword health scores) from your Amazon data, then passes these pre-computed metrics to a large language model (the provider you chose) which proposes optimization actions.
- Displaying dashboards and audit logs — presenting the above data back to you in a human-readable format.
2.2 AI/LLM Processing
We use large language models to reason about your campaign data. Specifically:
- What is sent to the LLM: aggregate, pre-computed performance metrics (e.g., "keyword 'xyz' has ACoS 42% over last 14 days"), our proprietary strategy framework fragments, and your configured goals. The prompt is constructed server-side — you do not see it, and the LLM provider does not see raw Amazon credentials, tokens, or customer data.
- What is NOT sent to the LLM: OAuth tokens, API keys, encrypted credentials, server secrets, customer PII, order-level data. Search-term text is sent in aggregate but is sanitized for prompt-injection vectors before inclusion.
- Who runs the model: you do. Under our bring-your-own-LLM ("BYOLLM") model, the API call is made using your API key to your chosen provider (Anthropic, OpenAI, or Google). We proxy the request server-side so you control the cost and the model training/retention terms apply between you and that provider. We do not store your prompts or completions beyond the duration of a single optimization cycle.
- Training: we do not use your data to train any model. The LLM providers we route through have their own terms — at the time of writing, Anthropic and OpenAI both offer zero-retention API options that we recommend our customers enable on their accounts.
- Output validation: every LLM output is validated server-side against (a) numerical bounds (bids within acceptable ranges, budget changes within limits, etc.), (b) a leakage check that scans for verbatim repetition of our internal strategy framework, and (c) a permission router that blocks actions outside what you've authorized.
2.3 We Do NOT
- Sell your data, ever.
- Share your Amazon data with other customers.
- Use your Amazon data for advertising to you or anyone else.
- Train machine-learning models on your data.
- Access your account or data outside of automated agent operation, except where you explicitly request support and grant us temporary access.
3. How We Share Information
We share information only in these narrow circumstances:
3.1 Service Providers
- Hosting and compute: our hosting and compute providers (e.g., Vercel, Neon) process data on our behalf under standard GDPR/CCPA Data Processing Addendums.
- LLM providers: when you invoke an optimization cycle, we proxy the request to the LLM provider you chose, using your API key. They are a processor of your data per their own terms; we do not contribute additional data retention beyond what you select with them.
- Error monitoring: {error monitor} receives exception data that is scrubbed of credentials and sensitive fields.
3.2 Amazon
We make authenticated calls to Amazon Advertising and SP-API on your behalf. Amazon's own privacy policies govern their handling of those calls.
3.3 Legal Requirements
We may disclose information if required by law, court order, or to protect our or users' rights, property, or safety.
3.4 Business Transfers
If 11978853 CANADA INC. is involved in a merger, acquisition, or asset sale, user data may transfer as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.
4. Data Retention and Deletion
- Account data: retained while your account is active and for 30 days after deletion, unless law requires longer.
- Amazon credentials: encrypted refresh tokens are deleted immediately upon disconnection from our service.
- Campaign and performance data: retained for 24 months to support historical reporting. You can request earlier deletion.
- Audit log: retained for 7 years to comply with tax and financial-record requirements. You may request pseudonymization.
- Server logs: 30 days.
- LLM proxy logs: 0 days. We do not persist request/response content.
To request deletion: email privacy@agenticsellar.com with your organization ID. We will confirm deletion within 30 days.
5. Your Rights
5.1 All Users
- Access — export all data we hold about you, in JSON.
- Correction — request correction of inaccurate data.
- Deletion — request deletion subject to the retention schedule above.
- Portability — we provide exports in standard formats.
- Opt-out of marketing — any marketing email includes an unsubscribe link. Service emails (security alerts, billing) cannot be opted out of while the account is active.
5.2 GDPR (EEA residents)
If you are in the European Economic Area, you have the rights above plus: the right to object to processing, the right to restrict processing, the right to lodge a complaint with your supervisory authority, and the right to withdraw consent. Our legal basis for processing is (a) contract performance (the service you signed up for), (b) legitimate interest (security, fraud prevention), and (c) your consent (for LLM processing where you chose the provider).
5.3 CCPA (California residents)
California residents have the right to know what personal information we collect, use, disclose, and sell; the right to delete; and the right to non-discrimination for exercising these rights. We do not sell personal information.
5.4 Contact
Privacy requests: privacy@agenticsellar.com
Data Protection Officer: privacy@agenticsellar.com
6. Security
- Encryption at rest: AES-256-GCM for all credentials and tokens. Keys are managed in our hosting provider's secret manager and never logged.
- Encryption in transit: TLS 1.2 minimum for all API traffic.
- Access control: database access is scoped by organization_id at the query layer (multi-tenant row-level isolation is enforced in application code and verified on every query).
- Authentication: bcrypt password hashing (cost factor 12). API keys are stored as SHA-256 hashes.
- Least privilege: staff access to production data is role-restricted and logged; production access requires MFA.
- Vulnerability management: we run automated dependency scanning and patch critical vulnerabilities within 72 hours.
Despite these measures, no system is perfectly secure. If you believe your account has been compromised, contact security@agenticsellar.com immediately.
7. International Data Transfers
Data is stored and processed in the United States. If you are outside the US, your data is transferred to the US under Standard Contractual Clauses (for EEA customers) or your explicit consent at signup.
8. Children
The Service is not directed to anyone under 18. We do not knowingly collect information from anyone under 18. If we learn we have collected information from a minor, we will delete it.
9. Changes to This Policy
We will notify you by email at least 30 days before material changes take effect. Continued use after that period constitutes acceptance of the new policy.
10. Contact
11978853 CANADA INC.
225 Walmer Road, Toronto, ON M5R 3P7, Canada
Privacy: privacy@agenticsellar.com
Security: security@agenticsellar.com
Support: support@agenticsellar.com