Privacy Policy

Last updated: 7 June 2025

1. Who we are

XEWI ("we", "us", "our") operates the XEWI Amazon Seller Operations Platform accessible at xewi.app. XEWI is the data controller for personal data processed through this platform. If you have any questions about this policy, contact us at privacy@xewi.app.

2. Data we collect

2a. Account information

When you create an account we collect your email address and a hashed password (or OAuth identity token if you sign in via a third party). We use this solely to authenticate you.

2b. Amazon Seller Central data (SP-API)

After you authorise your Amazon Seller Central account via Amazon's OAuth flow, XEWI retrieves the following data on your behalf using the Amazon Selling Partner API (SP-API):

  • Order headers and line items (order IDs, statuses, amounts, SKUs, quantities)
  • Inventory levels and listing details (SKU, ASIN, quantity, price, fulfilment channel)
  • Financial events (settlements, fees, refunds, principal amounts)
  • Competitive pricing data (buy-box prices, offer counts)
  • Product catalogue metadata (titles, categories)

This data is stored on a per-account (tenant) basis. No seller's data is accessible to any other seller or to XEWI staff except for technical support purposes with your explicit consent.

2c. Amazon Advertising data (Ads API)

After you connect your Amazon Advertising account, XEWI retrieves the following data using the Amazon Advertising API:

  • Search term reports (search terms, impressions, clicks, spend, orders, campaign and ad group identifiers)
  • Campaign and ad group names and identifiers
  • Keyword identifiers and match types

This data is used exclusively to:

  • Identify search terms that have generated spend but no conversions ("zero-conversion terms")
  • Calculate wasted advertising spend at campaign level
  • Present negative keyword suggestions for the authenticated seller's review
  • Submit approved negative keywords back to Amazon Advertising on the seller's explicit instruction

Amazon Advertising data is never used for cross-seller benchmarking, sold to third parties, or used for any purpose other than those listed above.

2d. OAuth tokens

To maintain your Amazon connections between sessions, XEWI stores your SP-API and Advertising API refresh tokens. These tokens are encrypted at rest using AES-256 encryption before being written to our database. Encryption keys are stored separately from the encrypted data.

2e. Usage data

We collect standard server logs (IP address, request path, timestamp, HTTP status code) for security monitoring and debugging. These logs are retained for 30 days and are not used for marketing profiling.

3. Legal basis for processing

We process your data under the following lawful bases (UK GDPR / GDPR):

  • Contract — processing your Amazon seller and advertising data is necessary to deliver the XEWI service you have subscribed to.
  • Legitimate interests — server logs and security monitoring to protect the platform and our users.
  • Consent — where you explicitly authorise us to connect to your Amazon accounts via OAuth, you are providing informed consent to that specific data access.

4. Data storage and infrastructure

XEWI is hosted on Amazon Web Services (AWS) in the eu-west-1 (Ireland) region. We use the following sub-processors:

Sub-processor Purpose Location
Supabase (PostgreSQL) Operational database — orders, inventory, ads queue AWS eu-west-1
Amazon S3 Long-term data lake (Parquet files for analytics) AWS eu-west-1
Amazon ECS Application hosting AWS eu-west-1
Amazon Athena Analytics queries over historical data AWS eu-west-1

All data remains within the European Economic Area. We do not transfer personal data to countries outside the EEA without appropriate safeguards.

5. Data retention

Data type Retention period
Account credentials Until account deletion
Amazon SP-API data (orders, inventory, finances) 24 months from ingestion, then deleted
Amazon Advertising data (search terms, spend) 12 months from ingestion, then deleted
OAuth refresh tokens Until you disconnect your Amazon account or delete your XEWI account
Server logs 30 days
Negative keyword queue history 12 months from creation

When you delete your account, all your data is removed from our operational database within 30 days and from our data lake within 90 days.

6. Data sharing

We do not sell, rent, or share your data with any third party for marketing or commercial purposes. The only disclosures we make are:

  • Infrastructure sub-processors listed in Section 4, who process data only on our instructions and under data processing agreements.
  • Legal obligation — if required to do so by law, court order, or a regulatory authority.
  • Amazon APIs — when we submit actions you have explicitly approved (e.g. adding negative keywords), we transmit only the minimum data needed to complete that action.

7. Security

XEWI implements the following security controls:

  • All data in transit is encrypted with TLS 1.2+
  • OAuth refresh tokens are encrypted at rest with AES-256
  • Database access is restricted to application services via VPC; no public database endpoint is exposed
  • Row-level security (RLS) policies ensure each seller's data is isolated from other sellers
  • Access tokens are short-lived and rotated automatically

8. Your rights

Under UK GDPR and GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your account and associated data
  • Portability — receive your data in a machine-readable format
  • Restriction — ask us to pause processing of your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — disconnect your Amazon accounts at any time via the Account settings page

To exercise any of these rights, email privacy@xewi.app. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

XEWI uses only essential session cookies required to keep you logged in. We do not use advertising cookies, tracking pixels, or analytics cookies. No third-party cookies are set by XEWI.

10. Amazon API compliance

XEWI's use of the Amazon Selling Partner API and Amazon Advertising API complies with Amazon's Developer Agreement and API Usage Policies. Specifically:

  • API data is accessed only on behalf of the authenticated seller who granted authorisation
  • Data retrieved via the Ads API is used solely to provide advertising optimisation functionality to that seller
  • We do not aggregate or combine data across sellers for any purpose
  • Sellers can revoke XEWI's access to their Amazon accounts at any time via Amazon's Developer Permissions page or the XEWI Account settings page
  • Upon revocation, we cease all API calls for that seller and delete their data in accordance with Section 5

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice in the platform at least 14 days before the changes take effect. Continued use of XEWI after that date constitutes acceptance of the updated policy.

12. Contact

For any privacy-related queries:
Email: privacy@xewi.app
Website: xewi.app