Last updated: 7 June 2025
XEWI ("we", "us", "our") operates the XEWI Amazon Seller Operations Platform accessible at xewi.app. XEWI is the data controller for personal data processed through this platform. If you have any questions about this policy, contact us at privacy@xewi.app.
When you create an account we collect your email address and a hashed password (or OAuth identity token if you sign in via a third party). We use this solely to authenticate you.
After you authorise your Amazon Seller Central account via Amazon's OAuth flow, XEWI retrieves the following data on your behalf using the Amazon Selling Partner API (SP-API):
This data is stored on a per-account (tenant) basis. No seller's data is accessible to any other seller or to XEWI staff except for technical support purposes with your explicit consent.
After you connect your Amazon Advertising account, XEWI retrieves the following data using the Amazon Advertising API:
This data is used exclusively to:
Amazon Advertising data is never used for cross-seller benchmarking, sold to third parties, or used for any purpose other than those listed above.
To maintain your Amazon connections between sessions, XEWI stores your SP-API and Advertising API refresh tokens. These tokens are encrypted at rest using AES-256 encryption before being written to our database. Encryption keys are stored separately from the encrypted data.
We collect standard server logs (IP address, request path, timestamp, HTTP status code) for security monitoring and debugging. These logs are retained for 30 days and are not used for marketing profiling.
We process your data under the following lawful bases (UK GDPR / GDPR):
XEWI is hosted on Amazon Web Services (AWS) in the eu-west-1 (Ireland) region. We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (PostgreSQL) | Operational database — orders, inventory, ads queue | AWS eu-west-1 |
| Amazon S3 | Long-term data lake (Parquet files for analytics) | AWS eu-west-1 |
| Amazon ECS | Application hosting | AWS eu-west-1 |
| Amazon Athena | Analytics queries over historical data | AWS eu-west-1 |
All data remains within the European Economic Area. We do not transfer personal data to countries outside the EEA without appropriate safeguards.
| Data type | Retention period |
|---|---|
| Account credentials | Until account deletion |
| Amazon SP-API data (orders, inventory, finances) | 24 months from ingestion, then deleted |
| Amazon Advertising data (search terms, spend) | 12 months from ingestion, then deleted |
| OAuth refresh tokens | Until you disconnect your Amazon account or delete your XEWI account |
| Server logs | 30 days |
| Negative keyword queue history | 12 months from creation |
When you delete your account, all your data is removed from our operational database within 30 days and from our data lake within 90 days.
We do not sell, rent, or share your data with any third party for marketing or commercial purposes. The only disclosures we make are:
XEWI implements the following security controls:
Under UK GDPR and GDPR you have the right to:
To exercise any of these rights, email privacy@xewi.app. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
XEWI uses only essential session cookies required to keep you logged in. We do not use advertising cookies, tracking pixels, or analytics cookies. No third-party cookies are set by XEWI.
XEWI's use of the Amazon Selling Partner API and Amazon Advertising API complies with Amazon's Developer Agreement and API Usage Policies. Specifically:
We may update this policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice in the platform at least 14 days before the changes take effect. Continued use of XEWI after that date constitutes acceptance of the updated policy.
For any privacy-related queries:
Email: privacy@xewi.app
Website: xewi.app