Flapen — Amazon Data Policy
Last updated: May 1, 2026
Flapen is an Amazon seller toolkit developed by Flapen – FZCO. It helps Amazon sellers and brands research profitable products, optimize listings, monitor account health, and analyze advertising. This policy explains how Flapen accesses, processes, stores, and protects data provided through the Amazon Selling Partner API (SP-API), Amazon Advertising API, Amazon Marketing Cloud (AMC), and Brand Analytics for sellers who grant the relevant permissions.
1. Who We Are
Flapen is operated by:
Flapen – FZCO
Dubai, UAE
Website: https://flapen.com
Support: joel@flapen.com
Privacy: privacy@flapen.com
Security: joel@flapen.com
Flapen is responsible for ensuring all personal and Amazon account data is handled securely and in compliance with Amazon's Data Protection Policy, Acceptable Use Policy, and SP-API program requirements. Flapen is not affiliated with Amazon.com, Inc. or its subsidiaries.
2. Roles Requested Through Amazon SP-API
When you authorize Flapen through Login with Amazon (OAuth), we request the SP-API roles below. Each role gives us a narrow, named permission. We never request a role we do not actively use.
| Role | Purpose |
|---|---|
| Selling Partner Insights | Read marketplace participations and account performance metrics. |
| Product Listing | Read and update listing content, status, and visibility. |
| Pricing | Read pricing data and competitor offers; surface anomalies. |
| Inventory and Order Tracking | Read inventory levels and order data at the SKU level. |
| Amazon Fulfillment | Track FBA fulfillment status and inbound shipments. |
| Direct-to-Consumer Shipping | Required for the Buy Shipping API when sellers fulfill their own orders. |
| Buyer Communication | Read buyer-seller messages so sellers can reply to urgent enquiries. |
| Buyer Solicitation | Send the Amazon-permitted Request a Review messages on behalf of the seller. |
| Finance and Accounting | Read settlement and payment data for reconciliation. |
| Brand Analytics | Surface Amazon Brand Analytics insights for the seller's own brand. |
For Amazon Advertising and AMC, Flapen requests the equivalent campaign-management, reporting, and AMC scopes under the Amazon Ads developer program. Ads scopes are granted in a separate consent flow.
3. How We Use the Data
Flapen uses Amazon data only to provide its product features:
- Product research and niche scoring from public Amazon data.
- Listing optimization grounded in the seller's own catalog and ad performance.
- Profit forecasts and unit economics from the seller's own fees, sales, and inventory.
- Account health, inventory, and review monitoring for the seller's own SKUs.
- Advertising and AMC analytics for the seller's own campaigns.
Flapen never:
- Uses Amazon data for advertising or marketing of Flapen.
- Sells, rents, or shares Amazon data with third parties.
- Combines data across sellers to build benchmarks or datasets.
- Uses seller data to train external models.
- Resells Amazon data in any form.
All usage complies with Amazon's Developer Terms, Acceptable Use Policy, and SP-API program requirements. We enforce strict tenant isolation: one seller's data is never visible to another seller's account.
3.1 Personally Identifiable Information (PII) Handling
Where Flapen accesses buyer-derived PII — names, shipping addresses, phone numbers, and buyer-seller messages — we use Amazon's Restricted Data Token (RDT) flow. Each PII fetch uses a short-lived token scoped to the specific operation. PII is:
- Encrypted at rest with AES-256.
- Never written to logs or error trackers.
- Never sent to AI inference providers.
- Never used to train models.
- Never aggregated across sellers.
- Deleted within 30 days of fetch.
Current scope (as of May 1, 2026): Flapen stores only marketplace participation data. We do not yet ingest order, message, or other PII-bearing data. Before that changes, this policy will be updated, sellers will be re-notified through Seller Central messaging, and the controls above will be in place from the first ingest.
3.2 Use of Brand Analytics Data
For sellers who grant access to the Brand Analytics role:
- Brand Analytics data is processed only to generate insights for the seller's own catalog.
- Brand Analytics data is not stored longer than required to generate those insights.
- Brand Analytics data is never aggregated, shared, or compared across sellers.
- Brand Analytics data is never used for model training or product development.
- Brand Analytics data is never exported to external vendors.
- All Brand Analytics data is deleted within 30 days of processing or immediately on access revocation.
4. Data Retention
Flapen separates retention rules by data type. PII has a hard ceiling regardless of subscription state. Non-PII operational data is retained while the seller has an active Flapen account.
| Data type | Retention |
|---|---|
| Buyer PII (names, addresses, phone, messages) | Maximum 30 days from fetch. No exceptions other than legal or tax hold. |
| Brand Analytics datasets | Deleted within 30 days of processing. |
| SP-API operational data (listings, inventory, sales, ads) | Retained while the Flapen account is active. Deleted within 30 days of cancellation or revocation. |
| User profile and account configuration | Retained until account deletion. |
| Encrypted refresh tokens | Retained until revocation; deleted within 24 hours after revocation. |
5. Access and Revocation
You are in full control of your data.
To revoke access or request deletion, see the Data Deletion page for the full procedure. In summary:
- Revoke SP-API access at any time in Seller Central → Apps & Services → Manage Your Apps.
- Email privacy@flapen.com to request export, correction, or deletion of your stored data.
Once access is revoked, all associated Amazon data is deleted within 30 days.
6. Sub-Processors
Flapen uses the third-party services below to operate the platform. Each is contractually required to protect the confidentiality and security of the data they process. None receive Amazon PII unless noted.
| Vendor | Purpose | Region | Receives PII? |
|---|---|---|---|
| Vercel | Application hosting and edge functions. | US, EU | No (PII is not present in HTTP responses) |
| Supabase | Postgres database and object storage. | EU | Yes (PII rows are encrypted at rest) |
| Sentry | Error and performance monitoring. | EU | No (configured to scrub PII before send) |
| Anthropic | AI inference for listing optimization and assistant features. | US | No (PII is filtered from prompts) |
| OpenAI | AI inference for selected features. | US | No (PII is filtered from prompts) |
| Amplitude | Product analytics on Flapen's own UI. | US | No (Amazon data is never sent) |
| Mux | Video hosting for marketing and onboarding content. | US | No |
Flapen never shares Amazon data with advertisers, data brokers, or unauthorized entities.
7. Security
Flapen treats Amazon Selling Partner data as Restricted PII when any PII role is granted. Our public commitments:
- Encryption at rest: AES-256 for refresh tokens and any PII columns.
- Encryption in transit: TLS 1.2 or higher on every internal and external connection.
- Multi-factor authentication: required for every employee and contractor with access to systems that store Amazon data.
- Least-privilege access: role-based access to production systems with a documented quarterly access review.
- Audit logging: every read or write of PII is logged and retained for 12 months.
- Incident response: Flapen will notify Amazon within 24 hours of any confirmed PII breach, in addition to applicable regulators.
- Vulnerability disclosure: reports to joel@flapen.com are acknowledged within 5 business days.
- Annual security assessment: a third-party security review is performed each year.
8. Your Rights
Depending on your region, you may have the right to:
- Access your data.
- Request deletion or correction.
- Withdraw consent.
- Restrict certain processing.
- Receive an export of your configuration data.
To exercise any of these rights, email privacy@flapen.com.
9. Children's Privacy
Flapen is intended for users aged 18 and older. We do not knowingly collect data from minors. If such data is identified, it will be deleted immediately.
10. Updates to This Policy
This policy may be updated to reflect product changes or legal requirements. When updates are made, we will revise the effective date at the top of this page. Continued use of Flapen constitutes acceptance of any updated terms.
11. Legal Notice
Amazon, Amazon Seller Central, SP-API, Amazon Advertising, Amazon Marketing Cloud, and related marks are trademarks of Amazon.com, Inc. or its affiliates. Flapen is an independent application and is not endorsed by Amazon.