Privacy Policy
1. Who we are
This Privacy Policy explains how your personal data is collected, used, shared, retained and protected when you use eCOMeX. In this Policy, "eCOMeX", "we", "us" and "our" mean Mr. Milan Jethva, an individual carrying on business as a sole proprietorship under the trade name "eCOMeX" (also styled "eCOMeX AI").
Our principal place of business is at eCOMeX AI, Ahmedabad – 380008, Gujarat, India. We operate the eCOMeX web application available at https://ecomex.app (the "Platform" or "Service"). Our contact details, including those of our Grievance Officer, are set out in Sections 12 and 16.
For the purposes of the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Information Technology Act, 2000 together with the rules made thereunder (including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the "SPDI Rules"), eCOMeX is the entity that determines the purposes and means of processing the personal data described in this Policy (the Data Fiduciary / body corporate). In respect of the business data that a seller brings into the Platform, including any personal data of the seller's own customers contained within it, we act on the seller's behalf and process such data on the seller's instructions and for the seller's purposes.
2. Scope of this Policy
This Policy applies to personal data that we collect and process through the Platform, including when you visit our website, create an account, set up a Workspace, upload or connect data, interact with our in-app AI assistant ("Juno"), contact our support, or otherwise use the Service.
eCOMeX is a multi-tenant, AI-powered software-as-a-service application for Amazon sellers and their teams. It helps a seller ingest, organise and analyse their own Amazon business data (sales, orders, inventory, advertising, settlements, returns and Brand Analytics), generate reports and a monthly profit-and-loss statement, plan shipments and purchases, manage tasks, approvals and work-updates, draft Amazon seller-support replies and product listing copy, and chat with Juno.
When you sign up, you create a Workspace. Each Amazon store is its own Workspace, and data is isolated per Workspace so that one Workspace can never read another's data.
This Policy should be read together with our Terms of Service, our Cookie Policy, our Refund and Cancellation Policy, and any product-specific notices we provide. Where a third party (for example, Amazon or one of our sub-processors) operates its own service, that third party's own privacy policy governs its handling of your data on its systems.
3. What personal data we collect
We collect and process the following categories of data. Certain of these categories — in particular passwords, financial information, and Amazon integration credentials — constitute "sensitive personal data or information" (SPDI) under the SPDI Rules, and we treat them accordingly.
3.1 Account and identity data
- Your name and email address;
- An optional mobile number;
- Your password, which is stored only as a salted cryptographic hash and is never stored, transmitted to us, or visible to us in plain text;
- Your avatar colour, your Workspace role and permissions; and
- An audit log of significant actions taken within your Workspace, for security and accountability.
3.2 Workspace business data
This is the business data that you bring into your Workspace, including the Amazon reports and data described above, your product catalogue, suppliers, tasks, and similar operational records.
Buyer personal data within Amazon order data — please read carefully. Amazon "Order Reports" and similar order data contain personal information about Amazon customers and buyers, such as buyer names, shipping addresses and contact details. When you upload such reports or connect your Amazon account, this buyer personal information enters your Workspace. eCOMeX processes this buyer personal information strictly as part of, and solely in order to provide, the seller's own service to that seller. We do not use it for our own purposes, we do not sell it, we do not use it for advertising or marketing, we do not disclose it to unauthorised third parties, and we handle it in line with Amazon's Acceptable Use Policy and Data Protection Policy as described in Section 10 ("Amazon data") below. If you are a seller, you are responsible for having a lawful basis to provide such buyer data to us and for complying with applicable law in respect of your own customers.
3.3 Amazon integration credentials
If you choose to connect your Amazon account, we collect and store the Amazon Selling Partner API (SP-API) and Amazon Advertising API refresh tokens and credentials needed to access your own Amazon data at your direction. We collect only the minimum scope of access needed to provide the features you use. These credentials are stored encrypted at rest using Fernet symmetric (AES-based) encryption, are never written to logs or stored in any public location, and are accessible only to the running Service.
3.4 AI interaction data
When you use Juno or other AI features, we retain your chat prompts and Juno's responses in order to provide you with chat history and a per-Workspace AI memory that improves the relevance of future answers within your Workspace.
3.5 Technical and usage data
- Your IP address, browser and device information, and log data;
- Cookies that maintain your login session and remember your preferences (described in Section 6 below).
For our public, signed-out front-door chat, we do not store the raw visitor IP address. Instead, we store only an irreversible hash of the visitor IP, salted with a secret value, which we use solely to limit abuse of the free chat.
3.6 Payment and billing data
eCOMeX does not currently process live payments and stores no card data. When paid billing goes live, payments will be handled by a third-party, PCI-DSS-compliant payment processor; eCOMeX will not store full card numbers. We may retain limited billing records (such as invoices, plan, billing name and a payment reference or token returned by the processor) as required for accounting, tax and audit purposes. Refunds and cancellations are governed by our Refund and Cancellation Policy.
4. How and why we use your data, and our lawful bases
We use personal data for the following purposes:
- To provide, operate, maintain and improve the Service;
- To ingest, validate, store and analyse the seller's data and to generate reports, insights, the profit-and-loss statement and AI answers;
- To create and administer your account and Workspace and to apply role-based access controls;
- To maintain the security and integrity of the Service, detect and prevent fraud and abuse, and keep audit logs;
- To process billing and payments and to maintain accounting and tax records when paid billing is live;
- To provide customer support and respond to your requests and grievances;
- To send you service-related communications (for example, transactional, security, account and policy-update notices);
- To comply with applicable law and to establish, exercise or defend legal claims.
We process personal data only for the purposes for which it was collected or for purposes compatible with them, and we limit our collection to what is necessary for those purposes.
Lawful bases under the DPDP Act, 2023. We process personal data on the basis of your consent and, where applicable, on the basis of certain legitimate uses recognised under the DPDP Act and for the performance of our contract with you (the provision of the Service you have requested) and to comply with our legal obligations. By providing sensitive personal data under the SPDI Rules, you consent to its collection and use for the purposes set out in this Policy. Where we rely on consent, you may withdraw it at any time as easily as you gave it, as described in Section 11; withdrawal does not affect the lawfulness of processing carried out before withdrawal, and may limit or prevent our ability to provide some or all of the Service.
5. AI processing and third-party AI providers
To power Juno and our other AI features, we send relevant data to third-party AI model providers, which process it to generate the output you request and return it to us. We are transparent about how this works:
- For some features, we send relevant Workspace data necessary to answer your request.
- For other features, we send only column header names or pre-aggregated figures, and never the underlying raw values.
Our current AI model providers are Anthropic (Claude) and DeepSeek. Under the applicable API terms with these providers, they do not use eCOMeX customers' submitted data to train their models. We do not send Amazon buyer personal information to these providers for any purpose other than providing the seller the feature they have requested, and we do not use Amazon Information to train any model.
Important about AI output. AI output can be wrong or incomplete. You must independently verify important numbers and decisions, and you must never treat AI output as professional, legal, tax, accounting or financial advice.
6. Cookies
We use a small number of cookies that are strictly necessary to run the Service and to remember your preferences. We do not set any third-party advertising, analytics or cross-site tracking cookies.
| Cookie | Type | Purpose |
|---|---|---|
| sessionid | Strictly necessary | Maintains your logged-in session |
| csrftoken | Strictly necessary | Protects against cross-site request forgery (security) |
| darkMode | Preference | Remembers your theme choice |
| sidebarCollapsed | Preference | Remembers your layout choice |
You can control or delete cookies through your browser settings. Please note that blocking the strictly-necessary cookies (sessionid and csrftoken) will break login and prevent you from using the Service. Our fonts are loaded from Google Fonts when pages are viewed, which involves a network request to Google's servers; this is not an eCOMeX cookie and we set no advertising cookies. For full details, please see our Cookie Policy.
7. Who we share data with: sub-processors and cross-border transfers
We do not sell your personal data, and we do not share it with anyone for their own independent advertising or marketing. We share data only with the service providers (sub-processors) listed below, who process it on our behalf to help us deliver the Service, under contractual obligations of confidentiality and security, and only as needed for that purpose. Where required by law or to protect rights, safety and property, we may also disclose data to authorities, courts or regulators, or in connection with a legal process, a merger, or a business transfer.
| Sub-processor / third party | Role |
|---|---|
| Railway | Cloud hosting and infrastructure (application and database) |
| Anthropic (Claude) | AI processing |
| DeepSeek | AI processing |
| Resend | Transactional email delivery |
| Amazon Web Services / S3-compatible object storage | Encrypted file and document storage |
| Sentry | Optional error monitoring |
| Google Fonts | Serves fonts to your browser when pages are viewed (a network request to Google; no eCOMeX advertising cookies are set) |
| The seller's own Amazon account (SP-API / Advertising API) | A data source, accessed only at the seller's direction |
| A future PCI-DSS-compliant payment processor | Payment processing (when paid billing goes live) |
Cross-border transfers. Some of our sub-processors store or process data outside India (for example, in the United States). Where we make such a transfer, we do so with appropriate safeguards and contractual protections, and only to the extent permitted under the DPDP Act, 2023 and the SPDI Rules, subject to any restrictions notified by the Government of India in respect of transfers to particular countries or territories. By using the Service, you acknowledge that your data may be processed in such jurisdictions for the purposes described in this Policy.
8. How we protect your data
We maintain reasonable security practices and procedures, and technical and organisational security measures, appropriate to the nature of the data we hold and consistent with the standards expected under the SPDI Rules, including:
- Encryption in transit using TLS / HTTPS;
- Encryption at rest for sensitive credentials and stored files using Fernet symmetric (AES-based) encryption;
- Single-database, row-level tenant isolation, so that one Workspace can never read another Workspace's data;
- Role-based access control and least-privilege access, with access to sensitive data restricted to authorised personnel on a need-to-know basis;
- Salted cryptographic hashing of passwords;
- Audit logging of significant actions;
- Secret and credential management practices that keep credentials out of source code, logs and public repositories;
- Per-statement database timeouts and upload size caps to protect availability and integrity.
While we work hard to protect your data, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. We maintain a documented incident-response plan. If we become aware of a personal data breach, we will act in accordance with applicable law and our incident-response procedures, will take prompt steps to investigate and remediate, and will notify affected persons and the relevant authorities (including the Data Protection Board of India) where and as required by law. Where any security incident involves Amazon Information, we will additionally notify Amazon promptly and in any event within twenty-four (24) hours, as set out in Section 10.
9. Data retention
We retain Workspace data while your account is active and for as long as needed to provide the Service to you, and thereafter only for as long as required to comply with our legal, accounting, tax or regulatory obligations or to establish, exercise or defend legal claims.
Amazon Information, including buyer personal information, is handled in line with Amazon's Acceptable Use Policy and Data Protection Policy. It is retained only for as long as needed to provide the seller the service they requested, and not longer than thirty (30) days after order delivery for personal information used for order-fulfilment-type purposes, except where a longer retention period is required by law (for example, for tax, accounting, legal or fraud-prevention purposes), in which case it is retained only for that purpose and for the minimum period required. Throughout retention it is kept encrypted and access-restricted, and it is deleted upon the seller's request, upon revocation of the Amazon connection, or on account closure.
On account deletion, we delete or irreversibly anonymise personal data within a reasonable period, unless we are required to retain it to comply with a legal obligation, resolve disputes, or enforce our agreements.
10. Amazon data
Because eCOMeX processes data that originates from Amazon ("Amazon Information"), we make the following commitments, which apply in addition to everything else in this Policy and which are designed to comply with Amazon's Acceptable Use Policy and Data Protection Policy:
- We comply with Amazon's Acceptable Use Policy and Amazon's Data Protection Policy;
- We encrypt Amazon Information both in transit (TLS / HTTPS) and at rest (using AES-based / Fernet symmetric encryption);
- We collect and retain only the minimum Amazon Information needed to provide the features the seller uses, and we keep Amazon Information logically segregated and isolated per Workspace;
- We restrict access to Amazon Information to authorised personnel on a strict need-to-know basis, and we maintain least-privilege access controls, credential-management controls, and audit logging of access;
- We do not sell Amazon Information, and we do not use it for advertising or marketing or share it with unauthorised third parties;
- We use Amazon Information solely to provide the seller the service they requested, and for no other purpose;
- We retain Amazon Information only as long as needed to provide that service, and not longer than thirty (30) days after order delivery for personal information used for order-fulfilment-type purposes, except where a longer period is required by law;
- We maintain a documented incident-response plan, and in the event of any security incident involving Amazon Information we will notify Amazon promptly and in any event within twenty-four (24) hours, investigate, remediate, and cooperate with Amazon;
- We keep records of our processing of Amazon Information;
- We delete Amazon Information upon the seller's request, upon revocation of the Amazon connection, or upon Amazon's request; and
- We will provide information about our security controls and handling of Amazon Information to Amazon upon request.
eCOMeX is an independent, third-party application. eCOMeX is not affiliated with, sponsored by, or endorsed by Amazon. "Amazon", "Amazon Seller Central", "Selling Partner API" and related marks are the property of Amazon.com, Inc. or its affiliates, and are referred to only to describe interoperability.
11. Your rights under the DPDP Act, 2023, and how to exercise them
Subject to applicable law, as a Data Principal you have the following rights in respect of your personal data:
- Right to access a summary of the personal data we process about you and of our processing activities;
- Right to correction and erasure — to seek correction, completion, updating or erasure of your personal data;
- Right of grievance redressal — to a readily available means of registering a grievance with us;
- Right to nominate another individual to exercise your rights in the event of your death or incapacity;
- Right to withdraw consent at any time, where our processing is based on your consent, as easily as you gave it; and
- Right to be informed, where applicable, and to opt out of communications that are not strictly service-related.
To exercise any of these rights, please email us at privacy@ecomex.app, or contact our Grievance Officer at grievance@ecomex.app. You may also withdraw consent or manage your account directly within the Service where such controls are provided. We may need to verify your identity before acting on a request, and we will respond within the timelines required by applicable law.
Your duties as a Data Principal. Under the DPDP Act, you are required, among other things, to provide authentic and accurate information when exercising your rights, not to impersonate another person, and not to register false or frivolous grievances or complaints.
12. Grievance redressal and Grievance Officer
In accordance with the Information Technology Act, 2000 and the rules thereunder (including the SPDI Rules and applicable Intermediary/Consumer Protection (E-Commerce) Rules, 2020), and the DPDP Act, 2023, we have appointed a Grievance Officer to address your concerns regarding the processing of your personal data and the Service:
- Grievance Officer: Mr. Milan Jethva
- Email: grievance@ecomex.app
- Address: eCOMeX AI, Ahmedabad – 380008, Gujarat, India
We will acknowledge your grievance within forty-eight (48) hours of receipt and endeavour to resolve it within one (1) month from the date of receipt, or such shorter period as may be prescribed by applicable law. If you are not satisfied with our response, you have the right to make a complaint to the Data Protection Board of India in the manner prescribed under the DPDP Act, 2023, and you may also pursue any other remedy available to you under applicable law, including under the Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020.
13. Children's data
The Service is not directed to, or intended for use by, persons under the age of 18 years. We do not knowingly collect or process the personal data of children. We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children, and we will not process a child's personal data without verifiable consent of a parent or lawful guardian as required by the DPDP Act. If you believe that a child has provided us with personal data, please contact us at privacy@ecomex.app so that we can take appropriate action, including deletion.
14. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make material changes, we will update the "Last updated" date shown on this page and, where appropriate, notify you through the Service or by email. Your continued use of the Service after the changes take effect constitutes your acknowledgement of the updated Policy.
15. Governing law and jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of India. Subject to any non-waivable rights you may have under applicable consumer-protection law, the courts at Ahmedabad, Gujarat, India shall have exclusive jurisdiction over any dispute arising out of or in connection with this Policy or your use of the Service.
16. Contact us
If you have any questions, requests or concerns about this Privacy Policy or our handling of your personal data, please contact us:
- Operator (legal name): Mr. Milan Jethva, sole proprietor trading as "eCOMeX" (also styled "eCOMeX AI")
- General support: support@ecomex.app
- Privacy and data-protection requests: privacy@ecomex.app
- Grievance Officer: Mr. Milan Jethva, grievance@ecomex.app
- Address: eCOMeX AI, Ahmedabad – 380008, Gujarat, India
- Website: https://ecomex.app