01 Who we are
SellerStack3P ("SellerStack3P," "we," "us," or "our") is a software service operated by Quickmitts LLC, a Colorado limited liability company. We provide tools for Amazon FBA sellers to track product costs, fees, and the true margin remaining after credit card, portal, and gift card cash back stacking. We also provide outreach tools that let sellers manage brand contact lists and send email campaigns through their own connected Gmail account.
Our website is https://www.sellerstack3p.com. The data controller for purposes of this policy is Quickmitts LLC. You can reach us at sellerstack3p@gmail.com.
02 Scope of this policy
This policy applies to information collected when you:
- Visit sellerstack3p.com or any subdomain
- Create an account or use the SellerStack3P web application
- Install or use the StackBuddy Chrome extension
- Connect your Amazon Selling Partner account to SellerStack3P
- Connect your Gmail account to send outreach email through SellerStack3P
- Subscribe to a paid plan or start a free trial
- Contact us by email
This policy does not cover websites or services operated by third parties, even when linked from our site. Their privacy practices are governed by their own policies.
03 Information we collect
Information you provide directly
- Account information: email address, display name, password hash (we never store passwords in plain text), and authentication identifiers from Google OAuth if you sign in with Google.
- Workspace and membership data: workspace names, the role each user holds within a workspace (owner, admin, virtual assistant, etc.), and pending invitations.
- Product and purchase data: ASINs, supplier names, costs, quantities, dates, and notes you enter into the app.
- Cash back source data: names of credit cards, portals, and gift card balances you choose to track. We do not collect credit card numbers, CVVs, or banking credentials.
- FBA fee data: dimensions, weights, prices, and category data you enter or sync via the StackBuddy extension.
- Outreach contact data: brand names, contact names, email addresses, phone numbers, job titles, company information, notes, and any tags or categories you attach to brands you add to your outreach lists.
- Outreach content: email templates, campaign sequences, send schedules, and the bodies and subjects of messages sent through the outreach system. We also record reply-tracking metadata (whether a reply came back, and the timestamp) so the system can stop sending follow-ups to brands who have responded.
- Customer-supplied API keys: if you choose to use the integrations below, you may paste your own API keys into your workspace settings. These are encrypted at the database column level before storage and used only to make API calls on your behalf:
  - Apollo.io — for contact enrichment on brand records you add.
  - MillionVerifier — for email address verification on outreach contacts.
  - Google Gemini (or another AI provider you configure) — for AI-assisted features such as template suggestions and content rewriting.
- Support correspondence: any information you send us by email.
Information we collect automatically
- Usage data: pages viewed, features used, errors encountered, and approximate timing of requests, used to improve the service.
- Device data: browser type, operating system, screen size, and IP address (used for security and abuse prevention; not used for advertising).
- Cookies and local storage: see Section 10.
Information we collect from third parties
- From Stripe: subscription status, plan tier, and last four digits of your payment card. We do not store full card numbers; Stripe handles all payment data.
- From Google (if you use Google Sign-in): your name, email address, and Google account identifier.
- From Gmail (if you connect your Gmail account for outreach): a refresh token granting our service the limited ability to send email on your behalf, plus message identifiers for the outreach messages we send through your account. We do not read your inbox, your contacts, your drafts, or any email that was not sent by SellerStack3P.
- From Amazon (if you connect your Amazon Selling Partner account): see Section 4.
- From your configured integrations (Apollo, MillionVerifier, AI provider): the responses returned for the specific requests you initiate (e.g., the contact record Apollo returns for a domain you enrich, or the verification result MillionVerifier returns for an email you check). We do not query these services unless you have provided your own API key and you have initiated the request.
04 Amazon Selling Partner data
Authorization
We access your Amazon Selling Partner data only after you explicitly authorize us through Amazon's standard OAuth flow in Seller Central. You may revoke this authorization at any time by visiting Seller Central → Apps and Services → Manage Your Apps and disconnecting SellerStack3P.
Data we access
The specific endpoints and data we access depend on the SP-API roles you authorize. We request access only to data necessary to provide our core service:
- Product Listings: ASIN, SKU, title, dimensions, weight, category, and listing status.
- Pricing and Fees: current sale price, referral fee, FBA fulfillment fee, and other fees returned by the Product Fees API.
- Inventory: on-hand and inbound quantities by SKU (used for the Inventory & Margin and Reorder sections of the app).
- Orders (optional, if you enable the Sales Dashboard): order-level totals, units shipped, and order counts pulled from the SP-API Orders endpoint. We store these as monthly aggregates (revenue in cents, units sold, order count) bucketed by Pacific calendar month for the workspace whose owner authorized the connection. We do not store individual order numbers, buyer names, buyer email addresses, shipping addresses, or any other order-level personally identifiable information.
We do not access buyer personally identifiable information (PII) such as buyer names, email addresses, or shipping addresses. If our service expands to include features that would require such data, we will update this policy and re-request your authorization before doing so.
How Amazon data is used
- Data accessed via SP-API is used only to provide the SellerStack3P service to you, the authorizing seller.
- Your Amazon data is never sold, licensed, or shared with other SellerStack3P users.
- Your Amazon data is never used for advertising, marketing, or training machine learning models.
- Aggregated, anonymized statistics (e.g., "average FBA fee in the home goods category") may be used internally for product development, but only in a form that cannot be linked back to you or your account.
Storage and security of Amazon data
- Your Amazon Selling Partner refresh token is encrypted at the database column level before storage. The encryption key is held outside the database and is not accessible to anyone other than the SellerStack3P production environment.
- Access tokens (short-lived) are held in memory only and not written to disk.
- All API calls between SellerStack3P and Amazon are made over TLS 1.2 or higher.
- Database records containing your Amazon data are protected by row-level security so that no other SellerStack3P user can read them.
Retention and deletion of Amazon data
- When you disconnect SellerStack3P from Seller Central, we delete your stored refresh token within 24 hours.
- Derived data (ASIN details, fee snapshots, inventory levels, etc.) is retained while your SellerStack3P account is active so your historical reports remain intact. You may request deletion of this data at any time by emailing us.
- Upon account closure, all Amazon-derived data is deleted within 30 days, except where retention is required by law (e.g., tax records related to a paid subscription).
05 How we use information
We use the information we collect to:
- Provide and operate the SellerStack3P service
- Authenticate you and secure your account
- Process subscription payments (via Stripe)
- Sync FBA fees and product data from Amazon and the StackBuddy extension
- Sync monthly sales aggregates from Amazon if you have enabled the Sales Dashboard
- Send outreach email through your connected Gmail account on your behalf, only to recipients and at times you have configured, and only for the campaigns you have started
- Enrich brand contact records using your own Apollo and MillionVerifier API keys, only on records you choose to enrich
- Generate AI-assisted content suggestions using your own AI-provider API key, only on the inputs you submit
- Compute reports, margins, and recommendations within the app
- Respond to support requests
- Send service announcements (e.g., billing notices, security alerts, material policy changes). These cannot be unsubscribed from while your account is active because they are essential to providing the service.
- Send optional product updates and tips, only if you have opted in. You can unsubscribe at any time using the link in any such email.
- Detect, investigate, and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not sell your personal information. We do not share it with advertisers or data brokers.
06 Sub-processors and sharing
To operate the service, we share data with a small number of vetted vendors ("sub-processors"). Each is contractually bound to handle data only on our instructions and only for the purposes described below.
| Vendor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, realtime sync | Account data, product data, encrypted refresh tokens, encrypted API keys | United States |
| Vercel | Web hosting and serverless functions | Requests, IP addresses, function logs | United States |
| Stripe | Subscription billing and payment processing | Name, email, payment card (handled by Stripe directly) | United States |
| Google (Sign-in) | OAuth sign-in (only if you choose it) | Name, email, account identifier | United States |
| Google (Gmail API) | Sending outreach email on your behalf (only if you connect Gmail) | Gmail send-permission refresh token, message identifiers for messages we send | United States |
| Amazon | Source of Selling Partner data (only if you connect your account) | OAuth authorization, API requests | United States |
| Apollo.io | Contact enrichment (only if you supply an Apollo API key and initiate enrichment) | Brand domains and identifiers you submit for enrichment | United States |
| MillionVerifier | Email address verification (only if you supply a MillionVerifier API key and initiate verification) | Email addresses you submit for verification | United States |
| AI provider (Google Gemini or another you configure) | AI-assisted content suggestions (only if you supply an AI API key and submit content) | Prompt text and template content you submit for AI assistance | United States (varies by provider) |
We may also disclose information when required by law, valid legal process, or to protect the rights, property, or safety of SellerStack3P, our users, or the public. If we receive a government request for your data, we will notify you unless legally prohibited from doing so.
If SellerStack3P is involved in a merger, acquisition, or sale of all or part of its assets, your information may be transferred as part of that transaction. We will notify you by email before any such transfer takes effect, and you will have an opportunity to delete your account before the transfer.
07 Security
We take security seriously and apply industry-standard practices:
- All traffic to and from sellerstack3p.com is encrypted in transit via TLS 1.2 or higher.
- Data at rest in our database is encrypted using the underlying provider's encryption (AES-256).
- Sensitive credentials such as Amazon refresh tokens are additionally encrypted at the database column level using application-layer keys.
- Row-level security in our database isolates each user's data from every other user's data.
- Production access is restricted to authorized personnel and protected by multi-factor authentication.
- We do not store full payment card numbers; payments are handled exclusively by Stripe, a PCI DSS Level 1 certified provider.
No security program is perfect. If we discover a security incident affecting your data, we will notify you by email without undue delay, and in any event within 72 hours of becoming aware of the incident where required by applicable law.
08 Data retention
- Active accounts: we retain your data for as long as your account is active.
- Canceled subscriptions: if you cancel your paid subscription but do not delete your account, we retain your data so you can resume later. After 12 months of inactivity, we will email you and, if there is no response, delete the account within 30 days.
- Account deletion: when you request deletion of your account, we delete your personal data within 30 days. Some records may be retained longer where required by law (for example, transaction records for tax purposes).
- Backups: deleted data may persist in encrypted backups for up to 90 days, after which it is purged.
- Amazon refresh tokens: deleted within 24 hours of disconnection in Seller Central.
- Gmail refresh tokens: deleted within 24 hours of disconnection from within SellerStack3P or revocation in your Google Account settings.
- Customer-supplied API keys (Apollo, MillionVerifier, AI provider): deleted from our database within 24 hours of removal from your workspace settings, and within 30 days of account closure.
09 Your rights and choices
Regardless of where you live, you can exercise the following rights with respect to your SellerStack3P account:
- Access: request a copy of the personal data we hold about you.
- Correction: update inaccurate data either directly in the app or by emailing us.
- Deletion: request deletion of your account and associated data.
- Portability: export your ASIN, purchase, cash back, brand, contact, and campaign data from within the app at any time.
- Withdraw consent: disconnect your Amazon Selling Partner account, disconnect your Gmail account, delete any API keys you have stored for Apollo / MillionVerifier / AI provider, revoke Google OAuth, or cancel your subscription at any time.
- Opt out of optional emails: use the unsubscribe link in any marketing message.
California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. To exercise any California right, email sellerstack3p@gmail.com. We will not discriminate against you for exercising these rights.
European Economic Area, United Kingdom, and Switzerland
SellerStack3P is operated from the United States and is primarily intended for sellers operating on Amazon US, Canada, and Mexico marketplaces. If you are located in the EEA, UK, or Switzerland and choose to use our service, you have the additional rights provided by GDPR or UK GDPR, including the right to lodge a complaint with your supervisory authority. The legal basis for our processing is the performance of a contract with you (when you have an account) and our legitimate interests (for security and product improvement). We are not currently established in the EU and do not maintain an Article 27 representative; we will revisit this if we begin serving EU sellers materially.
To exercise any right, email sellerstack3p@gmail.com. We will respond within 30 days.
11 Children's privacy
SellerStack3P is a business tool intended for adults. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.
12 International users
SellerStack3P is operated from the United States, and all of our sub-processors named in Section 6 store data in the United States. By using the service, you understand that your information will be transferred to and processed in the United States, which may have data protection laws different from those of your country of residence.
13 Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective" date at the top of this page,
- Post the new policy at this URL, and
- Notify active users by email at least 14 days before the new policy takes effect.
Continued use of SellerStack3P after the effective date constitutes acceptance of the updated policy.
14 Contact us
If you have questions about this policy or wish to exercise any of your rights, contact us at:
This policy is governed by the laws of the State of Colorado, United States, without regard to its conflict of laws principles.