Data Policy

Last updated: March 2026. This Data Policy describes how StarQuester LLC ("StarQuester," "we," "us") collects, processes, stores, secures, and disposes of data—including data obtained via Amazon's Selling Partner API (SP-API). It supplements our Privacy Policy and aligns with Amazon's Data Protection Policy (DPP), applicable data protection laws (e.g., GDPR, CCPA/CPRA), and industry standards.

1. Types of Data We Process

1.1 Amazon-Sourced Data

Data we receive through the SP-API includes order and fulfillment information (e.g., order IDs, status, dates, ASIN/SKU) used to sync orders, determine eligibility for review requests, and send solicitations via Amazon's official Request a Review system. We do not request or store buyer PII (e.g., names, addresses) for review requests; the solicitation is sent through Amazon's systems.

We also store encrypted SP-API credentials (e.g., refresh tokens, client credentials) necessary to call the API on your behalf. These are encrypted at rest and used only to provide our services.

1.2 Account and Platform Data

We process account data (email, hashed password, name, username), subscription and billing-related identifiers (e.g., Stripe customer and subscription IDs), usage data (e.g., review requests used vs. plan limit, schedule settings), support/contact form data (name, email, message), and marketing preferences (e.g., email address and opt-in status for newsletters) as described in our Privacy Policy.

2. Purposes of Processing

Data is used only to:

  • Provide and operate our services (e.g., order sync, review request automation, dashboard, billing).
  • Authenticate users and enforce access control.
  • Respond to support requests and communicate with you.
  • Send marketing emails and newsletters where you have opted in (see our Privacy Policy).
  • Improve security, performance, and compliance.
  • Comply with legal and regulatory obligations and with Amazon's DPP and Solution Provider requirements.

3. Data Storage and Retention

Data is stored in secure, access-controlled environments. We retain data only as long as necessary for the purposes above or as required by law or Amazon's DPP. In particular:

  • Amazon-sourced data: We follow retention limits consistent with Amazon's Data Protection Policy. Order-related and other non-PII data from the SP-API is not retained longer than necessary for our services or as permitted by Amazon (e.g., typically not beyond 18 months for non-PII unless a longer period is required by law).
  • Account and subscription data: Retained while your account is active and for a reasonable period after closure for legal, dispute, and compliance purposes.

When retention periods expire or you request deletion (subject to legal exceptions), we delete or anonymize data in a secure manner.

4. Security Measures

We implement technical and organizational measures in line with Amazon's DPP and industry practice, including:

  • Encryption: Data in transit is encrypted using TLS; sensitive data (e.g., SP-API credentials) is encrypted at rest (e.g., AES-256).
  • Access control: Unique user IDs, least-privilege access, and no shared production credentials.
  • Credential management: No hardcoded secrets; credentials stored encrypted and rotated as appropriate.
  • Network and system security: Firewalls, secure configuration, and monitoring where applicable.
  • Incident response: Procedures to detect, respond to, and report security incidents. In the event of a security incident involving Amazon data, we will notify Amazon and affected users as required by Amazon's DPP and applicable law (e.g., within 24 hours where required).

We do not sell or share Amazon-sourced or account data for marketing or other purposes outside providing our services.

5. Data Sharing and Third Parties

We share data only with trusted service providers (e.g., hosting, Stripe for payments) under contracts that require them to protect data and use it only for the services they provide to us. We may disclose data when required by law or to protect our or others' rights and safety.

Amazon-sourced data is not shared with third parties for their own marketing or other purposes. We may share it only as necessary to operate our service (e.g., with our hosting provider under strict confidentiality) or as required by law or Amazon.

6. Data Disposal and Deletion

Upon account closure, revocation of Amazon authorization, or when retention periods end, we securely delete or anonymize data in accordance with our retention policy and Amazon's deletion requirements. Upon request and where legally required, we can provide confirmation of secure deletion of your data or Amazon-related data.

7. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. To exercise these rights, contact us at support@starquester.com. We will respond within the timeframes required by applicable law. Our Privacy Policy contains more detail on your rights, including for California (CCPA/CPRA) and GDPR.

8. Changes to This Policy

We may update this Data Policy to reflect changes in our practices, Amazon's requirements, or the law. We will post the updated policy on this page and update the "Last updated" date. Material changes may be communicated via the platform or email where appropriate.

9. Contact

For questions about this Data Policy or our data practices, contact us at support@starquester.com. For Amazon-specific compliance (e.g., DPP), we also follow the requirements set out in Amazon's SP-API policies and agreements.