Latest Document Update: 25/09/25

 

API connections are used to facilitate order fulfilment for orders placed on marketplace platforms such as Amazon, eBay and our own website. This policy outlines how data collected by API connections is processed, stored and disposed of.

 

1. Purpose and Scope

This Privacy and Data Handling Policy sets out how Prima Industries Ltd (“the Company”, “we”, “us”) collects, processes, stores, uses, shares, and disposes of customer and business data obtained from:

  • Amazon’s Selling Partner API (SP-API),
  • Other third-party sales platform APIs, such as eBay and OnBuy,
  • Our own company website.

This policy is designed to ensure compliance with applicable data protection regulations, including but not limited to the UK Data Protection Act 2018, the EU General Data Protection Regulation (GDPR), and any other mandatory privacy and security laws applicable to our operations.

It applies to all employees, contractors, and systems that handle personal or business data on behalf of Prima Industries Ltd.

 

2. Data Governance and Classification

  • Data Classification: All data obtained through Amazon SP-API and other channels is classified into categories:
    • Personally Identifiable Information (PII): customer name, shipping address, email (where applicable), phone number.
    • Transactional Data: order IDs, product SKUs, order amounts, shipping status.
    • Non-PII Business Data: aggregated sales reports, product listings, inventory information.
  • Data Records: We maintain a documented record of all processing activities, including the type of data collected, processing purposes, storage locations, retention timelines, and disposal procedures.

 

3. Data Collection

We collect data strictly for legitimate business purposes:

  • Amazon SP-API: Customer order details, shipping information, and communication necessary for fulfilment.
  • eBay and Website: Equivalent customer order and shipping details for the fulfilment of orders placed on these platforms.
  • Newsletter Sign-Up (Relevant to www.ekofuel.org only): Customer email address where explicit consent has been given.

 

4. Data Processing and Use

  • PII is processed only for the fulfilment of orders and related after-sales support.
  • PII from Amazon and eBay customers is not used for marketing.
  • Website newsletter data is used solely for marketing where explicit opt-in consent has been provided.
  • Data processing is limited to what is necessary, in line with the principle of data minimisation.

 

5. Data Storage and Security

  • All customer and order data is stored securely in Microsoft Dataverse tables within a controlled Power Platform environment. Data stored in this environment is encrypted and access is limited.
  • Access is restricted by role-based permissions, and all access is logged and auditable.
  • Data is encrypted at rest and in transit.
  • Technical and organisational measures are in place to prevent unauthorised access, alteration, or disclosure of data.

 

6. Data Retention and Disposal

  • Amazon and eBay customer PII: Retained for 30 days solely to facilitate order delivery, customer service, and returns. After this period, PII is permanently deleted or anonymised.
  • Website (www.ekofuel.org) customer PII: Same 30-day retention unless the customer opts into the newsletter.
  • Newsletter subscribers (relevant for www.ekofuel.org only): Data is retained until the customer withdraws consent.
  • Transactional/non-PII business data: Retained in line with statutory requirements (e.g., financial data up to 7 years).
  • Secure Disposal: Data no longer required is permanently deleted from Microsoft Dataverse using secure deletion protocols.

 

7. Data Sharing

  • PII is shared only with third parties necessary for order fulfilment, such as shipping carriers.
  • Data is not sold, leased, or shared with unauthorised third parties.
  • All third-party processors are bound by contractual agreements requiring compliance with data protection laws.

 

8. Data Subject Rights

Customers have the right to:

  • Request access to their data,
  • Request correction or rectification,
  • Request erasure of their data (subject to legal obligations),
  • Request restriction of processing, and
  • Object to processing (where applicable).

We have established procedures to respond promptly to data subject access requests (DSARs) and provide customers with responses within statutory timelines.

 

9. Compliance and Accountability

  • We maintain documented evidence of compliance with applicable data protection regulations and Amazon SP-API requirements.
  • We actively monitor regulatory changes and update this policy as necessary.
  • Regular audits and access reviews are carried out to ensure continued compliance.

 

10. Employee Confidentiality

  • Employees with access to PII are bound by contractual confidentiality provisions.
  • Employees are trained in data protection and security best practices.
  • Access is limited to employees whose roles require handling PII.

 

11. Policy Review and Updates

This policy will be reviewed annually or sooner if required by changes in regulations, technology, or business processes.