Privacy Policy

Effective Date: April 24, 2026  ·  Last Updated: April 24, 2026

1. Introduction

This Privacy Policy explains how Insiders Agency (“Insiders Agency”, “we”, “us”, or “our”) collects, uses, protects, discloses, and retains personal data when you visit insiders.agency (the “Site”), request an audit, subscribe to our newsletter, book a call, or engage us to manage your Amazon Advertising or Seller Central account (collectively, the “Services”).

We take privacy seriously. As a service provider to brands who sell on Amazon, we routinely handle commercially sensitive information on behalf of our clients, and we are bound by Amazon’s own strict data-protection requirements when we access Amazon Advertising data on a client’s behalf. Section 7 of this policy sets out those obligations in detail.

If you do not agree with any part of this Privacy Policy, do not use the Site or engage our Services. If you have questions, contact us at privacy@insiders.agency.

2. Who We Are

Insiders Agency is an Amazon advertising agency founded in 2017. We provide Amazon PPC management, Amazon FBA consulting, and white-label Amazon advertising services to brands, sellers, and partner agencies worldwide.

For the purposes of the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and equivalent laws, Insiders Agency is the data controller of the personal data we collect through the Site and in the course of our marketing and client-onboarding activities.

When we access and process Amazon Advertising data or Seller Central data on behalf of an engaged client, we act as a data processor on that client’s behalf and under their instructions, in accordance with our service agreement and Amazon’s applicable API policies.

Primary contact for privacy matters: privacy@insiders.agency

3. Scope of This Policy

This Privacy Policy applies to:

  • Visitors to insiders.agency and its sub-pages;
  • People who submit audit requests, newsletter signups, contact or booking forms;
  • Prospective clients who evaluate our Services;
  • Clients who engage Insiders Agency to manage Amazon Advertising or Seller Central activity;
  • Partner agencies who refer clients to us or engage our white-label services.

This policy does not cover third-party websites we link to, or the privacy practices of any third-party platform (including Amazon) that you use independently of our Services. Those are governed by their respective privacy policies.

4. Information We Collect

4.1 Information you provide directly

We collect information you give us when you interact with the Site or our team, including:

  • Identifiers — name, email address, company name, phone number, role or job title.
  • Commercial context — brand name, category, target marketplaces, monthly ad spend range, and any other information you share in an audit request, sales call, or proposal discussion.
  • Communications — email threads, call notes, voicemail, and any content you send us through the Site, email, or other channels.
  • Account credentials and permissions — when you engage us as a client, you grant us access to your Amazon Advertising account and/or Amazon Seller Central through Amazon’s own Manager Account or delegation workflows. We never ask for, and never accept, your Amazon login credentials. See Section 7.
  • Billing information — company name, billing address, and VAT number where applicable, used to issue invoices. Payment data is handled by our payment provider; we do not store full card numbers on our systems.

4.2 Information collected automatically

When you visit the Site, we automatically collect limited technical information:

  • Log and device data — IP address, user agent, browser type, operating system, approximate geolocation derived from IP, referring URL, timestamps.
  • Usage data — pages visited, interactions with forms and buttons, time on page, navigation path through the Site.
  • Cookies and similar technologies — see Section 15 for a full description, purposes, and how to control them.

4.3 Information from third parties

We may receive information about you from:

  • Referrers — existing clients, partners, or professional contacts who introduce you to Insiders Agency.
  • Publicly available sources — business directories, LinkedIn, Amazon storefronts, to research the brand you represent before an intro call.
  • Amazon Advertising API and Amazon Selling Partner API — when you engage us and grant access, we retrieve advertising performance data, campaign data, keyword data, product listings, and related metrics about your own account. We do not access or store buyer personal data from Amazon outside of what is strictly necessary for an authorized client service and in compliance with Amazon’s policies (Section 7).

5. How We Use Information

We use personal data for the following purposes:

  • Respond to enquiries — audit requests, proposal requests, partnership enquiries, and support questions.
  • Deliver the Services — manage and optimize your Amazon advertising campaigns, produce reports, and communicate results to you under our engagement.
  • Invoicing and administration — issue invoices, collect payments, keep statutory accounting records.
  • Newsletter and marketing — send articles, educational content, and occasional product news to people who have subscribed or are existing clients who have not opted out.
  • Site analytics and improvement — understand how visitors use the Site so we can improve content, performance, and user experience.
  • Security and fraud prevention — detect and block abuse, spam form submissions, scraping, or unauthorized access attempts.
  • Legal compliance — comply with applicable laws, respond to lawful requests, and enforce our terms.

We do not sell your personal data. We do not use personal data to make solely automated decisions that produce legal or similarly significant effects.

7. Amazon Advertising Data — Special Terms

Because our Services involve accessing Amazon Advertising and Seller Central data on behalf of our clients, we accept additional obligations under Amazon’s own policies. We publish these in detail so that clients, Amazon, and regulators can verify our practices.

7.1 How we access Amazon data

When you engage Insiders Agency, we access your Amazon Advertising account and, where agreed, your Amazon Seller Central account exclusively through Amazon’s official delegation workflows (Amazon Advertising Manager Account, Amazon Ads API, and the Amazon Selling Partner API). We do not ask for, receive, or store your Amazon Seller Central login credentials. You can revoke our access at any time from within your Amazon account.

7.2 Data we access

Depending on the scope of engagement, we may access:

  • Amazon Advertising campaign data (campaigns, ad groups, keywords, targets, negatives, bids, budgets);
  • Advertising performance data (impressions, clicks, spend, sales, ACoS, TACoS, conversion, attribution);
  • Amazon Marketing Cloud (AMC) aggregated and anonymized signals where the client has activated AMC;
  • Seller Central reports required for account management, such as business reports, inventory, search query performance, and Brand Analytics (where the client grants access).

We access the minimum data necessary to deliver the Services you have engaged us for. We do not request access to buyer personally identifiable information (PII) unless strictly required for a specific, authorized task, and we handle any such data in accordance with Amazon’s Data Protection Policy requirements described below.

7.3 Compliance with Amazon policies

Insiders Agency accesses Amazon data in compliance with the Amazon Advertising API Data Protection Policy and the Amazon Advertising API Acceptable Use Policy, and, where applicable, the Amazon Selling Partner API Data Protection Policy. Among other things, we commit to the following practices:

  • Purpose limitation. We only use Amazon data to provide authorized services to the specific Amazon Advertising Participant who granted us access. We never use one client’s Amazon data to benefit another client.
  • No resale, republication or unauthorized disclosure. We never sell, rent, or publish Amazon data (individually labeled or aggregated) to third parties, except as required by law or to our authorized sub-processors bound by equivalent confidentiality and security obligations.
  • No cross-client insights. We do not aggregate data across clients to produce market intelligence products, and we do not calculate or publish insights about the health of Amazon’s business.
  • No model training without consent. We do not use Amazon data to train machine-learning or artificial intelligence models for general purposes. Any AI-assisted feature inside our operations is scoped to the individual client and documented transparently.
  • Need-to-know access. Only Insiders Agency personnel who require access to your Amazon data to deliver the Services have it. Each team member has a unique credential; no shared or generic accounts are used.
  • Quarterly access reviews. We review who has access to Amazon data at least quarterly and remove access for anyone who no longer needs it, including promptly when a team member leaves.
  • No personal devices. Amazon data is not stored on personal devices. All access and storage occur on managed corporate infrastructure.

7.4 Security controls for Amazon data

  • Encryption in transit — all data exchanged with Amazon APIs and with our systems is transmitted over TLS 1.2 or higher (HTTPS).
  • Encryption at rest — stored data is encrypted using industry-standard algorithms provided by our cloud infrastructure and database providers.
  • Network protection — network-level controls restrict access to authorized IP ranges and approved personnel.
  • Authentication — multi-factor authentication is enforced on all employee accounts that can reach Amazon data.
  • Monitoring and anomaly detection — we monitor access patterns and implement account lockout for anomalous behavior or repeated failed logins.
  • Incident response — we maintain a documented incident response plan, reviewed at least every six months and after any major system change. If we become aware of a confirmed security incident involving Amazon data, we will notify Amazon at 3p-security@amazon.com within 24 hours, and notify affected clients without undue delay.

7.5 Retention and deletion of Amazon data

  • During engagement — we retain Amazon data only as long as it is necessary to deliver the Services and produce your reports.
  • On client request — where you request deletion, we will securely delete your Amazon data and confirm deletion to you.
  • On Amazon request — where Amazon requires deletion of specific data, we comply within 72 hours of Amazon’s notice.
  • On termination — within 90 days of the end of our engagement, we securely delete all live (online or network-accessible) instances of Amazon data in our possession. Deletion follows industry-standard sanitization processes (NIST SP 800-88 or equivalent).
  • Audit records — we keep limited records (such as logs of who accessed what, and when) required to demonstrate compliance for at least 12 months after engagement ends, or for as long as applicable law requires, whichever is longer.

7.6 Amazon is a separate controller

Amazon.com, Inc. and its affiliates (“Amazon”) are independent data controllers of the data they hold about you as a seller or advertiser on Amazon’s platforms. Amazon’s own Privacy Notice governs that relationship. This Privacy Policy only covers data as handled by Insiders Agency.

7.7 Trademark acknowledgement

“Amazon”, “Amazon Advertising”, “Amazon Ads”, “Seller Central”, “Sponsored Products”, “Sponsored Brands”, “Sponsored Display”, and related marks are trademarks of Amazon.com, Inc. or its affiliates. Insiders Agency is an independent service provider; we are not endorsed by, certified by, or affiliated with Amazon beyond our role as an authorized user of Amazon’s APIs on behalf of our clients.

8. How We Share Information

We share personal data only in the limited circumstances described below. We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.

  • Service providers (subprocessors). We use a small number of trusted technology providers to run the Site, deliver emails, and store business data. See Section 9 for the current list. Each provider is bound by a written agreement that obliges them to equivalent confidentiality and security standards.
  • Professional advisors. Accountants, tax advisors, and lawyers, where access is necessary to provide their services and under duties of confidentiality.
  • Legal and safety. Where we are required by law, subpoena, court order, or government request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or abuse.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of all or part of our assets. We will notify affected data subjects of any resulting change in control, and any new controller will be bound by terms no less protective than those in this Privacy Policy.
  • With your consent. In any other case, we will ask for your consent before sharing.

9. Service Providers & Subprocessors

We use the following service providers to operate the Site and deliver the Services. Each is bound by a data processing agreement and is used only for the purpose stated.

Provider | Purpose | Location
Supabase, Inc. | Database hosting for form submissions (audit requests, newsletter, leads) | USA / EU region
Resend, Inc. | Transactional email delivery and newsletter sends | USA
Google LLC | Google Analytics 4, Google Fonts, hosted DNS resolver | USA (DPF-certified)
Cloudflare, Inc. | CDN, DNS, DDoS protection, bot management, hosting for the Site | Global edge (DPF-certified)
Amazon.com, Inc. | Amazon Advertising API and Selling Partner API (source of client Amazon data; independent controller) | USA / global

We may engage additional subprocessors from time to time (for example, accounting, video conferencing, customer support tooling). We will update this list when we make material changes. You can request the current list of subprocessors at any time by emailing privacy@insiders.agency.

10. International Data Transfers

Insiders Agency is based in the European Union. Some of our service providers are located in the United States or operate globally. Where we transfer personal data outside the European Economic Area (EEA) or the United Kingdom, we ensure an adequate level of protection through one of the following mechanisms:

  • Adequacy decisions — where the European Commission has formally recognized the destination country as providing adequate data protection.
  • EU–US Data Privacy Framework (DPF) — where the recipient is certified under the DPF (this applies to Google LLC and Cloudflare, Inc., among others).
  • Standard Contractual Clauses (SCCs) — where no adequacy decision or DPF certification applies, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914).
  • UK Addendum / IDTA — for transfers of UK personal data to third countries, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs.

You can request copies of the relevant transfer safeguards by emailing privacy@insiders.agency.

11. Data Retention

We retain personal data only for as long as is necessary for the purposes described in this policy, unless a longer period is required or permitted by law. Representative retention periods:

  • Audit requests and other enquiries — up to 24 months from last interaction, unless we convert to a client engagement.
  • Newsletter subscribers — until you unsubscribe, plus a minimal suppression record to honor your opt-out in future.
  • Client records and contracts — duration of the engagement plus the period required by tax and accounting law (typically 6 to 10 years, depending on jurisdiction).
  • Amazon Advertising / Seller Central data — active during engagement; deleted within 90 days of engagement ending (see Section 7.5).
  • Site analytics — 14 months by default in Google Analytics 4.
  • Server and security logs — up to 12 months for fraud and security investigations.

After the applicable retention period, we delete or irreversibly anonymize personal data. Anonymized, aggregated data may be retained for statistical or research purposes where it can no longer be used to identify any individual.

12. Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, or disclosure. These include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest;
  • Role-based access controls and multi-factor authentication for employees;
  • Unique, individually assigned credentials (no shared accounts); quarterly access reviews;
  • Infrastructure hosted on reputable cloud providers with strong certifications (ISO 27001, SOC 2) and regularly patched systems;
  • Network-level protections including firewalls, bot management, and rate limiting;
  • A documented incident response plan reviewed at least every six months;
  • Confidentiality obligations on all employees and contractors.

No system is perfectly secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required, and affected individuals without undue delay, in accordance with applicable law. For Amazon data, we separately notify Amazon within 24 hours as described in Section 7.4.

13. Your Privacy Rights

Depending on your location and applicable law, you have the following rights in relation to your personal data. To exercise any of these rights, email privacy@insiders.agency with the subject line “Privacy Rights Request”. We may need to verify your identity before acting on a request.

  • Right of access — request a copy of the personal data we hold about you and information about how we use it.
  • Right to rectification — request that we correct inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”) — request deletion of personal data where we no longer have a lawful basis to keep it.
  • Right to restriction — request that we restrict processing in specific circumstances, for example while an accuracy dispute is investigated.
  • Right to data portability — where processing is based on consent or contract and carried out by automated means, receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
  • Right to object — object to processing based on legitimate interests or for direct marketing. Where you object to direct marketing, we will stop immediately.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decisions — we do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.
  • Right to lodge a complaint — if you are in the EEA or the UK, you may lodge a complaint with your local data protection supervisory authority. A list of EU authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. The UK authority is the Information Commissioner’s Office (ico.org.uk).

We will respond to verified requests within one month under the GDPR/UK GDPR and within 45 days under the CCPA/CPRA. We may extend these periods where legally permitted and will notify you if we do so.

14. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights in addition to those listed in Section 13.

Categories of personal information

In the last 12 months, we have collected the following categories of personal information from California residents:

  • Identifiers — name, email, IP address, company;
  • Commercial information — services considered or engaged;
  • Internet or network activity — pages visited, form interactions, cookies;
  • Geolocation — approximate location derived from IP;
  • Professional or employment-related information — job title, company role.

We do not collect sensitive personal information as defined by CPRA. We do not knowingly sell personal information, and we do not share personal information for cross-context behavioral advertising.

Your California rights

  • Right to know categories, sources, purposes, and specific pieces of personal information collected about you;
  • Right to delete personal information we have collected, subject to legal exceptions;
  • Right to correct inaccurate personal information;
  • Right to opt out of sale or sharing for cross-context behavioral advertising (we do not engage in these activities);
  • Right to limit the use of sensitive personal information (not applicable — we do not collect it);
  • Right to non-discrimination for exercising your rights.

To submit a request, email privacy@insiders.agency with subject “California Privacy Request”. You may designate an authorized agent to submit requests on your behalf; we may ask for written authorization and verify your identity directly.

Shine the Light (Cal. Civ. Code §1798.83). Insiders Agency does not disclose personal information to third parties for their own direct marketing purposes.

15. Cookies & Tracking Technologies

We use cookies and similar technologies on the Site to keep it running, remember your preferences, and understand how visitors use it. Strictly necessary cookies are always active; other categories are loaded only with your consent (where required).

Name / pattern | Category | Provider | Duration | Purpose
__cf_bm, __cfruid | Strictly necessary | Cloudflare | Session – 30 min | Bot management, site security
_ga, _ga_* | Analytics | Google Analytics 4 | Up to 2 years | Distinguish unique visitors, measure Site usage
Session / preference cookies | Functional | Insiders Agency | Session | Remember form state and UI preferences

We do not currently run advertising pixels on the Site. If we add any (for example, LinkedIn Insight or Meta Pixel), we will update this table and request consent before they load.

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Blocking strictly necessary cookies may break parts of the Site.

16. Children's Privacy

The Site and the Services are aimed at business users. They are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@insiders.agency and we will delete it promptly.

18. Do Not Track

Some browsers offer a “Do Not Track” (DNT) signal. Because there is no consistent industry standard for DNT signals, we do not respond to DNT signals at this time. You can control tracking and analytics through the cookie controls described in Section 15 and through the privacy rights described in Sections 13 and 14.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our Services, our subprocessors, or applicable law. When we make material changes, we will update the “Last Updated” date at the top of this page and, where appropriate, notify you by email or through a notice on the Site. Your continued use of the Site or the Services after a change takes effect indicates your acceptance of the revised policy.

20. Contact Us

If you have questions, requests, or complaints about this Privacy Policy or our handling of your personal data, please contact us.

For Amazon-specific security incidents involving data accessed through the Amazon Advertising API, we also notify Amazon at 3p-security@amazon.com as described in Section 7.4.