Data Processing Addendum

If your business needs a Data Processing Addendum (DPA), for example because you connect your Amazon Seller data to LumaiScope, this page summarises the terms under which we process data on your behalf. It is written in plain English so you can understand what we do and decide whether you need a signed agreement.

For the data you submit to LumaiScope, including any Amazon Selling Partner API (SP-API) data you authorise us to access, you are the data controller and LumaiScope, Inc. is the data processor. You decide what data to provide and why; we process it only to provide the service and only on your instructions.

The subject matter is the processing necessary to deliver the LumaiScope product-research platform to you. Processing lasts for as long as your account is active and you continue to use the service, plus any short retention period needed to meet legal obligations or to complete deletion, after which the terms below on deletion and return apply.

We process your data to operate the platform you use, including running product research, generating verdicts and scores from measured signals, producing AI-narrated analysis, tracking products you monitor, and surfacing analytics, forecasts, and alerts. Our AI narrates and summarises measured data; it does not invent the underlying numbers. We do not sell your data, and we do not use it to build profiles for advertising.

Depending on how you use LumaiScope, the personal data we process on your behalf may include:

• Account and contact details for you and your authorised users (name, email, plan, and authentication identifiers).
• Your Amazon Seller Central data accessed through SP-API, but only with your OAuth authorisation, such as orders, inventory, fees, performance metrics, and reimbursement-related records.
• Product, keyword, watchlist, pipeline, and configuration data you create in the product.
• Usage and diagnostic data needed to operate and secure the service.

The data subjects are you and any team members or authorised users you add to your account.

We use a small set of vetted subprocessors to run the service, covering hosting, authentication, payments, email, error monitoring, AI processing, and the public-data and keyword sources that power research. Each is bound by data-protection terms consistent with this summary. The current list, and what each one does, is maintained on our Data Sources page.

We apply technical and organisational measures appropriate to the data we handle, including:

• Encryption of data in transit.
• Authenticated, token-verified access controls, with access to personal data limited to staff who need it.
• Logical separation of customer data and least-privilege access to production systems.
• Error and security monitoring to detect and respond to issues.
• Use of reputable infrastructure providers and ongoing review of our security practices.

If an individual exercises their rights under applicable data-protection law, such as access, correction, deletion, or portability, we will provide reasonable assistance so you can respond. Many of these actions can be performed directly in the product, and we will help with the rest on request.

If we become aware of a personal-data breach affecting data we process for you, we will notify you without undue delay and share the information you reasonably need to meet your own notification obligations, including what we know about the nature of the incident and the steps we are taking.

When your account is terminated, or on your written request, we will delete or return the personal data we process on your behalf within a reasonable period, except where we are required by law to retain it. Backups are purged on our standard rotation.

On reasonable request, we will make available the information needed to demonstrate compliance with these processing terms and will cooperate with audits as set out in the executed DPA, subject to confidentiality and to reasonable limits on frequency and scope.

To request a signable Data Processing Addendum, or to ask questions about how we handle your data, email us. We are happy to help business customers complete their own compliance review.