Privacy Policy

The data controller for personal data processed through the BOPOWO platform is MUTAO INTERNATIONAL LIMITED, a company incorporated in Hong Kong, trading as BOPOWO. Our registered office is at 111 TUNG CHAU STREET THE CLOUD, 5/F, RM 509, TAI KOK TSUI 999077, HONG KONG HK.

For all data protection and privacy enquiries, contact our Privacy Team at privacy@bopowo.com. We aim to respond to all privacy enquiries within 5 business days.

This Privacy Policy applies to all individuals who interact with the BOPOWO platform and services operated by MUTAO INTERNATIONAL LIMITED (trading as BOPOWO), including:

• Registered users: Individuals or businesses who create a BOPOWO account to use our tools
• Amazon sellers connecting via OAuth: Sellers who authorize BOPOWO to access their Amazon Selling Partner account through Amazon's OAuth 2.0 authorization flow
• Website visitors: Anyone who visits bopowo.com or any BOPOWO subdomain

This policy covers all data collected through our web application, APIs, and any related services. It describes what data we collect, why we collect it, how we use it, and your rights in relation to it.

We collect the following categories of information:

Account Information: Full name, email address, password (stored as a salted hash — never in plain text), company name, country/region, and account preferences when you register.

Amazon Seller Data (via SP-API): Data we access on your behalf through Amazon's Selling Partner API, subject to your explicit OAuth authorization. The specific data we access is detailed in Section 4 below.

Usage Data: Pages visited, features used, actions taken within the platform, session duration, browser type and version, device type, operating system, and IP address. This is collected for platform performance and security purposes.

Support Communications: Messages, screenshots, or other content you send us via email, in-app support chat, or our contact form. This data is retained to resolve your issue and improve support quality.

Billing Records: Payment method type (e.g., card last four digits), billing address, subscription tier, transaction dates, and amounts. Full payment card numbers are never stored — all payment processing is handled by PCI-DSS compliant third-party processors.

When you connect your Amazon seller account, you explicitly authorize BOPOWO to access specific Amazon data through the official Selling Partner API (SP-API) and Amazon Advertising API. We access only the minimum data necessary for each feature. Below is a complete disclosure of every API we use, what data is accessed, and the purpose:

Listings Items API (used by Listing Suite): We access your product listing data including ASINs, SKUs, listing titles, bullet points, descriptions, images, pricing, and listing status. Purpose: to display, analyze, and enable editing of your product listings within the Listing Suite tool.

Catalog Items API (used by Listing Suite and Brand Hub): We access Amazon's product catalog data including catalog attributes, browse node classification, product type schemas, and Best Seller Rank (BSR) data. Purpose: to enrich your listing data and validate listing content against Amazon's catalog requirements (Listing Suite); and to track competitor BSR trends in your product categories (Brand Hub — Competitor Tracking feature).

Product Type Definitions API (used by Listing Suite): We access Amazon's product type schema definitions and attribute requirements for product categories. Purpose: to validate listing attributes and guide you in creating policy-compliant listings.

A+ Content API (used by Listing Suite): We access your A+ Content modules and Brand Story content associated with your ASINs, including content status, layout modules, and published content. Purpose: to display, create, and manage A+ Content and Brand Story modules within the Listing Suite tool, allowing you to build and update enhanced content without switching to Seller Central.

Orders API (used by Profit Dashboard): We access order-level data including order IDs, order dates, order status, item quantities, sales amounts, marketplace, and fulfillment channel. We also retrieve buyer name and shipping address solely to display within your Profit Dashboard. Buyer contact information from the Orders API is displayed within your authenticated dashboard session only and is NOT stored, cached, or persisted in our databases. See Section 5 for full details on buyer data handling.

Finances API (used by Profit Dashboard): We access financial event data including settlement reports, fee breakdowns (referral fees, FBA fees, advertising costs), reimbursements, and promotional discounts. Purpose: to calculate and display accurate profit and margin data in your Profit Dashboard.

FBA Inventory API (used by Profit Dashboard): We access your FBA inventory levels, reserved quantities, stranded inventory counts, and inbound shipment data. Purpose: to display inventory health metrics and stock-out risk indicators in your Profit Dashboard.

Reports API (used across multiple features): We access Amazon-generated reports including inventory reports, order reports, payment reports, advertising reports, and customer review reports (GET_CUSTOMER_REVIEWS_DATA). Purpose: to power analytics dashboards and enable data export features within BOPOWO (Profit Dashboard), and to retrieve customer review data for review monitoring and sentiment tracking within Brand Hub.

Sponsored Products API (used by Ads Manager): We access your Sponsored Products campaigns, ad groups, keywords, bids, and performance metrics (impressions, clicks, spend, sales). Purpose: to display, analyze, and enable management of your Sponsored Products advertising within Ads Manager.

Sponsored Brands API (used by Ads Manager): We access your Sponsored Brands campaigns, creatives, targeting, and performance metrics. Purpose: to display, analyze, and enable management of your Sponsored Brands advertising within Ads Manager.

Sponsored Display API (used by Ads Manager): We access your Sponsored Display campaigns, targeting options, creatives, and performance metrics. Purpose: to display, analyze, and enable management of your Sponsored Display advertising within Ads Manager.

Brand Analytics API (used by Listing Suite and Brand Hub): We access aggregated brand analytics data including search term performance (Search Query Performance reports), market basket analysis, item comparison, and demographic reports. All Brand Analytics data is aggregated and anonymized by Amazon before delivery to us — we do not receive, process, or store any individual buyer identifiers or personally identifiable information through this API. Purpose: to track organic keyword share-of-voice and search term performance within the Listing Suite Keyword Rank Tracking feature; and to surface brand performance trends and competitive insights within Brand Hub.

Brand Stores API (used by Brand Hub): We access your Amazon Brand Store pages, store metrics, and store performance data. Purpose: to display store analytics and enable store content management within Brand Hub.

Product Pricing API (used by Brand Hub): We access competitive pricing data for ASINs in your product categories, including buy box pricing and listed prices. Purpose: to display competitor pricing trends within the Brand Hub Competitor Tracking feature. We access only publicly available pricing information for ASINs relevant to your connected seller account's product categories.

All API access occurs only within the scope of permissions you explicitly grant during the OAuth authorization flow. We do not access APIs or data scopes beyond what is necessary for the features you use.

The protection of Amazon buyer data is a critical obligation and a core commitment of MUTAO INTERNATIONAL LIMITED. We adhere strictly to Amazon's Buyer Data Protection Policy. The following rules govern our handling of all buyer information:

We do NOT store buyer personally identifiable information (PII). Buyer names, shipping addresses, phone numbers, and email addresses retrieved through the Orders API are displayed within your authenticated seller dashboard session only. This data is NOT written to our databases, NOT cached on our servers, and NOT persisted in any storage medium.

Buyer PII is display-only. When you view order details in your Profit Dashboard, buyer contact information is fetched from Amazon's API in real time and rendered in your browser. It is not retained after your session or used for any other purpose.

We do NOT use buyer data for marketing or profiling. Buyer information is never used to send marketing communications, build audience profiles, create advertising segments, or for any purpose other than displaying it to the authorized seller.

We do NOT share buyer data with third parties. Buyer PII retrieved through the Orders API is never transmitted to, shared with, or made accessible to any third party, including our own service providers and subprocessors.

We do NOT sell buyer data. Under no circumstances does MUTAO INTERNATIONAL LIMITED sell, license, or otherwise monetize buyer information.

Compliance with Amazon Buyer Data Protection Policy. Our data handling practices are designed to comply fully with Amazon's Buyer Data Protection Policy as published in the Amazon Developer Agreement.

Seller responsibility for exports. If you use BOPOWO's data export features to download order data to your own systems, you are solely responsible for handling that exported data in compliance with Amazon's policies, applicable data protection laws, and your own privacy obligations to buyers.

We use the information we collect for the following purposes:

Service Delivery: To provide, operate, maintain, and support all features of the BOPOWO platform, including syncing and displaying your Amazon seller data in your dashboards.

Payments and Billing: To process subscription payments, issue receipts, manage renewals, and handle billing disputes.

Communications: To send transactional emails (account confirmations, billing receipts, password resets, API error alerts you configure), and product updates. Marketing communications are sent only with your consent and can be withdrawn at any time.

Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, fraudulent activity, abuse of the platform, and security incidents. We analyze usage patterns and access logs for this purpose.

Platform Improvement: To understand how users interact with BOPOWO, identify bugs, improve features, and plan new functionality. Usage analytics are processed in aggregate and do not identify individual users in reports.

Legal Compliance: To comply with applicable laws, regulations, and legal processes, including data protection regulations in Hong Kong, the EU/UK, and other relevant jurisdictions.

• What we explicitly do NOT do:
• We do NOT sell your personal data or Amazon seller data to any third party
• We do NOT train machine learning models on your Amazon seller data for external commercial use or to benefit other customers
• We do NOT use buyer data for any purpose beyond displaying it to you, the authorized seller, within your dashboard session
• We do NOT share your data with advertising networks or data brokers

For users in the European Economic Area (EEA) or United Kingdom (UK), we process personal data under the following legal bases as required by the General Data Protection Regulation (GDPR) and UK GDPR:

Contract Performance (Article 6(1)(b)): Processing your account information and Amazon seller data is necessary to provide the services you have contracted for. Without this processing, we cannot deliver the BOPOWO platform.

Legitimate Interests (Article 6(1)(f)): We process usage data and security logs based on our legitimate interests in maintaining platform security, preventing fraud, improving our services, and operating a sustainable business. These interests do not override your fundamental rights and freedoms.

Consent (Article 6(1)(a)): We send marketing communications only with your explicit consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting privacy@bopowo.com.

Legal Obligation (Article 6(1)(c)): We retain billing records and process data as required to comply with applicable laws, including financial regulations and data protection obligations.

Hong Kong PDPO: For users in Hong Kong, we process personal data in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The Data Protection Principles under the PDPO govern our collection, use, accuracy, retention, security, and access-related obligations.

We do not sell your personal data. We share data only in the following limited and controlled circumstances:

Service Providers (Data Processors): We engage trusted third-party providers to operate the BOPOWO platform, including cloud infrastructure providers, payment processors, transactional email delivery services, error monitoring tools, and security services. These providers act as data processors under our instructions and are contractually prohibited from using your data for their own purposes. All subprocessors are required to implement security standards equivalent to our own.

Amazon API Exchange: Data is exchanged with Amazon's Selling Partner API and Advertising API as necessary to retrieve your seller data and display it within BOPOWO. This exchange is governed by Amazon's Developer Agreement and your OAuth authorization.

Legal Compliance: We may disclose personal data if required to do so by applicable law, regulation, court order, subpoena, or lawful government request. Where legally permitted, we will notify you of such requests before disclosure.

Security and Protection: We may disclose data if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of MUTAO INTERNATIONAL LIMITED, our users, or the public.

Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, user data may be transferred to the acquiring entity. We will provide at least 30 days' notice by email and platform notification before your data becomes subject to a different privacy policy, and you will have the opportunity to delete your account during this period.

What we do NOT do: We do not share your data with advertising networks, data brokers, or any party for commercial data monetization purposes.

We retain different categories of data for different periods based on legal requirements and operational necessity:

• Account data: Retained for the duration of your active account plus 30 days after account deletion, to allow for account recovery requests
• OAuth tokens and Amazon credentials: Deleted within 7 days of access revocation (whether initiated by you in BOPOWO, via Seller Central, or by Amazon)
• Amazon seller data (listings, orders, financials, advertising): Retained for up to 24 months of rolling history while your account is active; deleted within 30 days of account deletion or access revocation
• Buyer contact information: NOT stored — displayed in-session only and never written to persistent storage (see Section 5)
• Billing records: Retained for 7 years to comply with Hong Kong and international financial record-keeping regulations
• Support communications: Retained for 3 years from the date of last correspondence
• Usage logs (server logs, access logs): Anonymized after 90 days; anonymized aggregates may be retained indefinitely for capacity planning and security analysis

How to request deletion: To request deletion of your account and all associated data, email privacy@bopowo.com with the subject "Data Deletion Request." Include the email address associated with your account. We will confirm receipt within 5 business days and complete deletion within 30 days, subject to any legal retention obligations noted above. We will send you a confirmation when deletion is complete.

MUTAO INTERNATIONAL LIMITED implements technical and organizational measures to protect your data against unauthorized access, loss, destruction, or alteration:

Encryption at Rest: All databases, backups, and file storage containing personal data are encrypted using AES-256 encryption. OAuth tokens and API credentials are stored with additional application-layer encryption.

Encryption in Transit: All data transmitted between your browser and our servers, and between our servers and Amazon's APIs, uses TLS 1.2 or higher. We enforce HTTPS on all endpoints and use HSTS headers.

Access Controls: Access to production systems and personal data is restricted to authorized personnel on a strict least-privilege basis. All administrative access requires multi-factor authentication (MFA). Access rights are reviewed quarterly and revoked immediately upon role change or departure.

Network Security: We deploy Web Application Firewalls (WAF) and DDoS protection on all public-facing services. Network traffic is monitored and anomalous patterns trigger automated alerts.

Penetration Testing: We conduct penetration testing and vulnerability assessments by qualified third-party security professionals at minimum annually, with targeted testing following significant platform changes. Critical vulnerabilities are remediated within 48 hours of discovery.

Monitoring: Our systems are monitored 24/7 for security events, unauthorized access attempts, and anomalous behavior. Security alerts are triaged by our engineering team within 4 hours.

Subprocessor Security: All third-party service providers who process personal data on our behalf are required to maintain security standards at least equivalent to our own, evidenced by relevant certifications (SOC 2, ISO 27001, or equivalent).

No method of transmission over the internet or electronic storage is 100% secure. While we implement industry-standard best practices, we cannot guarantee absolute security. To report a potential security vulnerability, email security@bopowo.com.

In the event of a data security incident that affects your personal data or Amazon seller data, MUTAO INTERNATIONAL LIMITED follows this response protocol:

Containment: Upon discovery of a security incident, our team initiates containment procedures within 24 hours to limit the scope and impact of the incident.

Amazon Notification: If the security incident involves Amazon SP-API data or Advertising API data, we will notify Amazon's security team within 24 hours of discovering the incident, as required by Amazon's Developer Agreement and Data Protection Policy. We will cooperate fully with Amazon's investigation and remediation requirements.

User Notification: If the incident is likely to result in a risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33/34 requirements. Our notification will describe: the nature of the incident; the categories and approximate number of individuals and records affected; the likely consequences of the incident; and the measures we are taking or propose to take to address the incident and mitigate its effects.

Regulatory Notification: Where required by applicable law, we will notify relevant supervisory authorities within required timeframes (72 hours under GDPR; as required under Hong Kong PDPO guidelines).

Post-Incident Review: Following any significant incident, we conduct a root cause analysis and implement remediation measures to prevent recurrence. Summary findings are retained internally for audit purposes.

To report a suspected security incident or vulnerability, contact security@bopowo.com immediately.

MUTAO INTERNATIONAL LIMITED will access Amazon data exclusively through official APIs upon receiving authorization, in strict compliance with Amazon's developer policies. This section documents our compliance commitments:

APIs Used: We use only the official Amazon Selling Partner API (SP-API) and Amazon Advertising API. We do not use any unofficial methods, scraping techniques, or automation that violates Amazon's Acceptable Use Policy to access Amazon data.

Amazon Developer Agreement: Our access to and use of Amazon SP-API data is governed by the Amazon Developer Agreement. We agree to and comply with all obligations set out therein.

• Amazon Data Protection Policy (DPP): We comply with all requirements of Amazon's Data Protection Policy. Specifically:
• We use Amazon data only for the disclosed purposes stated in this Privacy Policy and in our application description
• We do not sell, share, or monetize Amazon seller data or buyer data for any purpose other than providing the BOPOWO service
• We do not create, compile, or maintain datasets of Amazon buyer information for any purpose
• We maintain technical and organizational security measures as described in Section 10
• We notify Amazon within 24 hours of any security incident involving Amazon data (see Section 11)
• We delete all Amazon data within 30 days of access revocation, account deletion, or as required by Amazon

Amazon Acceptable Use Policy (AUP): We do not engage in scraping, automated access outside the official API, or any activity that violates Amazon's Acceptable Use Policy. All automation in BOPOWO will operate through official API endpoints within Amazon's usage guidelines and rate limits.

Amazon Buyer Data Protection Policy: We comply fully with Amazon's Buyer Data Protection Policy. Buyer PII obtained through the Orders API is not stored, not shared, and not used for any purpose other than display to the authorized seller (see Section 5).

Revoking BOPOWO's Access: You may revoke BOPOWO's access to your Amazon seller account at any time by navigating to Seller Central → Settings → Authorized Applications, and removing BOPOWO from the list of authorized applications. You may also revoke access from within BOPOWO's account settings page. Upon revocation, we will delete your OAuth credentials and queued Amazon data within 7 days.

Depending on your location, you have the following rights in relation to your personal data. To exercise any right, contact privacy@bopowo.com. We will respond within 30 days (or sooner if required by law).

• Rights applicable to all users:
• Access: Request a copy of the personal data we hold about you and information about how we process it
• Correction: Request correction of inaccurate or incomplete personal data
• Deletion: Request deletion of your personal data, subject to legal retention obligations
• Portability: Request your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV)
• Withdraw Consent: Withdraw consent for marketing communications at any time without affecting the lawfulness of prior processing

• Additional rights for EEA and UK users (GDPR/UK GDPR):
• Object: Object to processing of your personal data based on legitimate interests
• Restrict: Request restriction of processing in certain circumstances (e.g., while accuracy is disputed)
• Supervisory Authority Complaint: Lodge a complaint with your local data protection supervisory authority (e.g., your national DPA within the EU, or the ICO in the UK) if you believe we have violated your data protection rights

• Rights under Hong Kong PDPO:
• Access and Correction: Request access to and correction of personal data held about you in accordance with the Personal Data (Privacy) Ordinance (Cap. 486)

We will not discriminate against you for exercising any of these rights.

We use cookies and similar technologies in the following limited ways:

Essential Cookies: We use session cookies to maintain your authenticated login session and security state. These are strictly necessary for the platform to function and cannot be disabled.

First-Party Analytics: We use first-party analytics cookies to understand how users navigate BOPOWO, which features are most used, and where errors occur. This data is processed by us directly and is not shared with third-party analytics providers.

No Advertising or Retargeting Cookies: We do NOT use advertising cookies, retargeting pixels, or any third-party tracking technologies. We do not participate in cross-site tracking networks or data brokerage arrangements.

No Third-Party Tracking: We do not embed third-party social media buttons, tracking pixels, or other tracking technologies that would allow third parties to profile your behavior on our platform.

You can control cookie settings through your browser preferences. Blocking essential cookies will prevent you from logging into the platform. Blocking analytics cookies will not affect core platform functionality.

MUTAO INTERNATIONAL LIMITED is based in Hong Kong. We may process or transfer personal data to countries outside of Hong Kong, including cloud infrastructure regions in Asia Pacific, Europe, and the United States, to operate the BOPOWO platform.

For transfers of personal data from the European Economic Area (EEA) or United Kingdom (UK) to countries not recognized as providing adequate protection, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs): European Commission-approved SCCs or UK International Data Transfer Agreements (IDTAs) as applicable
• Adequacy Decisions: Transfers to countries recognized by the European Commission or UK ICO as providing adequate data protection

We keep a record of all international data transfer mechanisms and will provide details on request. Contact privacy@bopowo.com for information about the specific safeguards applicable to your data.

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or Amazon's developer requirements.

Material Changes: For material changes to how we collect, use, or share your personal data, we will provide at least 14 days' advance notice by email to your registered email address and by displaying a prominent notice within the BOPOWO platform.

Amazon API Changes: If changes to this Privacy Policy are required to reflect updated Amazon SP-API data access or handling practices, we will also update our Amazon Developer Application disclosures to remain consistent with this policy.

Non-Material Changes: We may make non-material changes (such as clarifications, corrections, or formatting updates) without advance notice, though we will always update the "Last updated" date.

Your continued use of BOPOWO after a policy change becomes effective constitutes your acceptance of the updated policy. If you do not agree to a material change, you should discontinue use before the effective date and may delete your account by contacting privacy@bopowo.com.

The current version of this Privacy Policy is always available at this URL.