Privacy Policy

Last Updated: May 2026

Limonene, a service operated by Zed Axis ("we", "our", "us"), respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your data when you visit our website (regardless of where you visit it from) or use our Amazon SP-API applications, and tell you about your privacy rights and how the law protects you.

1. Important Information and Who We Are

We are the data controller responsible for your personal data. If you have any questions about this privacy policy, please contact us at: [email protected].

2. Compliance with Amazon Data Protection Policy (DPP)

Our services integrate with the Amazon Selling Partner API (SP-API). We strictly adhere to Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP). Our full security posture is mapped to the DPP and AUP section-by-section in an internal POLICIES document, available to Amazon's vetting team or to a security researcher on written request to [email protected].

We do not collect or store buyer Personally Identifiable Information (PII) at rest. Buyer name and city are read from SP-API on demand at the moment a tax invoice is rendered or an Amazon-templated review request is sent, then discarded as soon as the request returns.

3. The Data We Collect About You

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data — first name, last name, business name, tax ID.
  • Contact Data — email address, telephone number, optional Telegram chat ID for notifications.
  • Amazon Selling Partner Data — seller IDs, SP-API refresh tokens (AES-256-GCM encrypted at rest with a per-token random IV), inventory summaries, listings and pricing data, FBA shipment and financial events (including refund and adjustment events used for reimbursement detection), inbound shipment plans, and catalog item metadata. All retrieved only with the SP-API roles you explicitly authorize.
  • Order Data — order IDs, purchase dates, ship dates, and item lists, used to compute review eligibility windows and to render tax invoices on demand. Buyer name and city appear transiently in rendered invoice PDFs; they are not written to any database collection.
  • Buyer Message Metadata — read-only display of buyer-seller message threads. Message bodies are fetched fresh on each request and not persisted.

4. How We Use Your Data

We will only use your data when you authorize it. Specifically:

  • To compute and display insights (out-of-stock, reimbursements owed, slow movers, Buy Box status) from your SP-API data.
  • To execute the one-click actions you authorize: price changes, removal orders, opening Seller Central claim forms.
  • To send Amazon's official Review Request via the Solicitations API for shipped orders — only when you have explicitly enabled "Send automatically" in Settings. These messages are templated and sent by Amazon, not by us.
  • To send you (the seller, not your buyers) Telegram notifications about critical insights — only when you configure a chat ID and enable notifications.
  • To run a per-seller repricer on Listings you have configured rules for, capped at Amazon's 20% per-cycle AI Agent Policy.
  • We never share, sell, or expose your data to other sellers, advertisers, or third parties.

4a. Your Master Kill Switch

The Settings page includes a one-click "Pause everything" button that immediately halts every background worker touching Amazon on your behalf. We honor it within one worker cycle (≤30 minutes).

5. Data Deletion and Retention

If you terminate your account or revoke SP-API access, we permanently delete all Amazon-sourced data from live systems within 30 days, using deletion methods aligned with NIST SP 800-88. Backups containing your data are purged within 90 days. Non-PII analytics data is retained for up to 18 months. You can request immediate deletion any time by emailing [email protected].

6. Subprocessors

The only third parties involved in operating Limonene are:

  • DigitalOcean — droplet hosting and the underlying MongoDB instance.
  • Let's Encrypt — TLS certificate issuance.
  • Telegram Bot API — only used to deliver operator-configured alerts to the seller's own Telegram. No Amazon-sourced data is sent except the seller's own alert text.

No other party receives Amazon-sourced data. We do not sell, share, or aggregate data across sellers. We do not target Amazon customers for marketing and do not fabricate or modify reviews.

7. Security and Incident Response

Our Incident Management Point of Contact is the founder, Mohamed Abouzid ([email protected]). Security incidents affecting Amazon-sourced data are reported to [email protected] within 24 hours of detection. Every write action that crosses the SP-API boundary on your behalf is recorded in an internal audit log retained for at least 12 months.