1. Introduction
8291152 Canada Inc., operating as ALFI ("we", "our", or "us"), operates the website thealfi.ca and provides
Amazon seller management services and inventory management software (collectively, the "Services"). This Privacy Policy
describes how we collect, use, store, protect, share, and delete personal information and business data when you
use our Services.
We are committed to complying with Amazon's Data Protection Policy (DPP), Amazon's Acceptable Use Policy (AUP),
and all applicable regional privacy regulations including the Personal Information Protection and Electronic
Documents Act (PIPEDA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act
(CCPA/CPRA).
2. Information We Collect
2.1 Information You Provide
- Contact information: Name, email address, phone number, and company name when you fill out forms, request quotes, or book consultations.
- Account information: Login credentials and profile information when you create an account.
- Business information: Amazon seller details, ASIN catalog information, revenue ranges, and marketplace presence.
- Communications: Messages, emails, and other correspondence you send to us.
2.2 Information from Amazon SP-API
When you connect your Amazon Seller account to our software, we access data through the Amazon Selling Partner
API (SP-API) with your explicit authorization via Amazon's OAuth mechanism. We only request and retrieve data
that is necessary for the application's stated functionality. This includes:
- Inventory data: Stock levels, fulfillment center quantities, and inventory health metrics across FBA, AWD, and 3PL locations.
- Sales data: Sales velocity, order volumes, and revenue metrics for inventory forecasting and restock recommendations.
- Product data: ASIN details, product titles, SKUs, and catalog information.
- Brand Analytics data: Search query performance, market basket analysis, and demand analytics (where authorized).
- Shipment data: Inbound shipment status, tracking information, and fulfillment data.
2.3 Personally Identifiable Information (PII)
Where authorized and necessary for the Services, we may process limited personally identifiable information
obtained through SP-API, which may include:
- Buyer names and shipping addresses (for merchant-fulfilled order processing)
- Order-level details necessary for tax calculation and remittance
PII obtained through Amazon SP-API is used exclusively for:
- Fulfilling merchant-fulfilled shipping obligations on behalf of the authorized selling partner
- Tax calculation and remittance as required by law
- Producing legally required documents (e.g., invoices, customs declarations)
- Meeting legal or regulatory requirements
PII is never used for marketing, advertising, promotional purposes, or any purpose beyond the four categories
listed above.
2.4 Automatically Collected Information
- Usage data: Pages visited, features used, and interactions with our software.
- Device information: Browser type, operating system, IP address, and device identifiers.
- Cookies: We use essential cookies for authentication and session management. See Section 9 for details.
3. How We Use Your Information
3.1 Permitted Uses
We use the information we collect solely to:
- Provide and improve our inventory management software and consulting services on behalf of authorized Amazon selling partners.
- Generate stock health monitoring, restock recommendations, and inventory analytics.
- Process quote requests and communicate with you about our Services.
- Send service-related notifications (e.g., stock alerts, restock reminders).
- Monitor and resolve client-side errors and maintain service quality.
- Comply with legal obligations and enforce our Terms of Service.
3.2 Prohibited Uses
We will never:
- Sell your data: We do not sell, rent, or trade your personal information or Amazon data to any third party.
- Use data for advertising: We do not use Amazon SP-API data or your personal information for marketing, advertising, or promotional purposes.
- Aggregate data across sellers: We do not aggregate Amazon data across different selling partners' accounts or their customers.
- Use data competitively: We do not share Amazon-sourced data with competitors or use it to derive competitive intelligence.
- Vend data externally: We do not sell, license, or provide Amazon-sourced information as a standalone data service or product.
- Use data beyond authorization: Amazon SP-API data is used exclusively to provide the inventory management and analytics services you have authorized.
4. Data Storage and Encryption
Your data is stored securely using industry-standard infrastructure:
- Infrastructure: We use Supabase (built on PostgreSQL) hosted on Amazon Web Services (AWS) with data centers in the United States and Canada.
- Encryption at rest: All data is encrypted at rest using AES-256 encryption, managed through a Key Management System (KMS) that handles key generation, storage, rotation, and revocation.
- Encryption in transit: All data transmissions use TLS 1.2 or higher. No personally identifiable information is ever transmitted unencrypted.
- Backups: Automated daily backups with point-in-time recovery. All backup data is encrypted to the same AES-256 standard.
- No unprotected storage: PII is never stored on removable media or personal devices. All storage meets the encryption standards described above.
5. Data Protection and Security Controls
We implement comprehensive security measures to protect your data:
5.1 Access Controls
- Role-Based Access Control (RBAC): Data access is limited to authorized personnel on a role and need-to-know basis, with unique user IDs for each individual.
- Multi-Factor Authentication (MFA): Required for all accounts that have access to Amazon data and production systems.
- Account lockout: Accounts are locked after 10 unsuccessful login attempts.
- Quarterly access reviews: We conduct quarterly reviews of all personnel access to data systems to ensure continued authorization.
- Employee termination: Access is revoked within 24 hours of personnel termination or role change.
- No shared credentials: Shared or generic login credentials are prohibited. All access is tied to individual identities.
5.2 Application Security
- Row-Level Security (RLS): Database-level policies ensure each organization can only access its own data, providing strict data isolation.
- Authentication: Secure authentication via Supabase Auth with encrypted session management.
- API security: All API endpoints require authentication. SP-API tokens and secrets are stored encrypted and never exposed to client-side code.
- Content Security Policy: HTTP security headers including CSP, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security are enforced.
- Data Loss Prevention (DLP): Controls are in place to prevent unauthorized data exfiltration from our systems.
5.3 Network and Infrastructure Security
- Network protection: Firewalls and network segmentation restrict access to data systems. Intrusion detection and prevention systems monitor for threats.
- Anti-malware: Endpoint protection and anti-malware software are deployed and updated monthly at minimum.
- Logging and monitoring: Security events are logged and monitored. Logs are retained for a minimum of 12 months and reviewed for anomalies.
5.4 Vulnerability Management
- Vulnerability scanning: Automated vulnerability scans are performed at least every 180 days.
- Penetration testing: External penetration tests are conducted annually.
- Patch management: Critical vulnerabilities are remediated within 7 days. High-risk vulnerabilities are remediated within 30 days.
- Dependency monitoring: Third-party dependencies are monitored for known security vulnerabilities.
5.5 Employee and Contractor Security
- Confidentiality agreements: All personnel with access to data sign confidentiality and data protection agreements.
- Security training: Personnel receive security awareness training on data handling, incident response, and privacy obligations.
- Password requirements: Minimum 12 characters with mixed case, numbers, and special characters. Password history prevents reuse of the last 10 passwords.
6. Data Sharing
We share your information only on a need-to-know basis and only in the following circumstances:
- Service providers: We use trusted third-party services to operate our platform, including Supabase (database and authentication), Vercel (application hosting), Cloudflare (website hosting and security), and Cal.com (appointment scheduling). We conduct due diligence on all third-party data protection practices before granting access to any data. These providers maintain comparable security standards and are bound by their own privacy policies and data protection agreements.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or government request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, with prior notice to you and to Amazon within 30 days of the organizational change.
We do not share Amazon SP-API data with any unauthorized third parties. All data sharing is
limited to what is necessary to provide the Services you have authorized, in strict compliance with Amazon's
Data Protection Policy. Annual risk assessments are conducted before renewing third-party access to any
personally identifiable information.
7. Data Retention and Deletion
7.1 Retention Periods
- Personally identifiable information (PII): PII obtained through Amazon SP-API is retained for no longer than 30 days after it is no longer needed for the authorized purpose (e.g., 30 days after order delivery for shipping-related PII). PII that must be retained beyond 30 days for legal compliance is stored in encrypted cold storage in physically secure facilities.
- Non-PII business data: Non-personally identifiable Amazon data (inventory levels, sales velocity, product catalog data) is retained for up to 18 months to provide historical analytics and trend data, unless you request earlier deletion.
- Account data: Your account information is retained for the duration of your subscription and deleted upon account termination as described below.
7.2 Deletion Rights and Process
- How to request: Email us at [email protected] with the subject line "Data Deletion Request".
- Timeline: We process deletion requests within 30 days of receipt.
- Scope: Upon request, we permanently and securely delete all personal data, Amazon SP-API data, and associated analytics from our systems, including all copies in backups, archives, and disaster recovery stores.
- Deletion standard: Data sanitization follows NIST SP 800-88 guidelines (Clear, Purge, or Destroy methods as appropriate to the storage medium).
- No anonymization substitute: Data anonymization is not used as a substitute for deletion. When deletion is requested, data is permanently removed.
- Legal retention: Where required by law, minimal data may be retained in encrypted cold storage solely for legal compliance purposes, with documentation of the legal basis.
7.3 Amazon-Initiated Deletion
- Upon notice from Amazon to delete data, we will permanently and securely delete all applicable Amazon information within 30 days.
- You can revoke our SP-API access at any time through your Amazon Seller Central account. Upon revocation, we delete all associated SP-API data within 30 days.
8. Incident Response and Breach Notification
- Incident response plan: We maintain a documented incident response plan that is reviewed and updated semi-annually.
- Detection and monitoring: We employ continuous monitoring and logging to detect potential security incidents.
- Amazon notification: Any security incident involving Amazon data is reported to Amazon at [email protected] within 24 hours of detection.
- User notification: Affected users are notified of security incidents as required by applicable law (PIPEDA: as soon as feasible; GDPR: within 72 hours; CCPA: without unreasonable delay).
- Investigation and remediation: All incidents are investigated, documented, and remediated. Root cause analysis is performed and preventive measures are implemented.
9. Cookies
Our website uses the following types of cookies:
- Essential cookies: Required for authentication, session management, and basic website functionality. These cannot be disabled.
- Analytics cookies: Used to understand how visitors interact with our website. We use privacy-respecting analytics that do not track individual users across sites.
We do not use advertising cookies or third-party tracking cookies.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your personal data (see Section 7).
- Portability: Request a machine-readable copy of your data in a commonly used format.
- Objection: Object to specific processing of your data.
- Restriction: Request restriction of processing in certain circumstances.
- Withdrawal: Withdraw consent for data processing at any time, without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, contact us at [email protected].
We will respond within 30 days (PIPEDA/GDPR) or 45 days (CCPA).
11. International Data Transfers
Our infrastructure is hosted in the United States and Canada. If you are accessing our Services from outside
these jurisdictions, your data may be transferred to and processed in these countries. We ensure appropriate
safeguards for international data transfers through:
- Standard Contractual Clauses (SCCs) for transfers from the EU/EEA
- Adequacy assessments for jurisdictions without formal adequacy decisions
- Encryption and access controls that apply regardless of data location
12. Amazon SP-API Compliance
Our use of Amazon Selling Partner API data complies with Amazon's Acceptable Use Policy (AUP) and
Amazon's Data Protection Policy (DPP). Specifically:
- We only request and retrieve SP-API data that is necessary to provide the Services you have authorized.
- We do not use SP-API data for purposes other than providing our inventory management and analytics Services.
- We do not share SP-API data with unauthorized third parties.
- We do not aggregate data across different selling partners or their customers.
- We do not use Amazon data to derive competitive intelligence or vend it as an external data service.
- We implement all security measures required by Amazon's DPP, including encryption, access controls, vulnerability management, and incident response.
- We honor data deletion requests, Amazon-initiated deletion notices, and SP-API authorization revocations within 30 days.
- PII retention does not exceed 30 days after the authorized purpose is fulfilled.
- We monitor API throttling quotas and client-side errors to ensure adequate service performance.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal
requirements. We will post any changes on this page and update the effective date. For material changes,
we will make reasonable efforts to notify you via email or through our Services. Continued use of our
Services after changes constitutes acceptance of the updated policy.
14. Contact Us
For questions about this Privacy Policy, data protection concerns, or to exercise your data rights, contact us at:
For security incidents involving Amazon data, contact Amazon directly at
[email protected].