Privacy Policy

Effective Date: June 7, 2026
Last Updated: June 7, 2026

Amazon SP-API Compliance: XTGH Services is a certified Amazon Solution Provider fully compliant with Amazon's Data Protection Policy (DPP). We implement enterprise-grade security controls to protect your marketplace data.

1. Data Collection

XTGH Services collects data from your marketplace integrations (Amazon, Walmart, eBay, TikTok Shop) to provide comprehensive analytics and insights into your multichannel business operations. This includes:

  • Order and transaction data
  • Inventory levels and stock information
  • Product listings and catalog data
  • Performance metrics and sales data
  • Campaign and promotional information
  • User interaction logs within our platform

2. How We Use Your Data

All data collected by XTGH Services is used exclusively to provide you with data analytics and insights. Your data is never shared, sold, or transferred to other customers or third parties.

Specifically, we use your data to:

  • Generate real-time performance dashboards
  • Provide cross-channel analytics and reporting
  • Identify inventory synchronization issues
  • Monitor listing integrity across marketplaces
  • Calculate key metrics (ROAS, ACOS, conversion rates)
  • Alert you to anomalies and opportunities
  • Improve platform functionality and user experience

3. Data Isolation & Customer Privacy

Your data is completely isolated and never shared with other XTGH Services customers. Each customer maintains complete data segregation, meaning:

  • Your marketplace data cannot be accessed by other users or customers
  • Your analytics and reports are private and confidential
  • We do not aggregate your data with other customers' data for benchmarking or analysis
  • Your business intelligence remains proprietary to you alone
  • Multi-tenant aggregation or anonymized reporting is not performed with your data

4. Data Security & Technical Safeguards

We maintain physical, administrative, and technical safeguards to protect your data against unauthorized access, loss, and misuse:

Encryption & Transport Security:

  • Encryption in Transit: All data transmissions use TLS 1.2 or higher encryption protocols
  • Encryption at Rest: All stored data, including Personally Identifiable Information (PII), is encrypted using AES-128 or higher encryption standards
  • Key Management: Cryptographic keys are managed through a secure Key Management System (KMS) with regular rotation

Access Controls & Authentication:

  • Multi-Factor Authentication (MFA): Required for all system access
  • Least Privilege Principle: Access granted only on a need-to-know basis
  • Unique User IDs: No shared or generic login credentials
  • Account Lockout: Automatic lockout after 10 failed login attempts
  • Password Requirements: Minimum 12 characters with complexity requirements
  • Quarterly Access Reviews: Regular reviews of user access permissions

Network & Infrastructure Security:

  • Network firewalls and intrusion detection/prevention systems (IDS/IPS)
  • Network segmentation and access control lists
  • Anti-virus and anti-malware tools with monthly updates
  • Regular vulnerability scans (at least monthly) and annual penetration testing
  • Data Loss Prevention (DLP) controls to monitor unauthorized data movement

Monitoring & Incident Response:

  • Real-time security monitoring and logging of all system access
  • Automated alerts for suspicious activities and unauthorized access attempts
  • Comprehensive incident response plan reviewed semi-annually
  • Log retention for at least 12 months for security investigation purposes

5. Data Retention & Deletion

We implement strict data retention policies to ensure your data is retained only as long as necessary:

Personally Identifiable Information (PII):

  • Standard Retention: PII (customer names, addresses, email addresses, phone numbers) is retained for no longer than 30 days after order delivery
  • Business Purposes: PII is retained only as long as necessary to fulfill orders, calculate taxes, produce legally required documents, and meet regulatory requirements
  • Extended Retention: PII may be retained beyond 30 days only when required by applicable law (e.g., tax records, regulatory compliance)

Non-PII Data:

  • Non-personally identifiable data is retained for up to 18 months unless longer retention is required by applicable laws
  • Analytics and aggregated business intelligence data follows standard retention policies

Data Deletion:

  • Upon Request: We will permanently and securely delete your data within 30 days of receiving a deletion request
  • Account Termination: All data is securely deleted within 30 days of account closure, except where retention is legally required
  • Secure Deletion: Data deletion follows industry-standard sanitization processes (NIST 800-88 guidelines)
  • Certification: Upon request, we will provide written certification that data has been securely destroyed

6. Marketplace API Compliance & Amazon SP-API

As an authorized Solution Provider, XTGH Services integrates with marketplace APIs including Amazon Services API (SP-API), Walmart API, eBay REST API, and TikTok Shop API on your behalf. We comply with all applicable data protection policies and requirements established by these marketplaces.

Amazon SP-API Data Protection Compliance:

XTGH Services is fully compliant with Amazon's Data Protection Policy (DPP) for Solution Providers. This includes:

  • API Credential Security: Amazon API keys and credentials are encrypted and rotated at least annually
  • Access Restriction: Only authorized employees with documented training have access to Amazon data
  • Data Segregation: Amazon data is stored in separate databases with clear data attribution and tagging
  • PII Protection: Amazon customer PII receives enhanced protection with 30-day retention limits
  • Security Incident Notification: Amazon is notified within 24 hours of any security incident involving their data
  • No Credential Storage: We do not hardcode or store marketplace credentials in code or public repositories
  • Separate Environments: We maintain separate test and production environments

General Marketplace API Security:

  • API connections use secure protocols (TLS 1.2+, SFTP, SSH-2)
  • Access is performed only when necessary to retrieve updated data for analytics
  • We act solely as an authorized intermediary on your behalf
  • All marketplace data privacy policies and terms of service are strictly followed
  • Regular third-party risk assessments conducted annually for any subcontractors

Important: You are responsible for ensuring you have the legal right to grant us access to your marketplace accounts and that our use of marketplace APIs on your behalf complies with each marketplace's terms of service.

7. Your Rights

You have the right to:

  • Access all data we hold about you
  • Request corrections or updates to your data
  • Request deletion of your data and account
  • Obtain a copy of your data in a portable format
  • Opt out of optional analytics or features

To exercise these rights, contact us at support@xtghservices.com

8. Security Incident Response & Data Breach Notification

We maintain comprehensive incident response procedures to quickly detect, respond to, and remediate security incidents.

Incident Response Plan:

  • Incident Detection: Real-time monitoring and alerting systems detect potential security incidents
  • Incident Response Team: Designated incident response roles and responsibilities with clear escalation paths
  • Investigation & Documentation: All security incidents are investigated with documented remediation actions and root cause analysis
  • Plan Review: Incident response plan is reviewed and updated every six months and after major system changes
  • Evidence Preservation: Chain of custody maintained for all evidence and records collected during investigations

Notification Requirements:

  • Customer Notification: You will be notified within 72 hours if a breach affects your personal information
  • Regulatory Notification: Relevant government and regulatory agencies will be informed as required by applicable laws
  • Marketplace Partners: Amazon and other marketplace partners are notified within 24 hours of detecting any security incident involving their data (via security@amazon.com for Amazon incidents)
  • Incident Management Contact: We maintain a designated Incident Management Point of Contact (IMPOC) available for security incident coordination

Note: XTGH Services will not represent or speak on behalf of Amazon or other marketplace partners to regulatory authorities unless specifically requested in writing.

9. Vulnerability Management & Security Testing

We maintain rigorous vulnerability management procedures to identify and remediate security vulnerabilities:

Vulnerability Scanning & Testing:

  • Regular Scans: Vulnerability scans conducted at least every 30 days on all systems
  • Penetration Testing: Annual penetration tests performed by qualified security professionals
  • Code Security: Code scanned for vulnerabilities prior to each release
  • Patch Management: Security patches and updates installed on a regular basis

Remediation Timelines:

  • Critical Vulnerabilities: Remediated within 7 days of discovery
  • High-Risk Vulnerabilities: Remediated within 30 days of discovery
  • Documentation: All vulnerabilities and remediation actions are documented

Business Continuity:

  • Geographically separated backup sites for disaster recovery
  • Documented procedures to restore data access and availability after incidents
  • Regular testing of backup and recovery procedures

10. Security Audits & Compliance Verification

We maintain comprehensive records and cooperate with security audits to demonstrate compliance:

  • Record Retention: Compliance records maintained for the duration of service plus 12 months
  • Audit Cooperation: We cooperate with audits and assessments by marketplace partners (including Amazon) or their designated auditors
  • Compliance Certification: Upon request, we provide written certification of compliance with applicable data protection policies
  • Remediation: Any deficiencies identified during audits are remediated within agreed timeframes
  • Risk Management: Annual risk assessment reviewed by senior management to identify threats and vulnerabilities
  • Security Training: Annual data protection and IT security awareness training for all employees with data access

16. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. We recommend reviewing this policy periodically to stay informed about how we protect your data.

11. GDPR & CCPA Compliance

XTGH Services is committed to compliance with data protection regulations including GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).

GDPR Rights (for EU residents):

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to processing of your personal data
  • Right to Withdraw Consent: Withdraw consent at any time

CCPA Rights (for California residents):

  • Right to Know: Know what personal information is collected, used, shared, or sold
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell your data)
  • Right to Non-Discrimination: Exercise privacy rights without discrimination

To exercise any of these rights, contact us at privacy@xtghservices.com. We will respond to your request within 30 days.

12. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws.

When transferring data internationally, we use standard contractual clauses approved by the European Commission or other legally approved transfer mechanisms.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and gather analytics. Types of cookies we use:

  • Essential Cookies: Necessary for the platform to function (authentication, security)
  • Performance Cookies: Help us understand how you use the platform
  • Functional Cookies: Remember your preferences and settings

You can control cookies through your browser settings. Note that disabling certain cookies may affect platform functionality.

14. Children's Privacy

XTGH Services is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have collected data from a child, we will delete it immediately. If you believe we may have collected information from a child, please contact us at privacy@xtghservices.com.

15. Contact Us

If you have questions or concerns about this privacy policy or our data practices, please contact us:

Email: privacy@xtghservices.com

Support: support@xtghservices.com