Amazon Scraper API
Legal Documentation

Privacy Policy

Last updated: April 23, 2026

01 Summary

This document describes what personal data Amazon Scraper API (operated by Chocodata OU, registered in Tallinn, Estonia) collects about you, why we collect it, how long we keep it, and what rights you have over it. It applies to the marketing site at amazonscraperapi.com and the application at app.amazonscraperapi.com.

We only collect what we need to run the service. We do not sell or rent personal data. We comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

02 Data Controller

The data controller for the purposes of GDPR is:

Chocodata OU
Tallinn, Estonia
info@amazonscraperapi.com

03 Data We Collect

Three categories, each with a specific purpose:

Account data

  • Email address (used for authentication, billing receipts, and service announcements).
  • Hashed password (argon2id; we never see the plaintext).
  • Google account ID and email when you sign in with Google OAuth.

Usage data

  • API request metadata: timestamp, endpoint, HTTP status, latency, credits charged, originating IP, and the API key prefix (not the full key).
  • Aggregated monthly usage counters for billing and rate limiting.
  • Dashboard activity (pages viewed, actions taken) when you are signed in.

Billing data

  • Payment-method identifiers handled by our payment processor (Stripe). We store only the Stripe customer ID, subscription ID, and invoice history. Full card numbers never touch our servers.
  • Billing address when you supply one for invoicing.

We do not collect data about which ASINs, search queries, or Amazon marketplaces you scrape beyond the metadata above. The structured JSON we return is delivered directly to you and not archived on our side.

04 Purpose and Legal Basis

  • Contract performance (GDPR Art 6(1)(b)): authenticating you, metering credits, processing payments, delivering the service you signed up for.
  • Legitimate interest (Art 6(1)(f)): preventing abuse, enforcing rate limits, detecting fraud, debugging production issues via request logs.
  • Legal obligation (Art 6(1)(c)): keeping tax-relevant invoices for 7 years under EU bookkeeping rules.
  • Consent (Art 6(1)(a)): marketing emails you opt into. You can withdraw at any time via the unsubscribe link in every message.

05 Retention

  • Account data: kept while your account is active, plus 30 days after deletion for restoration, then purged.
  • API request logs: 90 days for debugging + fraud detection, then aggregated-only.
  • Billing records (invoices, tax-relevant data): 7 years per EU accounting rules.
  • Email event logs (sent / opened / clicked): 12 months, then purged.

06 Data Processors

We share the minimum necessary data with the following processors. Each has a signed DPA on file:

  • Stripe - payment processing + invoicing. Receives your email, name, billing address, and card details.
  • Email delivery provider - transactional email (password resets, receipts, onboarding sequence). Receives your email address and message content.
  • Hosting + database providers - process requests and store usage / account data. Servers are located in the EU and US.
  • Error-reporting provider - captures unhandled exceptions. Receives stack traces, request ID, and a hashed user ID. No raw request bodies.

07 International Transfers

When your personal data leaves the EU (e.g. to US-based processors), we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) to safeguard it. Copies of the SCC texts are available on request.

08 Your Rights

Under GDPR and CCPA, you have the right to:

  • Access your personal data - we'll send you an export in machine-readable form within 30 days.
  • Rectify inaccurate data - edit in-dashboard or email us.
  • Erase your account and associated data - with the retention exceptions above (billing records kept for 7 years where required by law).
  • Port your data to another provider in a standard format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time for opt-in marketing.
  • Lodge a complaint with your national data-protection authority. For Estonia, that's the Estonian Data Protection Inspectorate.

Email info@amazonscraperapi.com to exercise any of these rights. We aim to respond within 5 business days.

09 Security

We protect your data with industry-standard controls: TLS 1.2+ on every connection, argon2id for password hashes, HMAC-signed webhooks, per-user request rate limits, and row-level security on our database. We run regular third-party security scans and disclose confirmed vulnerabilities via info@amazonscraperapi.com.

If a breach does occur and is likely to put your rights at risk, we will notify affected users and the supervisory authority within 72 hours as required by GDPR Art 33.

10 Cookies and Analytics

The marketing site uses one session cookie to remember cookie-consent choices, and Google Analytics 4 (with IP anonymisation enabled) for aggregate traffic metrics. The dashboard uses one authentication cookie (HttpOnly, SameSite=Lax) to keep you signed in.

We do not run third-party advertising cookies. No cross-site tracking.

11 Changes to This Policy

Material changes are announced by email at least 14 days before they take effect. The current version is always at amazonscraperapi.com/privacy, with the "Last updated" date at the top of the page.

For any questions: info@amazonscraperapi.com.