Mirox, LDA ("Mirox", "we", "our", "us") is a company registered in Portugal (NIPC PT517994160; registered office in Castelo Branco — see the Legal Notice for full statutory information). This Privacy Policy explains how we process personal data under Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and the Portuguese Data Protection Act (Lei n.º 58/2019), and how we handle "Amazon Information" under Amazon's Data Protection Policy.
Data Controller and Processor
For your account details (name, email, billing) Mirox is the Data Controller. For the "Amazon Information" we ingest on your behalf via the Amazon Selling Partner API (SP-API) and Advertising API to operate the agents, Mirox is a Data Processor acting under your instructions, governed by the Data Processing Agreement (DPA) at /legal/dpa.
1. Information we collect and lawful basis
We process your data only under the lawful bases set out in Article 6 GDPR:
A. Performance of a contract (Art. 6(1)(b))
- Account data: name, email address, company details, billing information needed to provide the Service.
- Amazon Information: advertising campaigns, search-query performance, FBA stock levels, sales velocity, catalog data, and order summaries (without buyer Personally Identifiable Information — see Section 2 below) ingested via Amazon SP-API and Advertising API to run the Mirox agents.
B. Consent (Art. 6(1)(a))
- Marketing communications: newsletters and product updates. You can withdraw consent at any time via the unsubscribe link in any email or by emailing info@mirox.pt.
- Non-essential cookies: analytics and performance cookies, managed via the consent banner.
C. Legitimate interests (Art. 6(1)(f))
- Platform improvement: aggregated, anonymised metadata (e.g., system-wide latency, feature usage) used to improve the Service. No customer-identifiable data is used for this purpose.
- Security and fraud prevention: IP addresses and system logs retained per the windows in Section 6.
2. Buyer Personally Identifiable Information (Buyer PII)
Amazon's SP-API exposes endpoints that return buyer Personally Identifiable Information (names, email addresses, shipping addresses, county, tax info). Mirox does not need this data to optimise PPC campaigns and applies the GDPR principle of data minimisation:
- Mirox does not call buyer-PII endpoints (e.g. /orders/v0/orders/{id}/buyerInfo, /orders/v0/orders/{id}/address). On the order-summary endpoints we do call (/orders/v0/orders and /orders/v0/orders/{id}/orderItems), the dataElements parameter is omitted, which instructs Amazon to return only non-PII fields.
- As a direct consequence, Buyer PII is never received by our systems — not in memory, not in logs, not in any cache. A field that is never received cannot be leaked.
- Order summary caches store only the order identifier, total, status, marketplace, and purchase date — no buyer fields. As defence in depth, our log redactor and cache writer would strip any buyer fields if Amazon ever returned them, even though by design they should not.
Zero retention with LLM sub-processors
Where the Service uses third-party large language models, we contract for zero-retention processing. We send only keyword strings, search terms, and product descriptions — never buyer PII, never seller credentials, never Amazon Information beyond what is required to compute a recommendation. Your data is never used to train public models. We do not sell or syndicate your marketplace data.
3. Cookies and consent
In line with the ePrivacy Directive and GDPR, non-essential cookies are only set after your explicit, affirmative consent. You can review or withdraw consent at any time from the cookie banner footer link or your account settings. Essential cookies (session, CSRF, authentication) are set without consent under Art. 5(3) ePrivacy Directive.
4. Your rights as a data subject
You have the following rights under Articles 15-22 GDPR:
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion. See the "30-day deletion SLA" commitment in Section 6 below.
- Restriction (Art. 18): ask us to pause processing in defined circumstances.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Object (Art. 21): object to processing based on legitimate interests or for direct marketing.
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD) at www.cnpd.pt, or with the supervisory authority of your habitual residence.
To exercise these rights, email privacy@mirox.pt. We respond within 30 days (Art. 12(3) GDPR).
5. International data transfers
The Mirox Service is hosted within the European Economic Area (EEA) on managed infrastructure in Lisbon, Portugal. Where data is transferred outside the EEA — for example, when calling Amazon SP-API endpoints whose backend is operated globally, or when invoking US-based LLM sub-processors — we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) together with technical safeguards including AES-256-GCM encryption at rest and TLS 1.2+ in transit. A list of applicable safeguards is available on request.
6. Data retention and the 30-day deletion SLA
30-day deletion commitment for Amazon Information
When you disconnect your Amazon account or cancel your subscription, all of your Amazon Information is hard-deleted from our production systems within 30 days. This includes OAuth tokens, cached catalog and pricing data, order summaries, agent decision traces, and tenant configuration. The deletion is automated, idempotent, and cascades across every table that holds tenant-scoped data. You can request immediate deletion (skipping the 30-day clock) by emailing privacy@mirox.pt.
Per-class retention windows on production systems:
- Account data (name, email, company): for the lifetime of your account; deleted within 30 days after termination, except where Portuguese tax law (10 years for invoices) requires retention.
- Amazon Information — tokens, catalog, inventory, pricing, order summaries: while your seller account is connected; deleted within 30 days of disconnect or cancellation.
- Tenant configuration (campaigns, keywords, settings): while your account is connected; deleted within 30 days of disconnect or cancellation.
- Shadow simulation logs (bid history): 90 days rolling on production; deleted on tenant purge.
- Agent decision traces: 30 days rolling on production; deleted on tenant purge.
- Semantic / inter-agent / LLM telemetry logs: 48 hours rolling; deleted on tenant purge.
- API request logs: 7 days rolling; request and response bodies are redacted of any buyer PII at write time as a defence-in-depth measure.
- Audit log of human access to Amazon Information: 365 days, append-only.
- Backups: nightly volume snapshots retained 7 days. We do not restore from snapshots in a way that would re-introduce purged data; snapshots age out naturally.
7. Sub-processors
We engage the following sub-processors, each bound by a written agreement compliant with Art. 28 GDPR:
- Cloud hosting: Hostinger International Ltd — managed VPS in the EU (Lisbon, Portugal).
- Customer dashboard hosting: Netlify, Inc. — static hosting on the global CDN (no customer data is stored at the edge; all dynamic data comes from our EU API).
- Payments: Stripe Payments Europe Ltd (PCI-DSS compliant).
- Transactional email: Resend (Resend, Inc.) for service notifications such as sign-in, billing, and security alerts.
- LLM inference: Google LLC (Gemini API) under zero-retention contract terms.
We notify customers in advance of material sub-processor changes; you may object on legitimate data-protection grounds.
8. Security
Technical and organisational measures under Article 32 GDPR include: AES-256-GCM at-rest encryption of seller OAuth tokens; TLS 1.2+ for all public traffic with HSTS preload; multi-factor authentication on cross-tenant administrator accounts; tenant-scoped query enforcement on every API endpoint; append-only audit logging of every read of Amazon Information; documented incident-response runbook with a 24-hour notification commitment to Amazon for any unauthorised access to Amazon Information; documented quarterly key rotation. Full detail at /legal/security.
9. Contact
For privacy questions or to exercise your rights:
Privacy & data-subject requests: privacy@mirox.pt
Security vulnerabilities: security@mirox.pt
General support: support@mirox.pt
Postal: Mirox, LDA — Rua Poço do Moleiro, n.º 241, piso intermédio esq. — frente, 6000-412 Castelo Branco, Portugal