This Privacy Policy describes how Xiamen Yunzhongcheng Technology Co., Ltd.
("we", "us", or "our") collects, uses, stores, and protects data when you
use Ads123 (the "Service"). The Service is a SaaS application that helps
authorized Amazon sellers manage advertising campaigns and analyze
advertising performance through the Amazon Advertising API.
By using the Service, you agree to the practices described in this Privacy
Policy. This policy is designed to comply with the Amazon Advertising API
Data Protection Policy, the Acceptable Use Policy, and applicable regional
privacy regulations including the General Data Protection Regulation (GDPR)
and the California Consumer Privacy Act (CCPA).
Summary: We only access advertising data from your
authorized Amazon advertising account through the Amazon Advertising API.
We do not access buyer PII, do not merge Amazon data with third-party
sources, do not sell or share your advertising data, and do not use your
data for interest-based advertising. All data is encrypted in transit and
at rest.
1. Introduction
Ads123 is a publicly available SaaS application that provides Amazon
sellers with advertising campaign management and performance optimization
tools. The Service monitors campaign performance, analyzes search terms,
suggests bid adjustments, manages budgets, and generates performance
reports across Sponsored Products, Sponsored Brands, and Sponsored Display
campaigns.
All advertising data is accessed exclusively through the Amazon
Advertising API, and only after an authorized seller explicitly grants
access to the application through Amazon's secure OAuth authorization
flow. We process advertising data solely for the authorized seller's own
campaign management and performance reporting — never for buyer profiling,
interest-based advertising, or resale.
2. Data We Collect
2.1 Advertising Campaign Data
After you explicitly authorize the application through Amazon's OAuth
flow, we access the following advertising data from your Amazon
advertising account exclusively through the Amazon Advertising API:
- Campaign configuration data: Campaign names, campaign types (Sponsored Products, Sponsored Brands, Sponsored Display), targeting settings, and campaign status
- Keyword and targeting data: Keywords, match types, negative keywords, and product targeting configuration
- Bid and budget data: Keyword bids, placement bids, campaign daily budgets, and budget rules
- Performance metrics: Impressions, clicks, spend, sales, ACoS (Advertising Cost of Sales), ROAS (Return on Ad Spend), conversions, and click-through rates
- Search term reports: Aggregated search terms that triggered your ads, with associated click, spend, and sales metrics — shown as aggregated queries, not individual buyer identities
- Placement and reporting data: Placement performance breakdowns and campaign reporting dimensions
2.2 Contact and Onboarding Data
When you request access to Ads123, we collect your email address, name,
and company information for onboarding and communication purposes only.
This data is used to process your access request, manage your
subscription, and provide operational support to your authorized team.
2.3 Usage Data
We collect application usage logs and operation records necessary to
provide and maintain the Service. This includes:
- Application logs: Records of campaign configuration changes, bid adjustments, and budget modifications made within the application
- Operation records: Timestamps of data retrieval from the Amazon Advertising API and alert delivery records
- Authentication logs: Records of authorization grants and revocations through Amazon's OAuth flow
3. How We Use Your Data
We use the advertising data accessed through the Amazon Advertising API
solely for the following purposes:
- Campaign management: Displaying and managing your authorized advertising campaigns, keywords, bids, and budgets
- Performance monitoring: Tracking impressions, clicks, spend, sales, ACoS, and ROAS against your configured targets
- Search term analysis: Analyzing search term reports to identify scaling opportunities and negation candidates
- Bid optimization: Generating bid adjustment suggestions based on your own campaign performance data
- Budget management: Monitoring daily and monthly ad spend and alerting on budget depletion projections
- Performance reporting: Generating customizable campaign, keyword, and search term reports for your internal teams
We do NOT use Amazon advertising data for: buyer
profiling, interest-based advertising, behavioral retargeting,
cross-seller aggregation, resale to third parties, insights about
Amazon's business, or any purpose other than the advertising campaign
management and performance reporting described above.
4. Data We Do Not Collect
We explicitly do not collect, access, or process:
- Buyer Personally Identifiable Information (PII), including buyer names, email addresses, phone numbers, or shipping addresses
- Buyer identity information or any data that could re-identify individual Amazon customers
- Buyer browsing, purchase, or behavioral history beyond aggregated advertising performance metrics
- Financial, banking, or payment card information
- Amazon Information merged, combined, or enriched with any third-party data sources
- Advertising data retrieved from any external or non-Amazon sources
Search term reports are processed as aggregated queries with associated
performance metrics. We do not attempt to re-identify or reverse-engineer
individual buyers from aggregated advertising data.
5. Cookie and Tracking Disclosure
Ads123 uses essential cookies and similar technologies necessary to
operate the application, maintain your authenticated session, and remember
your preferences. These cookies are required for core application
functionality and cannot be disabled if you wish to use the Service.
We do not use cookies or tracking technologies for interest-based
advertising, behavioral profiling, or cross-site tracking of our users.
We do not place advertising or retargeting cookies on the application.
Amazon's interest-based advertising: Please be aware that
Amazon may place or recognize cookies on the application or related
surfaces for the purpose of providing interest-based advertising and
measuring advertising effectiveness, in accordance with Amazon's
advertising practices. These cookies are governed by Amazon's privacy
practices, not this Privacy Policy. To opt out of Amazon's interest-based
advertising, you may use the following resources:
- Amazon Ad Preferences: Manage your Amazon advertising preferences through your Amazon account settings
- Digital Advertising Alliance (DAA): Visit optout.aboutads.info to opt out of interest-based advertising from participating companies
- YourOnlineChoices: For users in the European Economic Area, visit youronlinechoices.com to manage interest-based advertising preferences
6. Data Authorization and Retrieval
All advertising data is retrieved exclusively through the Amazon
Advertising API using Amazon's secure OAuth 2.0 authorization framework.
The authorization process works as follows:
- Explicit consent: Each selling partner must explicitly authorize Ads123 to access their Amazon advertising account through Amazon's OAuth consent screen
- Scoped access: Authorization is limited to the
campaign_management scope, granting access only to the advertising data operations required to provide the Service
- Authorized sellers only: We process advertising data only for sellers who have explicitly granted authorization. We do not access data from unauthorized accounts
- No broader access: Authorization does not grant access to buyer PII, seller central data, or any data outside the authorized advertising scope
- Revocable at any time: You may revoke Ads123's authorization at any time through your Amazon advertising account settings. Upon revocation, we immediately cease accessing your advertising data
7. Data Sharing and Disclosure
We do not share, sell, rent, lease, or otherwise
distribute Amazon advertising data to any third party. Advertising data
accessed through the Amazon Advertising API is processed solely within
our application infrastructure to provide the Service to the authorized
seller.
Specifically, we do not:
- Share Amazon advertising data with external parties for any purpose
- Sell or license Amazon advertising data to any third party
- Use Amazon advertising data for advertising targeting, retargeting, or audience building
- Aggregate or combine advertising data across different sellers' accounts
- Disclose Amazon advertising data except as required by applicable law or to comply with legal process
Each advertiser's data is processed independently within a multi-tenant
isolated architecture. Cloud infrastructure providers used to host the
Service act as data processors under confidentiality agreements and do
not have access to Amazon advertising data beyond what is necessary for
infrastructure maintenance.
8. Data Security
8.1 Encryption
All advertising data is protected with industry-standard encryption:
- Encryption in transit: All data transmitted between our systems and the Amazon Advertising API, and between our systems and your browser, is encrypted using TLS 1.2 or higher. Insecure communication channels are disabled across all internal and external endpoints
- Encryption at rest: All Amazon advertising data stored in our systems is encrypted at rest using AES-256 encryption. Encryption keys are managed through a dedicated Key Management System (KMS) and are accessible only to authorized application processes
- Credential protection: Amazon Advertising API credentials and OAuth tokens are encrypted and never stored in plain text, in public repositories, or hard-coded into applications
8.2 Access Controls
Access to Amazon advertising data is governed by the following controls:
- Role-based access control (RBAC): Access is granted based on job duties and business functions following the principle of least privilege (need-to-know basis)
- Unique user IDs: Every individual accessing Amazon advertising data is assigned a unique identifier. Generic, shared, or default login credentials are prohibited
- Quarterly access reviews: Personnel and service access lists are reviewed at least every 90 days. Accounts no longer requiring access are promptly removed
- Multi-Factor Authentication (MFA): MFA is enforced for all internal systems that may come into contact with Amazon advertising data
- Password policy: Passwords must be at least 12 characters with a mix of uppercase, lowercase, numbers, and special characters. Password history of the last 10 passwords is maintained to prevent reuse. Passwords are rotated at least every 365 days
- Account lockout: Accounts are automatically locked after unsuccessful login attempts to prevent brute-force attacks
- No personal device storage: Employees and contractors are prohibited from storing Amazon advertising data on personal devices
8.3 Incident Response (IMPOC)
We maintain a documented incident response plan that is:
- Approved by senior management and reviewed at least every 6 months
- Updated after significant infrastructure or system changes, and after lessons learned from any incident
- Covering all standard phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
We have designated an Incident Management Point of Contact (IMPOC) who is
available at all times, has the authority to coordinate incident response
activities, and can be reached quickly in the event of a data breach or
security incident involving Amazon advertising data.
Any security incident involving Amazon advertising data will be reported
to security@amazon.com within
24 hours of detection. We will investigate each security
incident and document the incident description, remediation actions, and
corrective processes or system controls implemented to prevent
recurrence. All incident documentation will be provided to Amazon upon
request.
8.4 Data Deletion (NIST 800-88)
Upon revocation of authorization — whether by the seller through Amazon
advertising settings, by Amazon, or upon subscription termination — we
will permanently and securely delete all associated Amazon advertising
data within 72 hours of notification.
Data destruction follows NIST SP 800-88 standards,
including:
- Clear: Overwriting data with zeros or random patterns
- Purge: Firmware-level erasure or cryptographic key destruction
- Physical destruction: Shredding, crushing, or incineration of physical media when applicable
All active data stores and all backups/copies are destroyed. Data
anonymization (e.g., hashing) is not considered an
acceptable deletion method. When using cloud services, we use supported
deletion mechanisms (such as delete APIs or TTL policies); simply
removing object pointers or orphaning data is not accepted. Upon request,
we will provide written certification that all Amazon advertising data
has been securely destroyed.
9. Data Retention
We retain data only for as long as necessary to provide the Service:
- Advertising campaign data: Retained for the duration of your active subscription and deleted within 30 days of subscription termination or authorization revocation
- Security and access logs: Retained for a minimum of 12 months to support audit and incident investigation requirements
- Contact and onboarding data: Your contact information (email, name, company) is retained for the duration of your active subscription and deleted within 30 days of subscription termination
- Usage data: Application usage logs and operation records are retained for the duration of your subscription and deleted within 30 days of termination
We do not retain Amazon advertising data beyond what is necessary to
provide the Service to the authorized seller. No Amazon advertising data
is retained for any secondary purpose.
10. Your Privacy Rights (GDPR/CCPA)
As an authorized seller, you have the following rights under applicable
data protection regulations, including the GDPR (for EU/EEA residents)
and CCPA/CPRA (for California residents):
- Right of access: Request a copy of the personal data we hold about you
- Right to erasure ("right to be forgotten"): Request deletion of your personal data from our systems
- Right to rectification: Request correction of inaccurate or incomplete personal data
- Right to restrict processing: Request that we limit the processing of your personal data
- Right to data portability: Receive your personal data in a structured, machine-readable format
- Right to object: Object to the processing of your personal data for certain purposes
- Right to revoke authorization: Disconnect Ads123 from your Amazon advertising account at any time through your Amazon advertising settings
To exercise any of these rights, contact us at
contact@yzccn.com. We will respond
to your request within 30 days. If you believe we have not adequately
addressed your concerns, you have the right to lodge a complaint with
your local data protection authority.
11. Consent Signal Requirements
For users located in the United Kingdom and the European Economic Area
(EEA), Ads123 requires explicit consent before processing advertising
data. We support recognized consent signaling frameworks to ensure
compliance with regional privacy regulations:
- IAB Transparency and Consent Framework (TCF): We support IAB TCF consent signals, allowing consent management platforms to transmit user consent preferences to the application
- Amazon Consent Signal: We support Amazon's Consent Signal mechanism for transmitting user consent status through the Amazon Advertising API
- Consent records: We maintain records of consent grants, including the timestamp, scope, and method of consent, for the duration required by applicable law
- Granular control: Users in the UK/EEA may withdraw consent at any time, which triggers the data deletion process described in Section 8.4
Where consent is the lawful basis for processing, we will not process
advertising data without a valid affirmative consent signal. Consent must
be freely given, specific, informed, and unambiguous.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you
of any material changes by email or through the Service at least 30 days
before the changes take effect. The updated policy will be effective
immediately upon posting after the notice period.
We encourage you to review this policy periodically to stay informed
about how we collect, use, and protect your advertising data.
13. Contact Us
If you have any questions about this Privacy Policy or our data
practices, please contact us: