Privacy Policy

Privacy Policy & Data Protection

Last updated: February 24, 2026

This privacy policy describes how JSCT LUX (trade name cockpitLAB), a limited liability company incorporated under Luxembourg law, registered under number B295868 at the Luxembourg Trade and Companies Register, with its registered office at 22, rue Jean Wolter, L-3544 Dudelange, Luxembourg (VAT: LU36544814), collects, uses, stores and protects the personal data of its users.

This policy also covers how our cockpitLAB application accesses, processes and protects data obtained through the Amazon Selling Partner API (SP-API), in compliance with the Amazon Data Protection Policy (DPP) and the Amazon Acceptable Use Policy (AUP).

French version available here.

1. Data Controller

JSCT LUX (trade name cockpitLAB)
22, rue Jean Wolter, L-3544 Dudelange, Luxembourg
Luxembourg RCS: B295868 – VAT: LU36544814
Data Protection Officer: [email protected]

2. Personal Data Collected

2.1 Data collected directly from users

  • Name, email address, phone number (registration, contact)
  • Billing and payment information (processed by Stripe, Inc.)
  • Connection data (IP address, browser, device)

2.2 Data collected via Amazon SP-API

When a user connects their Amazon Seller Central account to cockpitLAB via the OAuth 2.0 protocol, we access the following data, strictly necessary for the operation of our services:

  • Orders: order numbers, amounts, statuses, dates
  • Order items: ASINs, SKUs, quantities, prices, Amazon fees
  • Financial data: referral fees, FBA fees, financial events
  • Inventory: stock levels, FBA reports
  • Product catalog: listing information, images, prices
  • Reports: shipment, settlement, and performance reports
  • PII (Personally Identifiable Information): buyer name and shipping address, solely for invoicing and legal/tax compliance purposes

3. Purposes and Legal Basis

Purpose and legal basis (GDPR Art. 6):

  • Providing cockpitLAB services (dashboard, P&L, analytics): performance of a contract (Art. 6.1.b)
  • Invoice generation and tax compliance: legal obligation (Art. 6.1.c)
  • Processing Amazon PII for invoicing/shipping: legal obligation (Art. 6.1.c)
  • Service improvement and technical support: legitimate interest (Art. 6.1.f)
  • Email communications (newsletters, updates): consent (Art. 6.1.a)

4. Use of Amazon SP-API Data

In compliance with the Amazon Acceptable Use Policy:

  • SP-API data is used exclusively to provide cockpitLAB platform features to authorized users.
  • Buyer PII is used only for merchant-fulfilled shipping invoicing and legal/tax requirements.
  • No SP-API data is shared with third parties, except as required by law.
  • No data is aggregated across different seller accounts for resale or sharing purposes.
  • No marketing or prospecting is conducted using Amazon data.
  • No external data enrichment is performed with Amazon data.
  • Use of artificial intelligence (AI) in analysis features is clearly disclosed to users, including data source and freshness.

5. Data Storage and Security

5.1 Encryption

  • In transit: all communications are encrypted via TLS 1.2 or higher.
  • At rest: data is encrypted using AES-256. SP-API credentials (OAuth tokens, API keys) are encrypted with AES-256 under keys held in a dedicated Key Management System (KMS), separate from the application database.

5.2 Infrastructure

  • Database hosted in the European Union (Supabase, eu-west region, France), encrypted at rest.
  • Application served via Cloudflare (global CDN, WAF, DDoS protection).
  • WordPress site hosted by OVH SAS (France).

5.3 Access Controls

  • Access restricted on a need-to-know basis using fine-grained access controls.
  • Unique individual credentials — no shared accounts.
  • Multi-Factor Authentication (MFA) mandatory on all systems.
  • Quarterly access reviews. Accounts disabled within 24 hours of termination.
  • Automatic lockout after 10 failed login attempts.

5.4 Logging and Monitoring

  • All API access, logins, and critical actions are logged (success/failure, timestamp, identifier).
  • Centralized monitoring with real-time alerts for anomalies.
  • No PII is stored in logs.
  • Log retention: minimum 12 months.

6. Data Retention

6.1 Amazon PII Data

Personally Identifiable Information from Amazon SP-API (buyer names, shipping addresses) is retained for a maximum of 30 days after order delivery, unless legally required for a longer period (tax, accounting).

6.2 Amazon Non-PII Data

Non-PII data (anonymized orders, amounts, fees, statistics) is retained for a maximum of 18 months, unless legally required for a longer period.

6.3 cockpitLAB User Data

User account data is retained for the duration of the contractual relationship and deleted within 30 days of account closure, unless legally required.

6.4 Deletion on Request

Upon deletion request from Amazon or the user, data is permanently deleted within 30 days. Online instances are deleted within 90 days. Written certification of deletion is provided upon request. Data sanitization follows NIST 800-88 guidelines.

7. Data Attribution

cockpitLAB maintains a data attribution mechanism to identify the origin of each data point: the source seller account (selling_partner_id), the API used, and the collection date are systematically recorded.

8. Data Sharing and Sub-processors

cockpitLAB does not sell, rent, or share any personal data or Amazon data with third parties, except in the following cases:

Technical sub-processors (with GDPR-compliant data processing agreements in place):

Sub-processor, purpose and data location:

  • Supabase, Inc.: database and authentication; EU (France)
  • Cloudflare, Inc.: CDN, network security, Workers; global (edge), EU data
  • Stripe, Inc.: payment processing; EU / US
  • OVH SAS: WordPress hosting; France
  • Brevo (Sendinblue): transactional emails; EU (France)
  • Axiom, Inc.: logs and monitoring (no PII); US

Legal obligations: if required by law, court order, or competent authority.

An annual security assessment of each sub-processor is conducted.

9. International Transfers

Some sub-processors (Cloudflare, Stripe, Axiom) may process data outside the EU. These transfers are governed by:

  • The EU-US Data Privacy Framework, or
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

No Amazon PII data is transferred outside the EU.

10. Code and Credential Security

  • No credentials, API keys, tokens, or passwords are ever hard-coded in source code.
  • Secrets are stored in secure vaults (encrypted environment variables).
  • API keys and tokens are rotated at minimum every 90 days, and immediately upon suspected compromise.
  • Test and production environments are strictly separated. No PII in test environments — synthetic data only.

11. Vulnerability Management

  • Vulnerability scans performed at minimum every 30 days.
  • Source code scanned before each production deployment.
  • Critical vulnerabilities remediated within 7 days; high-severity within 30 days.
  • Penetration testing performed at minimum annually.

12. Incident Response Plan

cockpitLAB maintains a documented incident response plan, reviewed every 6 months:

  1. Detection: continuous monitoring, automated alerts.
  2. Containment: immediate suspension of compromised access.
  3. Assessment: impact analysis, identification of affected data.
  4. Notification:
    • Amazon: notification within 24 hours via [email protected]
    • CNPD Luxembourg: notification within 72 hours if personal data is affected (GDPR Art. 33)
    • Affected users: notification without undue delay (GDPR Art. 34)
  5. Remediation: corrective actions, documentation of measures taken.

Incident Management Point of Contact (IMPOC): [email protected] – cockpitLAB

13. User Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15): obtain a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data.
  • Right to restriction of processing (Art. 18): restrict the processing of your data.
  • Right to data portability (Art. 20): receive your data in a structured format.
  • Right to object (Art. 21): object to the processing of your data.
  • Right to withdraw consent (Art. 7.3): withdraw your consent at any time.

To exercise these rights, contact us at: [email protected]

We respond to all requests within a maximum of 30 days.

If you wish to lodge a complaint, you may contact the Commission Nationale pour la Protection des Données (CNPD) of Luxembourg: cnpd.public.lu

14. Cookies

The cockpitlab.io website uses cookies for:

  • Essential cookies: website functionality, authentication, security.
  • Analytics cookies: audience measurement (Google Analytics) — only with your consent.

You can manage your cookie preferences at any time via the consent banner or your browser settings.

15. Changes to This Policy

cockpitLAB reserves the right to modify this policy at any time. In case of material changes, users will be notified by email or via a notification in the application. The last updated date is indicated at the top of this page.

16. Contact

For any questions regarding this policy or your personal data:

JSCT LUX (cockpitLAB) – Data Protection Officer
22, rue Jean Wolter, L-3544 Dudelange, Luxembourg
Email: [email protected]
Phone: +33 6 23 72 00 41
