Privacy Policy

Who we are

Array42 is the data controller for data collected directly by us. You can reach us at info@array42.com. For privacy and security matters, use security@array42.com.

What we collect

• Identification and contact data (name, company, email, phone, address) of clients and prospects.
• Commercial data (contracts, invoices, communications).
• Account credentials and tokens issued by third-party platforms that you authorize us to access on your behalf.
• Technical data (IP address, server and application logs) for security and troubleshooting.
• Order and buyer data when we operate e-commerce services on behalf of a merchant client.

How we use your data

• To deliver the services we are contracted to provide.
• To communicate with you about proposals, contracts, and operational matters.
• To comply with Portuguese tax, accounting, and legal obligations.
• To secure our systems and prevent abuse.

We do not sell personal data, do not use it for advertising, and do not share it with third parties other than the subprocessors listed below.

Amazon Information

When a client authorizes Array42 to access their Amazon Selling Partner account, we process data obtained through Amazon APIs and through the client's systems that synchronise with Amazon. This may include order identifiers, buyer billing information, tokenized buyer email addresses, order line items, and tax data. We refer to this data collectively as "Amazon Information".

Amazon Information is:

• Collected only through authorized access to the Amazon Selling Partner API and related systems.
• Processed only for the purpose requested by the authorizing merchant, typically to generate and deliver compliant invoices to buyers.
• Stored encrypted at rest (AES-256-GCM) and in transit (TLS 1.2 or higher).
• Shared only with the subprocessors listed below, each bound by a Data Processing Agreement.
• Never sold, rented, or shared with advertisers, data brokers, or any unrelated third party.
• Deleted within 30 days of a merchant disconnecting our application, except where a longer retention period is required by law.

Subprocessors

We rely on the following subprocessors to operate our services, all bound by a Data Processing Agreement:

• Cloudflare for hosting, edge compute (Workers), KV storage for sessions, DNS, CDN, and WAF.
• GitHub (Microsoft) for source code hosting and CI/CD. Our application code is stored in private GitHub repositories with multi-factor authentication enforced on all accounts.
• Shopify for client e-commerce platform access.
• A transactional email provider for sending service and invoice emails.
• Google Workspace for internal email, documents, and calendars.

An up-to-date list is available on request.

Retention

We keep personal data only for as long as necessary. Invoicing and accounting records are kept for 10 years as required by Portuguese tax law. Operational data is deleted within 30 days of contract termination or merchant disconnection. Security logs are kept for up to 13 months.

Your rights

Security

We encrypt data in transit and at rest, enforce multi-factor authentication on all administrative accounts, keep secrets in dedicated secret storage (never in code), log access to personal data, and operate a documented Incident Response Plan. Incidents affecting Amazon Information are reported to security@amazon.com within 24 hours of detection.

Cookies

Our website uses only strictly necessary cookies. We do not deploy tracking or advertising cookies without explicit consent.

Changes

We may update this policy to reflect changes in our practices or the law. The effective date at the top shows when the current version took effect.

Contact

Questions about this policy: info@array42.com.
Security incidents: security@array42.com.