Last Updated: September 11, 2025
1. Our Commitment to Data Protection
At EcomATM, protecting your data is not just a legal obligation—it's fundamental to our business. This Data Protection Policy outlines our comprehensive approach to safeguarding personal and business data across our e-commerce automation platform.
2. Data Security Framework
2.1 Technical Security Measures
- Encryption in Transit: All data transmitted using TLS 1.3 encryption
- Encryption at Rest: Database and file storage encrypted with AES-256
- Key Management: Secure key rotation and hardware security modules
- Network Security: Firewalls, intrusion detection, and DDoS protection
- Access Controls: Multi-factor authentication and role-based permissions
- API Security: Rate limiting, authentication tokens, and request validation
2.2 Infrastructure Security
- Cloud Security: Enterprise-grade cloud infrastructure with SOC 2 compliance
- Data Centers: Certified facilities with physical security controls
- Redundancy: Multi-region backups and disaster recovery capabilities
- Monitoring: 24/7 security monitoring and automated threat detection
- Updates: Regular security patches and vulnerability assessments
3. Data Categories and Protection Levels
3.1 Highly Sensitive Data
Maximum Protection Level
- Payment information and financial data
- Authentication credentials and passwords
- Personal identification information
- Health information (if applicable)
- Government identification numbers
Protection: End-to-end encryption, restricted access, enhanced monitoring
3.2 Sensitive Data
High Protection Level
- Business financial information
- Customer contact databases
- Private communications and messages
- Business strategies and plans
- Proprietary algorithms and AI training data
Protection: Encryption, access controls, audit logging
3.3 Internal Data
Standard Protection Level
- Product catalogs and inventory data
- Order information and transaction history
- Usage analytics and performance metrics
- Configuration settings and preferences
- Support tickets and communications
Protection: Standard encryption, role-based access, regular backups
4. Access Control and Authentication
4.1 User Access Management
- Role-Based Access Control (RBAC): Granular permissions based on job function
- Principle of Least Privilege: Users get minimum necessary access
- Multi-Factor Authentication: Required for all accounts
- Session Management: Automatic timeouts and secure session handling
- Password Policies: Strong password requirements and regular rotation
4.2 Administrative Access
- Privileged Access Management: Additional controls for admin accounts
- Just-in-Time Access: Temporary elevated permissions when needed
- Administrative Logging: Complete audit trail of admin actions
- Separation of Duties: Critical operations require multiple approvals
5. Data Processing and AI Protection
5.1 AI Data Handling
Special protections for AI-processed data:
- Data Minimization: Only necessary data sent to AI services
- Anonymization: Personal identifiers removed when possible
- Selective Processing: Users control which data is AI-processed
- Third-Party Agreements: Strict data handling contracts with AI providers
- Model Training Exclusion: Your data not used to train external models
5.2 AI Service Providers
| Provider | Data Processed | Protection Level |
|---|
| OpenAI | Text content for AI responses | Enterprise agreement, no training |
| DeepSeek | Analytics and pattern recognition | Anonymized data only |
| Google Gemini | Multi-modal content processing | Enterprise controls, data residency |
6. Data Breach Response
6.1 Incident Response Plan
Our comprehensive response process:
- Detection: Automated monitoring and threat detection systems
- Assessment: Rapid evaluation of breach scope and impact
- Containment: Immediate steps to prevent further data exposure
- Investigation: Forensic analysis to understand the incident
- Notification: Timely notification to affected users and authorities
- Recovery: System restoration and security enhancement
- Review: Post-incident analysis and process improvement
6.2 Notification Timelines
- Internal Notification: Security team notified within 1 hour
- Management Escalation: Leadership informed within 4 hours
- User Notification: Affected users notified within 72 hours
- Regulatory Notification: Authorities notified as required by law
7. International Data Transfers
7.1 Transfer Mechanisms
We ensure appropriate safeguards for international data transfers:
- Adequacy Decisions: Transfers to countries with adequate protection levels
- Standard Contractual Clauses: EU-approved data transfer agreements
- Binding Corporate Rules: Internal privacy rules across our organization
- Certification Programs: Compliance with recognized data protection standards
7.2 Data Residency Options
We provide data localization options:
- Regional Storage: Data stored in user's preferred region
- Processing Restrictions: Limits on cross-border processing
- Local Compliance: Adherence to local data protection laws
- Enterprise Controls: Advanced residency controls for enterprise customers
8. Compliance and Certifications
8.1 Regulatory Compliance
- GDPR: Full compliance with European data protection regulation
- CCPA: California Consumer Privacy Act compliance
- SOC 2: System and Organization Controls certification
- ISO 27001: Information security management certification
- PCI DSS: Payment card industry data security standards
8.2 Regular Audits
- Internal Audits: Quarterly security and privacy assessments
- External Audits: Annual third-party security audits
- Penetration Testing: Regular security testing by certified experts
- Compliance Reviews: Ongoing regulatory compliance monitoring
9. Employee Data Protection Training
9.1 Mandatory Training Programs
- Security Awareness: Annual training on data protection and security
- Privacy Laws: Training on applicable privacy regulations
- Incident Response: Training on breach detection and response
- Role-Specific Training: Specialized training based on job function
9.2 Ongoing Education
- Monthly security newsletters and updates
- Phishing simulation exercises
- Privacy impact assessment training
- New technology privacy reviews
10. Data Retention and Deletion
10.1 Retention Schedules
| Data Type | Retention Period | Reason |
|---|
| Account Information | Until deletion + 90 days | Account recovery, legal compliance |
| Transaction Records | 7 years | Tax, audit, and legal requirements |
| Analytics Data | 3 years (anonymized) | Service improvement, research |
| Communication Logs | 2 years | Support quality, dispute resolution |
| Security Logs | 1 year | Security monitoring, forensics |
10.2 Secure Deletion Process
- Cryptographic Erasure: Destruction of encryption keys
- Physical Destruction: Secure wiping of storage media
- Multi-Pass Overwriting: Multiple overwrite passes for sensitive data
- Verification: Confirmation that data cannot be recovered
11. User Rights and Controls
11.1 Data Subject Rights
You have the right to:
- Access: View all personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data
- Portability: Export your data in a machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to certain types of data processing
11.2 Exercising Your Rights
To exercise your rights:
- Submit a request through your account dashboard
- Email our Data Protection Officer at dpo@ecomatm.net
- Verify your identity for security purposes
- Receive response within 30 days (or as required by law)
12. Third-Party Data Processors
12.1 Vendor Management
We carefully vet all third-party data processors:
- Due Diligence: Comprehensive security and privacy assessments
- Contractual Obligations: Strict data processing agreements
- Regular Reviews: Ongoing monitoring of vendor compliance
- Data Minimization: Limited data sharing with processors
12.2 Key Processors
| Processor | Purpose | Data Processed |
|---|
| Supabase | Database services | All platform data |
| Vercel | Hosting and CDN | Application data, logs |
| Resend | Email delivery | Email addresses, message content |
| Moneroo | Payment processing | Payment information |
13. Contact Information
For data protection questions or to exercise your rights, contact us at:
Data Protection Officer
Email: dpo@ecomatm.net
Privacy Team: privacy@ecomatm.net
Address: [Company Address]
Phone: [Data Protection Contact Number]
Our Promise: We are committed to protecting your data with the highest standards of security and privacy. If you have any concerns about our data handling practices, please don't hesitate to contact us.