1. Who we are
Kepll LTD is a company incorporated in the United Kingdom.
- Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
- Email: info@kepll.com
- Phone: +44 7988 598729
For data protection purposes, Kepll LTD is the controller of the personal data described in this Policy, unless we state otherwise (for example, where we process personal data strictly as a processor on documented instructions of a business customer).
2. Scope and relationship to other documents
This Policy applies to personal data we process in connection with:
- our corporate website and marketing pages;
- sales, onboarding, billing, customer support, and account administration for Kepll Commerce;
- the operation, security, analytics, and improvement of Kepll Commerce where such processing involves personal data;
- integrations you enable between Kepll Commerce and third-party platforms (including Amazon and Shopify) and related APIs.
Where you use Kepll Commerce as an organisation, you may be required to accept additional contractual terms (including data processing terms where applicable). If there is any inconsistency between this Policy and a signed agreement, the agreement prevails to the extent of the inconsistency.
3. Definitions
- Amazon Information means data obtained from Amazon via the Selling Partner API or otherwise through Amazon services, including any data that Amazon designates as restricted or personal information, and any buyer or customer personal data made available to sellers or developers in connection with Amazon marketplace operations.
- PII means personally identifiable information (personal data relating to an identified or identifiable individual).
- Customer means the business entity that subscribes to Kepll Commerce (where relevant).
- Users means individuals authorised to access a Customer account (for example, administrators and staff).
4. Personal data we collect
Depending on how you interact with us, we may process the following categories of personal data:
4.1 Account, billing, and authentication data
- name, business name, job title, email address, telephone number, password hashes, security settings, and multi-factor authentication artefacts;
- billing identifiers, subscription plan, invoices, and payment-related records. Payment card data is processed by our payment service provider (Stripe). We do not store full payment card numbers on our systems.
4.2 Service data and configuration
- store configuration, product and listing metadata, operational logs, sync status, repricing rules, and other content you submit or generate through Kepll Commerce;
- integration credentials or tokens required to connect Amazon, Shopify, and other services (stored and handled using industry-standard security measures and least-privilege access).
4.3 Amazon Information and marketplace-related PII
Where you connect an Amazon selling account, Kepll Commerce may process Amazon Information necessary to provide the features you enable. This may include, depending on your settings and Amazon’s disclosures to your selling account, buyer or customer PII (such as names, addresses, phone numbers, and email addresses) where Amazon makes such data available to you as a seller or to us strictly as needed to provide the Services.
We process Amazon Information only for the purposes described in this Policy and in accordance with Amazon Requirements, including limitations on onward transfers, retention, minimisation, and security.
4.4 Shopify and other integrations
If you connect Shopify or other third-party services, we process personal data received from those services only as needed to provide the integrations you enable, consistent with the third party’s terms and your configuration.
4.5 Support, communications, and marketing
- messages you send us, call recordings if used and permitted, crash diagnostics, and troubleshooting materials you voluntarily provide;
- where permitted, marketing preferences and engagement metrics.
4.6 Technical and usage data
- IP address, device identifiers, browser type, approximate location derived from IP, timestamps, pages viewed, referring URLs, and event logs for security, fraud prevention, reliability, and product improvement.
5. Purposes and lawful bases (UK GDPR)
We process personal data on one or more of the following lawful bases:
- Contract (Article 6(1)(b)): to provide Kepll Commerce, authenticate users, process subscriptions, and perform our agreement with Customers.
- Legitimate interests (Article 6(1)(f)): to secure our Services, prevent abuse, debug and improve performance, analyse aggregated usage, and operate our business, where not overridden by your rights.
- Legal obligation (Article 6(1)(c)): to comply with applicable law, tax, accounting, and regulatory requirements.
- Consent (Article 6(1)(a)): where required for certain cookies or direct marketing communications, which you may withdraw at any time.
Where we process special categories of personal data (rare in our Services), we will ensure an applicable condition under UK law is satisfied.
6. Amazon PII and Amazon Requirements (Selling Partner API alignment)
We treat Amazon Information that constitutes PII as high-sensitivity data. Without limiting the generality of our obligations, we implement and maintain administrative, technical, and organisational measures designed to meet Amazon Requirements, including:
- Minimisation and purpose limitation: we collect and retain only the Amazon PII reasonably necessary to provide the features you enable.
- Access controls: access to Amazon PII is restricted to authorised personnel and systems on a need-to-know basis, with authentication, authorisation, logging, and periodic review.
- Encryption and transmission security: we use encryption in transit consistent with modern standards (such as TLS) for data exchanges between Kepll Commerce, your devices, and integrated services, and we protect data at rest using industry-standard controls appropriate to the environment.
- No “data selling” of Amazon PII: we do not sell Amazon PII. We do not use Amazon PII to solicit buyers away from Amazon in violation of Amazon policies.
- Prohibited uses: we do not use Amazon-designated PII to train machine-learning models for unrelated purposes, and we do not use Amazon PII for general advertising profiling unrelated to providing the Services to you. Where machine-learning features process operational or marketplace data, such processing is limited to providing the Services to you, uses minimisation and pseudonymisation where practicable, and complies with Amazon Requirements.
- Confidentiality and workforce controls: personnel with access to Amazon PII are subject to confidentiality obligations and security training appropriate to their role.
- Monitoring and incident response: we maintain security monitoring and an incident response process designed to detect, investigate, and report issues consistent with legal obligations and contractual commitments.
If Amazon requires specific attestations, audit cooperation, or additional controls for particular data elements or APIs, we will implement those requirements as part of our compliance programme.
7. How we share personal data
We may share personal data with:
- Service providers (processors) who assist us with hosting, infrastructure, logging, email delivery, customer support tooling, security monitoring, analytics, and payment processing (including Stripe).
- Amazon and Shopify as necessary to operate integrations you enable, subject to their terms and your account permissions.
- Professional advisers (lawyers, accountants, insurers) where required.
- Authorities where required by law or to protect rights, safety, and security.
We require processors to process personal data only on our instructions and to implement appropriate security measures. A list of key sub-processors may be provided on request or published on our website.
8. International transfers
We may process personal data in the United Kingdom and the European Economic Area, and may use service providers in other countries. Where personal data is transferred from the UK to countries not subject to adequacy regulations, we implement appropriate safeguards (such as the UK International Data Transfer Agreement / Addendum or UK-approved standard contractual clauses) as required by applicable law.
9. Retention (including Amazon-related data)
We retain personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Account and subscription records: retained for the life of the account and for a limited period thereafter to resolve disputes, enforce terms, and meet legal, tax, and accounting obligations.
- Amazon PII and operational copies within Kepll Commerce: retained only as long as needed to provide active features you use (for example, order fulfilment workflows you configure) and for a short operational buffer consistent with minimisation, unless a different retention period applies due to legal obligations.
- Security logs: retained for a period necessary for threat detection, investigation, and compliance (typically rolling retention).
- Marketing records: retained until you withdraw consent or object, as applicable.
Retention periods may vary depending on integration type, feature configuration, and regulatory requirements. We review retention periodically and anonymise or delete data when no longer needed.
10. Data deletion upon subscription termination
When your Kepll Commerce subscription ends or you close your account (and any applicable post-termination access window expires), we will delete or irreversibly anonymise Customer Data and Amazon-derived PII from production systems within thirty (30) calendar days, except where a longer retention period is required by law or where data is stored only in encrypted backups that cannot be readily accessed for routine processing.
Encrypted backup snapshots are overwritten or purged in accordance with our backup lifecycle, which is designed to ensure complete removal of identifiable data within ninety (90) calendar days after the production deletion, except where a legal hold or regulatory obligation requires preservation of specific records. Where preservation is required, access is restricted and the data is not used for operational purposes.
You may request deletion earlier where applicable law provides a right to erasure, subject to statutory exceptions.
11. Security
We implement technical and organisational measures appropriate to the risk, including access controls, encryption in transit, secure development practices, vulnerability management, logging, and business continuity measures. No method of transmission or storage is completely secure; we work to continually improve our security posture.
12. Automated decision-making
Kepll Commerce may include features that automate recommendations or pricing suggestions. Unless we expressly state otherwise for a specific feature, we do not make solely automated decisions that produce legal or similarly significant effects concerning individuals under UK GDPR Article 22 in relation to end-customers of your business. If we introduce such processing, we will provide appropriate information and safeguards as required by law.
13. Your rights
Depending on your circumstances, you may have the following rights under UK data protection law:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to data portability (where applicable);
- right to object to processing based on legitimate interests or for direct marketing;
- rights related to automated decision-making (where applicable);
- right to withdraw consent at any time (where processing is consent-based).
You may also lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
To exercise your rights, contact us at info@kepll.com. We may need to verify your identity before responding.
14. Children
Our Services are not directed to children, and we do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us and we will take appropriate steps to delete it.
15. Cookies and similar technologies
We use cookies and similar technologies for authentication, security, preferences, and analytics. Where required, we obtain consent through a cookie banner or equivalent mechanism and allow you to adjust non-essential cookies.
16. Changes to this Policy
We may update this Policy from time to time. We will post the updated version on our website and update the “Last updated” date. If changes are material, we will provide additional notice as required by law (which may include email notice or an in-product notification).
17. Regulatory notice
This Policy is provided for transparency and compliance purposes. It is not legal advice. If you require bespoke contractual data protection terms (including a Data Processing Agreement), please contact us.
18. Contact
For privacy enquiries, please contact:
Kepll LTD
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: info@kepll.com
Phone: +44 7988 598729