Privacy Policy & GDPR Statement

Last Updated & Effective Date: March 30, 2026

1. Objective, Scope, and Controller Identity

At BBBS Domestic and Foreign Trade Limited Company ("We", "Us", "Our", or "Company"), the security, confidentiality, and integrity of your personal and corporate data are our highest priorities. This Privacy Policy and Information Notice is drafted in adherence to the **General Data Protection Regulation (GDPR)** (EU 2016/679) and applicable domestic laws. It describes how your data is collected, processed, retained, and securely destroyed across our SaaS ecosystem, including the Master Panel, WMS, and API gateways. BBBS acts as the Data Controller for data collected through its direct interactions with you; processing carried out on behalf of business customers is governed by the confidentiality terms of the applicable enterprise agreement.

2. Categories of Processed Data and Collection Mechanisms

Throughout your interactions with our platform—whether initiating a software consultation, registering for the Store Panel, or mapping third-party marketplace API integrations (e.g., Amazon SP-API, Trendyol, Hepsiburada)—we programmatically and manually collect the following data categories:

  • Identity and Corporate Data: Authorized representative full names, corporate titles, registered entity names, tax identification numbers, and official billing addresses.
  • Contact Information: Professional email addresses, direct and corporate phone numbers, and the IP addresses recorded when consultation forms are submitted.
  • Financial and Operational Data: Aggregate order volumes, existing marketplace structures, ERP software currently in use, and transaction histories passed strictly for the purpose of architectural diagnosis.
  • Technical and Security Data: JWT session tokens, OAuth 2.0 access tokens scoped only to the marketplaces you authorize, CSRF validation tokens, and device and geolocation analytics.

3. Purpose and Legal Basis for Processing

Your personal data is never processed without a valid legal basis. We rely on the following legal bases outlined in Article 6 of the GDPR:

  • Contractual Necessity: To deliver B2B software services, provision dedicated AWS hosting clusters, and authenticate users to the Suppert Flow infrastructure.
  • Legitimate Interests: To run automated AI repricing, prevent abusive automated API scraping, operate security controls such as idempotency keys and token-bucket rate limiting, and improve the user experience.
  • Legal Obligations: Compliance with domestic e-commerce logging regulations, taxation audit trails, and mandatory law enforcement disclosures.
  • Explicit Consent: Pertaining specifically to non-essential marketing communications, tracking pixel deployments, and opt-in newsletter distributions.

4. Data Security Architecture and Third-Party Transfers

We do not sell, rent, or otherwise disclose your data to data brokers or advertising networks. All backend communications are encrypted in transit with TLS 1.3, and our databases are encrypted at rest with AES-256. Where data must be transmitted to third parties (for example, cloud providers such as AWS, or domestic SMS and email delivery services), those parties are bound by Data Processing Agreements (DPAs). Restricted Data Tokens (RDTs) obtained from the Amazon SP-API for access to PII (Personally Identifiable Information) are discarded automatically once the associated fulfillment has been routed, so they are never persisted locally.

5. Data Retention Protocols

We apply data minimization throughout. Corporate entity data and billing histories are retained for the legally mandated period (typically 10 years) under commercial and tax law. Integration tokens and API keys are destroyed immediately upon account termination. Access audit logs are purged on a rolling 90-day basis, oldest entries first, unless they have been flagged for retention as part of a security investigation.

6. Your Rights Under GDPR (Data Subject Rights)

In accordance with GDPR Chapter 3, you possess robust fundamental rights regarding your digital footprint within our ecosystem:

  • Right to Access & Portability: Obtain a structured, machine-readable export (JSON or CSV) of all personal data we hold about your entity.
  • Right to Rectification: Require the prompt correction of any inaccurate logistics or billing data.
  • Right to Erasure (Right to be Forgotten): Require the deletion of your records, provided no overriding legal retention obligation applies.
  • Right to Restrict Processing: Suspend the AI algorithms or API synchronization without deleting the underlying account configuration.

To exercise these rights, authenticated administrators may submit a formal request to our designated Data Protection Officer (DPO) at legal@suppertsoftware.com. We undertake to resolve all such requests within 30 calendar days of receipt, regardless of your location.