Legal

Privacy Policy

Last updated: April 9, 2026

1. Introduction

BidPilot ("we," "us," "our") is an automated Amazon Advertising bid optimization service operated by Muhammad Ahtisham as an individual developer based in Pakistan. This Privacy Policy describes how we collect, use, store, and protect information when you use BidPilot (the "Service").

By using BidPilot, you agree to the collection and use of information in accordance with this policy. If you disagree with any part of this policy, please do not use the Service.

2. Who This Policy Applies To

This policy applies to:

  • Visitors to https://bidpilot.ahtisham.store
  • Users who sign up for a BidPilot account
  • Amazon Advertising accounts that users connect to the Service via Login with Amazon (LWA)

3. Information We Collect

3.1 Information You Provide Directly

  • Account information: Your name, email address, and password (stored as a one-way hash, never in plain text).
  • Team information: If you invite team members, we store their name, email, and assigned role.
  • Communications: Any messages you send us via email or the contact form.

3.2 Information from Amazon Advertising API

When you connect an Amazon advertising profile via Login with Amazon, BidPilot is authorized to read and write specific data on your behalf. We only access what is necessary to operate the Service:

  • Advertising profile ID, marketplace, and currency
  • Sponsored Products campaigns, ad groups, keywords, and product targets
  • Performance metrics: impressions, clicks, spend, orders, sales, ACoS, and ROAS
  • Search term reports (for negative keyword discovery features)
  • Historical bid values

What we do NOT access: buyer personal information, order-level customer data, return or refund information, inventory data, pricing data, or any personally identifiable information about Amazon shoppers.

3.3 Automatically Collected Information

  • Log data: IP address, browser type, pages visited, and timestamps — used only for security and debugging.
  • Cookies: Strictly necessary cookies for authentication (session cookies). We do not use tracking or advertising cookies.

4. How We Use Your Information

We use the information we collect exclusively to:

  • Operate, maintain, and provide the BidPilot Service to you
  • Execute the bid optimization rules you configure
  • Calculate and apply bid changes via the Amazon Advertising API
  • Generate reports, analytics, and bid history views within your account
  • Send you transactional emails (daily rule summaries, approval notifications, account alerts)
  • Respond to your support requests
  • Detect and prevent fraud, abuse, or security incidents

We do not:

  • Sell, rent, or trade your data to anyone, ever.
  • Use your Amazon advertising data for any purpose other than operating the Service for you.
  • Share aggregated or anonymized data with third parties.
  • Use your data to train machine learning models beyond the specific rules you create.
  • Show you advertisements or use your data for advertising targeting.

5. Amazon Advertising API Compliance

BidPilot accesses the Amazon Advertising API as an authorized third-party application. We adhere to:

You can revoke BidPilot's access to your Amazon advertising profile at any time by visiting your Amazon account's "Manage Connected Apps" page. Revocation takes effect immediately, after which BidPilot will no longer be able to read or modify any data from your account.

6. How We Store and Secure Your Data

  • Database: All data is stored in Supabase (PostgreSQL), hosted on secure cloud infrastructure.
  • Encryption at rest: Sensitive fields such as Amazon refresh tokens, API credentials, and password hashes are encrypted with AES-256 before being written to the database.
  • Encryption in transit: All communication between your browser, BidPilot servers, and Amazon APIs uses HTTPS with TLS 1.2 or higher.
  • Access control: Production data is only accessible to the BidPilot developer (Muhammad Ahtisham). All access is logged.
  • Isolation: Each agency's data is isolated at the database row level. One user's data is never exposed to another user.
  • Backups: Daily automatic database backups, retained for 7 days.

7. Data Retention

We retain your data only as long as necessary:

  • Account data: Retained while your account is active and for 30 days after deletion, after which it is permanently purged.
  • Bid history and performance data: Full detail retained for 90 days. After 90 days, data is automatically aggregated into weekly summaries to reduce storage while preserving long-term trends.
  • Audit logs: Retained for 1 year for security and compliance purposes.
  • Log data: Server logs are retained for 30 days.

8. Your Rights

You have the following rights regarding your data:

  • Access: Request a copy of all data we hold about you.
  • Correction: Request correction of any inaccurate data.
  • Deletion: Request complete deletion of your account and all associated data. You can trigger this yourself via the "Delete My Account" button in account settings, or by emailing us. Deletion is completed within 72 hours.
  • Portability: Export your rules, bid history, and account settings as JSON at any time.
  • Revocation: Disconnect any Amazon advertising profile at any time from the account dashboard or from Amazon's Connected Apps page.
  • Objection: Object to any use of your data that you believe is inappropriate.

To exercise any of these rights, email ahtishampatni653@gmail.com. We respond to all requests within 30 days.

9. GDPR Compliance (EU Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR). BidPilot processes your personal data on the lawful basis of your consent and the performance of our contract with you. Our Data Protection contact is Muhammad Ahtisham at ahtishampatni653@gmail.com.

10. CCPA Compliance (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA). BidPilot does not sell personal information as defined by the CCPA. You may request disclosure of the personal information we have collected and request its deletion by contacting us at the email above.

11. Children's Privacy

BidPilot is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12. Third-Party Services

BidPilot relies on the following third-party services to operate. Each has its own privacy policy:

  • Amazon Advertising API - Terms of Use
  • Supabase (database hosting) — Privacy Policy
  • Vercel (web hosting) — Privacy Policy
  • Email provider (for transactional email) — will be disclosed here once selected

13. International Data Transfers

BidPilot is operated from Pakistan. Your data may be processed in countries other than your own, including the United States (where Supabase and Vercel operate servers). By using the Service, you consent to this transfer. We ensure that all third-party processors provide adequate safeguards for international data transfers.

14. Security Incidents

If BidPilot experiences a data breach that may affect your personal information, we will notify you via email within 72 hours of becoming aware of the incident, and publish an incident report at bidpilot.ahtisham.store/security.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify active users by email at least 7 days before the changes take effect.

16. Contact

If you have any questions about this Privacy Policy or our data practices, contact: