← Rivergate

Privacy Policy

Rivergate is operated by LE PION PASSE, France.

Last updated: March 10, 2026

1. Who We Are

Rivergate is a Software-as-a-Service platform for Amazon sellers, operated by LE PION PASSE, a company registered in France.

For all privacy-related inquiries: support@rivergate.apprivergate.app

2. Scope of This Policy

This policy applies to all users of Rivergate who authorize the platform to access their Amazon Seller account data through Amazon's Selling Partner API (SP-API). It describes how we collect, use, store, protect, and delete personal data, including data retrieved from Amazon on behalf of authorized sellers.

3. Data We Collect

3.1 Account data (provided directly by you)

  • Full name and email address
  • Billing information (processed by our payment provider; we do not store card numbers)
  • Marketplace and language preferences

3.2 Amazon SP-API data (retrieved with your explicit authorization)

  • Orders and order items (including shipping destination country, order identifiers, fulfillment status)
  • Financial events (fees, refunds, settlements)
  • Inventory levels and catalog listings
  • Reports provided by Amazon
  • Seller account and marketplace configuration

3.3 Technical and usage data

  • Server access logs, session tokens, and authentication events
  • Application error logs for debugging purposes

4. Personally Identifiable Information (PII) from Amazon Orders

Order data retrieved via SP-API may include personal information about Amazon buyers, such as shipping destination country and postal region. This information is used solely for:

  • Displaying order data to the authorized seller within the platform
  • EU VAT compliance analysis (classifying transactions by destination country under EU OSS rules)
  • Generating structured transaction reports for the seller's accountant

This data is never used for marketing, advertising, profiling, or any purpose unrelated to providing the service to the authorized seller.

5. Legal Basis for Processing (GDPR)

  • Performance of a contract (Art. 6(1)(b) GDPR): to provide the services you subscribed to
  • Legitimate interests (Art. 6(1)(f) GDPR): to secure the platform, prevent fraud, and improve service reliability
  • Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable EU laws, including VAT regulations

6. Data Retention

  • Amazon order data (including any buyer PII): Maximum 90 days after order shipment date, then permanently deleted
  • Financial events data: Duration of active subscription + 30 days
  • Account data: Duration of active subscription + 30 days, or upon deletion request
  • Server access logs: Maximum 12 months

Upon account termination, you may request immediate deletion of all your data by contacting support@rivergate.app. We will process deletion requests within 30 days.

7. Data Storage and Security

All data is stored on servers located within the European Union. We implement the following security controls:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is protected using AES-256 disk-level encryption
  • Sensitive database fields are encrypted at the application level

Access controls

  • Database is accessible only via localhost / private network
  • Administrative server access restricted by SSH key authentication and IP allowlist
  • Multi-factor authentication (MFA) enforced for all administrative accounts
  • Access to Amazon SP-API credentials limited to the application service account only

Backups

  • Automated daily encrypted backups stored in a geographically separate location
  • Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 24 hours

8. Amazon SP-API Compliance

Rivergate accesses and handles Amazon data in strict accordance with Amazon's Selling Partner API Data Protection Policy. Specifically:

  • Data is retrieved only for sellers who have completed Amazon's official OAuth authorization flow
  • Amazon data is not shared, sold, or transferred to any third parties except technical infrastructure providers under data processing agreements
  • PII retrieved via SP-API is retained for no more than 90 days after the relevant order shipment date
  • In the event of a security incident, Amazon will be notified at security@amazon.com within 24 hours of detection

9. Data Sharing and Third Parties

We do not sell, rent, or trade personal data. We may share limited data with the following technical service providers, acting as data processors under signed data processing agreements:

  • Cloud hosting provider (EU-based): for server infrastructure
  • Transactional email provider: for account notifications and alerts
  • Payment processor: for subscription billing (card data never stored by Rivergate)

No data is shared with advertising networks, analytics companies, or data brokers.

10. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights:

  • Right of access (Art. 15): request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): request correction of inaccurate data
  • Right to erasure (Art. 17): request permanent deletion of your data
  • Right to restriction (Art. 18): request that we limit processing of your data
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format
  • Right to object (Art. 21): object to processing based on legitimate interests

To exercise any of these rights, contact us at support@rivergate.app. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority. In France: CNILcnil.fr — 3 Place de Fontenoy, 75007 Paris.

11. Security Incident Response

In the event of a personal data breach, we will:

  1. Contain the incident and revoke any compromised credentials immediately
  2. Notify Amazon at security@amazon.com within 24 hours of detection
  3. Notify affected users and the CNIL within 72 hours as required by GDPR Art. 33
  4. Assess the scope of data exposure and document findings
  5. Remediate the vulnerability and update procedures to prevent recurrence

12. Cookies

Rivergate uses only technically necessary session cookies to maintain authentication. We do not use advertising or tracking cookies.

13. Children's Data

Rivergate is a B2B platform intended for use by Amazon sellers (businesses and professionals). We do not knowingly collect data from individuals under the age of 18.

14. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. We will notify registered users by email at least 14 days before material changes take effect.

15. Contact

LE PION PASSE — France
Email: support@rivergate.app
Website: rivergate.app

Rivergate is not affiliated with, endorsed by, or sponsored by Amazon.com, Inc. Amazon and Selling Partner API are trademarks of Amazon.com, Inc.