Privacy Policy

1. Introduction

Laurence AI, Inc. ("Laurence," "we," "our," or "us") provides an automated Amazon advertising (PPC) bid-optimization platform for Amazon sellers and the agencies that manage them. This Privacy Policy explains how we collect, use, store, protect, share, and delete information when you use our website, dashboard, APIs, and related services (collectively, the "Service").

Because the Service connects to Amazon's Advertising API and Selling Partner API (SP-API), this policy is designed to comply with the Amazon Acceptable Use Policy and the Amazon Data Protection Policy (DPP), as well as the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data-protection laws.

2. Information We Collect

2.1 Account & Identity Information

When you register for and use the Service, we collect your name, business email address, company name, and the authentication credentials used to sign in. We also retain the role and store-access assignments that govern what each member of your organization can see.

2.2 Amazon Authorization Data

When you connect your Amazon account through Login with Amazon (LWA) and authorize SP-API and Advertising API access, Amazon issues us OAuth tokens on your behalf. We store the resulting refresh tokens in encrypted form (see Section 4), along with the identifiers needed to call the APIs for your account — such as your Amazon selling partner ID, marketplace IDs, and advertising profile IDs.

2.3 Amazon Advertising Data

To optimize your campaigns, we access and process advertising data from the Amazon Advertising API, including:

• Campaign, ad group, keyword, and product-target structures for Sponsored Products, Sponsored Brands, and Sponsored Display
• Bids, budgets, and bidding strategies
• Performance metrics such as impressions, clicks, spend, conversions, sales, ACOS, and ROAS
• Search-term and targeting reports

2.4 Amazon Selling Partner (SP-API) Data

To measure profitability and contextualize bids, we access selling-account data from the SP-API, including:

• Catalog and listing data (ASINs, product titles, attributes, images, and A+ content)
• Inventory levels and fulfillment status
• Aggregated order and sales metrics (e.g., ordered product sales, units ordered, and order-item counts by ASIN and date)
• Referral, fulfillment, and other product fees
• Business and advertising reports you authorize us to pull

2.5 Usage & Technical Data

We automatically collect technical information when you use the Service, including IP address, browser and device type, pages viewed, feature interactions, and application logs and performance metrics.

2.6 What We Do Not Collect

Laurence is an advertising-optimization tool, not a CRM. We do not request, collect, or store personally identifiable information about your shoppers — no buyer names, shipping or billing addresses, email addresses, phone numbers, or payment-card data. The order and sales data we process is limited to aggregated, non-identifying metrics. If Amazon Information ever includes such personally identifiable information, we handle it strictly in accordance with the Amazon Data Protection Policy and delete it as described in Section 7.

3. How We Use Information

We use the information above solely to operate and improve the Service for you. Specifically, we use it to:

• Calculate optimized bids and submit automated campaign, keyword, and bid adjustments on your behalf
• Generate analytics, diagnostics, and reporting dashboards for your account
• Power the "Ask Laurence" reporting agent
• Maintain, secure, troubleshoot, and improve the Service, including the accuracy of our statistical models
• Communicate with you about your account, provide support, and send service-related notifications

We do not sell your data or your Amazon Information, and we never use it to benefit your competitors. We process Amazon Information only to provide and improve the Service for the account that authorized us. Any model improvement that draws on multiple accounts uses only anonymized, aggregated data that cannot be used to identify you, your products, or your business.

4. How We Store & Protect Information

We apply technical and organizational safeguards consistent with the Amazon Data Protection Policy:

• Encryption in transit: all traffic between your browser, our servers, and Amazon's APIs is encrypted using TLS.
• Encryption at rest: stored data is encrypted using AES-256. Amazon OAuth refresh tokens are additionally protected with envelope encryption — a per-record data key sealed by a master key — so credentials are never stored in plaintext.
• Access controls: access to production systems and credentials is restricted to authorized personnel on a least-privilege basis, with authentication and access logging.
• Environment separation: production data is not used in development or testing environments.
• Incident response: we maintain an incident-response plan and will notify affected customers and Amazon of any qualifying security incident without undue delay, as required by law and the DPP.

Data is hosted with reputable cloud providers in the United States (see Section 5). Our state and analytics stores run on Supabase (PostgreSQL), ClickHouse, and Upstash Redis; our backend runs on Amazon Web Services and our website on Vercel.

5. How We Share Information

We do not sell, rent, or trade your information. We share it only in these limited circumstances:

5.1 Service Providers

We share data with sub-processors that host and operate the Service on our behalf, including Amazon Web Services (infrastructure), Vercel (website hosting), Supabase and ClickHouse (databases), Upstash (caching), and Google Analytics (usage analytics). These providers are bound by contractual obligations consistent with this policy and the Amazon Data Protection Policy, and may use the data only to provide services to us.

5.2 Legal Requirements

We may disclose information where required by law, court order, or government request, or where necessary to protect our rights, prevent fraud, or address security threats.

5.3 Business Transfers

In a merger, acquisition, or sale of assets, information may be transferred to the successor entity, subject to the same protections described in this policy.

6. Amazon Data Protection Policy Compliance

For data obtained through the Amazon Advertising API and SP-API ("Amazon Information"), we specifically commit that we:

• Use Amazon Information only to provide and improve the Service for the authorizing seller, and only as permitted by the authorized scopes
• Retain Amazon Information only as long as necessary to provide the Service, and delete it on request or when no longer needed
• Encrypt Amazon Information in transit and at rest, and protect credentials with envelope encryption
• Never use Amazon Information for advertising or marketing to shoppers, and never share it except with the sub-processors and for the purposes described above

7. Data Retention & Deletion

While your account is active, we retain your data to provide the Service. You can revoke our access to your Amazon account at any time from Amazon Seller Central or your Login with Amazon settings, or by disconnecting your store in the Laurence dashboard; once access is revoked, we stop ingesting new Amazon Information.

When you close your account or request deletion, we delete or anonymize your data — including stored Amazon credentials and Amazon Information — within 30 days, except where longer retention is required by law. Residual copies in encrypted backups are purged on the backup-rotation cycle (no later than 90 days). To request access to, correction of, or deletion of your data, email us at matthew@laurence.com.

8. Your Rights & Choices

Depending on your location, you may have rights to access, correct, export, restrict, or delete your personal data, and to object to certain processing. As an Amazon seller or agency, you also control your Amazon authorization and may withdraw it at any time. To exercise any of these rights, contact us at matthew@laurence.com. We will respond within the timeframe required by applicable law.

9. International Data Transfers

We process and store data in the United States. Where we receive data from other regions, we rely on legally recognized transfer mechanisms, such as the European Commission's Standard Contractual Clauses, to ensure an adequate level of protection.

10. Cookies & Tracking Technologies

We use essential cookies for authentication and core functionality, and analytics cookies (including Google Analytics) to understand and improve how the Service is used. You can control cookies through your browser settings, though disabling some may limit functionality.

11. Children's Privacy

The Service is a business-to-business product intended for sellers and agencies. It is not directed to children, and we do not knowingly collect personal information from anyone under 16.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where appropriate, notify you by email or through the Service. Your continued use of the Service after an update constitutes acceptance of the revised policy.