Legal

Privacy Policy

Stand: April 21, 2026

This Privacy Policy explains how M.B. Ecom Brands Ltd. ("Vorteq", "we", "us") processes personal data and Amazon data in connection with the Vorteq service. It applies to sellers using Vorteq and to visitors of this website.

1. Controller

Controller within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws:

M.B. Ecom Brands Ltd.
Prodromou 121, Office 402
2064 Strovolos Nicosia, Cyprus
Email: support@vorteq.io (interim also michaelbrandl51@gmail.com)
Phone: +49 152 0441 3884

We have not formally appointed a Data Protection Officer because we do not meet the statutory thresholds of Art. 37 GDPR. Privacy enquiries go to support@vorteq.io.

2. What we process

2.1 When you visit this website

  • Server logs: IP address (truncated where technically possible), timestamp, user agent, requested URL, HTTP status. Purpose: operations, security, error analysis. Legal basis: Art. 6(1)(f) GDPR.
  • Strictly necessary / session cookies: e.g. for sign-in and CSRF protection.
  • No tracking or marketing cookies. We do not run third-party analytics during the beta.

2.2 Contact or beta signup form

  • Name, email, optional message.
  • Consent to be contacted, IP address and timestamp of submission.
  • Purpose: processing your request, sending a confirmation. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(a) GDPR.

2.3 As a Vorteq customer (seller)

  • Account data: name, email, password hash, timestamps.
  • Amazon authorisation data: Amazon refresh tokens and short-lived access tokens for SP-API and Amazon Ads API, encrypted with AES-256-GCM.
  • Amazon data from your seller account: orders, financial data (settlements, financial events), inventory and FBA stock, traffic and ranking metrics, advertising campaign and keyword performance.
  • Support and communication content: emails, chat messages and support cases.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest).

3. Purposes

  • Providing Vorteq as an analytics service for Amazon sellers.
  • Syncing and structuring your Amazon data into a queryable data foundation (dashboard, AI chat via MCP server).
  • Managing pre-contractual and contractual relationships (beta, paid plans, invoicing).
  • Security, abuse prevention, meeting legal obligations (e.g. bookkeeping).

4. Retention

  • Amazon refresh tokens / credentials: kept while your subscription is active; cryptographically erased within 30 days of termination.
  • Amazon analytics data (orders, financials, inventory, traffic): active subscription + 24 months.
  • Raw Amazon report files: 90 days.
  • Account email and billing data: active subscription + 6 months; invoice data beyond that in line with statutory retention obligations up to 10 years.
  • Security audit logs: at least 13 months.
  • Application logs: 90 days.
  • Contact / beta signup form data: until your revocation, at the latest 24 months after the last contact.

5. Recipients and processors

We rely on carefully selected processors pursuant to Art. 28 GDPR. All data processing takes place inside the EU:

ProcessorPurposeRegion
Supabase Inc. via AWSGehostete PostgreSQL-Datenbank und DateispeicherAWS eu-central-1 (Frankfurt, Deutschland)
Hetzner Online GmbHVirtuelle Server für Sync- und Backend-WorkerDeutschland / EU
Vercel Inc.Hosting für Next.js-Frontend (Edge auf EU-Regionen begrenzt)EU-Regionen
Amazon.com Services LLC (SP-API, Ads API)Amazon Selling Partner API und Amazon Ads API als DatenquelleEU-Endpunkte
Resend, Inc.Transaktionaler E-Mail-Versand (Bestätigungen, Benachrichtigungen)EU-Region

We do not share your data with advertising networks, marketplaces or other third parties. We only disclose data to authorities where legally required.

6. International transfers

Under the current architecture, personal data and Amazon data are processed exclusively within the EU. Should we onboard a processor outside the EU, we will put Standard Contractual Clauses (Art. 46 GDPR) or an adequacy decision in place beforehand.

7. Amazon-specific notes

Vorteq is a third-party application that accesses your Amazon data through the official Amazon Selling Partner API and the Amazon Ads API — exclusively with your explicit authorisation in Amazon Seller Central. We process the data in line with the Amazon Data Protection Policy.

You can revoke the authorisation at any time via Amazon Seller Central ("Manage Your Apps"). Data access stops within 24 hours and we delete your Amazon data in line with the retention schedule in section 4.

8. Security

We protect your data with TLS 1.2+ in transit, AES-256 at rest (Supabase/AWS) and additional AES-256-GCM encryption on credential fields. Multi-tenant isolation is enforced by PostgreSQL Row Level Security. Our security and access policies align with the Amazon Data Protection Policy.

9. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Correct inaccurate data (Art. 16).
  • Erasure (Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability in a machine-readable format (Art. 20).
  • Object to processing based on Art. 6(1)(f) GDPR (Art. 21).
  • Withdraw previously given consents with future effect (Art. 7(3)).

To exercise your rights, email support@vorteq.io. We acknowledge requests within 3 business days and respond within 30 days.

10. Right to lodge a complaint

You have the right to lodge a complaint with a data protection authority. The primary authority for M.B. Ecom Brands Ltd. is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (Iasonos 1, 1082 Nicosia, Cyprus; dataprotection.gov.cy). If you reside in Germany, Austria, Switzerland or another EU member state, you can also contact your local authority.

11. Changes

We update this policy when the legal landscape, our services or our data processing change. The current version is always available at vorteq.io/privacy.