Privacy Policy

Last updated: 15 May 2026

Introduction

OTO Fulfilment (“we”, “us”, “our”) operates a cloud-based Warehouse Management System (WMS), Order Management System (OMS), and customer support module that helps e-commerce merchants and third-party logistics (3PL) providers manage multi-channel fulfilment and customer communications. This Privacy Policy explains how we collect, use, store, share, and dispose of personal data – including data received from third-party APIs such as the Amazon Selling Partner API and the Google APIs (Gmail).

By using the OTO Fulfilment platform you agree to the practices described in this policy. If you do not agree, please do not use our services.

Data Controller

OTO Technologies Ltd (trading as OTO Fulfilment) is the data controller for information processed through our platform.

Registered address: Unit 403 Glenfield Park Two, Blakewater Road, Blackburn, England, BB1 5QH
Contact: admin@otofulfilment.com

Data We Collect

Account Data

When you register for an OTO Fulfilment account we collect:

  • Full name, email address, and hashed password (or Google SSO identity)
  • Organisation/merchant name

Marketplace Data (including Amazon Information)

When a merchant connects a marketplace integration (e.g. Amazon, Shopify), we retrieve data from that marketplace’s API on the merchant’s behalf. For Amazon, this includes:

Category | Data Elements | Purpose
--- | --- | ---
Order data | Order ID, items, quantities, prices, order status, timestamps | Order processing and fulfilment
Buyer PII | Buyer name, shipping address, email, phone number | Shipping label generation, pick lists, packing slips
Listing data | ASIN, SKU, title, description, price, quantity | Catalogue synchronisation and inventory management
Integration credentials | OAuth refresh tokens, Selling Partner ID | Authenticated API access on behalf of the merchant

Amazon buyer PII is accessed exclusively through Amazon’s Restricted Data Token (RDT) mechanism and is used solely for order fulfilment purposes.

Google User Data (Gmail)

When a merchant connects their Gmail account to the OTO Fulfilment support module, they are taken through Google’s OAuth 2.0 consent flow and must grant our application explicit permission for the scopes listed below. We access Google user data only through the official Google APIs (Gmail API and Google OAuth 2.0 userinfo endpoint) and only to operate the merchant-facing support inbox feature.

OAuth Scope | Data Accessed | Purpose
--- | --- | ---
https://www.googleapis.com/auth/userinfo.email | The email address of the Google account being connected | To display and store which Gmail account has been linked to the merchant’s support integration, and to set the “From” address on agent replies
https://www.googleapis.com/auth/gmail.readonly | Inbound Gmail messages in the connected mailbox: message and thread IDs, history IDs, headers (From, To, Subject, Date, Message-ID, In-Reply-To, References), the plain-text or HTML body, and basic metadata (timestamps, labels) | To detect new customer emails via the Gmail History API and ingest them as support tickets inside the merchant’s OTO Fulfilment account so the merchant’s agents can triage and respond
https://www.googleapis.com/auth/gmail.send | The ability to send messages from the connected mailbox (no additional data is read with this scope) | To deliver agent replies authored inside OTO Fulfilment as outbound emails from the merchant’s own Gmail account, preserving the original Gmail thread
https://www.googleapis.com/auth/gmail.modify | The ability to modify message state in the connected mailbox (e.g. mark messages as read; we do not delete messages) | To keep the merchant’s Gmail mailbox in sync with the support inbox state (for example, marking an email as read once it has been ingested and assigned to an agent) so the merchant does not see duplicated unread counts in Gmail
Google OAuth refresh token | Long-lived refresh token issued by Google at consent | To obtain short-lived Gmail API access tokens on the merchant’s behalf when polling for new emails and sending replies, without prompting the merchant to re-authenticate

The Google OAuth refresh token is encrypted at rest using envelope encryption (AES-256-GCM with a per-record data key wrapped by an AWS KMS customer master key) and is never logged, exposed to the browser, or shared with any third party. The merchant can revoke our access at any time from https://myaccount.google.com/permissions or by disconnecting the integration from inside OTO Fulfilment, which immediately deletes the stored refresh token from our database.

Operational Data

  • Inventory records, bin/location assignments, batch and lot tracking data
  • Shipping labels, tracking numbers, courier service selections
  • User activity logs and audit trails

How We Use Data

We process personal data for the following purposes only:

Purpose | Legal Basis (UK GDPR)
--- | ---
Order fulfilment – generating shipping labels, pick lists, packing slips | Legitimate interest / contractual necessity
Inventory synchronisation with connected marketplaces | Contractual necessity
Submitting shipment confirmations and tracking data to marketplaces | Contractual necessity
Ingesting inbound Gmail messages as support tickets in the merchant’s OTO Fulfilment workspace | Contractual necessity
Sending agent replies from the merchant’s connected Gmail account in response to customer support enquiries | Contractual necessity
Marking Gmail messages as read after ingestion to keep the merchant’s mailbox state in sync with the support inbox | Contractual necessity
Account management and user authentication | Contractual necessity
Platform security, monitoring, and incident investigation | Legitimate interest

We do not:

  • Use buyer PII for marketing, advertising, analytics, or profiling
  • Sell or rent personal data to any third party
  • Use Amazon Information for any purpose other than order fulfilment
  • Use Google user data (including Gmail message content, metadata, and the connected email address) for serving advertisements, for any form of advertising profiling, or to determine creditworthiness or for lending purposes
  • Use Google user data to develop, train, fine-tune, or improve generalised, cross-merchant, or third-party artificial intelligence / machine learning models. Some OTO Fulfilment features (AI-assisted reply drafting and order-detail extraction) use AWS Bedrock as a sub-processor on the individual merchant’s own historical support conversations to fine-tune a private, merchant-scoped custom model that is only available to that merchant; data from one merchant is never used to train a model that serves another merchant, and customer message content is not provided to any third-party AI provider for the purpose of training their generalised foundation models
  • Allow humans to read a merchant’s Gmail messages except (a) with the merchant’s affirmative consent for specific messages, (b) where strictly necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised
  • Transfer or sell Google user data, Amazon Information, or any buyer/customer PII to any third party for an unrelated purpose
  • Aggregate buyer or end-customer data across merchants

Data Sharing

We share personal data only with the following categories of recipients, and only to the extent necessary for order fulfilment:

Recipient | Data Shared | Purpose
--- | --- | ---
Courier / shipping providers (e.g. Royal Mail, DPD, DHL) | Buyer name, shipping address, contact number | Shipping label generation and parcel delivery
Amazon (via SP-API) | Shipment confirmations, tracking numbers, inventory updates | Order status synchronisation
Google (via Gmail API and OAuth 2.0 endpoints) | Outbound reply messages (subject, body, recipient address, threading headers) sent from the merchant’s own connected Gmail account; Gmail message-state updates (e.g. mark as read) | Delivering agent replies from the merchant’s mailbox and synchronising read state, on the merchant’s behalf
Cloud infrastructure providers (Amazon Web Services) | Encrypted data in transit and at rest; Gmail message content while being processed by the support and support-AI services; per-merchant training data passed to AWS Bedrock for private, merchant-scoped model fine-tuning | Hosting, storage, compute services, and operating the AI-assisted support features as a sub-processor

All third-party data sharing is conducted over encrypted channels (TLS 1.2+). We do not share Amazon Information with any party for purposes unrelated to fulfilment, and we do not share Google user data with any party for purposes unrelated to operating the merchant-facing support inbox the merchant has connected.

Data Storage and Security

Infrastructure

  • All services are hosted on Amazon Web Services (AWS) within the EU (eu-west-1) region
  • Application services run in private VPC subnets with no direct public internet access
  • Data is stored in MongoDB Atlas with encryption at rest (AES-256) managed via AWS KMS
  • All data in transit is encrypted using TLS 1.2 or higher

Access Controls

  • User authentication via RS256 JWT tokens with short-lived expiry (1 hour access, 24 hour refresh)
  • Passwords hashed using bcrypt before storage – plaintext passwords are never persisted
  • Role-based access controls (RBAC) restrict user access to authorised resources only
  • Multi-tenant data isolation ensures each merchant can only access their own data
  • AWS infrastructure access requires IAM role assumption with MFA

Encryption at Rest

  • Database: AES-256 encryption via MongoDB Atlas with AWS KMS key management
  • Backups: Encrypted and stored in a geographically separated AWS region
  • Secrets and credentials: Stored in AWS Secrets Manager / GitHub Actions Secrets, never in source code
  • Automatic key rotation is enabled for all KMS-managed encryption keys

Monitoring and Logging

  • Application logs collected via AWS CloudWatch with minimum 12-month retention
  • AWS CloudTrail records all infrastructure and API activity
  • Automated alerts configured for unauthorised access attempts and anomalous activity
  • Security logs reviewed at minimum bi-weekly

Data Retention and Disposal

Data Type | Retention Period | Disposal Method
--- | --- | ---
Buyer PII (name, address, email, phone) | 30 days from order completion | Automatically anonymised (fields replaced with non-reversible placeholder values)
Order transactional data (items, totals, status) | Duration of merchant’s account | Deleted upon account termination
Soft-deleted orders | 90 days | Permanently hard-deleted via automated cleanup
Marketplace integration credentials (including Google OAuth refresh tokens) | Until integration is disconnected or merchant revokes access in their Google Account | Immediately deleted upon disconnection or revocation
Gmail message content ingested as support tickets (subject, body, sender/recipient headers, attachments) | Duration of merchant’s account, or until the merchant deletes the ticket | Deleted upon ticket deletion, integration disconnection, or account termination
Gmail message and thread identifiers / history cursors | Until integration is disconnected | Deleted upon disconnection
Per-merchant AI training exports (S3 JSONL artefacts derived from the merchant’s own support conversations) | Until the next training run, or until the merchant requests deletion | Overwritten/deleted from S3
User account data | Duration of account | Anonymised upon account deletion
Security and audit logs | Minimum 12 months | Automatically expired per retention policy

Amazon buyer PII is retained for the minimum period necessary to complete order fulfilment and is automatically anonymised thereafter. Merchants cannot export raw buyer PII in bulk.

Data Subject Rights

Under the UK GDPR, individuals have the following rights regarding their personal data:

  • Right of access – request a copy of personal data we hold
  • Right to rectification – request correction of inaccurate data
  • Right to erasure – request deletion of personal data
  • Right to restriction – request limited processing of personal data
  • Right to data portability – receive data in a structured, machine-readable format
  • Right to object – object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@otofulfilment.com. We will respond within 30 days.

Note: For buyer PII received from Amazon, the data controller for that personal data is the Amazon seller (our merchant customer). Buyer data subject requests should be directed to the relevant seller. We will assist our merchants in fulfilling such requests.

International Data Transfers

All data is processed and stored within the European Economic Area (EEA) and the United Kingdom. Our primary infrastructure is hosted in AWS eu-west-1 (Ireland) with backups in eu-west-2 (London). We do not transfer personal data outside the EEA/UK unless required by a specific courier integration, in which case appropriate safeguards (Standard Contractual Clauses) are in place.

Incident Response

In the event of a data breach affecting personal data, we will:

  1. Identify and contain the breach within 24 hours of detection
  2. Assess the scope, severity, and affected data subjects
  3. Notify the Information Commissioner’s Office (ICO) within 72 hours where required under UK GDPR
  4. Notify affected marketplace partners (including Amazon) within 24 hours
  5. Notify affected data subjects without undue delay where there is a high risk to their rights
  6. Conduct a post-incident review and implement remediation measures

Our Incident Management Point of Contact can be reached at security@otofulfilment.com.

Cookies

The OTO Fulfilment platform uses only strictly necessary cookies for session management and authentication. We do not use third-party advertising or analytics cookies. No Amazon Information is exposed to client-side tracking scripts.

Third-Party API Compliance

Amazon Selling Partner API

Our handling of Amazon Information complies with Amazon’s Data Protection Policy and the Acceptable Use Policy for the Selling Partner API programme. Specifically:

  • Amazon Information is used exclusively for order fulfilment
  • Buyer PII is accessed via Restricted Data Tokens (RDT)
  • PII is encrypted at rest using AES-256 with AWS KMS key management
  • PII is retained for no longer than 30 days after order completion
  • Access to Amazon Information is restricted to authorised personnel on a need-to-know basis
  • We maintain documented data handling and security policies
  • Vulnerability assessments and penetration testing are conducted regularly

Google API Services User Data Policy – Limited Use disclosure

OTO Fulfilment’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

  • Allowed use. Google user data (the connected Gmail address and the Gmail messages, threads, and metadata accessible through the granted OAuth scopes) is used solely to provide and improve the merchant-facing support inbox feature inside OTO Fulfilment – specifically: ingesting inbound customer emails as support tickets, sending agent replies from the merchant’s mailbox, and keeping Gmail message-state in sync with the support inbox.
  • Allowed transfers. We do not transfer Google user data to others except as necessary to provide or improve user-facing features that are prominent in OTO Fulfilment, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to merchants.
  • No advertising. We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
  • No human reading. We do not allow humans to read Google user data unless (a) we have obtained the merchant’s affirmative agreement to view specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data has been aggregated and anonymised and is used only for internal operations.
  • No generalised AI / ML training. We do not transfer or use Google user data to develop, improve, or train generalised or cross-merchant AI / ML models. AI features are trained on a strictly per-merchant basis using only that merchant’s own data, via AWS Bedrock acting as our sub-processor, and the resulting custom model is only available to that merchant.
  • No sale. We do not sell Google user data.
  • Encryption and access control. Gmail content is encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS). OAuth refresh tokens are encrypted using AWS KMS envelope encryption and are stored in MongoDB Atlas in an EU region. Access is restricted to authorised personnel on a least-privilege basis.
  • Revocation. The merchant can revoke our access to their Gmail account at any time, either by disconnecting the integration inside OTO Fulfilment (which deletes the stored refresh token) or via https://myaccount.google.com/permissions.

Children’s Privacy

OTO Fulfilment is a business-to-business platform. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered account holders and posted on this page with an updated “Last updated” date. Continued use of the platform after changes constitutes acceptance of the revised policy.

Contact Us

For questions about this Privacy Policy or our data practices, contact us at:

Email: privacy@otofulfilment.com
Security issues: security@otofulfilment.com