Last updated: 23 March 2026
Introduction
OTO Fulfilment (“we”, “us”, “our”) operates a cloud-based Warehouse Management System (WMS) and Order Management System (OMS) that helps e-commerce merchants and third-party logistics (3PL) providers manage multi-channel fulfilment operations. This Privacy Policy explains how we collect, use, store, share, and dispose of personal data – including data received from third-party marketplace APIs such as the Amazon Selling Partner API.
By using the OTO Fulfilment platform, you agree to the practices described in this policy. If you do not agree, please do not use our services.
Data Controller
OTO Technologies Ltd (trading as OTO Fulfilment) is the data controller for information processed through our platform.
Registered address: Unit 403 Glenfield Park Two, Blakewater Road, Blackburn, England, BB1 5QH
Contact: privacy@otofulfilment.com
Data We Collect
Account Data
When you register for an OTO Fulfilment account, we collect:
- Full name, email address, and hashed password (or Google SSO identity)
- Organisation/merchant name
Marketplace Data (including Amazon Information)
When a merchant connects a marketplace integration (e.g. Amazon, Shopify), we retrieve data from that marketplace’s API on the merchant’s behalf. For Amazon, this includes:
| Category | Data Elements | Purpose |
|---|---|---|
| Order data | Order ID, items, quantities, prices, order status, timestamps | Order processing and fulfilment |
| Buyer PII | Buyer name, shipping address, email, phone number | Shipping label generation, pick lists, packing slips |
| Listing data | ASIN, SKU, title, description, price, quantity | Catalogue synchronisation and inventory management |
| Integration credentials | OAuth refresh tokens, Selling Partner ID | Authenticated API access on behalf of the merchant |
Amazon buyer PII is accessed exclusively through Amazon’s Restricted Data Token (RDT) mechanism and is used solely for order fulfilment purposes.
Operational Data
- Inventory records, bin/location assignments, batch and lot tracking data
- Shipping labels, tracking numbers, courier service selections
- User activity logs and audit trails
How We Use Data
We process personal data for the following purposes only:
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Order fulfilment – generating shipping labels, pick lists, packing slips | Legitimate interest / contractual necessity |
| Inventory synchronisation with connected marketplaces | Contractual necessity |
| Submitting shipment confirmations and tracking data to marketplaces | Contractual necessity |
| Account management and user authentication | Contractual necessity |
| Platform security, monitoring, and incident investigation | Legitimate interest |
We do not:
- Use buyer PII for marketing, advertising, analytics, or profiling
- Sell or rent personal data to any third party
- Use Amazon Information for any purpose other than order fulfilment
- Aggregate buyer data across merchants
Data Sharing
We share personal data only with the following categories of recipients, and only to the extent necessary for order fulfilment:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Courier / shipping providers (e.g. Royal Mail, DPD, DHL) | Buyer name, shipping address, contact number | Shipping label generation and parcel delivery |
| Amazon (via SP-API) | Shipment confirmations, tracking numbers, inventory updates | Order status synchronisation |
| Cloud infrastructure providers (AWS) | Encrypted data in transit and at rest | Hosting, storage, and compute services |
All third-party data sharing is conducted over encrypted channels (TLS 1.2+). We do not share Amazon Information with any party for purposes unrelated to fulfilment.
Data Storage and Security
Infrastructure
- All services are hosted on Amazon Web Services (AWS) within the EU (eu-west-1) region
- Application services run in private VPC subnets with no direct public internet access
- Data is stored in MongoDB Atlas with encryption at rest (AES-256) managed via AWS KMS
- All data in transit is encrypted using TLS 1.2 or higher
Access Controls
- User authentication via RS256-signed JWTs with short-lived expiry (1-hour access, 24-hour refresh)
- Passwords hashed using bcrypt before storage – plaintext passwords are never persisted
- Role-based access controls (RBAC) restrict user access to authorised resources only
- Multi-tenant data isolation ensures each merchant can only access their own data
- AWS infrastructure access requires IAM role assumption with MFA
Encryption at Rest
- Database: AES-256 encryption via MongoDB Atlas with AWS KMS key management
- Backups: Encrypted and stored in a geographically separated AWS region
- Secrets and credentials: Stored in AWS Secrets Manager / GitHub Actions Secrets, never in source code
- Automatic key rotation is enabled for all KMS-managed encryption keys
Monitoring and Logging
- Application logs collected via AWS CloudWatch with minimum 12-month retention
- AWS CloudTrail records all infrastructure and API activity
- Automated alerts configured for unauthorised access attempts and anomalous activity
- Security logs reviewed at least bi-weekly
Data Retention and Disposal
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Buyer PII (name, address, email, phone) | 30 days from order completion | Automatically anonymised (fields replaced with non-reversible placeholder values) |
| Order transactional data (items, totals, status) | Duration of merchant’s account | Deleted upon account termination |
| Soft-deleted orders | 90 days | Permanently hard-deleted via automated cleanup |
| Marketplace integration credentials | Until integration is disconnected | Immediately deleted upon disconnection |
| User account data | Duration of account | Anonymised upon account deletion |
| Security and audit logs | Minimum 12 months | Automatically expired per retention policy |
Amazon buyer PII is retained for the minimum period necessary to complete order fulfilment and is automatically anonymised thereafter. Merchants cannot export raw buyer PII in bulk.
Data Subject Rights
Under the UK GDPR, individuals have the following rights regarding their personal data:
- Right of access – request a copy of personal data we hold
- Right to rectification – request correction of inaccurate data
- Right to erasure – request deletion of personal data
- Right to restriction – request limited processing of personal data
- Right to data portability – receive data in a structured, machine-readable format
- Right to object – object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@otofulfilment.com. We will respond within 30 days.
Note: For buyer PII received from Amazon, the data controller for that personal data is the Amazon seller (our merchant customer). Buyer data subject requests should be directed to the relevant seller. We will assist our merchants in fulfilling such requests.
International Data Transfers
All data is processed and stored within the European Economic Area (EEA) and the United Kingdom. Our primary infrastructure is hosted in AWS eu-west-1 (Ireland) with backups in eu-west-2 (London). We do not transfer personal data outside the EEA/UK unless required by a specific courier integration, in which case appropriate safeguards (Standard Contractual Clauses) are in place.
Incident Response
In the event of a data breach affecting personal data, we will:
- Identify and contain the breach within 24 hours of detection
- Assess the scope, severity, and affected data subjects
- Notify the Information Commissioner’s Office (ICO) within 72 hours where required under UK GDPR
- Notify affected marketplace partners (including Amazon) within 24 hours
- Notify affected data subjects without undue delay where there is a high risk to their rights
- Conduct a post-incident review and implement remediation measures
Our Incident Management Point of Contact can be reached at security@otofulfilment.com.
Cookies
The OTO Fulfilment platform uses only strictly necessary cookies for session management and authentication. We do not use third-party advertising or analytics cookies. No Amazon Information is exposed to client-side tracking scripts.
Third-Party Marketplace Compliance
Amazon Selling Partner API
Our handling of Amazon Information complies with Amazon’s Data Protection Policy and the Acceptable Use Policy for the Selling Partner API programme. Specifically:
- Amazon Information is used exclusively for order fulfilment
- Buyer PII is accessed via Restricted Data Tokens (RDT)
- PII is encrypted at rest using AES-256 with AWS KMS key management
- PII is retained for no longer than 30 days after order completion
- Access to Amazon Information is restricted to authorised personnel on a need-to-know basis
- We maintain documented data handling and security policies
- Vulnerability assessments and penetration testing are conducted regularly
Children’s Privacy
OTO Fulfilment is a business-to-business platform. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered account holders and posted on this page with an updated “Last updated” date. Continued use of the platform after changes constitutes acceptance of the revised policy.
Contact Us
For questions about this Privacy Policy or our data practices, contact us at:
Email: privacy@otofulfilment.com
Security issues: security@otofulfilment.com