Skip to main content

Privacy Policy

  • Effective Date: April 24, 2026
  • Last Updated: April 24, 2026
  • Version: 1.0

1. Introduction & Scope

Nagog Innovation Technology Inc. (“Nagog,” “we,” “us,” or “our”) respects your privacy and is committed to protecting personal information that you share with us or that we collect in the course of providing our services.

This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with:

  • Visits to our website at https://www.nagoginnovation.com (the “Website”)
  • Inquiries you submit through our Website forms or contact channels
  • Business process outsourcing (“BPO”) services we provide to our clients
  • Amazon Seller Partner integration services delivered through Amazon’s Selling Partner API (“SP-API”)

Nagog is incorporated in the Commonwealth of Massachusetts, USA. Our registered address is 394 Lowell St, Lexington, MA 02420. Where this Policy refers to specific obligations under the European Union’s General Data Protection Regulation (“GDPR”) or the United Kingdom’s UK GDPR, those obligations apply to information about individuals located in the EU or UK at the time of collection.

This Privacy Policy should be read together with our Terms of Service and, where applicable, the Amazon Data Use Addendum, which forms part of our agreements with seller customers using our Amazon-related services.

2. Information We Collect

We collect information from four distinct sources, summarized below.

2.1 Information from Website Visitors

When you visit our Website, we automatically collect:

  • Technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, referring URL, language preference
  • Usage data: pages viewed, time spent on pages, click paths, search queries within the site, error logs

We use cookies and similar technologies to collect a portion of this data. See Section 4 for details.

2.2 Information from Sales Inquiries and Marketing

When you submit a contact form, request a demo, subscribe to our newsletter, or otherwise initiate contact, we collect:

  • Name, business email address, telephone number
  • Company name, job title, country
  • The content of your inquiry or message
  • Marketing preferences (where you have provided consent)

2.3 Information Processed on Behalf of Clients (BPO Services)

In the course of delivering BPO services such as customer support, IT helpdesk, and back-office processing, we process information about our clients’ end customers strictly on our clients’ instructions. This may include contact details, account identifiers, transaction details, and communication records that our client provides to us or routes through our service.

For this category, our clients are the data controllers and Nagog is the data processor under GDPR Article 4(8). The lawful basis, retention, and rights handling for this category are governed by the data processing terms in the agreements we sign with each client.

2.4 Amazon Information (SP-API Integration)

When a seller customer authorizes Nagog to access their Amazon Seller Central account through Amazon’s Login with Amazon (“LWA”) OAuth flow, we receive Amazon Information limited to order metadata. This includes:

  • Order identifier and status
  • Order amount and currency
  • Item SKU, quantity, and product title
  • Fulfillment status and tracking carrier (where available)
  • Marketplace identifier and order date

We do not access buyer personally identifiable information (“PII”), including buyer name, shipping address, email address, or telephone number. We have not requested and do not hold Amazon Restricted Data Token (“RDT”) authorizations for buyer PII.

See Section 11 for a consolidated description of how Amazon Information is handled across all aspects of our service.

3. How We Use Information

We use the categories of information described in Section 2 only for the purposes set out below. For visitors and individuals located in the EU or UK, we identify the GDPR legal basis applicable to each purpose.

Purpose Legal Basis (GDPR)
Operating, maintaining, and securing the Website Legitimate interests (Art. 6(1)(f))
Responding to sales inquiries, demo requests, and support questions you initiate Pre-contractual measures at your request (Art. 6(1)(b))
Sending marketing communications (newsletters, product updates) Consent (Art. 6(1)(a)); withdrawable at any time
Performing contracted BPO services for our clients Contract performance (Art. 6(1)(b))
Providing customer service to seller customers using order data obtained via SP-API Contract performance (Art. 6(1)(b))
Complying with legal, tax, and regulatory obligations Legal obligation (Art. 6(1)(c))
Preventing fraud, abuse, and security incidents Legitimate interests (Art. 6(1)(f))

Use of Amazon Information is strictly limited to providing the customer service that the seller customer has requested. Nagog does not, and will not:

  • Use Amazon Information to train artificial intelligence or machine learning models
  • Use Amazon Information for advertising or marketing purposes
  • Aggregate, anonymize, or analyze Amazon Information across multiple seller customers for any purpose
  • Sell, lease, or otherwise transfer Amazon Information to any third party
  • Use Amazon Information to compete with the seller, Amazon, or any other Amazon seller

4. Cookies & Tracking Technologies

Our Website uses cookies and similar technologies to function correctly and to understand how visitors use the site. We classify cookies into the four categories below.

4.1 Strictly Necessary Cookies

These cookies are required for the Website to operate. They cannot be disabled. They include session cookies, security tokens, and load-balancing identifiers. Lawful basis: legitimate interests (no consent required under ePrivacy Directive Art. 5(3) exceptions).

4.2 Functional Cookies

These cookies remember your preferences (such as language and region selection) to provide a personalized experience. Lawful basis: consent.

4.3 Analytics Cookies

These cookies help us understand how visitors interact with the Website by collecting aggregated, anonymized usage data. Lawful basis: consent.

4.4 Marketing Cookies

These cookies track your interaction with marketing campaigns and may be set by third-party advertising platforms. Lawful basis: consent.

4.5 Managing Your Cookie Preferences

You can manage cookie preferences through the cookie banner that appears on your first visit, or at any time by clicking the “Cookie Settings” link in our footer. Most browsers also allow you to block or delete cookies through browser settings.

Amazon Information is not subject to cookie or analytics tracking. No analytics, advertising, or third-party tag is applied to data obtained through SP-API integration.

5. How We Share Information

We disclose information only in the limited circumstances described below.

5.1 Amazon Information

We do not share Amazon Information with any third party. Amazon Information is processed entirely within infrastructure operated by Nagog within Amazon Web Services (“AWS”). We engage no sub-processors for Amazon Information processing.

5.2 Standard Information

For information other than Amazon Information, we may disclose information:

  • To comply with legal obligations: when required by court order, subpoena, regulatory request, or applicable law
  • To protect rights, property, or safety: where disclosure is reasonably necessary to investigate, prevent, or respond to suspected fraud, security threats, or violations of our Terms
  • In a corporate transaction: in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality undertakings
  • With your explicit consent: where you have specifically agreed that we may share information for a stated purpose

We do not sell personal information to third parties.

6. International Data Transfers

Nagog is incorporated in the United States, and the principal infrastructure used to provide our services is located in the United States.

6.1 Amazon Information

Amazon Information is stored exclusively in AWS region us-east-1 (N. Virginia, USA). It is not replicated, backed up, or otherwise transferred to any other geographic region.

Customer service personnel located in India and the Philippines may view Amazon Information through controlled remote sessions for the purpose of delivering customer service to the seller’s end customers. These remote-access controls include:

  • Virtual Desktop Infrastructure (“VDI”) with no local file storage
  • Multi-factor authentication for every access session
  • Disabled clipboard, file transfer, and print functions on the remote session
  • Full audit logging of every record accessed

Where applicable to other categories of information, we rely on the European Commission’s Standard Contractual Clauses (“SCCs”) and intra-group data transfer frameworks to lawfully transfer information from the EU or UK to the United States and to our service-delivery locations.

6.2 Standard Information

Standard information may be processed in the United States and in Nagog service-delivery locations. We rely on SCCs, derogations under GDPR Article 49, or other appropriate safeguards as required.

7. Data Retention & Deletion

We retain information only as long as necessary to fulfill the purpose for which it was collected, unless a longer retention period is required by law.

7.1 General Retention Schedule

Information Category Retention Period
Website visitor logs (IP, UA, paths) 90 days
Sales inquiry and marketing contact data 36 months from last interaction
BPO client service tickets and communication records Per client agreement; default 7 years (US tax records baseline)
Account, billing, and tax records 7 years (or as required by law)
Marketing email subscription records Until you unsubscribe + 30 days

7.2 Amazon Information Retention

  • Amazon Information is retained only while the seller customer’s authorization is active and while the customer service engagement is ongoing
  • Upon revocation of OAuth authorization in Amazon Seller Central, or upon termination of the seller’s agreement with Nagog, we delete Amazon Information from production systems within 30 days
  • Backup copies are purged through standard backup rotation within 45 days of revocation
  • A Deletion Certificate is available on written request to info@nagoginnovation.com

8. Security Measures

We implement and maintain technical and organizational measures designed to protect information against unauthorized access, alteration, disclosure, and destruction.

8.1 Technical Measures

  • Encryption at rest: AES-256 encryption applied to stored data using AWS Key Management Service (“KMS”) for key management
  • Encryption in transit: TLS 1.2 or higher for all network communication, with HSTS enforced on the Website
  • Network isolation: production environments deployed in private VPCs; ingress restricted by security groups and a web application firewall
  • Access controls: role-based access control (“RBAC”) on the principle of least privilege; multi-factor authentication required for all employee access to production systems
  • Audit logging: all access to production data is logged and retained for review

8.2 Organizational Measures

  • Background checks on personnel with access to production data
  • Annual training on data protection, including specific Amazon Data Protection Policy (“DPP”) training for personnel handling Amazon Information
  • Confidentiality and data protection clauses in all employment and contractor agreements
  • Immediate revocation of access on personnel separation or role change

8.3 Incident Response

We maintain a written incident response plan covering monitoring, detection, containment, notification, and remediation. In the event of a confirmed security incident affecting personal information or Amazon Information:

  • We notify Amazon at security@amazon.com within 24 hours of confirmed detection of any incident affecting Amazon Information
  • We notify the lead supervisory authority of any reportable personal data breach affecting EU or UK individuals within 72 hours, in accordance with GDPR Article 33
  • We notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34
  • We notify affected clients in accordance with the notification terms of their service agreements
  • We provide a post-incident root cause report and remediation plan upon request

9. Your Rights Under GDPR

If you are located in the European Union or United Kingdom at the time we collect your information, you have the following rights under GDPR and UK GDPR:

Right Description
Access (Art. 15) Obtain confirmation of whether we process your personal data and request a copy
Rectification (Art. 16) Correct inaccurate or incomplete personal data
Erasure (Art. 17) Request deletion of your personal data, subject to legal exceptions
Restriction (Art. 18) Restrict processing in specified circumstances
Portability (Art. 20) Receive your data in a structured, machine-readable format and transmit it to another controller
Object (Art. 21) Object to processing based on legitimate interests or for direct marketing
Withdraw Consent Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing)
Lodge a Complaint (Art. 77) File a complaint with your national supervisory authority

To exercise any of these rights, contact us at info@nagoginnovation.com. We respond to verified requests within 30 days of receipt. We may extend this period by an additional 60 days for complex requests, in which case we will notify you of the extension and the reasons.

For requests concerning information we process on behalf of a client (BPO services, Section 2.3), please contact the client directly. As the data processor, we will support our client in responding to your request.

10. Your Rights in Other Jurisdictions

10.1 United Kingdom

Individuals located in the UK have rights equivalent to those described in Section 9 under UK GDPR. The UK Information Commissioner’s Office (“ICO”) is the relevant supervisory authority.

10.2 United States — California (CCPA / CPRA)

Nagog provides BPO services on behalf of business clients. We do not sell or share personal information with third parties for cross-context behavioral advertising. California residents may submit requests for access, deletion, or correction of their personal information by contacting us at info@nagoginnovation.com.

10.3 Canada (PIPEDA)

Individuals in Canada may exercise rights of access and correction under the Personal Information Protection and Electronic Documents Act by contacting us at info@nagoginnovation.com.

10.4 India (DPDPA)

Individuals in India may exercise rights of access, correction, and erasure under the Digital Personal Data Protection Act, 2023 by contacting us at info@nagoginnovation.com.

11. Amazon Seller Partner Information

This section consolidates how Amazon Information is handled across our service. It supplements and does not replace the more general descriptions in Sections 2-10.

11.1 What We Collect

Amazon Information consists of order metadata fields obtained through SP-API after a seller customer authorizes our application via LWA OAuth. The fields are listed in Section 2.4. We do not collect buyer PII.

11.2 Authorized Purpose

Amazon Information is used solely for delivering customer service to the seller’s end customers. Permitted activities include:

  • Looking up an order to answer a customer service inquiry
  • Confirming order status, fulfillment status, or item details
  • Identifying which order a customer is calling about based on the order identifier the customer provides

11.3 Prohibited Uses

We do not use Amazon Information for analytics, machine learning, advertising, resale, benchmarking, or any purpose other than customer service. See Section 3 for the complete list of prohibited uses.

11.4 Seller’s Right to Revoke

A seller customer may revoke our application’s authorization at any time through Amazon Seller Central under “Apps & Services > Manage Your Apps.” Upon revocation, we cease all access to the seller’s Amazon account and follow the deletion timeline in Section 7.2.

11.5 Amazon as Third-Party Beneficiary

Our agreements with seller customers include the Amazon Data Use Addendum, which designates Amazon as a third-party beneficiary with the right to enforce our commitments directly. We commit to comply with the Amazon Acceptable Use Policy and the Amazon Data Protection Policy (“DPP”) version 2.

11.6 Where to Read More

The full contractual commitments concerning Amazon Information are set out in the Amazon Data Use Addendum.

12. Children’s Privacy

Our services are directed to businesses, not to children. We do not knowingly collect personal information from children under the age of 13 (or the equivalent minimum age in your jurisdiction). If you believe we have inadvertently collected such information, please contact info@nagoginnovation.com and we will delete it promptly.

In the course of delivering BPO services, we may incidentally process information about children when our client’s end customers raise such information in a service interaction. This information is processed on the client’s instructions, retained only as long as the client requires, and not used for any other purpose.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — such as changes to data use, retention, sub-processors, or international transfer arrangements — we will:

  • Post a notice on the Website at least 30 days before the change takes effect
  • Notify clients with active Master Service Agreements by email
  • Update the “Effective Date” and “Version” at the top of this document
  • Maintain a Change Log at the bottom of this document

For minor edits (typographical corrections, contact detail updates, formatting), the change is effective on publish.

14. Contact Us

For all privacy-related inquiries, including:

  • General questions about this Policy
  • Requests to exercise your rights under Section 9 or 10
  • Reports of suspected security incidents
  • Requests for data deletion certifications

please contact:

Nagog Innovation Technology Inc.
394 Lowell St
Lexington, MA 02420
United States

Email: info@nagoginnovation.com
Telephone: (978) 712-8830