Legal
Privacy Policy
Last updated: March 30, 2026 · Mercanto, Barcelona, Spain
Short version: We collect only what we need to run Mercanto. We never sell your data. Your Amazon Advertising data is used solely to provide the service to you. Stripe handles all payments — we never touch your card details.
1. Who we are
Mercanto is an AI-powered Amazon PPC optimization service built and operated from Barcelona, Spain. When this policy refers to "Mercanto", "we", "our", or "us", it means the entity operating mercantoamz.com.
If you have questions about this policy or your data, contact us at mercanto@polsia.app.
2. Data we collect
We collect information in the following categories:
Account information
- Email address (required to create an account)
- Name (optional, provided by you)
- Account preferences and settings
Amazon Advertising account data (when you connect your account)
- Campaign names, types, and structures
- Keyword bids, match types, and performance data
- Advertising metrics: ACoS, ROAS, CPC, impressions, clicks, conversions, spend, and sales
- Budget settings and allocation
- Search term reports and keyword harvesting data
Usage and technical data
- Log data: IP address, browser type, pages visited, timestamps
- Device information: operating system, screen resolution
- Feature usage patterns within the dashboard
Billing data
- Subscription status and plan tier (stored by us)
- Payment method details (stored exclusively by Stripe — see Section 5)
3. How we use your data
We use your data strictly to operate and improve Mercanto:
- Provide the service — generate PPC optimization recommendations, automate bid adjustments, and surface campaign insights based on your Amazon account data.
- Improve the product — analyze usage patterns to fix bugs and build better features. We use aggregate, anonymized data — not your individual account data — for product development.
- Send service emails — account confirmations, billing receipts, product updates, and important service notifications. You can opt out of marketing emails at any time.
- Maintain security — detect and prevent fraud, abuse, and unauthorized access.
- Meet legal obligations — comply with applicable laws and respond to lawful requests.
We do not use your Amazon Advertising data to train general-purpose AI models, sell to third parties, or run competitor benchmarking.
4. Amazon Advertising data
When you connect your Amazon Advertising account, Mercanto accesses your campaign data via the Amazon Advertising API using OAuth. This access is governed by Amazon's API usage policies, and we operate strictly within those terms.
Key commitment: Your Amazon Advertising data is used solely to provide optimization recommendations and automation for your own account. We do not share it with third parties, sell it, or use it to build products for other sellers.
Specifically:
- Data is fetched in real-time and stored in our database to power your dashboard and optimization engine.
- Stored data is encrypted at rest and in transit.
- You can revoke Mercanto's access to your Amazon account at any time via Amazon's "Authorized Applications" settings, which will stop all future data access.
- Upon account deletion (see Section 7), all Amazon Advertising data associated with your account is permanently deleted from our systems.
5. Payments (Stripe)
All subscription payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. Mercanto does not store, process, or have access to your credit card numbers, CVV codes, or full payment card details.
When you subscribe, Stripe creates a customer record and stores your payment method securely in their vault. We receive only:
- A Stripe customer ID (a reference token)
- Last 4 digits of your card (for display purposes only)
- Subscription status and billing cycle information
For Stripe's privacy practices, see stripe.com/privacy.
6. Data sharing
We do not sell your personal data. We share data only in these limited circumstances:
- Service providers — trusted vendors who help us operate Mercanto (cloud hosting, database services, email delivery). They process data only on our instructions and under data processing agreements.
- Stripe — for payment processing (as described in Section 5).
- Legal requirements — if required by law, court order, or to protect the rights and safety of Mercanto, our users, or the public.
- Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you in advance.
In all cases, we share only the minimum data necessary.
7. Retention & deletion
We retain your data for as long as your account is active or as needed to provide the service.
When you cancel your subscription: Your account and data remain accessible until the end of your billing period, then move to an inactive state for 30 days in case you want to reactivate.
When you delete your account: We permanently delete your personal data and Amazon Advertising data within 30 days. Some records (e.g., billing history) may be retained for up to 7 years as required by EU financial record-keeping regulations.
To request account deletion, email us at mercanto@polsia.app with the subject line "Delete my account".
8. Cookies & analytics
We use minimal, necessary cookies to operate the service:
- Session cookies — to keep you logged in while you use the dashboard. These expire when you close your browser.
- Authentication tokens — stored in your browser's local storage to maintain your session across visits.
We do not currently use third-party analytics tools (such as Google Analytics) or advertising tracking pixels on mercantoamz.com. If this changes, we will update this policy and notify users.
9. Your rights (GDPR)
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access — request a copy of all personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to restrict processing — ask us to pause processing of your data in certain circumstances.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you can withdraw at any time.
Our legal basis for processing your data is:
- Contract performance — processing necessary to deliver the service you subscribed to.
- Legitimate interests — fraud prevention, service security, and product improvement (where these don't override your rights).
- Legal obligation — compliance with applicable laws.
To exercise any of these rights, contact us at mercanto@polsia.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
10. Security
We take reasonable technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS/HTTPS.
- Data at rest (including OAuth tokens and campaign data) is encrypted in our database.
- Access to production systems is restricted to authorized personnel only.
- We regularly review and update our security practices.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at mercanto@polsia.app.