1.Introduction and Scope

Wayline Media Ltd (“we,” “us,” or “our”) is a UK-based advertising agency that provides Amazon Advertising management services. This Privacy Policy describes how we collect, process, store, and protect information when clients authorise our application, Wayline Analytics (the “Application”), to access their Amazon Advertising account via the Amazon Ads API and Login with Amazon (LWA).

Wayline Media Ltd is registered in England and Wales (Company Number: 16392393) with its registered office at 86-90 Paul Street, London, England, EC2A 4NE. We are registered with the UK Information Commissioner’s Office (ICO Registration Number: ZB984791).

This policy applies to all users of the Application, which in practice are our contracted advertising clients (the “End Users”).

2.Our Role Under UK GDPR

For processing of advertising data within a client’s Amazon Advertising account, we act as a data processor on behalf of the client, who is the data controller. For processing related to the client relationship itself (billing, account management, support communications, marketing), we act as a data controller.

3.Data We Collect via Amazon Services

When an End User authorises the Application through Login with Amazon (LWA), we receive a secure OAuth 2.0 access token and refresh token. We do not receive, request, store, or proxy Amazon passwords or user login credentials at any time. Authentication is handled entirely by Amazon.

Through the Amazon Ads API, we access only the minimum data required to deliver the contracted services. Specifically:

• Profile and identification data: name and email address of the authorising user, used to identify the authorised account and send service-related notifications.
• Advertising account data: profile IDs, marketplace IDs, and campaign hierarchy (campaigns, ad groups, keywords, product targets, negative targets).
• Advertising performance data: impressions, clicks, spend, sales, orders, conversion rate, ACOS, TACOS, ROAS, attributed sales, and similar reporting metrics.
• Product data: ASINs, SKUs, product titles, and product metadata for products associated with campaigns in the authorised account.

We do not access, collect, or store any Amazon Ads data outside the scope of what is required to deliver our contracted services. We apply the principle of data minimisation to all API requests.

4.How We Use the Data

Our lawful bases under UK GDPR are:

• Performance of a contract: to deliver the advertising management services set out in the client agreement.
• Legitimate interests: to monitor Application performance, produce internal operational reporting, improve our services, and maintain security, balanced against the rights and interests of our clients.

Specifically, we use Amazon Data to:

• Manage, optimise, and report on the client’s Amazon Advertising campaigns.
• Produce performance reports, dashboards, and analyses delivered exclusively to the client.
• Diagnose issues and provide technical support.
• Maintain the security, integrity, and operation of the Application.

5.Prohibited Uses of Amazon Data

In accordance with the Amazon Ads Partner Network Policies, we commit that we will not:

• Sell, license, rent, lease, lend, or transfer Amazon Data to any third party.
• Use Amazon Data for interest-based advertising, behavioural retargeting, remarketing, or any unauthorised interest-based messaging.
• Combine Amazon Data with any other third-party data source without express prior written approval from Amazon.
• Place Amazon Data on public websites, search engines, or in any publicly accessible environment.
• Attempt to reidentify, reverse engineer, or reconstruct Amazon Data to identify or profile individuals.
• Use Amazon Data for unlawful, discriminatory, or unethical surveillance purposes.
• Cache, store, retain, or maintain Amazon Data beyond the period necessary to deliver the Application’s functionality.
• Solicit, collect, store, proxy, buy, sell, or transfer Amazon login credentials.

6.Data Sharing

We do not sell personal data. We share data only with the following categories of recipient:

• Amazon: as required to facilitate the API integration and deliver campaign management services.
• Approved infrastructure providers: we use Amazon Web Services (AWS), London region (eu-west-2), to host the Application. AWS operates under a written data processing agreement and confidentiality obligations, and acts as our sub-processor.
• Professional advisers: accountants and legal advisers, under duties of confidentiality, where strictly necessary.
• Legal and regulatory authorities: only where we are legally required to disclose information.

A current list of sub-processors is available on request via the contact details in Section 14. We will not disclose Amazon Data to any employee, contractor, or other personnel beyond those with a strict need to know for the authorised purpose.

7.International Data Transfers

All Amazon Data processed by the Application is stored within the United Kingdom (AWS London, eu-west-2). Where any personal data is transferred outside the UK (for example, through limited operational tooling or support services), we rely on appropriate safeguards as required under UK GDPR, including the UK International Data Transfer Addendum (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or reliance on countries covered by a UK adequacy regulation. Details of the transfer mechanism in place for a given processing activity are available on request.

8.Data Security

We maintain comprehensive administrative, physical, and technical safeguards that conform to industry data security standards, including:

• Encryption in transit using TLS 1.2 or higher for all API traffic.
• Encryption at rest using AES-256 for stored Amazon Data and credentials.
• OAuth 2.0 token-based authentication. Amazon login credentials are never handled by the Application.
• Secure storage of access and refresh tokens, with support for revocation and rotation.
• Strict role-based access controls, with Amazon Data accessible only to personnel with a documented need to know.
• Monitoring, logging, and audit of access to Amazon Data.
• Input validation and error handling on all API interactions to protect the integrity of campaign data.
• Prompt removal of personnel access when no longer required.
• Periodic review of our security controls and practices.

9.Data Retention and Deletion

We retain Amazon Data only for as long as necessary to deliver the contracted service. Our default retention periods are:

• Active campaign and account data: for the duration of the client engagement.
• Historical reporting data: up to 24 months after the end of the reporting period, to support year-on-year analysis for the client.
• Billing and accounting records: up to 7 years, to comply with UK tax and accounting law.

We will promptly delete all Amazon Data in our possession:

• When a client terminates their engagement with us.
• When an End User revokes Application authorisation within their Amazon account.
• Upon written request from Amazon.
• When the data is no longer required for the purpose for which it was collected.

Where we are legally required to retain specific data, we will retain it securely, use it only for that legal requirement, and permanently delete it when no longer legally required.

10.Security Incident and Vulnerability Reporting

We maintain a documented process for receiving, investigating, responding to, and resolving reports of data privacy incidents, security vulnerabilities, and any actual or suspected misuse of Amazon Data.

We will:

• Acknowledge receipt within 2 business days.
• Provide an initial substantive response within 5 business days.
• Take appropriate remedial action based on the severity of the issue.
• Notify the UK Information Commissioner’s Office within 72 hours of becoming aware of a reportable personal data breach.
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• Cooperate fully with any Amazon investigation under the Amazon Ads Partner Network Policies.

11.Your Rights Under UK GDPR

As a UK data subject, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate or incomplete data.
• Request erasure of your data, subject to our legal retention obligations.
• Object to or restrict processing.
• Request data portability in a structured, machine-readable format.
• Withdraw consent at any time by deauthorising the Application within your Amazon account settings.

To exercise any of these rights, please contact us using the details in Section 14. We will respond to verified requests within one month, as required by UK GDPR. In complex cases, this period may be extended by up to two further months, in which case we will inform you of the extension and the reasons for it.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk or by calling 0303 123 1113, if you believe your rights have not been respected.

12.Children’s Privacy

The Application is a business-to-business service intended for commercial advertising clients. It is not directed at children under 18, and we do not knowingly collect personal data from children.

13.Policy Updates

We may update this Privacy Policy from time to time. Material changes will be communicated to active clients by email at least 30 days before taking effect. The “Last Updated” date at the top of this policy reflects the most recent revision. Continued use of the Application after the effective date constitutes acceptance of the updated policy.

14.Contact Us

For any privacy, data protection, or security enquiry, please contact:

For Amazon Data security incidents and vulnerability reports specifically, please use the dedicated security address: security@waylinemedia.com.

Back to top