Security & Data Protection

How we protect data for our clients and site visitors.

Overview

Elevation Marketplace Services Limited is committed to safeguarding personal and business data. We apply technical and organisational measures appropriate to the risk, follow least-privilege principles, and work only with vetted providers.

Scope & roles

  • For our website and enquiries, we act as the Data Controller.
  • When managing Amazon accounts on your behalf, we act as a Processor of data you control, accessing Seller/Vendor Central and related tools strictly per your authorisation.

Data we process

  • Enquiry & client data: contact details, company info, service communications.
  • Operational Amazon data: catalog, content, ads metrics, inventory, performance indicators.
  • Customer PII from Amazon (if applicable): we minimise access and handle it under strict retention controls (see below).

Lawful bases

  • Contract (deliver services you request).
  • Legitimate interests (run, secure, and improve our services).
  • Consent (marketing or non-essential cookies/analytics).
  • Legal obligation (records, compliance, and lawful requests).

Security controls (summary)

  • Access management: least-privilege, role-based access, MFA enforced where supported, regular access reviews.
  • Authentication: unique accounts, strong passwords, MFA on critical systems including Amazon Seller/Vendor Central.
  • Encryption: TLS for data in transit; encryption at rest provided by our cloud/platform providers where applicable.
  • Network & device security: endpoint protection, OS and browser patching, disk encryption on managed devices.
  • Change & configuration: version control for documents and templates; documented change procedures for client assets.
  • Vulnerability management: periodic reviews of third-party advisories and provider notices; prompt remediation and patching.
  • Data minimisation: collect and retain only what is necessary for the stated purpose.
  • Backups & continuity: provider-level redundancy for hosted services; configuration and document backups for critical materials.
  • Staff training & NDA: confidentiality obligations and regular awareness for handling client and customer data.

Amazon customer PII retention

  • We avoid downloading or storing customer PII whenever possible. Where access is necessary, we minimise scope and duration.
  • Customer PII obtained for order support is retained for no longer than 30 days after fulfilment, unless a longer period is legally required; if retained, it is minimised and access-restricted.
  • Upon request or termination, we will delete or return client data consistent with contractual and legal requirements.

Incident response

  • We maintain procedures to detect, assess, contain, and remediate security incidents.
  • Where legally required, we will notify affected clients and regulators within applicable timeframes and cooperate on corrective actions.

Authorisation & permissions

  • Clients grant access to Amazon accounts and roles on a least-privilege basis.
  • Authorisations can be revoked at any time via Seller/Vendor Central; we will promptly cease processing on revocation.

Sub-processors (key providers)

We use reputable providers to deliver our services. Typical categories include:

  • Platform & hosting: Shopify (website), Shogun (page builder).
  • Productivity & communication: email and collaboration tools.
  • Analytics (consent-based): Google Analytics or similar.
  • File storage: secure cloud storage for client deliverables.

We assess providers for security posture and enter into appropriate data processing terms. We can share an up-to-date list on request.

International transfers

Where data is transferred outside the UK/EEA (for example, to the United States), we rely on recognised safeguards such as the UK-US Data Bridge and/or Standard Contractual Clauses, combined with technical and organisational measures.

Retention

  • Enquiries and proposals: up to 24 months from last interaction.
  • Client/service records & invoices: 6–7 years (tax/accounting).
  • Amazon customer PII: max 30 days after fulfilment unless law requires longer (then minimised and access-restricted).

Your rights

You may request access, rectification, erasure, restriction, or object to processing, and where applicable request data portability or withdraw consent. To exercise rights, contact andy@marketplace-services.co.uk. You can also raise concerns with the UK ICO.

Contact

Elevation Marketplace Services Limited
Rose Cottage, Bronygarth, Oswestry, SY10 7ND, United Kingdom
Email: andy@marketplace-services.co.uk

Last updated: 12 October 2025