Privacy Policy
Effective: 4 May 2026
This policy explains how Kukkdi Ltd ("Kukkdi", "we", "us") handles personal data in connection with AMZGrid — the website at amzgrid.com and the AMZGrid software service (when launched).
AMZGrid is currently in pre-launch. The amzgrid.com website describes a planned product; the product itself is not yet available. This policy covers both today's marketing site and the AMZGrid service as it will operate once launched. Where the two differ, we say so.
We are committed to handling personal data lawfully, transparently, and only for purposes you would reasonably expect.
1. Who we are
The data controller is:
Kukkdi Ltd
A company registered in England and Wales, company number 13116351
Registered office: 42 Betony Way, Colchester, CO3 8PE, United Kingdom
Contact for privacy matters: hello@amzgrid.com
We are not required to appoint a Data Protection Officer under UK GDPR, and we have not voluntarily appointed one. The point of contact for privacy questions, data subject requests, and complaints is the email address above.
2. Scope of this policy
This policy applies to:
- Visitors to amzgrid.com and any subdomains we operate
- Future users of the AMZGrid service (account holders), once it launches
- Anyone who contacts us by email about AMZGrid
It does not apply to:
- Other Kukkdi Ltd businesses (which have their own policies)
- Third-party websites linked from amzgrid.com
- Amazon Seller Central or other Amazon services (which Amazon controls)
3. The personal data we collect
Today — visitors to amzgrid.com
When you visit the AMZGrid website, we collect a small amount of technical information automatically:
- Server log data — your IP address, the time of the request, the page you requested, your browser's user-agent string, and the referring URL. This is standard for any website and is necessary for the site to function and to defend against abuse.
- Anonymous analytics — we use Vercel Web Analytics, which is cookieless and does not track individual users across sites. It records aggregate page-view counts and approximate referrer information without storing personally identifiable data.
We do not use advertising trackers, fingerprinting, or third-party analytics scripts on the marketing site. We do not set non-essential cookies.
When AMZGrid launches — service users
When you sign up to use AMZGrid, we will also collect:
- Account information — your name, email address, and a hashed password (we never store passwords in plain text). If you sign in via a third party (e.g. Google), we receive your email address and basic profile information from that provider.
- Billing information — when AMZGrid becomes a paid service, billing will be handled by an external payment processor (e.g. Stripe). We will receive a customer reference and the metadata needed for invoicing (name, billing country, VAT number if applicable). We will not see, store, or process your payment-card details.
- Service usage data — pages and features you use within AMZGrid, errors you encounter, and basic device information. Used to improve the product and diagnose issues.
- Amazon SP-API access tokens — when you connect your Amazon Seller Central account to AMZGrid, Amazon issues us refresh and access tokens that allow AMZGrid to read data from your seller account on your behalf. See section 6 for what we do and do not access via those tokens.
- Communications — the contents of any email you send us, and our reply.
We do not deliberately collect any special-category data (race, religion, health, biometric data, etc.) and we ask you not to send us any. AMZGrid is not aimed at, or marketed to, children under 18, and we do not knowingly collect data from children.
4. Why we use your data, and our lawful basis
UK GDPR requires us to identify a lawful basis for every use of personal data. Our purposes and bases are:
| Purpose | Lawful basis |
|---|---|
| Operate and secure the amzgrid.com website (server logs, abuse defence) | Legitimate interest |
| Measure aggregate website traffic to improve the site | Legitimate interest (cookieless analytics, no individual tracking) |
| Provide AMZGrid as a service to a customer who has signed up | Performance of a contract |
| Bill customers and meet our tax/accounting obligations | Performance of a contract; legal obligation |
| Send service emails (account, security, billing) | Performance of a contract |
| Send product or marketing emails | Consent (you can opt out at any time) |
| Defend against fraud, abuse, and security incidents | Legitimate interest; legal obligation |
| Respond to legal requests | Legal obligation |
Where we rely on legitimate interest, we have considered whether our interest is overridden by your rights. We believe the processing described above is what a reasonable person would expect from a website and a SaaS provider, and is limited to what is necessary.
5. The marketing site does not require an account
You can browse amzgrid.com and read this policy without giving us any personal information beyond the technical data described in section 3. We do not require sign-up to view the website.
If we add an "early access" email-signup form in future, we will only use the address you provide to send updates about AMZGrid's launch, and you will be able to unsubscribe with a single click. We will update this policy at that point.
6. Data we access via the Amazon Selling Partner API (SP-API)
This section is important and worth reading carefully if you are an Amazon seller considering connecting your account to AMZGrid.
When you authorise AMZGrid in Amazon Seller Central, AMZGrid receives the technical permissions needed to read data from your seller account that is not buyer personal data.
What AMZGrid will access:
- Order metadata: order IDs, item ASIN/SKU, quantities, prices, fees, taxes, marketplace, fulfilment channel, settlement IDs
- Financial events: settlements, fees, refunds, reserves, adjustments
- Inventory data, including FBA stock levels and (where the seller uses Amazon Warehousing and Distribution) AWD stock levels and shipment status
- Listing data: ASIN/SKU, prices, listing status, product titles, dimensions, weights, and other listing attributes
- Account-level metadata: the seller's marketplace IDs, region, and similar configuration needed to scope our SP-API calls correctly
- For sellers who are brand owners and have authorised it: Brand Analytics reports such as search-frequency rank, repeat-purchase behaviour, and item-comparison reports. Brand Analytics data is aggregated and anonymised by Amazon before we receive it — it does not contain individual buyer identifiers, and we do not attempt to re-identify it
- Reports we have explicitly requested for the above purposes
What AMZGrid will NOT access:
- Buyer names, email addresses, or phone numbers
- Buyer shipping addresses
- Any personally identifiable information (PII) about individual customers
- Any data outside the seller account you connect
We have made the deliberate engineering choice not to request the SP-API roles that would expose buyer PII. AMZGrid's profit-tracking features do not require it.
How we store and use SP-API data:
- Refresh and access tokens are encrypted at rest and tightly access-controlled. Only the minimal set of services needed to operate AMZGrid can decrypt them.
- Each customer's SP-API data is stored in a logically isolated tenant boundary. One AMZGrid customer cannot read another customer's data.
- We use SP-API data only to power the AMZGrid features you signed up for (profit calculation, VAT reporting, dashboards). We do not aggregate identifiable seller data across customers, and we do not sell or share it.
- You can disconnect AMZGrid from your Amazon seller account at any time from within Amazon Seller Central or AMZGrid's settings. On disconnection we delete the access tokens and, on request, the underlying data.
7. Sub-processors and other parties we share data with
We use a small number of trusted vendors to operate AMZGrid. Each of them processes personal data only on our instructions, under written terms that meet UK GDPR requirements.
Our current and planned sub-processors include:
| Vendor | Purpose | Data |
|---|---|---|
| Vercel Inc. | Marketing site hosting, edge CDN, web analytics today; at launch: also AMZGrid application hosting and serverless compute (which executes the code that calls the SP-API) | Server log data and anonymous analytics events today; at launch: in-flight processing of SP-API tokens and seller data during request handling (persistence is at the database layer, listed separately below) |
| GitHub Inc. | Source-code hosting and deployment pipeline | No customer personal data; site source only |
| Amazon Web Services / Amazon Selling Partner API | Source of seller data you authorise | SP-API tokens and seller-side data (see section 6) |
| Planned: an EU-region database provider (e.g. Neon, Supabase) | Customer database when AMZGrid launches | Account, usage, and SP-API data |
| Planned: Stripe Payments Europe Ltd | Subscription billing when AMZGrid launches | Billing reference, invoicing metadata (no card data) |
| Planned: a transactional-email provider (e.g. Postmark, Resend) | Account, security, and product emails | Email address and message content |
We will update this list before adding any new sub-processor that handles personal data.
We do not sell personal data, and we do not share it with advertising networks.
8. International transfers
AMZGrid is operated from the United Kingdom. Some of our sub-processors are based outside the UK or process data on infrastructure that may include non-UK regions:
- Personal data of AMZGrid customers will be stored in UK or EU regions. We have committed to choosing a UK/EU primary database region when AMZGrid launches.
- Some processing may occur on infrastructure outside the UK/EU (for example, Vercel's serverless functions can run in US regions). Where data is transferred outside the UK, we rely on UK GDPR-approved safeguards: the UK International Data Transfer Addendum, the European Commission's Standard Contractual Clauses, or an adequacy decision recognised by the UK government.
We continue to keep transfer mechanisms under review. If you would like a copy of the relevant safeguards, contact us at hello@amzgrid.com.
9. How long we keep data
We keep personal data only as long as we need it for the purposes described in this policy.
| Category | Retention |
|---|---|
| Server logs | Up to 30 days, then automatically purged |
| Anonymous analytics | Aggregated and retained indefinitely; not personally identifiable |
| Account data (when AMZGrid launches) | While your account is active, then deleted within 90 days of closure (except where law requires longer retention — e.g. tax records for 6 years) |
| SP-API access tokens | While your AMZGrid account has an active Amazon connection; deleted on disconnection |
| SP-API-derived seller data | While your account is active; deleted within 90 days of account closure or earlier on request |
| Billing records | 6 years from the end of the relevant tax year (HMRC requirement) |
| Email correspondence | Up to 3 years from last reply, then archived or deleted |
10. Your rights
Under UK GDPR you have the following rights in relation to your personal data. We will respond to any valid request within one month.
- Access — ask for a copy of the personal data we hold about you
- Rectification — ask us to correct data that is inaccurate or incomplete
- Erasure — ask us to delete your data ("right to be forgotten"), subject to legal exceptions
- Restriction — ask us to limit how we use your data while a question is being resolved
- Portability — ask us to provide your data in a machine-readable format
- Objection — object to processing based on legitimate interests, including direct marketing
- Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior processing
- Not be subject to solely automated decisions with legal or similarly significant effects (we do not currently make any such decisions)
To exercise any of these rights, email hello@amzgrid.com. We may need to verify your identity before acting on a request, especially for access or erasure.
11. Cookies and similar technologies
The amzgrid.com marketing site does not set any non-essential or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any cross-site advertising tracker.
We may use a small number of strictly necessary technologies — for example, session storage to remember your light/dark theme preference. These do not require consent under the Privacy and Electronic Communications Regulations (PECR) because they are essential to deliver the service you have requested.
When AMZGrid launches as a logged-in service, we will use a session cookie to keep you signed in. If we ever introduce non-essential cookies, we will add a cookie banner that gives you a real choice and update this policy.
12. Security
We take security seriously. Our practical measures include:
- All connections to amzgrid.com and AMZGrid are encrypted in transit using TLS.
- Customer data and SP-API tokens will be encrypted at rest.
- Access to production systems is restricted to a small number of authorised personnel and protected by multi-factor authentication.
- We follow the principle of least privilege: services and people get only the access they need.
- We monitor for and respond to security incidents. In the event of a personal-data breach affecting your rights, we will notify the ICO and (where required) you, in line with our UK GDPR obligations.
No system is perfectly secure. If you believe you have found a vulnerability in AMZGrid, please email hello@amzgrid.com.
13. Children
AMZGrid is a business tool for Amazon sellers. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. The "Effective" date at the top tells you when the current version took effect. If we make a material change, we will:
- Update the effective date
- Post the new policy at this URL
- For registered AMZGrid users, send a notification to the email address on your account
Your continued use of AMZGrid after a change indicates acceptance of the updated policy.
15. Complaints
If you are unhappy with how we have handled your personal data, please contact us first at hello@amzgrid.com so we can try to put it right.
You also have the right to complain to the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Online: ico.org.uk/concerns
16. How to contact us
For any privacy-related question, request, or complaint:
Email: hello@amzgrid.com
Post: Kukkdi Ltd (Privacy), 42 Betony Way, Colchester, CO3 8PE, United Kingdom
We aim to respond to privacy emails within 5 working days.
This policy was last updated on 30 May 2026.