Image
CodeBridge...

Privacy Policy

Data protection and privacy practices

Last Updated: August 2025

Overview

CodeBridge Limited ("we," "our," or "us") provides custom software development and enterprise integration services. This Privacy Policy describes how we handle information when developing and maintaining software solutions for our clients, including integrations with various e-commerce platforms and business systems.

Our Role: We act as a data processor on behalf of our clients (data controllers) who use our integration platform to connect their business systems with various e-commerce platforms, marketplaces, and third-party services.

1. Information We Process

As a software development and integration service provider, we process various types of data depending on the specific project requirements:

General Business Data

Client Project Data:

  • Business system data required for integration projects
  • API credentials and authentication tokens
  • System configuration and technical specifications
  • Operational data necessary for software functionality

Client Account Information:

  • Business contact information
  • Project requirements and specifications
  • Technical system access credentials

E-commerce Integration Data

When providing e-commerce platform integrations (including Amazon, Shopify, WooCommerce, and others), we may process:

Order Information:

  • Order IDs, dates, and status
  • Product details (SKUs, quantities, prices)
  • Customer shipping addresses and contact information
  • Payment and settlement data
  • Order fulfillment details

Product & Inventory Data:

  • Product listings and catalog information
  • Inventory levels and availability
  • Pricing information
  • Product performance metrics

Customer Information (when required for order fulfillment):

  • Customer names and shipping addresses
  • Phone numbers for delivery purposes
  • Email addresses for order communication

Financial Data:

  • Settlement reports and transaction details
  • Fee structures and payment information
  • Tax calculation data
  • Refund and return information

Data Collection Methods

  • Direct API Calls: Automated retrieval through platform APIs
  • Webhook Notifications: Real-time updates from integrated systems
  • Scheduled Synchronization: Regular data updates as configured by clients
  • Client Authorization: All data access requires explicit client authorization

2. How We Use Information

We process information solely to deliver our contracted software development and integration services:

Core Services

  • Custom Development: Building bespoke software solutions
  • System Integration: Connecting disparate business systems (ERP, CRM, e-commerce platforms)
  • API Development: Creating secure data exchange mechanisms
  • Technical Support: Maintaining and optimizing deployed solutions

E-commerce Integration Services

  • Order Processing: Transmitting order details between platforms and client systems
  • Inventory Management: Synchronizing stock levels across multiple channels
  • Financial Reconciliation: Processing settlement and transaction reports
  • Compliance Support: Meeting tax reporting and regulatory requirements

Amazon Selling Partner API Integration

When providing Amazon marketplace integration services through the Amazon Selling Partner API (SP-API), we process data in strict accordance with Amazon's Data Protection Policy requirements:

Amazon-Specific Data Processing:

  • Order data retrieved exclusively through official Amazon SP-API endpoints
  • Customer personally identifiable information (PII) processed only for order fulfillment purposes
  • Data transmitted securely to client-authorized logistics partners and ERP systems
  • Strict compliance with Amazon's 30-day PII retention requirement
  • Real-time monitoring and logging of all Amazon API interactions

Amazon Data Security Measures:

  • Client-specific encryption keys for Amazon data segregation
  • Dedicated secure infrastructure for Amazon marketplace integrations
  • Comprehensive audit logging with tamper-proof storage
  • Immediate incident notification to Amazon (security@amazon.com) within 24 hours
  • Regular security assessments aligned with Amazon's Data Protection Policy

Amazon Compliance Framework:

  • Full adherence to Amazon's Acceptable Use Policy and Data Protection Policy
  • Documented data governance procedures for Amazon seller information
  • Employee training specific to Amazon data handling requirements
  • Regular compliance audits and policy updates to maintain Amazon certification

Legal Basis for Processing

  • Contract Performance: Processing necessary to fulfill our service agreements
  • Legitimate Business Interest: Providing efficient integration services
  • Legal Compliance: Meeting tax, regulatory, and audit requirements
  • Client Consent: Explicit authorization through platform OAuth processes

Amazon Order Export Tool (Free)

This section describes the specific data handling practices of our publicly available, free "Amazon Order Export Tool."

  • Session-Only Processing: Uploaded files are processed in memory on our servers and are not written to disk. We do not use any database for this tool. Data is discarded when the response is completed or the session ends.
  • No Amazon Login Required: The free tool does not require SP‑API authorization. If an optional API login is offered in the future, any tokens would be held only in server memory for the duration of the session and destroyed on logout/timeout.
  • PII‑Free Logging: Application logs are designed to exclude PII. We use automated redaction to prevent emails, phone numbers, or token‑like values from being written to logs. Security logs rotate daily and are retained for at least 90 days.
  • Security Controls: HTTPS is required. We use CSRF protections on forms, secure cookies (HttpOnly, SameSite=Lax, Secure in production), rate limiting on sensitive routes, and industry‑standard security headers.
  • No Caching of Outputs: Download responses are sent with Cache-Control: no-store to prevent intermediary caching of user data.
  • File Restrictions: Only plain text or CSV files are accepted, and uploads are limited in size to protect system resources.

3. Data Security

We implement enterprise-grade security measures for all client data:

Technical Safeguards

  • Encryption in Transit: TLS 1.3+ encryption for all data transmission
  • Encryption at Rest: AES-256 encryption for all stored data
  • Access Controls: Role-based permissions with least privilege principle
  • Multi-Factor Authentication: Required for all system access
  • Network Security: Hardware firewalls and network segmentation
  • Regular Audits: Security assessments and penetration testing

Organizational Measures

  • Employee Training: Regular security awareness programs
  • Access Management: Unique accounts with quarterly reviews
  • Incident Response: Documented procedures with 24-hour notification
  • Vendor Management: Due diligence on all service providers

Multi-Tenant Security

For clients using our integration platform:

  • Strict logical data segregation between clients
  • Client-specific encryption keys
  • Isolated database schemas
  • Comprehensive audit logging

4. Data Retention

We retain client data only as necessary to provide our services:

General Business Data

  • Project Data: Retained according to contractual agreements
  • Technical Configurations: Maintained during active service period
  • Support Data: Retained for troubleshooting and optimization

E-commerce Integration Data

  • Personal Information: Automatically deleted within 30 days of order completion
  • Operational Data: Retained for 90 days for system operations
  • Financial Data: Retained per tax and regulatory requirements
  • Extended Retention: Only when required by applicable law with documented justification

Client Control

  • Clients may request immediate data deletion at any time
  • Complete data purge within 30 days of deletion request
  • Certified destruction documentation provided upon request

5. Data Sharing

We do not sell or share client data with third parties except as necessary for service delivery:

Authorized Sharing

Client-Authorized Integrations:

  • Data transmitted to client-designated systems (ERP, warehouses, carriers)
  • Secure API connections with certificate authentication
  • Explicit client authorization required for each integration

Service Providers:

  • Hosting and infrastructure providers (with appropriate safeguards)
  • Security and monitoring services (under strict confidentiality)

Legal Requirements

  • When required by law or legal process
  • To protect our rights or prevent fraud
  • With regulatory authorities as required

No Unauthorized Sharing

We do NOT:

  • Sell or monetize any client data
  • Use data for marketing or advertising purposes
  • Share data with unauthorized third parties
  • Combine data across different client accounts

6. Global Compliance

We maintain compliance with applicable privacy laws worldwide:

Regional Compliance

GDPR (European Union):

  • Lawful basis documentation for all processing
  • EU data residency options available
  • Data Protection Impact Assessments conducted
  • Data subject rights procedures implemented

CCPA (California):

  • Consumer privacy rights respected
  • No sale of personal information
  • Transparent privacy practices maintained

Other Jurisdictions:

  • PIPEDA (Canada), LGPD (Brazil), PIPL (China) compliance
  • Local data protection law adherence
  • Regular compliance assessments and updates

Data Subject Rights

  • Access and Portability: Right to access and receive personal data
  • Correction: Right to rectify inaccurate information
  • Deletion: Right to erasure of personal data
  • Restriction: Right to limit processing activities
  • Objection: Right to object to certain processing activities

7. International Data Transfers

Cross-Border Processing

  • Data localization based on client requirements and legal obligations
  • Appropriate safeguards for international transfers
  • Standard Contractual Clauses where applicable
  • Regular assessment of transfer mechanisms

Data Residency Options

  • EU data centers for GDPR compliance
  • Regional hosting options available
  • Client-specific data residency requirements accommodated

8. Incident Response

In the event of a security incident, we will:

Immediate Response

  • Contain and investigate the incident immediately
  • Assess scope and potential impact
  • Preserve forensic evidence with chain of custody

Notification Procedures

  • Notify affected clients within 24 hours
  • Report to relevant authorities as required by law
  • Provide transparent communication throughout resolution

Post-Incident Actions

  • Conduct thorough forensic analysis
  • Implement remediation measures
  • Document lessons learned and process improvements
  • Regular testing and plan updates

9. Employee Access and Training

Access Controls

  • Role-Based Access: Employees access only data necessary for their role
  • Unique Accounts: No shared credentials or generic accounts
  • Regular Reviews: Quarterly access audits and updates
  • Immediate Revocation: Access removed within 24 hours for terminated employees

Training and Confidentiality

  • Confidentiality Agreements: All employees sign comprehensive NDAs
  • Security Training: Annual security awareness programs
  • Specialized Training: Additional training for data handling roles
  • Regular Updates: Ongoing education on regulatory changes

10. Contact Information

Data Protection Inquiries

Email: nerds@codebridge.sh
Address: CodeBridge Limited, Room P, 4/F, Lladro Centre, 72 Hoi Yuen Road, Kwun Tong, Kowloon, Hong Kong

General Business Inquiries

Email: nerds@codebridge.sh
Website: https://codebridge.sh
Support: Available through client portal

Data Subject Requests

For requests regarding personal data:

  • Email nerds@codebridge.sh with sufficient information to verify identity
  • Specify the nature of your request clearly
  • Response provided within 30 days of verified requests

11. Policy Updates

Change Management

  • Regular Reviews: Annual policy review and updates
  • Regulatory Changes: Immediate updates for legal requirements
  • Client Notification: Email notification of material changes
  • Version Control: Detailed change documentation maintained

Effective Date

This privacy policy is effective as of August 2025 and supersedes all previous versions. Continued use of our services constitutes acceptance of these terms.

12. Certifications and Compliance

Security Standards

  • Regular Audits: Quarterly internal and annual third-party assessments
  • Industry Standards: Alignment with ISO 27001 and SOC 2 frameworks
  • Continuous Improvement: Regular security posture enhancements
  • Compliance Monitoring: Ongoing regulatory compliance verification

Documentation and Records

  • Processing Records: Detailed activity logs for all data processing
  • Compliance Documentation: Evidence of regulatory adherence
  • Audit Cooperation: Full cooperation with regulatory investigations
  • Transparency Reports: Regular compliance and security reporting

This privacy policy reflects our commitment to protecting client data while providing professional software development and integration services across multiple platforms and business systems. For questions about this policy, please contact our Data Protection Officer at nerds@codebridge.sh.