Privacy Policy

ILLUMA COM

How ILLUMA COM collects, uses, stores, and protects your data. We are committed to transparency and to safeguarding the information entrusted to us by our merchants and their customers.

Last Updated: March 4, 2026

SECTION 01

Overview

ILLUMA COM (“we,” “us,” “our”) operates an ecommerce platform and consultancy serving parts-driven businesses in the automotive, outdoor power equipment, agricultural, and industrial sectors. This Privacy Policy describes how we collect, use, process, store, share, and dispose of information when you use our platform, services, and website at illumacom.co.

This policy applies to all users of our platform including merchants (dealers and sellers who use our platform to manage their businesses), their customers (end buyers whose order and shipping information may be processed through our platform), and visitors to our website.

SECTION 02

Information We Collect

Merchant Account Information

When merchants register for our platform, we collect business name, contact name, email address, phone number, business address, and payment information for subscription billing via Stripe.

Product & Inventory Data

Merchants provide or sync product catalogs including SKUs, descriptions, pricing, images, fitment data, manufacturer part numbers, and inventory quantities. This data is managed within our Product Information Manager (PIM) and may be synced to connected sales channels.

Order & Transaction Data

We process order information from merchants’ connected sales channels, including order details, item quantities, pricing, shipping addresses, and fulfillment status. Financial data including fees, settlements, and transaction records are collected for analytics purposes.

Marketplace Account Data

When merchants connect third-party marketplace accounts (such as Amazon, eBay, or Walmart), we receive authorized access to their seller account data through official APIs. This includes listing data, inventory levels, order information, financial reports, and account performance metrics. See Section 4 for detailed marketplace data handling.

Usage & Technical Data

We automatically collect technical information including IP addresses, browser type, device information, pages visited, and platform usage patterns to improve our services and maintain security.

SECTION 03

How We Use Information

We use collected information to provide and operate our ecommerce platform services, synchronize inventory and orders across connected sales channels, process and fulfill orders on behalf of merchants, provide automated repricing across marketplaces, generate financial analytics and reporting, communicate with merchants about their accounts and our services, maintain platform security and prevent fraud, and improve and develop new platform features.

We do not sell personal information to third parties. We do not use merchant or buyer data for advertising purposes. Data from connected marketplace accounts is used solely to provide the services authorized by each merchant.

SECTION 04

Marketplace Data Handling

Our platform integrates with third-party marketplaces through their official APIs. This section describes how we handle data from these integrations.

Amazon Selling Partner API

We access Amazon seller data exclusively through the official Amazon Selling Partner API (SP-API) using OAuth authorization granted by each merchant. We collect only the data necessary for the features authorized by the merchant.

Data collected from Amazon includes: product listings and catalog data, inventory levels (FBA and merchant-fulfilled), order details and fulfillment status, buyer shipping information for merchant-fulfilled orders, financial and settlement reports, account performance metrics, and competitive pricing data for repricing services.

Data Type	Purpose	Retention
Buyer PII (name, address)	Order fulfillment for FBM orders	Purged within 90 days of shipment
Order details	Order management & analytics	Active account duration + 30 days
Product & listing data	Catalog sync & listing management	Active account duration + 30 days
Financial reports	Analytics & profitability reporting	Active account duration + 30 days
Pricing data	Automated repricing engine	Real-time processing, historical trends retained

Amazon buyer Personally Identifiable Information (PII) is never sold, shared with third parties, or used for any purpose other than fulfilling the specific order. All Amazon data handling complies with Amazon’s Acceptable Use Policy, Data Protection Policy, and the Amazon Services API Solution Provider Agreement.

Other Marketplaces

Data from other marketplace integrations (eBay, Walmart, and future integrations) is handled with equivalent security controls and retention policies. Data is collected exclusively through official APIs with merchant authorization and used solely to provide platform services.

SECTION 05

Data Sharing & Third Parties

We share data only with service providers necessary to operate our platform. We do not sell data to third parties.

Provider	Purpose	Data Shared
Stripe	Payment processing & tax calculation	Transaction amounts, merchant billing info
DigitalOcean	Cloud infrastructure & database hosting	All platform data (encrypted at rest)
Postmark	Transactional email delivery	Email addresses, order reference numbers
Cloudflare	CDN, DNS, DDoS protection, WAF	Web traffic metadata

All third-party providers maintain SOC 2 compliance or equivalent security certifications. Data processing agreements are in place with each provider. No marketplace buyer PII is shared with any third party beyond what is required for order fulfillment.

We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of ILLUMA COM, our merchants, or others.

SECTION 06

Data Storage & Security

All data is processed and stored on encrypted servers hosted in US-based DigitalOcean data centers. Our platform uses a multi-tenant architecture where each merchant’s data is isolated using dedicated database schemas, preventing cross-merchant data access.

Infrastructure security includes: private VPC networks with no public database access, Cloudflare WAF and DDoS protection on all public endpoints, TLS 1.2+ encryption for all data in transit, firewall rules restricting inbound traffic to HTTPS only, SSH key-based authentication restricted to authorized IPs, and centralized logging with automated anomaly detection.

Automated daily backups are encrypted with AES-256 and stored in a geographically separated data center. Weekly snapshots are retained for 90 days. Our Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 24 hours. Backup restoration is tested quarterly.

SECTION 07

Encryption

All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 at the storage layer on DigitalOcean Managed Databases. Personally Identifiable Information receives additional application-level encryption using AES-256-GCM before database storage.

Encryption keys are managed through a dedicated key management system with automatic rotation on a 90-day cycle. Keys are stored separately from encrypted data. Object storage uses server-side AES-256 encryption.

SECTION 08

Data Retention & Disposal

We retain data only as long as necessary to provide our services and comply with legal obligations.

Data Category	Retention Period
Marketplace buyer PII (names, addresses)	Purged within 90 days after order shipment
Order and transaction data	Duration of active merchant account + 30 days
Product and inventory data	Duration of active merchant account + 30 days
Merchant account information	Duration of active account + 30 days after termination
Security and access logs	Minimum 12 months
Financial records	As required by applicable tax and accounting law

Upon account termination, all merchant data and associated marketplace data is deleted within 30 days. Merchants may request immediate deletion of their data at any time by contacting us. Backups containing deleted data are purged within 90 days through normal backup rotation.

SECTION 09

Access Controls

Access to systems containing personal and marketplace data is restricted through role-based access control (RBAC) and limited to personnel whose job functions require it. All accounts require multi-factor authentication (MFA) and enforce minimum 12-character passwords with complexity requirements.

Our multi-tenant architecture enforces merchant-level data isolation, ensuring personnel only access data relevant to their responsibilities. Access grants are reviewed quarterly and revoked immediately upon role changes or departure. All access events are logged and monitored.

SECTION 10

Your Rights

Depending on your jurisdiction, you may have the right to access the personal information we hold about you, correct inaccurate personal information, request deletion of your personal information, object to or restrict processing of your data, receive your data in a portable format, and withdraw consent where processing is based on consent.

Merchants can access, export, and delete their data through the ILLUMA COM dashboard at any time. For additional requests or if you are an end buyer whose data may be processed through our platform, please contact us using the information in Section 14.

We respond to all data rights requests within 30 days. There is no fee for exercising your rights.

SECTION 11

Cookies & Tracking Technologies

Our platform uses essential cookies required for authentication, session management, and security. We use analytics cookies to understand platform usage and improve our services. We do not use advertising or third-party tracking cookies.

You can control cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

SECTION 12

Children’s Privacy

Our platform is designed for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

SECTION 13

Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify merchants of material changes via email and update the effective date at the top of this page. Continued use of our platform after changes constitutes acceptance of the updated policy.

SECTION 14

Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a security concern, please contact us:

ILLUMA COM

Matthew LeBrun, Founder & CEO

Email: [email protected]

Phone: (888) 384-8018

Website: illumacom.co

For security incidents involving marketplace data, contact us immediately at [email protected]. We will notify the appropriate marketplace security teams within 24 hours of confirmed incidents.