Privacy Policy
Effective Date: April 21, 2026 · Bati AI Corp. · support@bati.ai
1. Introduction
Bati AI Corp. ("BatiAI", "we", "us", "our") operates the Bati CIS (Commerce Intelligence System) platform, which helps corporate sellers aggregate and analyze their own order, shipment, and settlement data across e-commerce marketplaces.
This Privacy Policy describes how we collect, use, store, and protect information when you use our services, including integrations with third-party platforms such as Amazon Selling Partner API (SP-API).
If you have any questions, please contact us at support@bati.ai.
2. Information We Collect
2.1 Information from Our Customers (Sellers)
When a corporate seller engages Bati to operate the CIS platform, we may collect:
- Company name, business registration number, and contact information
- Billing and payment details (processed by third-party payment processors)
- User account credentials for the Bati admin console
2.2 Information from Third-Party Marketplaces (e.g., Amazon)
With the seller's explicit authorization via OAuth, we collect operational data from marketplaces, including:
- Order data: order IDs, SKU/ASIN, quantity, currency, item price, promotional discounts, purchase dates, fulfillment channel.
- Shipment data: shipment IDs, ship dates, carrier and tracking numbers, shipping region (city / state / postal code / country).
- Limited buyer contact data: buyer email address.
- Settlement data (future scope): settlement totals, fees, adjustments.
2.3 Information We Do NOT Collect
We do not access or store:
- Buyer name, phone number, or full street address (explicitly excluded from ingestion via our column-mapping configuration).
- Payment card numbers or other financial identifiers.
- Buyer-to-seller messages or customer service content.
- Product listing content or pricing (read-only aggregation only).
3. How We Use Information
We use the information described above to:
- Provide scheduled data aggregation and reconciliation services to the seller who authorized us.
- Generate sales, tax, and reconciliation reports for the seller's own use.
- Transmit processed data to the seller's internal systems (e.g., SAP ERP) at the seller's direction.
- Maintain the security and integrity of our platform.
- Comply with applicable legal obligations (tax, accounting).
We do not use information to:
- Market to buyers or contact buyers directly.
- Aggregate or benchmark across different sellers' data.
- Train machine-learning models on seller or buyer data.
- Sell, lease, or share data with any third party except as described in §6.
4. How We Store and Secure Information
4.1 Infrastructure
All data is stored on Amazon Web Services (AWS) infrastructure in the ap-northeast-2 (Seoul) region. Regional SP-API calls are made to the official Amazon endpoints in us-east-1, eu-west-1, and us-west-2.
4.2 Encryption
- At rest: AES-256 encryption via AWS KMS customer-managed keys (alias/cis-platform-credential).
- In transit: TLS 1.2 or higher, enforced at the Application Load Balancer.
4.3 Access Control
- Human access to production systems requires AWS SSO with mandatory multi-factor authentication (MFA).
- All data access is logged to AWS CloudTrail (90-day retention).
- SP-API credentials are stored in AWS Systems Manager Parameter Store as encrypted SecureString parameters. No credentials appear in source code, logs, or error messages.
4.4 Tenant Isolation
Each seller's data is isolated at the application layer by a tenant identifier. Database queries enforce this filter; there is no cross-tenant aggregation or data mixing.
5. Retention
| Data Category | Retention Period |
|---|---|
| Raw marketplace reports (S3 archive) | 90 days |
| Structured order/shipment data (Postgres) | 24 months (for tax compliance) |
| Buyer email address (PII) | 90 days, rolling window |
| Audit logs | 12 months |
| Account/billing records | 5 years after contract termination (Korean commercial law) |
Sellers may request earlier deletion of their data at any time by written request. We respond to deletion requests within 30 days.
6. Sharing Information
We do not sell or rent personal data. We share data only:
- With the seller themselves: processed data is delivered to the seller's own admin console and, at their direction, to their ERP systems.
- With sub-processors (listed in §7) strictly for infrastructure provisioning.
- When legally required: by valid Korean court order or regulatory demand, with prior notice to the seller where legally permitted.
Buyer personal data (e.g., buyer email) is never shared outside of the seller's own environment.
7. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting (compute, storage, secrets management) | Seoul; SP-API endpoints in N. Virginia, Ireland, Oregon |
| Slack Technologies, Inc. | Internal operational alerting (no PII) | Global |
All sub-processors are bound by written data processing agreements.
8. Your Rights (Seller and Data Subject Rights)
Sellers engaging Bati under a data processing agreement may:
- Request access to data we hold about their account.
- Request correction or deletion of their data.
- Request export of their data in a machine-readable format.
- Revoke OAuth authorization at any time via Amazon Seller Central (this immediately invalidates the Refresh Token).
Data subjects (e.g., buyers whose email we process on behalf of a seller) may contact the seller directly. Bati supports the seller in fulfilling subject requests within 30 days.
9. Amazon Selling Partner API (SP-API) Specific Terms
This section describes our handling of data obtained from the Amazon Selling Partner API. It complies with Amazon's Acceptable Use Policy and Data Protection Policy requirements.
9.1 Purpose Limitation
We access Amazon data solely to provide the seller who granted OAuth authorization with analytics and reconciliation services for their own business. We do not:
- Resell or redistribute Amazon data to any third party.
- Use Amazon data to compete with Amazon or its affiliates.
- Use Amazon data for advertising or marketing purposes outside the seller's own operations.
9.2 Data Elements Accessed
The specific SP-API data elements we access are listed in §2.2. PII access is limited to buyer-email. We do not access buyer-name, buyer-phone, or full shipping address fields.
9.3 Retention of Amazon Data
Per Amazon's Data Protection Policy, we retain Amazon PII no longer than necessary for the stated purpose. Buyer email addresses are purged after 90 days. Aggregated, non-PII order and shipment data is retained for tax and reconciliation purposes as described in §5.
9.4 Seller Revocation
If a seller revokes our OAuth authorization via Seller Central, we immediately cease new data collection. Existing data is retained under the schedule in §5 unless the seller requests deletion.
9.5 Incident Notification
In the event of a security incident affecting Amazon data, we will notify:
- The affected seller within 24 hours.
- Amazon Developer Support within 72 hours.
10. International Transfers
While our primary infrastructure is in South Korea (AWS Seoul), SP-API calls are made to Amazon endpoints in the United States (N. Virginia, Oregon) and the European Union (Ireland). These transfers are necessary for the core functionality of the service. No personal data leaves our control during these API calls other than the SP-API credentials required for authentication.
11. Children's Privacy
Our service is intended for business use by corporate sellers. We do not knowingly collect personal information from children under 14.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to sellers via email and posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance.
13. Contact
Bati AI Corp.
Email: support@bati.ai
Address: Seoul Fintech Lab, Floor 6, 83 Uisadang-daero, Yeongdeungpo-gu, Seoul, Republic of Korea
For EU data subjects, our Data Protection representative can be contacted at the same email address.