Privacy Policy

1. Data Controller Identity

The Fenicia service (hereinafter "Fenicia", "we" or "the company") is operated by the following entities, responsible for the processing of personal data you provide, in accordance with the California Consumer Privacy Act (CCPA) and applicable regulations in the United States and Mexico:

Privacy contact:
Email: privacy@fenicia.io
Phone: +52 56 1308 1660

2. Personal Data We Collect

To provide our services, we may collect the following personal data:

• Identification data: full name, company name, Tax ID
• Contact data: email address, phone number, address
• Business data: information about your business, products, inventory, orders
• Financial data: billing information, payment methods (processed by Stripe)
• Usage data: information about how you use our platform
• Technical data: IP address, browser type, device

3. Processing Purposes

We use your personal data for:

Primary Purposes:

• Create and manage your account on the Fenicia platform
• Provide the contracted e-commerce management services
• Process transactions and payments
• Synchronize your information with marketplaces and sales channels
• Provide technical support and customer service
• Comply with legal and tax obligations

Secondary Purposes:

• Send communications about new features
• Conduct satisfaction surveys
• Prepare usage statistics and analysis (in aggregate form)
• Send promotional information about our services

If you do not want your data to be processed for secondary purposes, you can contact us at privacy@fenicia.io.

4. Data Transfers

Your personal data may be transferred to:

• Infrastructure providers: Amazon Web Services (AWS), MongoDB Atlas
• Payment processors: Stripe
• Authorized marketplaces: Amazon, Mercado Libre, Shopify (based on your integrations)
• Shipping providers: DHL, FedEx, Skydropx (based on your configurations)

All transfers are made with appropriate security measures and in accordance with applicable regulations.

5. ARCO Rights (Mexico)

Under LFPDPPP, you have the right to Access, Rectify, Cancel or Oppose the processing of your personal data (ARCO rights). To exercise these rights, send an email to privacy@fenicia.io with:

• Your full name and contact information
• Clear description of the right you wish to exercise
• Documents that verify your identity

We will respond to your request within a maximum of 20 business days.

6. California Residents Rights (CCPA)

If you are a California resident, you have the right to:

• Know what personal data we collect about you
• Request deletion of your personal data
• Opt out of the "sale" of personal information (Fenicia does not sell personal data)
• Not be discriminated against for exercising your privacy rights

7. Marketplace Data Handling

Fenicia acts as a solution provider for sellers on marketplaces like Amazon, MercadoLibre, Shopify and others. This section specifically describes how we handle data obtained through these marketplace APIs.

7.1 Data Collection

We collect marketplace data only when the seller authorizes the connection. Data includes:

• Order information (order number, products, quantities, prices)
• Buyer shipping data (name, address, phone)
• Fulfillment status and tracking
• Product and catalog information
• Inventory data

7.2 Processing and Use

Marketplace data is processed exclusively for:

• Synchronizing orders and inventory between sales channels
• Generating shipping labels and guides
• Providing sales analytics to the seller
• Facilitating returns management and customer service
• Complying with seller tax and accounting obligations

We do not use buyer data for marketing, advertising, or share it with third parties beyond what is strictly necessary to fulfill the order.

7.3 Storage

Marketplace data is stored in:

• MongoDB Atlas servers with encryption at rest (AES-256)
• AWS infrastructure with SOC 2 Type II certification
• Data centers located in the United States
• Encrypted backups in geographically separate locations

7.4 Data Sharing

Marketplace data is shared only with:

• Shipping providers: Recipient name and address to generate shipping labels
• The seller owner: Full access to their own order data
• Authorities when required by law: In response to valid court orders

7.5 Data Deletion

Marketplace data is deleted or anonymized:

• Within 30 days of order delivery (for PII not legally required)
• Immediately upon disconnecting the marketplace integration (operational data)
• Upon seller request, except data required by law
• Data retained for legal requirements is deleted when the retention period expires

The deletion process includes: production databases, backups, and logs (PII anonymization).

8. Data Security

We implement administrative, technical, and physical security measures to protect your personal data, including:

• Data encryption in transit (TLS 1.2+) and at rest (AES-256)
• Two-factor authentication (2FA/MFA)
• Role-based access control (RBAC)
• Continuous security monitoring and threat detection
• Regular encrypted backups
• Periodic penetration testing and vulnerability analysis

8.1 Backup and Recovery

We maintain a robust backup and recovery program:

• Geographically separate locations: Backups are stored in multiple AWS regions (us-east-1, us-west-2)
• Frequency: Incremental backups every hour, full backups daily
• Encryption: All backups are encrypted with AES-256
• RTO (Recovery Time Objective): 4 hours for full service restoration
• RPO (Recovery Point Objective): Maximum 1 hour of data loss
• Restoration testing: Quarterly disaster recovery tests are performed

8.2 Logging and Monitoring

Our logging and monitoring system includes:

• Log retention: Security logs are retained for 12 months
• PII protection in logs: Personally identifiable information is masked or excluded from logs
• Suspicious activity monitoring: Automatic alerts for unusual access
• Incident investigation: Security events are investigated within the first 4 hours

8.3 Password Management

We apply strict password policies:

• Minimum length: 12 characters
• Complexity: Must include uppercase, lowercase, numbers and special characters
• Expiration: Passwords expire every 90 days
• History: Cannot reuse the last 12 passwords
• Lockout: Account locked after 5 failed attempts

8.4 Vulnerability Management

We maintain an active vulnerability management program:

• Automated analysis: Weekly vulnerability scans
• Penetration testing: Annual third-party assessments
• Remediation timeline: Critical 24-48h, High 7 days, Medium 30 days, Low 90 days
• Tracking: All vulnerabilities are tracked in a ticketing system

8.5 Security Incident Response

We have a formal incident response plan:

• Detection and identification: 24/7 monitoring with automatic alerts
• Containment: Immediate isolation of affected systems
• Eradication: Threat elimination and vulnerability remediation
• Recovery: Service restoration with integrity validation
• Notification: We inform affected users and authorities as required by law. For Amazon data, we notify within 24 hours
• Lessons learned: Post-incident review and control improvement

Incident Management Point of Contact (IMPOC):
Juan José Amador
Email: security@fenicia.io

9. Data Retention

We retain your personal data while you maintain an active account with us. Once you cancel your account, we will delete or anonymize your data within 90 days, except for data we must retain for legal or tax obligations.

Marketplace Data Retention

For data from marketplaces like Amazon, we retain order information for more than 30 days after delivery only when required by law:

• Tax obligations: Mexican and US tax law requires retaining transaction records for a minimum of 5 years
• Accounting obligations: Accounting standards require maintaining sales documentation for audits
• Disputes and claims: We retain data to resolve disputes until the applicable statute of limitations

When the law does not require retention, personally identifiable data is deleted within 30 days of delivery.

10. Changes to Privacy Policy

We reserve the right to modify this Privacy Policy. Any changes will be notified through our platform or by email. We recommend reviewing this document periodically.

11. Contact

For any questions or clarifications about this Privacy Policy, contact us: