Privacy Policy

1. Scope

This Policy applies to:

• Visitors to lmo7.com and any subdomains (the Website);
• Prospective and current clients and partners;
• Individuals whose data we process when operating our services, tools and integrations (e.g., analytics dashboards, audits, reports);
• Personal data we process when a seller authorises LMO7's application to access Amazon SP‑API data.

It does not apply to third‑party sites or services that we do not control. Those are governed by their own privacy policies.

2. What data we collect

We may collect and process the following categories of data:

Identity & contact – name, job title, company, email address, phone number, social profile, postal address.

Business details – company information, billing details, purchase orders, VAT number, contract metadata.

Communications – emails, call/meeting notes, support tickets, form submissions, feedback.

Website & device data – IP address, device type, browser, pages viewed, referring URLs, timestamps, cookie identifiers, consent choices, basic geolocation derived from IP.

Marketing preferences – subscriptions, opt‑ins/opt‑outs, campaign interactions.

Files & content you provide – briefs, product feeds, images, copy, data exports required for our services.

SP‑API / "Amazon Information" (if you authorise us) – order, listing, catalogue, inventory, pricing, advertising and performance data as permitted by your SP‑API scopes. We do not require or store buyer payment information. Access to buyer PII (e.g., names, addresses, phone numbers) is strictly limited to what is necessary and only where explicitly authorised by you.

3. How we collect data

• Directly from you when you contact us, request a proposal, sign a contract, subscribe to updates, or use our tools.
• Automatically via cookies and similar technologies when you visit our Website.
• From your authorised systems (e.g., Amazon SP‑API, analytics platforms) when you connect them to our services.
• From publicly available sources (e.g., your company website, LinkedIn) where relevant to a B2B engagement.

4. How we use data

We use personal data for the following purposes:

• Provide and operate services – audits, optimisation, reporting, dashboards, support, and account management.
• Contract & billing – proposals, statements of work, invoicing, credit control, and tax compliance.
• Product improvement – troubleshoot, test, maintain and enhance our tools and Website.
• Security & abuse prevention – detect, investigate and prevent security incidents or fraud.
• Marketing & communications – send service updates and content you request; you can opt out anytime.
• Legal & compliance – comply with applicable laws, resolve disputes, enforce agreements.

For SP‑API data, we only process it to deliver the services you have requested, in accordance with your instructions and Amazon's DPP (including retention and deletion requirements).

5. Our legal bases (UK GDPR/UK DPA 2018)

• Contract performance – to provide our services and respond to requests.
• Legitimate interests – to operate and improve our Website and services, keep them secure, and grow our business in a proportionate way. You have the right to object to processing based on legitimate interests.
• Consent – for non‑essential cookies/analytics and direct marketing where required. You can withdraw consent at any time.
• Legal obligation – to meet record‑keeping, tax and regulatory duties.

When acting as a processor for SP‑API data, our legal basis is determined by the seller (controller). We process such data strictly under the seller's instructions.

6. Sharing your data

We do not sell your personal data. We may share it with:

• Service providers / processors who support our Website, tools and operations (for example: web hosting, cloud infrastructure, analytics, email and CRM, payment/billing, authentication and security). These providers are bound by contracts and only process data per our instructions.
• Professional advisers (legal, accounting, insurance) under confidentiality duties.
• Authorities where required by law or to protect rights, safety and security.
• Business transfers – if we restructure or sell parts of our business, data may transfer under appropriate safeguards.

Typical processors may include (non‑exhaustive, subject to change): website/CMS hosting (e.g., Squarespace/Webflow), cloud platforms (e.g., Google Cloud Platform), analytics (e.g., Google Analytics), email & CRM tools, task/workflow tools, and secure file storage.

7. International transfers

We are UK‑based but some providers may process data outside the UK. Where data is transferred internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and, where relevant, the UK International Data Transfer Addendum (IDTA), plus risk assessments and supplementary measures.

8. Retention

We keep personal data only as long as necessary for the purposes set out in this Policy and to comply with legal obligations.

Indicative periods:

• Marketing contacts: up to 24 months from last meaningful interaction.
• Contracts, billing and tax records: 6–7 years (as required by law).
• Support tickets and project files: up to 24 months after project closure unless we agree otherwise.
• Web server logs and security logs: up to 90 days unless needed to investigate an incident.

SP‑API / Amazon Information: We comply with Amazon's DPP. Where buyer PII is accessed, we do not retain such PII longer than permitted (e.g., no later than 30 days after order delivery) and we will delete or return Amazon Information within 72 hours of an authorised request from Amazon or the seller, unless we are legally required to retain it longer.

9. Amazon SP‑API – additional terms

When you authorise LMO7 to access SP‑API on your behalf:

• You (the seller) are the data controller and LMO7 is your data processor for Amazon Information.
• We process Amazon Information only to provide the agreed services and in line with your documented instructions.
• We maintain appropriate technical and organisational measures to protect Amazon Information, including encryption in transit, access control, least‑privilege permissions, audit logging, and staff confidentiality obligations.
• We do not sell, share or use Amazon Information for advertising or unrelated purposes.
• On revocation or at the end of our engagement, we will promptly cease access, and delete or return Amazon Information within the timeframes required by Amazon's DPP (typically within 72 hours of request). Residual non‑PII logs may be retained for security and audit purposes for up to 90 days.

How to revoke access: Seller Central → Apps & Services → Manage Your Apps → locate "LMO7" (or the app name) → Revoke. You can also email us to request deletion (see Section 13).

10. Security

We take security seriously and implement measures including:

• Encryption in transit (HTTPS/TLS) and secure configuration of our hosting and cloud services;
• Access controls, least‑privilege, MFA and role‑based permissions;
• Segregation of environments and secure key/secret management;
• Vendor due diligence and DPAs with processors;
• Staff confidentiality and security awareness practices;
• Backups, monitoring and incident response procedures.

No method of transmission or storage is 100% secure; however, we work to protect your data and promptly address incidents in line with legal obligations.

11. Your rights (UK GDPR)

You have the right to request:

• Access to your personal data and a copy of it;
• Rectification of inaccurate or incomplete data;
• Erasure ("right to be forgotten") in certain circumstances;
• Restriction of processing in certain circumstances;
• Data portability (machine‑readable copy) in certain circumstances;
• Object to processing based on our legitimate interests and to direct marketing at any time;
• Withdraw consent where processing relies on consent.

To exercise your rights, contact hello@lmo7.com. We may need to verify your identity. We will respond within one month, subject to lawful extensions for complex requests.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk | Tel: 0303 123 1113. We would appreciate the chance to resolve concerns first.

12. Cookies & similar technologies

We use cookies and similar technologies to operate the Website, measure performance, and improve content.

• Essential cookies – required for site functionality and security.
• Analytics cookies – help us understand site usage. Set only with your consent.
• Advertising/marketing cookies – if used, set only with your consent.

When you first visit, you'll see a cookie banner. You can accept, reject, or manage categories. You can also change your choices later via the "Cookie Settings" link in the footer and through your browser settings. See our separate Cookie Policy for details of specific cookies (provider, purpose, duration).

13. Data deletion & revocation requests

• Website/marketing data: email hello@lmo7.com with the subject "Data Deletion Request" and provide details so we can identify you. We will confirm once completed.
• SP‑API / Amazon Information: revoke access via Seller Central (see Section 9). You may also email us; we will cease processing and delete/return Amazon Information within applicable Amazon DPP timeframes (typically within 72 hours of request), subject to any legal retention duties.

14. Children's data

Our Website and services are intended for business users. We do not knowingly collect personal data from children.

15. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date shows the latest version. Material changes will be highlighted on this page and, where appropriate, notified to you by email.

16. Contact us

If you have questions about this Policy or how we handle personal data, contact:

LMO7 Agency Limited

Email: hello@lmo7.com

Postal: Elizabeth House, 13–19 London Road, Newbury, Berkshire, United Kingdom, RG14 1JL