1. GENERAL PROVISIONS

1.1. The purpose of this Privacy Policy is to ensure the protection of the personal data of clients of Comfortside LLC (hereinafter referred to as the «Company»).

1.2. This Privacy Policy applies to all personal information of clients that the Company receives.

1.3. This Privacy Policy establishes the obligations of employees not to disclose the personal data that the client provides when placing an order and to ensure its confidentiality.

1.4. This Privacy Policy defines the procedure for collecting, processing, storing, and using personal data, and the measures to protect this data from unauthorized access, disclosure, and leakage.

 

2. DEFINITION OF TERMS

 The following terms are used in this Privacy Policy:

2.1. «Personal data» — any information relating directly or indirectly to an individual (an object of personal data).

2.2. «Processing of personal data» — any action (operation) performed on personal data with the use of automation tools, including recording, storage, use, and destruction.

2.3. «Confidentiality of personal data» — a mandatory requirement for employees of the Company who have access to personal data to prevent their distribution or transfer to third parties.

2.4. «Customer» — a person who makes a purchase of goods in the Amazon store or on the Company’s website.

2.5. «Deletion of personal data» — complete deletion of all personal data from the Company’s digital media.

 

3. PURPOSE OF COLLECTING CLIENTS’ PERSONAL INFORMATION

3.1 The purpose of processing personal data is to fulfill the obligations of the «Company» to customers in relation to the provision of services for the sale of goods.

3.2 The «Company» uses the personal data of customers only for certain purposes and only those personal data that are relevant to the achievement of such purposes. In particular, we process your personal data for the following purposes:

3.2.1. Order processing and delivery of the Company’s products directly to the buyer

3.2.2. Prompt resolution of issues related to a recent customer order

3.2.3. Providing the User with effective customer support (customer service)

3.2.4 Notifying the client about the status of the Order, its tracking, and delivery options.

 

4. STORAGE AND USE OF PERSONAL DATA

 Personal data of Clients are stored exclusively on electronic media of the «Company» and processed using automated systems.

4.1. The collection of personal data occurs by publishing an order by the client on the Company’s website or in the Amazon store.

4.2. Personal data can be processed only inside the Company, using the Company’s software.

4.3. The transfer of personal data in any form to third parties is prohibited.

4.4. The storage of the personal data of customers cannot be more than 30 days from the date of publication of the order. All personal data must be completely deleted within this period.

4.5. Personal data is used solely to fulfill the obligations assumed by the Company to the client, for example processing an order, creating labels, sending goods directly to the buyer, or notifying the client of the location of parcels.

4.6. The Company takes the necessary organizational and technical measures to protect the personal information of customers from unauthorized or accidental access, modification, copying, distribution, as well as from other illegal actions of third parties.

4.7. Any employees of the Company who have gained access to personal data are obliged not to transfer this information to third parties and not to distribute or copy the personal data of clients.

4.8. Employees of the Company are prohibited from using portable media to copy any personal data, such as hard drives, flash drives, and mobile phones (including screenshots), as well as any other media.

4.9 Employees of the Company can contact the client only if the client needs help or if there are problems that require agreement with the client about his recent order.

4.10 Users’ personal data cannot be transferred to any third parties and cannot be used for any other purposes not described in this agreement.

4.11 Personal data may be stored exclusively on the Company’s electronic media.

4.12. The Company cannot create and store backup copies of personal data.

 

5. SECURITY OF PERSONAL DATA 

5.1. The security of personal data processed by the Company is ensured by the implementation of organizational and technical measures necessary to ensure reliable protection of personal data.

5.2. To prevent unauthorized access to personal data, the Company applies the following organizational and technical measures:

5.2.1 appointment of officials responsible for organizing the processing and protection of personal data;

5.2.2 limiting the composition of persons having access to personal data;

5.2.3 familiarization of responsible persons with the requirements of legislation and documents of the Company on the processing and protection of personal data;

5.2.4 organization of the storage, use, and deletion of personal information;

5.2.5 identification of threats to the security of personal data during their processing, the formation of threat models based on them;

5.2.6 development of a personal data protection system based on the threat model;

5.2.7 checking the readiness and effectiveness of the use of information security tools;

5.2.8 differentiation of user access to information resources and software and hardware for information processing;

5.2.9 registration and accounting of user actions with personal data;

5.2.10 use of anti-virus tools and monitoring tools for the personal data protection system;

5.2.11 intrusion detection, security analysis and means of cryptographic information protection;

5.2.12 organization of strict control of access to systems of storage and processing of personal data.

5.3. Sensitive credentials must not be hardcoded and must not be published to public code repositories.

 

6. DESTRUCTION OF PERSONAL DATA

 6.1. Personal data must be completely destroyed from the Company’s digital media no later than 30 days from the date of publication of the order.

 

7. OBLIGATIONS OF THE COMPANY

7.1. Use the information received solely for the purposes specified in clause 3 of this Privacy Policy.

7.2. Ensure that confidential information is kept secret, not disclosed, and not sold, exchanged, published, or disclosed in any other way.

7.3. Take all possible precautions to protect the confidentiality of the personal data of customers.

7.4. If personal information relating to an Amazon store has been leaked, the person responsible must notify Amazon via email to 3p-security@amazon.com within 24 hours of discovering a security incident or suspecting that a security incident has occurred.

7.5. If a personal data leak is suspected, a commission should be created to identify the causes of a possible leak, and all data should be documented.

7.6. If a potential threat to the security of the system has been detected, the Company’s developers must correct the problem as soon as possible and create a log file with all the necessary information.

7.7. Developers must create and maintain a plan for detecting and handling security incidents.

7.8. Developers or any other employees of the Company may not represent or act on behalf of Amazon before any regulatory authority or customers unless Amazon specifically asks the Developer to do so in writing.

7.9. Developers must create and maintain a plan to detect and remediate vulnerabilities. Developers must protect physical hardware containing PII from technical vulnerabilities by performing vulnerability scans and remediating appropriately. Developers must conduct vulnerability scans or penetration tests at least once every 180 days and scan code for vulnerabilities prior to each release. In addition, developers must control changes to storage hardware by testing, reviewing changes, approving changes, and restricting access to who can perform these actions.

7.10. Developers must establish and abide by their privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation.

7.11. Developers must permanently and securely delete or return Information upon and in accordance with Amazon’s notice requiring deletion or return within 72 hours of Amazon’s requests unless the data is necessary to meet legal requirements, including tax or regulatory requirements. Secure deletion must occur in accordance with industry-standard sanitization processes such as NIST 800-88. Developers must also permanently and securely delete all live (online or network accessible) instances of Information 90 days after Amazon’s notice. If requested by Amazon, the Developer will certify in writing that all information has been securely destroyed.

7.12. The working and test environments should be separated.

 

8. ADDITIONAL TERMS

 8.1. Any suggestions or questions regarding this Privacy Policy should be directed to: office@comfortside.com