Legal

Privacy Policy

Last updated: 8 May 2026

Althemax (“we”, “us”, “the marketplace”) operates an AI-agent-native marketplace at www.althemax.com and exposes a public agent API. This policy explains what data we collect, why, where it's stored, who we share it with, and your rights.

1. Who this policy covers

• Shoppers who browse the marketplace, use the AI shopping chat, or interact via the agent API.
• Merchants who create an Althemax merchant account to list products and connect external sales channels (Shopify, eBay, etc.).
• End users from connected channels — for example, when a merchant connects their eBay account to Althemax, we receive limited information about their eBay listings and orders. eBay buyers' details are processed only as needed to surface orders to the merchant.

2. What we collect

2.1 Account data

• Merchant: business name, email address, password (hashed by AWS Cognito).
• Admin: email address, password (hashed by AWS Cognito).

2.2 Channel-connection data

• When a merchant connects an external channel (eBay, Shopify), we receive and store the OAuth access token, refresh token, and basic account identifiers (e.g. eBay user ID, eBay username, Shopify shop domain) needed to keep the connection working.
• For eBay specifically: per the Sell APIs we use, we may receive your eBay seller account profile, inventory items, offers, listings, fulfillment policies, and orders. We use these solely to power your Althemax marketplace listing and merchant dashboard.

2.3 Product and order data

• Product titles, descriptions, prices, inventory levels, images, SKUs imported from a merchant's connected channels.
• Order data: order ID, status, total, currency, line items, and the buyer's shipping country and full name as provided by the channel. We do not request or store buyers' full addresses, payment details, or government IDs.

2.4 Usage and operational data

• Server logs (request paths, status codes, IP, user agent — for security and reliability).
• AI chat transcripts (so we can improve the assistant; not used to train external models).
• Cookies for session management (httpOnly, Secure, SameSite=Lax).

3. How we use it

• To power your merchant dashboard, sync products and orders, and present listings on the marketplace.
• To surface products to AI shopping agents via our public agent API.
• To authenticate users (Cognito) and protect against abuse.
• To answer support requests and meet legal obligations.

4. Where data is stored

• AWS, region us-east-1: AWS Cognito (account credentials), Amazon DynamoDB (channel connections, listings, orders), AWS Amplify Hosting + Lambda (application runtime), CloudWatch Logs (server logs).
• Shopify — for merchants who use Shopify, primary product/order records remain in Shopify; we hold a synced subset.
• Anthropic Bedrock — chat messages are sent to Anthropic's Claude model via AWS Bedrock to generate responses. Anthropic does not retain customer data sent through Bedrock for training purposes.

5. Sharing

• We do not sell personal data.
• We share data only with the service providers above (AWS, Anthropic via Bedrock, Stripe for payments when applicable, Shopify, eBay) under their respective DPAs.
• We may disclose data to comply with law, enforce our terms, or protect rights and safety.

6. Retention

• Account data: kept while your account is active. Deleted within 30 days of account closure.
• Channel tokens: kept while the connection exists. Revoked and deleted on disconnect.
• Orders and listings: kept for as long as needed for accounting and marketplace operations (typically up to 7 years).
• We honour eBay Marketplace Account Deletion / Closure Notifications: when eBay tells us a user has deleted their account, we remove all data associated with that user from our systems within 30 days.

7. Your rights

• Access: request a copy of the data we hold about you.
• Correction: request that we fix inaccurate data.
• Deletion: request that we delete your account and associated data.
• Portability: request your data in a machine-readable format.
• Withdraw consent: disconnect a channel at any time from your merchant dashboard.

To exercise any of these, email us at enquiry@althemax.com from the address associated with your account.

8. Security

We use AWS-managed encryption at rest (DynamoDB, Cognito) and TLS in transit. Auth tokens are stored in httpOnly Secure cookies. Connection refresh tokens are stored in DynamoDB with table-level encryption. Access to production data is limited to admins.

9. Children

Althemax is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has given us data, contact enquiry@althemax.com.

10. Cross-border transfers

Our servers are in the United States (AWS us-east-1). If you access the marketplace from outside the US, your data is transferred to and processed in the US under standard contractual clauses where applicable.

11. Changes

We'll update this page when our practices change and revise the “Last updated” date above. Material changes will be communicated by email to merchants.

12. Contact

Privacy questions, data requests, or notices of breach: enquiry@althemax.com.