At BombBuy ("we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website bombbuy.org (the "Site") and use our e-commerce automation platform (the "Platform" or "Services").
This policy applies to both website visitors and registered users of our Platform. By using our Site or Services, you agree to the collection and use of information in accordance with this policy.
Scope: This policy covers our marketing website (bombbuy.org) and our e-commerce automation platform (app.bombbuy.org), including all microservices, integrations, and data processing activities.
1. Information We Collect
A. Website Visitors (bombbuy.org)
Contact Form Data
- Name, email address, company name, phone number
- Message content and inquiry details
- Timestamp and IP address of submission
Analytics and Usage Data
- Pages visited, time on site, click patterns
- Browser type, device information, operating system
- IP address and geographic location (city/country level)
- Referral sources and traffic origins
B. Platform Users (app.bombbuy.org)
Account and Authentication Data
- Registration Information: Full name, email address, password (encrypted with bcrypt)
- Organization Data: Company name, organization ID, multi-tenant configuration
- User Roles: Role assignments (superadmin, admin, bodega/warehouse)
- Authentication Tokens: JWT access tokens (60-minute expiry), refresh tokens (7-day expiry)
- Session Data: Login timestamps, IP addresses, device fingerprints
E-commerce Business Data
- Product Information: Product titles, descriptions, images, prices, specifications imported from Amazon
- Inventory Data: SKUs, stock levels, warehouse locations, product availability
- Marketplace Listings: MercadoLibre publications, listing IDs, category mappings, attributes
- Pricing and Costs: Cost analysis, profit margins, exchange rates, marketplace fees
- Orders and Sales: Order IDs, transaction amounts, order status, shipping information
End Customer Data (via Marketplaces)
When your customers purchase products through MercadoLibre, we process the following data on your behalf:
- Customer names and contact information
- Shipping addresses and delivery details
- Order details and purchase history
- Customer questions and communications
Important: You are the data controller for your end customers' data. BombBuy acts as a data processor. You are responsible for complying with privacy laws regarding your customers and providing them with appropriate privacy notices.
Third-Party Integration Data
- MercadoLibre: OAuth tokens, seller IDs, API credentials, listing permissions
- Amazon (via RapidAPI): Product URLs, ASIN codes, scraped product data
- N8N Workflows: Workflow configurations, automation rules, custom triggers
Technical and System Data
- API Usage: Request/response logs, API call timestamps, rate limiting data
- Performance Metrics: Response times, error rates, system health indicators
- Audit Logs: User actions, data modifications, security events
- Media Files: Product images, documents uploaded to S3 storage
2. How We Use Your Information
A. Website Information
- Communication: Respond to inquiries, provide demos, send marketing materials (with consent)
- Analytics: Understand visitor behavior, improve website performance, optimize user experience
- Security: Prevent spam, detect bot activity, protect against fraud
B. Platform Information
- Service Delivery: Provide e-commerce automation features, process product imports, manage marketplace listings
- Authentication: Verify user identity, maintain secure sessions, manage access control
- Multi-Tenant Isolation: Segregate data by organization, ensure privacy between customers
- AI Processing: Translate product descriptions (GPT), match attributes automatically, categorize products, analyze costs
- Marketplace Integration: Sync products to MercadoLibre, manage orders, respond to customer questions
- Business Intelligence: Generate analytics, calculate profit margins, track sales performance
- Customer Support: Troubleshoot issues, provide technical assistance, resolve disputes
- System Maintenance: Monitor performance, detect errors, optimize infrastructure
3. Third-Party Services and Integrations
A. Amazon Web Services (AWS)
Our infrastructure is hosted on AWS, which provides:
- Amazon S3: Static website hosting and media file storage (product images, documents)
- Amazon CloudFront: Content delivery network for fast, secure access
- AWS Lambda: Serverless functions for contact form processing
- Amazon EKS: Kubernetes cluster for microservices deployment
- Amazon CloudWatch: Logging, monitoring, and alerting
- Amazon SES: Email delivery for notifications and alerts
AWS complies with GDPR, CCPA, SOC 2, ISO 27001, and other security standards. Data is stored in US East (Virginia) region.
B. MongoDB (Database)
- Primary database for all user data, product information, and transactions
- Multi-tenant architecture with organization-level data isolation
- Encrypted at rest and in transit (TLS/SSL)
- Regular automated backups with 30-day retention
C. RabbitMQ (Message Queue)
- Inter-service communication between 13+ microservices
- Transient message storage (messages deleted after processing)
- Contains product data, user IDs, and operational commands
D. MercadoLibre API
- Official API integration for marketplace publishing
- OAuth 2.0 authentication with your MercadoLibre seller account
- Product listing creation, order management, customer questions
- Subject to MercadoLibre's Privacy Policy and Terms of Service
E. Amazon Product Data (RapidAPI)
- Third-party API for fetching Amazon product information
- Product titles, descriptions, images, prices, specifications
- No direct Amazon account connection required
- RapidAPI acts as intermediary with its own privacy practices
F. OpenAI GPT Services
- Translation Service: Automatic translation of product descriptions (Spanish, Portuguese, English)
- Attribute Matching: AI-powered product attribute categorization
- Data Sent: Product titles, descriptions, and attributes (no personal user data)
- OpenAI's Business Terms: Data not used for model training per enterprise agreement
G. Google Services
- Google Analytics 4: Website traffic analysis (bombbuy.org only)
- Google reCAPTCHA v3: Bot detection and spam prevention on contact form
- Subject to Google's Privacy Policy
H. N8N Workflow Automation
- Self-hosted workflow automation platform
- Enables custom business process automation
- May access product data, inventory, and order information based on your configurations
4. How We Share Your Information
We do not sell your personal data to third parties.
We may share your information in the following circumstances:
A. Service Providers
- Cloud infrastructure providers (AWS)
- API service providers (RapidAPI, OpenAI)
- Analytics providers (Google Analytics)
- All service providers are bound by confidentiality agreements
B. Marketplace Platforms
- Product data shared with MercadoLibre for listing creation
- Order and shipping information exchanged through official APIs
- Customer questions and responses via marketplace messaging systems
C. Legal and Compliance
- When required by law, court order, or government request
- To enforce our Terms of Service or protect our rights
- To investigate fraud, security incidents, or illegal activity
- To protect the safety of users or the public
D. Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and your choices regarding your data.
E. With Your Consent
We may share your information for other purposes with your explicit consent.
5. Data Security
We implement comprehensive security measures to protect your data:
Encryption
- In Transit: TLS 1.3 encryption for all data transmission (HTTPS, WSS)
- At Rest: AES-256 encryption for database and file storage
- Passwords: Bcrypt hashing with salt (never stored in plain text)
Access Control
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication for administrative access
- JWT token-based authentication with short-lived sessions
- Organization-level data isolation in multi-tenant architecture
Infrastructure Security
- AWS Virtual Private Cloud (VPC) with network segmentation
- Web Application Firewall (WAF) for DDoS protection
- Intrusion detection and prevention systems
- Regular security patches and updates
Monitoring and Auditing
- 24/7 system monitoring and alerting
- Comprehensive audit logs for all data access and modifications
- Regular security assessments and penetration testing
- Incident response procedures and breach notification protocols
Employee Access
- Limited access on a need-to-know basis
- Background checks for employees with data access
- Regular security training and awareness programs
- Confidentiality agreements and data handling policies
While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your data.
6. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
| Data Type |
Retention Period |
Reason |
| Contact Form Submissions |
2 years |
Lead tracking and follow-up |
| Active User Accounts |
Duration of subscription + 30 days |
Service delivery and account reactivation |
| Product and Inventory Data |
Duration of subscription + 30 days |
Business operations and data export |
| Transaction and Order Records |
7 years |
Legal and tax compliance |
| Audit Logs |
2 years |
Security investigation and compliance |
| Analytics Data (Google) |
26 months |
Usage analysis and optimization |
| Encrypted Backups |
30 days rolling |
Disaster recovery |
Data Deletion
When you cancel your subscription:
- You have 30 days to export your data (CSV and JSON formats available)
- After 30 days, all account data, products, and business information are permanently deleted
- Transaction records are retained for 7 years per legal requirements
- Audit logs are retained for 2 years for security purposes
- Backups are automatically purged after 30 days
7. Your Privacy Rights
Depending on your location, you have specific rights regarding your personal data:
A. GDPR Rights (European Economic Area)
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal retention requirements)
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in machine-readable format (CSV, JSON)
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Withdraw consent for data processing at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority
B. CCPA Rights (California Residents)
- Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of sale of personal information (note: we do not sell personal data)
- Right to Non-Discrimination: Receive equal service regardless of exercising privacy rights
- Right to Correct: Request correction of inaccurate personal information
C. Other Jurisdictions
If you are located in Brazil (LGPD), Canada (PIPEDA), or other jurisdictions with privacy laws, you may have similar rights. Contact us to learn more about your specific rights.
How to Exercise Your Rights
Email: privacy@bombbuy.org
Account Dashboard: Many settings can be updated directly in your account settings at app.bombbuy.org
Response Time: We will respond to verified requests within 30 days (or as required by applicable law)
Identity Verification: We may request additional information to verify your identity before processing requests
8. International Data Transfers
BombBuy operates from Latin America and uses infrastructure located in the United States (AWS US-East-1 Virginia). Your information may be transferred to, stored, and processed in countries other than your country of residence.
Transfer Safeguards
- AWS Data Privacy Framework: AWS complies with EU-US and Swiss-US Data Privacy Framework
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to third countries
- Adequacy Decisions: We rely on adequacy decisions where available
- Encryption: All data transfers are encrypted end-to-end
Data Storage Locations
- Primary: AWS US-East-1 (Virginia, USA)
- Backups: Encrypted and stored in the same region
- CDN: CloudFront edge locations worldwide (cached content only)
9. Children's Privacy
BombBuy is a business-to-business (B2B) service intended for commercial use by individuals 18 years or older. We do not knowingly collect personal information from children under 16.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@bombbuy.org and we will promptly delete such information.
10. Cookies and Tracking Technologies
Website (bombbuy.org)
| Cookie Name |
Type |
Purpose |
Duration |
| bombbuy-lang |
Essential |
Language preference (ES/EN) |
1 year |
| cookie-consent |
Essential |
Cookie banner consent choice |
1 year |
| _ga, _ga_* |
Analytics |
Google Analytics 4 tracking |
2 years |
| _grecaptcha |
Security |
reCAPTCHA bot detection |
Session |
Platform (app.bombbuy.org)
- Authentication Tokens: JWT tokens stored in httpOnly secure cookies
- Session Management: User session state and preferences
- Security: CSRF tokens and security headers
Cookie Control
You can control cookies through:
- Browser settings (most browsers allow blocking or deleting cookies)
- Cookie consent banner on our website (for analytics cookies)
- Google Analytics opt-out: Browser Add-on
Note: Disabling essential cookies may affect platform functionality.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our data practices or services
- New legal or regulatory requirements
- Security or technology improvements
- User feedback and best practices
Notification of Changes
For material changes, we will notify you by:
- Updating the "Last Updated" date at the top of this policy
- Sending an email to your registered email address
- Displaying a prominent notice on our website and platform
- Requiring re-acceptance of updated terms upon login (for significant changes)
Your continued use of our Services after changes are posted constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Supervisory Authority
If you are located in the EU/EEA and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority.