Legal
Privacy Policy
Effective 2026-07-07 · Contact: privacy@dubstream.co
Dubstream ("Dubstream", "we", "us") is an e-commerce engineering agency based in Montevideo, Uruguay. We operate this website (dubstream.co), the Commerce Agent platform, and custom software we build and run for clients. This policy explains what data we collect, why, how it is stored and protected, and the choices you have. Questions or requests: privacy@dubstream.co.
Data we collect on this website
The website itself is a static site. We do not run advertising trackers and we do not sell or share visitor data for marketing. We collect:
- Contact form submissions — the interest you select, your name, email address, where you sell, and your message. Submissions are delivered to our team by email and an internal notification channel, and are used solely to respond to your enquiry.
- Email — anything you send to our mailboxes (hello@, support@, etc.), retained as ordinary business correspondence.
- Server logs — standard web-server access logs (IP address, user agent, requested URL) kept for security and operations.
Client platform data — how our products and builds access it
Commerce Agent, our command centers and our productized builds connect to marketplace and advertising accounts only after the account owner authorizes access through each platform's official consent flow (for example, Amazon's third-party developer authorization, Google's OAuth consent, Shopify app authorization). We never ask for your passwords and we never scrape accounts. You can revoke access at any time from the platform's own settings (e.g. Amazon Seller Central → Manage your apps, or your Google account permissions), and revocation cuts our access immediately.
Depending on the services a client engages, this data can include:
- Orders, listings, inventory, fees, settlements and reports (Amazon Selling Partner API and equivalents on other marketplaces);
- Advertising entities and performance data (Amazon Ads API, Google Ads API);
- Store data (Shopify, Mercado Libre and similar);
- Files and sheets a client designates as a source of truth (e.g. Google Drive / Google Sheets used for listing audits).
We use this data exclusively to provide the services the client engaged us for — analytics, audits, automations and reports delivered back to that same client. We do not sell it, we do not use it for advertising, and we never mix one client's data into another client's service.
Amazon data and personally identifiable information (PII)
As an Amazon-approved third-party developer we operate under, and require our clients' engagements to conform to, Amazon's Acceptable Use Policy and Data Protection Policy. In particular:
- Buyer PII (names, addresses, and similar order data) is accessed only where a service genuinely requires it (e.g. shipping, tax or refund workflows) and is used for no other purpose.
- PII is retained no longer than 30 days after order delivery, unless a longer period is required by law or by the client's tax obligations, in which case it is archived with restricted access.
- All data is encrypted in transit (TLS 1.2+) and at rest; access is restricted to personnel who need it to deliver the service, and every API call through our command centers is written to an audit log the client can review.
- We do not disclose Amazon data to third parties except the sub-processors listed below, and never for their own purposes.
Google user data
Where a service connects to Google APIs (Google Ads, Google Drive, Google Sheets), our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Concretely: Google user data is used only to provide the features the client connected (e.g. reading a pricing sheet to audit listings, or managing the ad campaigns the client asked us to manage); it is not used for advertising, not sold, and not transferred except as needed to provide those features, for security, or to comply with law. Humans do not read this data except with the client's consent, for security purposes, or where required by law.
Where data lives and how it is secured
- Client deployments run on AWS or Google Cloud — either in the client's own cloud account (dedicated deployments are the client's to keep) or in infrastructure we operate.
- Data stores (PostgreSQL, BigQuery) are network-isolated; command-center endpoints require token authentication; secrets are stored outside version control with restricted file permissions.
- Encryption in transit and at rest, least-privilege IAM, and per-call audit logging are standard across deployments.
Sub-processors
We use a small set of infrastructure providers to deliver our services: Amazon Web Services and Google Cloud (hosting, storage, email delivery via Amazon SES) and Slack (internal notifications of contact-form submissions and operational alerts). These providers process data on our instructions and do not use it for their own purposes.
Retention and deletion
Client platform data is retained only while the engagement or subscription is active, plus a short wind-down period to hand data back. On termination — or earlier on request — we delete client data from systems we operate and confirm deletion in writing; where the deployment lives in the client's own cloud account, the client keeps it and we simply lose access. Amazon PII follows the stricter 30-day rule above regardless. Step-by-step: Data Deletion Instructions.
Your rights
You can request access to, correction of, or deletion of personal data we hold about you, and you can object to or restrict our processing of it, by writing to privacy@dubstream.co. We answer within a business day and resolve requests within 30 days. If you are in the EU/EEA or UK, these rights track the GDPR; we honor them for everyone regardless of location.
Children
Our website and services are for businesses and are not directed at children under 16; we do not knowingly collect their data.
Changes
If we change this policy we will update it here with a new effective date. Material changes affecting active clients are notified by email.
Dubstream · Montevideo, Uruguay · privacy@dubstream.co · See also our Terms of Service & Acceptable Use.