SUPPLY LEADER PRIVACY POLICY

Last Updated August 20th, 2019

1. GENERAL

Supply Leader (“Company” or “we” or “us” or “our”) respects the privacy of its users (“User” or “you”) that use our website(s) located at supplyleader.com including other media forms, media channels, mobile website or mobile application related or connected thereto (collectively, the “Website”). The following Supply Leader privacy policy (“Privacy Policy”) is designed to inform you, as a user of the Supply Leader Website, about the types of information that Supply Leader may gather about or collect from you in connection with your use of the Supply Leader Website.

It is also intended to explain the conditions under which Supply Leader uses and discloses that information, and your rights in relation to that information. Changes to this Privacy Policy are discussed at the end of this document. Each time you use the Supply Leader Website, however, the current version of this Privacy Policy will apply. Accordingly, each time you use the Supply Leader Website you should check the date of this Privacy Policy (which appears at the beginning of this document) and review any changes since the last time you used the Supply Leader Website.

2. ACCEPTANCE

The Supply Leader Website is hosted in Hong Kong and is subject to the laws of Hong Kong. If you are accessing our Website from other jurisdictions, please be advised that you are transferring your personal information to us in China, and by using our Website, you consent to that transfer and use of your personal information in accordance with this Privacy Policy. You also agree to abide by the applicable laws of applicable states and People's Republic of China law concerning your use of the Supply Leader Website and your agreements with us.

Any persons accessing our Website from any jurisdiction with laws or regulations governing the use of the Internet, including personal data collection, use and disclosure, different from those of the jurisdictions mentioned above may only use the Supply Leader Website in a manner lawful in their jurisdiction. If your use of the Supply Leader Website would be unlawful in your jurisdiction, please do not use our Website.

By Using Or Accessing The Supply Leader Group LTD Website, You Are Accepting The Practices Described In This Privacy Policy. Gathering, Use and Disclosure of Non-Personally-Identifying Information.

3. OVERVIEW

This is the privacy notice of Supply Leader or supplyleader.com and Supply Leader Group Ltd. In this document, "we", "our", or "us" refer to Supply Leader.

Your privacy is important to us. Supply Leader is committed to protecting the privacy of its users and the information that you share in connection with your use of Supply Leader’s Services. This Privacy Policy describes how we share and transfer Personal Data that You provide to us (including how we collect, process and manage Your Personal Data) and informs You of Your rights with respect to the privacy practices associated with the use and disclosure of Personal Data through the Site and Our Services. This privacy statement discloses what information we gather and how we use it. Supply Leader is strongly committed to protecting the privacy of our users. Supply Leader is committed to safeguarding your private information.

Similar to other commercial websites, our website utilizes a standard technology called ‘cookies’ (see explanation below and our cookies policy page for more information) and server logs to collect information about how our site is used. Information gathered through cookies and server logs may include the date and time of visits, the pages viewed, time spent at our site, and the websites visited just before and just after our own, as well as your IP address.

4. INTRODUCTION

This is a notice to inform you of the Supply Leader policy about all information that we record about you. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.

I. We regret that if there are one or more points below with which you are not happy, your only recourse is to leave our website immediately.

II. Supply Leader takes seriously the protection of your privacy and confidentiality. We understand that all visitors to our website are entitled to know that their personal data will not be used for any purpose unintended by them, and will not accidentally fall into the hands of a third party.

III. Supply Leader undertakes to preserve the confidentiality of all information you provide to us, and hopes that you reciprocate.

IV. Our policy complies with the Hong Kong law accordingly implemented, including that required by the European Union General Data Protection Regulation (GDPR).

V. The law requires us to tell you about your rights and our obligations to you in regard to the processing and control of your personal data.

VI. Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website.

5. PERSONAL INFORMATION WE COLLECT

We collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”.

When we talk about “Personal Information” in this Privacy Policy, we are talking both about Device Information and Order Information.

6. INFORMATION FROM USERS

If you are a user, you agree to be bound by this Privacy Policy on our website which complies with the laws applicable to this site. You also agree that you gave your consent for the use and access of your Personal Information by Supply Leader and other third parties. You agree to grant Supply Leader affirmative, express consent regarding your data for the use and access of sensitive Personal Information and other third parties.

7. WHAT INFORMATION DO WE COLLECT FROM USERS AND WHY?

We collect Device Information using the following technologies:

“Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit www.allaboutcookies.org.

“Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

“Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.

Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information, email address, and phone number. We refer to this information as “Order Information”.

I. We collect your name, email address, company name, and address.

II. We need this information to provide you with our Services; for example, to create your account, confirm your identity, contact you, and invoice you.

III. We collect data about the Supply Leader-hosted webpages that you visit. We also collect data about how and when you access your account, including information about the device and browser you use, your network connection and your IP address.

IV. We need this information to troubleshoot, give you access to and improve our Services.

V. We collect Personal Information about your customers that you share with us or that customers provide during checkout.

VI. We use this information to provide you with our Services and so that you can process orders and better serve your customers.

VII. We will also use Personal Information in other cases where you have given us your express permission.

8. WHAT ADDITIONAL INFORMATION WE COLLECT AND HOW WE USE IT

We may also collect information for billing and transactional purposes, statistics on your usage of the Site or Our Services (including IP, device, geographic, and other specific information about you) as well as other technical data such as cookies, pixel tags, and other similar technology.

Data that You provide to Us will be made available to other users of the Site and Service, may be shared with other Supply Leader Services of which you are not a user, as well as potentially transmitted to third parties as set forth herein. Please do not post any information you do not want revealed to the public or shared across the Supply Leader Site, Services, or otherwise. We use this information to provide and enhance our Services (including servicing your account, if applicable), and answer any questions you may have.

9. HOW DO WE USE YOUR PERSONAL INFORMATION?

We use the Order Information that we collect generally to fulfill any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:

- Communicate with you;

- Screen our orders for potential risk or fraud; and

- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.

We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).

10. HERE ARE SOME EXAMPLES OF HOW WE USE YOUR DATA

We need this information to troubleshoot, give you access to and improve our Services. We also use this information to provide you with our Services and so that you can process orders and better serve your customers.

I. To provide, develop, and enhance the Service

II. To respond to feedback, requests, and monitor security for the Service

III. To provide users with promotional communications, materials, and other third party information

IV. To enforce Our terms or rights under any agreement between you and Supply Leader

VI. We need this information to provide you with our Services; for example, to create your account, confirm your identity, contact you, and invoice you.

VII. We collect data about the Supply Leader-hosted webpages that you visit. We also collect data about how and when you access your account, including information about the device and browser you use, your network connection and your IP address.

VIII. We will also use Personal Information in other cases where you have given us your express permission.

Supply Leader may also collect and create Anonymous Data about you, which does not identify any personal information about you and may be disclosed in our sole discretion.

11. SHARING YOUR PERSONAL INFORMATION

We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Google Analytics to help us understand how our customers use the Site; you can read more about how Google uses your Personal Information here: www.google.com/intl/en/policies/privacy. You can also opt out of Google Analytics here: tools.google.com/dlpage/gaoptout.

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

12. WHEN DO WE COLLECT INFORMATION?

We collect personal information from you when you place an order or enter information on our website. We need this information to provide users with our Services, including supporting and processing orders, authentication, and processing payments.

13. BEHAVIOURAL ADVERTISING

As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

You can opt out of targeted advertising by using the links below:

Facebook: www.facebook.com/settings/?tab=ads

Google: www.google.com/settings/ads/anonymous

Bing: advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: optout.aboutads.info.

14. IP ADDRESSES DATA WE COLLECT UNDER EU GDPR REGULATION

IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by our web server as part of demographic and profile data known as “traffic data” so that data (such as the Web pages you request) can be sent to you.

15. WE DO NOT SELL, RENT OR LEASE OUR USER LISTS TO THIRD PARTIES

Supply Leader may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is transferred to the third party. Supply Leader may share data with trusted partners to help perform statistical analysis, send you email or postal mail, provide user support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to Supply Leader, and they are required to maintain the confidentiality of your information.

16. WHEN WE DISCLOSE YOUR INFORMATION UNDER THE EU GDPR REGULATION

Supply Leader will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to:

(a) Conform to the edicts of the law or comply with legal process served on Supply Leader or the site;

(b) Protect and defend the rights or property of Supply Leader; and,

(c) Act under exigent circumstances to protect the personal safety of users of Supply Leader, or the public.

17. DATA RETENTION

When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.

18. CAN-SPAM ACT UNDER GDPR REGULATION

In compliance with the GDPR CAN-SPAM Act, all e-mail sent from our organization will clearly state who the e-mail is from and provide clear information on how to contact the sender. In addition, all e-mail messages will also contain concise information on how to remove yourself from our mailing list so that you receive no further e-mail communication from us. You can also email us at support@supplyleader.com to disable any type of email notification.

19. INFORMATION WE PROCESS BECAUSE WE HAVE A CONTRACTUAL OBLIGATION WITH YOU

When you create an account on the Supply Leader website, purchase a service from us, or otherwise agree to our terms, a contract is formed between you and us. Information is collected in the Supply Leader hosted checkout when a user’s customer places an order on our site, or when our users submit various types of information and data into the Service through the Supply Leader administration console or through Supply Leader’s API.

In order to carry out our obligations under that contract we must process the information you give us. Some of this information may be personal information.

We may use it in order to:

i. verify your identity for security purposes

ii. introduce new Offers to you

iii. provide you with our products and services

iv. provide you with suggestions and advice on relevant services and how to obtain the most from using our website

Supply Leader processes this information on the basis that there is a contract between us, or that you have requested we use the information before we enter into a legal contract.

Additionally, we may aggregate this information in a general way and use it to provide class information, for example to monitor our performance with respect to a particular service we provide. If we use it for this purpose, you as an individual will not be personally identifiable.

20. USERS OF THE SUPPLY LEADER WEBSITE GENERALLY

“Non-Personally-Identifying Information” is information that, without the aid of additional information, cannot be directly associated with a specific person. “Personally-Identifying Information,” by contrast, is information such as a name or email address that, without more, can be directly associated with a specific person. Like most website operators, Supply Leader gathers from users of the Supply Leader Website Non-Personally-Identifying Information of the sort that Web browsers, depending on their settings, may make available.

That information includes the user’s Internet Protocol (IP) address, operating system, browser type and the locations of the websites the user views right before arriving at, while navigating and immediately after leaving the Website. Although such information is not Personally-Identifying Information, it may be possible for Supply Leader to determine from an IP address a user’s Internet service provider and the geographic location of the visitor’s point of connectivity as well as other statistical usage data. Supply Leader analyzes Non-Personally-Identifying Information gathered from users of the Website to help Supply Leader better understand how the Website is being used.

By identifying patterns and trends in usage, Supply Leader is able to better design the Website to improve users’ experiences, both in terms of content and ease of use. From time to time, Supply Leader may also release the Non-Personally-Identifying Information gathered from Website users in the aggregate, such as by publishing a report on trends in the usage of the Supply Leader Website.

21. WEB COOKIES

A “Web Cookie” is a string of information which assigns you a unique identification that a website stores on a user’s computer, and that the user’s browser provides to the Supply Leader website each time the user submits a query to the Supply Leader website. We use cookies on our Website to keep track of services you have used, to record registration information regarding your login name and password, to record your user preferences, to keep you logged into the Website and to facilitate purchase procedures.

Supply Leader also uses Web Cookies to track the pages that users visit during each Website session, both to help Supply Leader improve users’ experiences and to help Supply Leader understand how the Website is being used. As with other Non-Personally-Identifying Information gathered from users of the Website, Supply Leader analyzes and discloses in aggregated form information gathered using Web Cookies, so as to help us, its partners and others better understand how the Website is being used.

Supply Leader users who do not wish to have web cookies placed on their computers should set their browsers to refuse web cookies before accessing the Supply Leader website, with the understanding that certain features of the website may not function properly without the aid of web cookies. Website users who refuse web cookies assume all responsibility for any resulting loss of functionality.

22. WEB BEACONS

A “Web Beacon” is an object that is embedded in a web page or email that is usually invisible to the user and allows website operators to check whether a user has viewed a particular web page or an email. Supply Leader may use Web Beacons on the Website and in emails to count users who have visited particular pages, viewed emails and to deliver co-branded services. Web Beacons are not used to access users’ Personally-Identifying Information.

They are a technique Supply Leader may use to compile aggregated statistics about Website usage. Web Beacons collect only a limited set of information, including a Web Cookie number, time and date of a page or email view and a description of the page or email on which the Web Beacon resides. You may not decline Web Beacons.

However, they can be rendered ineffective by declining all Web Cookies or modifying your browser setting to notify you each time a Web Cookie is tendered, permitting you to accept or decline Web Cookies on an individual basis.

23. ANALYTICS

We may partner with selected third parties to allow tracking technology on the Supply Leader Website, which will enable them to collect data about how you interact with the Supply Leader Website and our services over time. This information may be used to, among other things, analyze and track data, determine the popularity of certain content and better understand online activity.

24. MOBILE DEVICE TERMS

Mobile Device. If you use a mobile device to access the Website or download any of our mobile applications, we may collect device information (such as your mobile device ID, model and manufacturer), operating system, version information and IP address.

Geo-Location Information. Unless we have received your prior consent, we do not access or track any location-based information from your mobile device at any time while downloading or using our mobile application or our services, except that it may be possible for Supply Leader to determine from an IP address the geographic location of your point of connectivity, in which case we may gather and use such general location data.

Push Notifications. We send you push notifications if you choose to receive them, letting you know when someone has sent you a message or for other service-related matters. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.

Mobile Analytics. We use mobile analytics software to allow us to better understand the functionality of our mobile software on your phone. This software may record information, such as how often you use the application, the events that occur within the application, aggregated usage, and performance data and where the application was downloaded from. We do not link the information we store within the analytics software to any Personally-Identifying Information you submit within the mobile application.

25. SOCIAL MEDIA

We may provide you the option to connect your account on the Supply Leader Website to your account on some social networking sites for the purpose of logging in, uploading information or enabling certain features on the Website.

When logging in using your social network credentials, we may collect the Personally-Identifying Information you have made publicly available on the social networking site, such as your name, profile picture, cover photo, username, gender, friends network, age range, locale, friend list and any other information you have made public.

Once connected, other users may also be able to see information about your social network, such as the size of your network and your friends, including common friends.

By connecting your account on the Supply Leader Website to your account on any social networking site, you hereby consent to the continuous release of information about you to us. We will not send any of your account information to the connected social networking site without first disclosing that to you. Each social network may further allow you to set privacy controls around your information on their system, and our collection of information will always follow such controls and permissions.

This feature is subject to continuous change and improvement by us and each social networking site involved, and therefore the available features and shared information are subject to change without notice to you.

26. COLLECTION, USE AND DISCLOSURE OF PERSONALLY-IDENTIFYING INFORMATION

As defined above, Personally-Identifying Information is information that can be directly associated with a specific person. Supply Leader may collect a range of Personally-Identifying Information from and about Website users. Much of the Personally-Identifying Information collected by Supply Leader about users is information provided by users themselves when

1) Registering for our service,

2) Logging in with social network credentials,

3) Participating in polls, contests, surveys or other features of our service, or responding to offers or advertisements,

4) Communicating with us,

5) Signing up to receive newsletters. That information may include each user’s name, address, email address and telephone number, and, if you transact business with us, financial information such as your payment method (valid credit card number, type, expiration date or other financial information).

We also may request information about your interests and activities, your gender, age, date of birth, username, hometown and other demographic or relevant information as determined by Supply Leader from time to time. Users of the Website are under no obligation to provide Supply Leader with Personally-Identifying Information of any kind, with the caveat that a user’s refusal to do so may prevent the user from using certain Website features.

By Registering With Or Using The Supply Leader Website, You Consent To The Use And Disclosure Of Your Personally-Identifying Information As Described In This “Collection, Use And Disclosure Of Personally-Identifying Information” Section.

27. SUPPLY LEADER COMMUNICATIONS

We may occasionally use your name and email address to send you notifications regarding new services offered by the Supply Leader Website that we think you may find valuable. We may also send you service-related announcements from time to time through the general operation of the service. Generally, you may opt out of such emails at the time of registration or through your account settings, though we reserve the right to send you notices about your account, such as service announcements and administrative messages, even if you opt out of all voluntary email notifications.

28. SUPPLY LEADER DISCLOSURES

Supply Leader will disclose Personally-Identifying Information under the following circumstances:

By Law or to Protect Rights. When we believe disclosure is appropriate, we may disclose Personally-Identifying Information in connection with efforts to investigate, prevent or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property or safety of Supply Leader, our users, our employees or others; to comply with applicable law or cooperate with law enforcement; to enforce our Terms of Use or other agreements or policies, in response to a subpoena or similar investigative demand, a court order or a request for cooperation from a law enforcement or other government agency; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases, we may raise or waive any legal objection or right available to us.

Third-Party Service Providers. We may share your Personally-Identifying Information, which may include your name and contact information (including email address) with our authorized service providers that perform certain services on our behalf. These services may include fulfilling orders, providing customer service and marketing assistance, performing business and sales analysis, supporting Supply Leader Website’s functionality and supporting contests, sweepstakes, surveys and other features offered through the Website. We may also share your name, contact information and credit card information with our authorized service providers who process credit card payments. These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purpose.

Business Transfers; Bankruptcy. Supply Leader reserves the right to transfer all Personally-Identifying Information in its possession to a successor organization in the event of a merger, acquisition, bankruptcy or other sale of all or a portion of Supply Leader assets. Other than to the extent ordered by a bankruptcy or other court, the use and disclosure of all transferred Personally-Identifying Information will be subject to this Privacy Policy, or to a new Privacy Policy if you are given notice of that new Privacy Policy and are given an opportunity to affirmatively opt-out of it. Personally-Identifying Information submitted or collected after a transfer, however, may be subject to a new Privacy Policy adopted by the successor organization.

29. GENERAL USE

Supply Leader uses the Personally-Identifying Information in the file we maintain about you, and other information we obtain from your current and past activities on the Website:

I. To deliver the products that you have requested;

II. To manage your account and provide you with customer support;

III. To communicate with you by email, postal mail, telephone and/or mobile devices about products or services that may be of interest to you either from us, our affiliate companies or other third parties;

IV. To develop and display content and advertising tailored to your interests on the Website and other sites;

V. To resolve disputes and troubleshoot problems;

VI. To measure consumer interest in our services;

VII. To inform you of updates;

VIII. To customize your experience;

IX. To detect and protect us against error, fraud and other criminal activity;

X. To enforce our Terms of Use; and

XI. To do as otherwise described to you at the time of collection

At times, we may look across multiple users to identify problems. In particular, we may examine your Personally-Identifying Information to identify users using multiple user IDs or aliases. We may compare and review your Personally-Identifying Information for accuracy and to detect errors and omissions. We may use financial information or payment method to process payment for any purchases made on the Website, enroll you in the discount, rebate, and other programs in which you elect to participate, to protect against or identify possible fraudulent transactions and otherwise as needed to manage our business.

30. AMAZON MWS DATA PROTECTION

Supply Leader's Developer Team operates comprehensive and sophisticated data analysis software (“Application”), based on the Amazon Marketplace Web Service API. The Application combines a wide array of different tools which shall help the customers of Supply Leader (“Customer”) to make business decisions. Supply Leader offers Customers access to its web platform (“Application”), which allows Customers to access and use the Software as a service.

The Data Protection Policy ("DPP") governs the treatment (e.g., receipt, storage, usage, transfer, and disposition) of the data vended and retrieved through the Amazon Marketplace APIs (including the Amazon Marketplace Web Service APIs). This Policy supplements the Amazon Marketplace Developer Agreement and the Amazon Acceptable Use Policy. We are doing our best to comply with terms indicated below.

Definitions

"Application" means a supplyleader.com website that interfaces with the Amazon Marketplace APIs.

"Amazon Information" means any information that is exposed by Amazon through the Amazon Marketplace APIs, Seller Central, or Amazon's public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon customers.

"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.

"Developer" means Supply Leader's Developer Team that uses the Amazon Marketplace APIs for the purpose of integrating or enhancing supplyleader.com systems with the features and functionality permitted by Amazon to be accessed through the Marketplace APIs.

"Personally Identifiable Information" ("PII") means information that can be used on its own or with other information to identify, contact, or locate an individual (e.g., Customer or Seller), or to identify an individual in context. This includes, but is not limited to, a Customer or Seller's name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, or Internet-connected device product identifier.

"Security Incident" means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment (i) containing Amazon Information, or (ii) managed by a Developer with controls substantially similar to those protecting Amazon Information.

"Seller" means any person or entity (including you, if applicable) selling on Amazon's public-facing websites.

General Security Requirements

Consistent with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, Developers will maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Amazon Information accessed, collected, used, stored, or transmitted by a Developer, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, the Developer will comply with the following requirements:

Network Protection

Developers implement network protection controls (e.g., AWS VPC subnet/Security Groups, network firewalls) to deny access to unauthorized IP addresses, and public access is restricted only to approved users.

Access Management

Developers assign a unique ID (email) to each person with computer access to Amazon Information. Developers do not create or use generic, shared, or default login credentials or user accounts. Developers implement baselining mechanisms to ensure that at all times only the required user accounts access Amazon Information.

Developers review the list of people and services with access to Amazon Information on a regular basis (at least quarterly), and remove accounts that no longer require access. Developers restrict developer employees from storing Amazon data on personal devices. Developers will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Amazon Information as needed.

Encryption in Transit

Developers encrypt all Amazon Information in transit (e.g., when the data traverses a network, or is otherwise sent between hosts). This can be accomplished using HTTP over TLS (HTTPS). Developers enforce this security control on all applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels among storage layer nodes, connections to external dependencies) and operational tooling.

Developers disable communication channels which do not provide encryption in transit even if unused (e.g., removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to use of encrypted channels). Developers use data message-level encryption (e.g., using AWS Encryption SDK) where channel encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).

Incident Response Plan

Developers create and maintain a plan and/or runbook to detect and handle Security Incidents. Such plans identify the incident response roles and responsibilities, define incident types that may impact Amazon, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to Amazon.

Developers review and verify the plan every six (6) months and after any major infrastructure or system change. Developers investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence (if applicable).

Developers maintain the chain of custody for all evidence or records collected, and such documentation is made available to Amazon on request (if applicable). Developers inform Amazon within 24 hours of detecting any Security Incidents. Developers do not notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that the Developer do so.

Amazon reserves the right to review and approve the form and content of any notification before it is provided to any party, unless such notification is required by law, in which case Amazon reserves the right to review the form and content of any notification before it is provided to any party.

Developers inform Amazon within 24 hours when their data is being sought in response to legal process or by applicable law.

Request for Deletion or Return

Developers promptly (but within no more than 72 hours after Amazon's request), permanently, and securely delete (in accordance with industry-standard sanitization processes, e.g., NIST 800-88) or return Amazon Information upon and in accordance with Amazon's notice requiring deletion and/or return.

Developers also permanently and securely delete all live (online or network accessible) instances of Amazon Information within 90 days after Amazon's notice. If requested by Amazon, the Developer will certify in writing that all Amazon Information has been securely destroyed.

Additional Security Requirements Specific to Personally Identifiable Information

The following additional Security Requirements are met for all Personally Identifiable Information ("PII"). PII is granted to MWS developers for select tax and merchant fulfilled shipping purposes, on a must-have basis. If a Marketplace API contains PII, or PII is combined with non-PII, then the entire data store complies with the following requirements:

Data Retention and Recovery

Developers will retain PII only for the purpose of, and as long as is necessary to fulfill orders (no longer than 30 days after order shipment), or to calculate/remit taxes. If a Developer is required by law to retain archival copies of PII for tax or similar regulatory purposes, this archived Amazon Information is stored as a "cold" or offline (e.g., not available for immediate or interactive use) backup stored in a physically secure facility, and all archived data on backup media is encrypted. In the event that PII is lost, you are able to recover all PII lost (i.e., the data is erased or unavailable for processing due to system crash or ransomware).

Data Governance

Developers create, document, and abide by a privacy and data handling policy for their Applications or services which govern the appropriate conduct and technical controls to be applied in managing and protecting information assets. Developers keep an inventory of software and physical assets (e.g., computers, mobile devices) with access to PII, and update it regularly.

A record of data processing activities such as specific data fields and how they are collected, processed, stored, used, shared, and disposed for all PII Information is maintained to establish accountability and compliance with regulations.

Developers establish and abide by their privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation.

Encryption and Storage

Developers encrypt all PII at rest (e.g., when the data is persisted) using industry best practice standards (e.g., using either AES-128, AES-256, or RSA with 2048-bit key size (or higher)).

The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities (e.g., daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs) used for encryption of PII at rest are only accessible to the Developer's processes and services.

Developers do not store PII in removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive). Developers securely dispose of any printed documents containing PII.

Least Privilege Principle

Developers implement fine-grained access control mechanisms to allow granting rights to any party using the Application (e.g., access to a specific set of data at its custody) and the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege.

Application sections or features that vend PII are protected under a unique access role, and access is granted on a "need-to-know" basis.

Logging and Monitoring

Developers gather logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) to their Applications and systems. Developers implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Amazon Information.

All logs have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs themselves do not contain PII and are retained for at least 90 days for reference in the case of a Security Incident.

Developers build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records).

Developers perform an investigation when monitoring alarms are triggered, and this is documented in the Developer's Incident Response Plan.

Audit

Developers maintain all appropriate books and records reasonably required to verify compliance with the Amazon Acceptable Use Policy, Amazon Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of this agreement and for 12 months thereafter. Upon Amazon's written request, Developers certify in writing to Amazon that they are in compliance with these policies.

Upon request, Amazon may, or may have an independent certified public accounting firm selected by Amazon, audit and inspect the books, records, facilities, operations, and security of all systems that are involved with a Developer's application in the retrieval, storage, or processing of Amazon Information.

Developers cooperate with Amazon or Amazon's auditor in connection with the audit, which may occur at the Developer's facilities and/or subcontractor facilities.

If the audit reveals deficiencies, breaches, and/or failures to comply with our terms, conditions, or policies, the Developer must, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.

31. SECURITY

We take the security of your Personally-Identifying Information seriously and use reasonable electronic, personnel and physical measures to protect it from loss, theft, alteration or misuse. However, please be advised that even the best security measures cannot fully eliminate all risks. We cannot guarantee that only authorized persons will view your information. We are not responsible for third-party circumvention of any privacy settings or security measures.

We are dedicated to protecting all information on the Website as is necessary. However, you are responsible for maintaining the confidentiality of your Personally-Identifying Information by keeping your password confidential. You should change your password immediately if you believe someone has gained unauthorized access to it or your account. If you lose control of your account, you should notify us immediately.

32. YOUR RIGHTS

If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.

Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States.

33. PRIVACY POLICY CHANGES

Supply Leader may, in its sole discretion, change this Privacy Policy from time to time. Any and all changes to Supply Leader Privacy Policy will be reflected on this page and the date new versions are posted will be stated at the top of this Privacy Policy. Unless stated otherwise, our current Privacy Policy applies to all information that we have about you and your account. Users should regularly check this page for any changes to this Privacy Policy. Supply Leader will always post new versions of the Privacy Policy on the Website.

However, Supply Leader may, as determined in its discretion, decide to notify users of changes made to this Privacy Policy via email or otherwise. Accordingly, it is important that users always maintain and update their contact information.

34. CHILDREN

The Children's Online Privacy Protection Act ("COPPA") protects the online privacy of children under 13 years of age. We do not knowingly collect or maintain Personally-Identifying Information from anyone under the age of 13, unless or except as permitted by law.

Any person who provides Personally-Identifying Information through the Website represents to us that he or she is 13 years of age or older. If we learn that Personally-Identifying Information has been collected from a user under 13 years of age on or through the Supply Leader Website, then we will take the appropriate steps to cause this information to be deleted.

If you are the parent or legal guardian of a child under 13 who has become a member of the Website or has otherwise transferred Personally-Identifying Information to the Website, please contact Supply Leader using our contact information below to have that child's account terminated and information deleted.

35. DO-NOT-TRACK POLICY

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. Because there is not yet a common understanding of how to interpret the DNT signal, the Website currently does not respond to DNT browser signals or mechanisms.

36. CONTACT

If you have any questions regarding our Privacy Policy, please contact our Privacy Officer at: Supply Leader email: support@supplyleader.com