← Back to home

Privacy Policy

Last updated: May 14, 2026

1. Who We Are

Alexandria AI LLC ("Alexandria", "we", "us", "our") operates the Alexandria AI sourcing platform at thealexandria.ai. We are a Michigan, USA limited liability company registered at 2780 Denton Rd, Canton MI 48188, USA. This Privacy Policy explains what data we collect, how we use it, and the rights you have over your information.

Questions or requests? Email moe@thealexandria.ai, or write to: Alexandria AI LLC, 2780 Denton Rd, Canton MI 48188, USA.

For privacy-specific requests (GDPR / CCPA rights, subprocessor disclosures, breach notifications), email moe@thealexandria.ai. That alias forwards to the founder; a backup contact at moe@thealexandria.ai is monitored daily. Alexandria does not currently have a designated Data Protection Officer — under GDPR Article 37 a DPO is only required for large-scale systematic monitoring or processing of special-category data, neither of which applies at our current size. We will appoint one if and when the thresholds are met.

2. What Data We Collect

Account data: email address, name, password hash, and any profile details you provide when signing up.

Billing data: we use Stripe for payments. Stripe collects and stores your payment card details — we never see or store full card numbers. We retain billing metadata such as subscription status, plan, and invoice history.

Usage data: product searches, deal analyses, chat messages, clicks, and other interactions with the Platform. We use this to operate and improve the service.

Connected account data: if you choose to connect third-party accounts (for example, Amazon SP-API), we access only the data needed to deliver Alexandria features to you.

Device and log data: IP address, browser type, device identifiers, and pages visited, collected automatically when you use the Platform.

3. How We Use Your Data

We use your data to: (a) deliver and operate the Platform, (b) authenticate you and secure your account, (c) process payments and manage subscriptions, (d) provide customer support, (e) generate product analytics so we can understand and improve the Platform, (f) send transactional and account email, and (g) comply with legal obligations. We do not sell your personal data.

4. Subprocessors

Below is the complete list of third-party services Alexandria uses. We've split them into two categories: services that may process data derived from your Amazon Selling Partner account ("Amazon Information"), and services that operate exclusively on publicly available data or your explicit input.

Each sub-processor is bound by contractual obligations consistent with Amazon's Data Protection Policy, including encryption, access controls, and breach notification requirements. This list will be updated when material changes occur.

Category A — Services that may receive Amazon Information

  • Anthropic — Large language model for the chat agent (Claude). Receives summarized SP-API responses to generate recommendations.
  • Supabase — Postgres database, authentication, and file storage. Hosts your SP-API refresh tokens (encrypted) and audit results.
  • Render — Backend application hosting. Runs the FastAPI service that orchestrates SP-API calls.
  • Vercel — Frontend application hosting. Serves the dashboard you log into.
  • Resend — Transactional email delivery (login alerts, daily briefings, account notifications).

Category B — Services that operate on publicly available data or your explicit input, never on Amazon Information

  • OpenAI — Backup large language model, used only as a fallback when Anthropic is unavailable. Receives the same summarized inputs as Anthropic when it does.
  • EasyPost — Shipping rate quotes and label purchases. Receives only shipping addresses and parcel dimensions you explicitly provide.
  • Serper — Google Search API used for supplier discovery. Receives only search queries you initiate (e.g., supplier names).
  • Apify — Public web data collection for wholesale supplier pricing. Operates on public supplier catalog pages only.
  • Walmart Affiliate API — Walmart catalog comparison data. Public Walmart product data only.
  • Pirate Ship — Bulk shipping label purchases. Receives only shipping addresses and parcel dimensions.
  • Stripe — Subscription payment processing. Receives only your billing email and payment method tokens, never Amazon data.
  • PostHog — Product analytics + session replay. Receives explicit usage events (chat queries, page views, button clicks) and, for consented sessions, records interaction flow with all form inputs masked (sign-in, sign-up, chat input, settings fields are never captured). Used to debug issues and improve UX. Loaded only after explicit cookie consent; you can clear your data by emailing vision@thealexandria.ai.
  • Vercel Analytics — Aggregated page-view and Web Vitals telemetry on the marketing site and dashboard shell. Loaded only after explicit cookie consent.
  • GreenAPI — WhatsApp Business API gateway used to deliver opt-in supplier-chat notifications when you enable that channel from Dashboard → Notifications. Receives only the phone number you provide and the message content.

Upstream platform integrations

These are platforms Alexandria reads from on your behalf (rather than third-party services we forward your data to). They are governed by the linked owner's own privacy policy:

  • Amazon Selling Partner API (SP-API) — read/write access to your connected Amazon Seller account. See Section 5 below for the full data-handling specification. Governed by Amazon's Data Protection Policy.

We may add or replace subprocessors as the product grows. Material changes will be reflected in this list and the "Last updated" date above. A current Data Processing Agreement (DPA) is available from moe@thealexandria.ai on request.

5. How We Handle Amazon Selling Partner Data

Alexandria connects to your Amazon Seller account via Amazon's Selling Partner API (SP-API). To provide the service, we read data from your account and, when you authorize specific actions, write data back. This section describes exactly what we collect, how we secure it, how long we keep it, and what we do if something goes wrong.

What we collect

When you connect your Amazon Seller account, we receive and store:

  • A long-lived refresh token issued by Amazon, which Alexandria uses to obtain short-lived access tokens for each SP-API call
  • Your Amazon Selling Partner ID (your merchant identifier)
  • Marketplace identifiers (which Amazon stores you sell on, e.g. ATVPDKIKX0DER for amazon.com)

When you use Alexandria's features, we read the following SP-API data on demand:

  • Catalog information for ASINs you analyze (titles, dimensions, package weight, product type)
  • Fee estimates for ASINs you analyze (FBA fees, referral fees) from Amazon's fee preview endpoint
  • Order summaries (count, totals, status) for sales tracking
  • Listing and inventory state for products you list or ship through Alexandria
  • Shipment plan details for FBA inbound shipments you create

We do not collect, store, or process any Personally Identifiable Information about your Amazon buyers. The "Restricted" SP-API roles that grant access to buyer PII (names, addresses, phone numbers, email addresses) are not requested by Alexandria and are not used by any feature in the service.

How we secure your data

  • Encryption at rest.Your SP-API refresh token is encrypted with an application-layer secret before being written to our database, on top of the database provider's native encryption-at-rest. The plaintext token exists only briefly in memory during an SP-API call and is never logged.
  • Encryption in transit. All connections between your browser, our application, the Amazon Selling Partner API, and our database use TLS 1.2 or higher.
  • Access controls.Only Alexandria's production application and the founder, in their administrative capacity, can access the encrypted credentials store. Row-level security (RLS) on our database enforces that one user's data is never returned to a different user's session.
  • Credential management.Encryption keys are stored in our hosting provider's environment variable system (not in source code) and are rotatable. Refresh tokens are replaced whenever you reconnect your Amazon Seller account through the integration flow.

How long we keep it

  • SP-API refresh tokens: retained while your account is active and the integration is connected. Deleted within 24 hours of you disconnecting the integration from /dashboard/integrations, or within 24 hours of account closure.
  • Operational records (orders you analyzed, listings you created, shipments you generated, watchlist entries you set): retained for the lifetime of your account so that your Library and operator memory remain useful. Deleted on account closure.
  • Logs. Application logs containing SP-API request metadata (timestamps, endpoints called, HTTP status) are retained for 30 days for debugging and security purposes, then purged. Logs do not contain plaintext tokens or buyer PII.

You may request deletion of any operational data at any time by emailing moe@thealexandria.ai. We will confirm deletion within 7 days.

Third-party sharing

Amazon Information is shared only with the Category A subprocessors listed in Section 4 (Anthropic, Supabase, Render, Vercel, and Resend), each of which is contractually bound to use it solely to deliver the Alexandria service to you. We do not share or sell Amazon Information for any other purpose. We do not share it with advertising networks, data brokers, retargeting platforms, or any third party for commercial purposes. The Category B subprocessors listed in Section 4 never receive Amazon Information.

Operational role of each Category A recipient:

  • Anthropic — processes summarized SP-API responses to generate agent recommendations. Anthropic does not train on your data.
  • Supabase — hosts the encrypted database, authentication, and storage (including your encrypted SP-API refresh tokens).
  • Render — runs the FastAPI backend that orchestrates SP-API calls on your behalf.
  • Vercel — hosts the frontend application you log into.
  • Resend — delivers transactional emails (e.g. watchlist alerts, daily briefings). We share only the email address and the message content.

Each Category A subprocessor is bound by contract to use Amazon Information only to provide the listed service.

Incident response

In the event of a confirmed security incident affecting your Amazon Selling Partner data:

  1. We will notify Amazon's Selling Partner API security-incident contact within 24 hours of confirmed discovery of any security incident affecting Amazon Selling Partner data, in compliance with Amazon's Data Protection Policy.
  2. Affected users will be notified by email at the address on file within 72 hours of confirmed discovery.
  3. The notification will include: the nature of the incident, the categories of data affected, the date range of the exposure, the steps we are taking to contain and remediate, and recommended steps for you.
  4. We will rotate any potentially exposed credentials and force a re-authentication of the SP-API connection.

To report a suspected security incident or vulnerability: moe@thealexandria.ai. We commit to a first response within 24 hours.

Your rights

You can, at any time:

  • View what we have stored about you (request a data export via email)
  • Disconnect the Amazon Seller account integration from /dashboard/integrations, which deletes the refresh token within 24 hours
  • Request deletion of any operational data (orders, listings, shipments, watchlist entries) by emailing the address above
  • Close your account, which triggers deletion of all stored data within 30 days

6. Data Retention

We keep your account data for as long as your account is active. When you close your account, we delete or anonymize your personal data within 90 days, except where we are required to retain it for legal, tax, or accounting purposes (for example, billing records). Backups containing your data may persist for up to 30 additional days before being overwritten.

7. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Request deletion of your personal data.
  • Export a portable copy of your data.
  • Object to or restrict certain processing.
  • Opt out of non-essential analytics.
  • Withdraw consent where processing is based on consent.

You can exercise the deletion and export rights yourself from Dashboard → Settings → Privacy & Data. The Delete Account button calls POST /api/account/delete and the Request Data Export button calls POST /api/account/export — both are authenticated routes scoped to your own user record. For any other request, email moe@thealexandria.ai. We will respond within 30 days. We will not discriminate against you for exercising these rights.

GDPR Rights (EU / UK / EEA users)

If you are located in the European Union, the United Kingdom, or the European Economic Area, you have the rights granted by Articles 15 through 22 of the General Data Protection Regulation (GDPR):

  • Art. 15 — Right of access. Use the Request Data Export button in Dashboard → Settings; the route is POST /api/account/export.
  • Art. 16 — Rectification. Edit your profile fields directly in Dashboard → Settings, or email moe@thealexandria.ai for fields you cannot self-edit.
  • Art. 17 — Erasure (right to be forgotten). Use the Delete Account button in Dashboard → Settings; the route is POST /api/account/delete.
  • Art. 18 — Restriction of processing. Email moe@thealexandria.ai with the scope you want restricted.
  • Art. 19 — Notification of recipients. If you exercise Art. 16/17/18 we will notify Category A subprocessors (Section 4) within 30 days.
  • Art. 20 — Data portability. The export route above returns a machine-readable JSON document.
  • Art. 21 — Right to object. Reject non-essential analytics from the cookie banner, or email moe@thealexandria.ai for other processing objections.

You also have the right to lodge a complaint with your local supervisory authority. Our lawful bases for processing are: (a) performance of our contract with you (GDPR Art. 6(1)(b)), (b) our legitimate interests in operating and improving the service (Art. 6(1)(f)), and (c) your consent for non-essential analytics and marketing cookies (Art. 6(1)(a)).

CCPA Rights (California residents)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA (Cal. Civ. Code §§ 1798.100 through 1798.135), gives you the following rights:

  • § 1798.100 — Right to know. What categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it. Section 2 (What Data We Collect) and Section 4 (Subprocessors) above are the disclosure.
  • § 1798.105 — Right to delete. Implemented by POST /api/account/delete.
  • § 1798.106 — Right to correct. Edit profile in Dashboard → Settings or email moe@thealexandria.ai.
  • § 1798.110 / § 1798.115 — Right to access. Implemented by POST /api/account/export.
  • § 1798.120 — Right to opt out of sale / sharing. See the "Do Not Sell or Share" section below.
  • § 1798.121 — Right to limit use of sensitive personal information. Alexandria does not use sensitive personal information for any purpose beyond providing the requested service.
  • § 1798.125 — Right to non-discrimination. We will not deny service, charge different prices, or provide a different level of quality because you exercised a CCPA right.

To exercise any of these rights, use the in-app controls or email moe@thealexandria.ai. We will respond within 45 days as required by § 1798.130(a)(2).

Do Not Sell or Share My Personal Information

Alexandria AI does not sell your personal information to third parties for money or other valuable consideration, and we do not share it for cross-context behavioral advertising. We do not run third-party ad-network pixels, retargeting cookies, or data-broker exports. We have no advertising business model — our revenue comes exclusively from subscription payments processed by Stripe.

We do disclose limited personal information to the subprocessors listed in Section 4 strictly for the purpose of providing the Alexandria service (for example, Supabase hosts your account record, Resend delivers transactional email, Anthropic generates agent responses). Under CCPA § 1798.140(ad)(2), these service-provider disclosures are not a "sale" because each subprocessor is contractually restricted to using the data only to provide its specific service to Alexandria.

Because we do not sell or share personal information, there is no opt-out to action. If your interpretation of CCPA differs and you wish to formally exercise your § 1798.120 right against any disclosure we make, email moe@thealexandria.ai with the subject line "Do Not Sell or Share" and we will confirm receipt within 15 business days and act on it within 45 days.

8. Cookies

We use a small number of cookies — including essential cookies for authentication, analytics cookies for understanding product usage, and a referral cookie. See our Cookie Policy for details and how to opt out.

9. Children's Policy

Alexandria is not directed to children. We do not knowingly collect personal information from anyone under 13 years of age, and our service is intended for users aged 18 and older. If we learn we have collected data from a child under 13, we will delete it. If you believe a child has provided us data, contact moe@thealexandria.ai.

10. International Data Transfers

Alexandria is operated from the United States, and our primary data stores are located in the US. If you access the service from outside the US, you understand that your data will be transferred to, stored, and processed in the United States. By using Alexandria, you consent to that transfer. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border data transfers.

11. Security

We use industry-standard technical and organizational measures to protect your data, including TLS encryption in transit, encryption at rest for sensitive credentials, scoped access controls, and regular review of our subprocessors. No system is perfectly secure, and we cannot guarantee that unauthorized access will never occur, but we work hard to minimize risk and respond promptly to incidents.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you by email or in-app notice. Continued use of the Platform after changes take effect means you accept the updated policy.

13. Contact & Data Protection

Privacy questions, complaints, and rights requests: moe@thealexandria.ai (primary).

Backup contact (monitored daily): moe@thealexandria.ai. Postal mail: Alexandria AI LLC, 2780 Denton Rd, Canton MI 48188, USA.

Alexandria does not currently have a designated Data Protection Officer. Under GDPR Article 37(1), appointing a DPO is mandatory only when an organization conducts large-scale systematic monitoring of data subjects or large-scale processing of special-category data — neither of which describes our current operations. We will appoint a DPO if and when those thresholds are met, and we will update this policy accordingly.