Data Processing Addendum

Last updated: May 8, 2026 · Effective: May 8, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Legend Software, LLC (“BuyCast,” “we,” or “Processor”) and the Customer (“Controller”) governing Customer's use of the BuyCast.ai platform (the “Service”). It supplements the Terms of Service and the Privacy Policy, and reflects the attestations made in our Amazon Selling Partner API developer application (see Amazon Data Protection).

An executable counterpart, scoped to Customer's legal entity and governing law, is available on request from sales@buycast.ai. In the event of any conflict between this public-facing DPA and a signed counterpart, the signed counterpart controls.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by us on Customer's behalf in connection with the Service.
  • “Amazon Information” means any information we receive, directly or indirectly, from Amazon's Selling Partner API or related services about Customer's Amazon seller account, as defined in the Amazon Selling Partner API Data Protection Policy (“DPP”).
  • “Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings given in Regulation (EU) 2016/679 (“GDPR”) and equivalent provisions of UK GDPR, CCPA/CPRA, and other applicable data protection laws.
  • “Subprocessor” means a third party we engage to process Personal Data or Amazon Information on Customer's behalf.

2. Scope and roles

With respect to Personal Data and Amazon Information processed in connection with the Service, Customer is the Controller and Legend Software, LLC is the Processor. Where Customer acts as a processor on behalf of a third party, Legend Software, LLC acts as a sub-processor.

3. Subject matter, duration, and nature of processing

  • Subject matter: the provision of the Service as described in the Terms of Service.
  • Duration: the term of the agreement, plus the deletion period set out in Section 12.
  • Nature of processing: hosting, retrieval, display, analytics, demand forecasting, purchasing recommendations, and related operations performed on Customer-supplied data and Amazon Information.
  • Purpose: to provide the Service to the seller who authorized the connection. We do not use Amazon Information for any purpose other than providing the Service to that seller.

4. Categories of data subjects and personal data

  • Data subjects: Customer's authorized users (account holders, team members, and operators acting on Customer's behalf).
  • Categories of Personal Data: work-contact identifiers (name, work email, role, organization), authentication artifacts, session and audit metadata, and support correspondence.
  • Amazon Information: Customer's catalog, listings, order summaries, FBA inventory, settlement reports, financial events, refund and return data, and pricing context, in each case scoped to the Customer's authorized seller account. We do not request, store, or process buyer Personally Identifiable Information (see Section 4 of the Privacy Policy).

5. Processing instructions

We process Personal Data and Amazon Information only on Customer's documented instructions, including with regard to international transfers, except where required by applicable law. The Terms of Service, the Privacy Policy, this DPA, and Customer's use of the Service constitute Customer's documented instructions. We will notify Customer if, in our opinion, an instruction infringes applicable data protection law.

6. Confidentiality and personnel

We ensure that personnel authorized to process Personal Data and Amazon Information are bound by appropriate confidentiality obligations and have received training on data protection and security obligations commensurate with their responsibilities. Production access is least-privilege, audit-logged, and reviewed.

7. Security measures

We maintain technical and organizational measures designed to protect Personal Data and Amazon Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

  • AES-256 encryption at rest on AWS RDS, S3, and Secrets Manager, with AWS KMS; customer-managed KMS keys available on Enterprise.
  • TLS 1.2+ in transit (TLS 1.3 by default); SSL required for database connections.
  • PostgreSQL Row-Level Security (FORCE) on every tenant-scoped table; the application role cannot bypass RLS.
  • Per-tenant isolation of SP-API credentials in AWS Secrets Manager; credentials never leave the secrets boundary.
  • Audit logging on every mutation; operator-impersonation gated behind a second flag and fully logged.
  • Point-in-time database recovery; daily snapshots with at least 7-day retention; cross-region snapshots on Enterprise.
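The Row-Level Security control in the third bullet above, shown as an added example and not BuyCast's own schema; the table, its columns, the session setting `app.tenant_id`, and the role `app_rw` are assumptions made for illustration:

```sql
-- Added illustration (not BuyCast's schema): tenant isolation with
-- PostgreSQL Row-Level Security, FORCEd so the table owner is bound too,
-- plus an application role that cannot bypass it.

-- Hypothetical tenant-scoped table; tenant_id is the isolation key.
CREATE TABLE fba_inventory (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    sku        text NOT NULL,
    quantity   integer NOT NULL DEFAULT 0
);

-- Enable RLS and FORCE it: without FORCE, the owning role is exempt.
ALTER TABLE fba_inventory ENABLE ROW LEVEL SECURITY;
ALTER TABLE fba_inventory FORCE ROW LEVEL SECURITY;

-- Policy: a row is readable/writable only when its tenant_id matches the
-- tenant bound to the current session (set per request by the app).
-- NULLIF guards the known gotcha that an unset custom GUC can read back as
-- '' rather than NULL, which would make the ::uuid cast error out;
-- with no tenant bound the comparison is NULL and no rows match.
CREATE POLICY tenant_isolation ON fba_inventory
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role: not superuser, NOBYPASSRLS, and not the table owner,
-- so the policy applies to every statement it runs.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS NOCREATEROLE;
GRANT SELECT, INSERT, UPDATE, DELETE ON fba_inventory TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE fba_inventory_id_seq TO app_rw;

-- Per-request usage by the app (tenant UUID is a constructed placeholder):
--   BEGIN;
--   SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';
--   SELECT sku, quantity FROM fba_inventory;   -- only that tenant's rows
--   COMMIT;

-- Review queries: a tenant table with relforcerowsecurity = false, or any
-- login role with rolbypassrls = true, is a gap in the control claimed above.
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'fba_inventory';
SELECT rolname FROM pg_roles WHERE rolbypassrls AND rolcanlogin;
```

Note that FORCE only binds the owner; a superuser or a role created with BYPASSRLS still bypasses every policy, so the second review query matters as much as the first.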

Additional detail is on our Security overview. A Customer-specific security questionnaire is available on request from security@buycast.ai.

8. Subprocessors

Customer authorizes us to engage Subprocessors to provide the Service. We remain responsible for each Subprocessor's compliance with this DPA. Each Subprocessor is bound by written terms imposing obligations no less protective than those set out here, including confidentiality, purpose limitation, security, and assistance with data subject rights.

The current list of Subprocessors, including their purpose, region, and access classification, is maintained on our Privacy Policy and Amazon Data Protection pages. We will notify Customer at least 30 days in advance of engaging any new Subprocessor that processes Personal Data or Amazon Information. Customer may object to a new Subprocessor in writing on reasonable data-protection grounds; if we cannot accommodate the objection, Customer may terminate the affected portion of the Service for the remainder of the then-current term.

9. International transfers

Personal Data and Amazon Information are processed in the data region declared on the Amazon Data Protection page (currently AWS us-east-1 (N. Virginia)). For transfers of EEA, UK, or Swiss Personal Data outside the originating region, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, and the Swiss FDPIC standards, as applicable, which are incorporated into this DPA by reference. Module 2 (Controller-to-Processor) applies between Customer and Legend Software, LLC; Module 3 applies between us and any onward Subprocessor.

10. Data subject rights

Taking into account the nature of the processing, we will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligations to respond to requests by data subjects to exercise their rights under applicable data protection law (including access, rectification, erasure, restriction, data portability, and objection). Customers may submit requests through the app, by emailing privacy@buycast.ai, or through the form at /legal/data-deletion.

11. Personal data breach notification

We will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data or Amazon Information. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. We will also notify Amazon as required under the SP-API Developer Agreement and DPP.

12. Return and deletion

On termination of the agreement or upon Customer's written request, we will delete or return all Personal Data and Amazon Information processed on Customer's behalf within 30 days, including from primary databases, indexes, caches, and the next backup-rotation window, except as required by applicable law (for example, billing records retained for tax compliance, which contain no Amazon Information). On request we will provide written confirmation of deletion identifying the date, the systems purged, and any narrowly-scoped exceptions.

13. Audits and assessments

We will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice, no more than once per twelve-month period (except where required by a supervisory authority or following a material Personal Data Breach), Customer may conduct an audit of our compliance with this DPA. Audits will be conducted during business hours, subject to confidentiality obligations, and in a manner that does not unreasonably interfere with our business operations. We may satisfy audit requests by providing recent independent third-party assessments or attestations where available.

14. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service and any applicable Enterprise agreement.

15. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to data protection matters. In the event of any conflict between this DPA and an executed counterpart between the parties, the executed counterpart controls. The Standard Contractual Clauses prevail over this DPA to the extent of any conflict.

16. Contact

Privacy and DSAR requests: privacy@buycast.ai. Security: security@buycast.ai. Sales and contracting: sales@buycast.ai.

Postal: Legend Software, LLC, c/o Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA.