M20 Autopilot
Privacy PolicyTerms of Service
Security & Privacy

Security & Privacy at M20 Autopilot

Last updated: June 2026

M20 Autopilot is built on a security-first foundation. We protect your Amazon advertising data, account access, and business metrics with strong encryption, strict access controls, and continuous monitoring. This page explains exactly how we keep your data safe, what rights you have over it, and how we respond when things go wrong.

🔒

TLS 1.3 Encryption

🛡️

AES-256 at Rest

SOC 2 Aligned

🔑

Zero-Knowledge OAuth

🔔

Breach Notice < 72h

🗑️

Data Deletion in 30d

🔍

Pen Tested Biannually

🤝

3 Vetted Subprocessors

Protection & Infrastructure

Data Encryption

All your data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256. Your campaign metrics and advertising data are never stored in plain text, whether moving between systems or sitting in our databases.

Amazon Account Access

We connect to your Amazon account through the official Amazon SP-API using secure OAuth. We never see or store your Amazon password, and you can revoke our access at any time directly from your Amazon account.

Access Controls

We apply strict role-based access and least-privilege permissions. Multi-factor authentication is mandatory for every internal system that touches your data, so only authorized people can access what they truly need.

Secure Infrastructure

Our platform runs on hardened cloud infrastructure with isolated environments, automated security patching, and continuous intrusion monitoring across every region we operate in.

Continuous Monitoring

We use real-time logging, anomaly detection, and automated alerts to identify and respond to suspicious activity quickly, often before it can become a problem.

Session & Token Security

User sessions expire after 24 hours of inactivity and require re-authentication. Amazon OAuth tokens are rotated automatically before expiry. All refresh tokens are stored encrypted and are invalidated immediately upon account disconnection or deletion.

Penetration Testing

We conduct structured security assessments every 6 months, covering API endpoints, authentication flows, and data access paths. Critical findings are remediated within 72 hours and high-severity findings within 14 days. Results are reviewed by the Security Owner.

Data & Privacy

Data Isolation & AI Privacy

Every seller's data is logically isolated using row-level security. Your advertising data is never mixed with another customer's data, and it is never used to train AI models that benefit other sellers. When AI features process your data, only the minimum required context is sent to our AI provider.

Third-party Subprocessors

We work with a limited set of vetted subprocessors to deliver the service: Supabase (database & authentication — EU/US infrastructure), OpenAI (AI features — data is not used for model training), and Resend (transactional email). All subprocessors are bound by data processing agreements and may not use your data for any other purpose.

Data Residency

Your data is stored on Supabase-managed PostgreSQL databases hosted on AWS infrastructure. Primary storage is in the US East region. If your business requires a specific data residency region, contact us at the support email and we will advise on available options.

Cookies & Local Storage

We use browser local storage solely to maintain your session, remember your language and theme preferences, and store your chatbot conversation history (up to 24 messages). We do not use third-party advertising cookies or tracking pixels. You can clear all stored data at any time through your browser settings — this will sign you out of the platform.

Your Rights

Data Export

You have the right to a full export of your data at any time. To request your export, go to Settings → Account → Export My Data, or email us at the support address below. Exports are delivered as a structured JSON file within 7 business days and include your profile, campaign data, AI query history, and audit logs.

Account & Data Deletion

You may permanently delete your account and all associated data at any time from Settings → Danger Zone → Delete Account. Once confirmed, your personal data, campaign data, Amazon connection, and AI history are permanently erased within 30 days. Anonymized aggregate statistics (no personally identifiable information) may be retained for internal analytics. To request deletion by email, write to the support address below.

Your Control Over Your Data

You stay in charge at all times. You can connect securely through Amazon's official OAuth flow, grant only the permissions the AI agent needs, disconnect M20 from your Amazon account at any time, export your full data on request, and request permanent account deletion whenever you wish. All these actions are available from your account settings without needing to contact us.

Compliance & Disclosure

Breach Notification

In the unlikely event of a data breach that affects your personal or advertising data, we will notify you by email within 72 hours of confirmed discovery — in line with GDPR requirements. The notification will describe what data was affected, what steps we have taken, and what actions (if any) you should take. We will also notify the relevant supervisory authorities as required by law.

Compliance & Standards

Our controls are aligned with SOC 2 Type II practices, and we honor data protection rights under GDPR and CCPA. Our Amazon integration is a certified SP-API integration. All traffic is encrypted with TLS 1.3, and we undergo a structured security review every 6 months.

Reporting a Security Issue

If you discover a potential security issue, please email our security team at security@m20autopilot.com. We review every report, acknowledge receipt within 24 hours, and respond with our assessment within 5 business days. We are committed to responsible disclosure and will not pursue legal action against good-faith security researchers.

Security team

security@m20autopilot.com

Support

support@m20autopilot.com