Privacy Policy
Last updated: April 2026
1. Who we are
This privacy policy is published by KnGA SAS, operating under the trade name OKTee, publisher of the SaaS platform for Amazon Vendor Central & Seller Central optimization, available at www.oktee.io.
KnGA SAS acts as the data controller within the meaning of Regulation (EU) 2016/679, the GDPR, for data collected in connection with customer relationship management, the provision of the OKTee platform, and operation of the website.
When the platform is used by its business customers, OKTee also acts as a processor within the meaning of Article 28 of the GDPR for Amazon data and business data that customers provide to the platform. In that context, the customer’s instructions take precedence.
KnGA SAS, 6 rue des Berceaux, 95160 Montmorency, France
Email: privacy@oktee.io
2. What data do we collect and why?
2.1 Data collected while browsing the website
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Technical data | IP address, browser, pages visited, visit duration | Security, browsing analytics, site improvement | Legitimate interest, GDPR Art. 6(1)(f) |
| Analytics cookies | Anonymized session identifiers | Aggregated audience measurement | Consent, GDPR Art. 6(1)(a) |
| Contact / demo form | First name, last name, business email, company, phone number, message | Processing your demo or contact request | Performance of pre-contractual measures, GDPR Art. 6(1)(b) |
2.2 Data collected in connection with the provision of the OKTee platform
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| User account | First name, last name, business email, company, role | Account creation and management, authentication, module access | Performance of the contract, GDPR Art. 6(1)(b) |
| Usage logs | Login timestamps, actions performed, modules used | Security, traceability, anomaly detection, support | Legitimate interest, GDPR Art. 6(1)(f) |
| Amazon Vendor / Seller Central data | Orders, POs, inventory, shipments, financial data, invoices, deductions, chargebacks, catalog data, performance data | Delivery of the OKTee Ops and OKTee Product module features activated by the customer | Performance of the contract, GDPR Art. 6(1)(b) |
| Billing data | Billing details, SIRET, bank account details, for SEPA mandate | Billing and collections management | Performance of the contract + legal obligation, GDPR Art. 6(1)(b) and 6(1)(c) |
3. Amazon Vendor Central & Seller Central data
OKTee connects to its customers’ Amazon Vendor Central and/or Seller Central accounts through Amazon’s official APIs, SP-API, with explicit authorization granted directly from the customer’s Amazon interface.
The Amazon data we collect is used exclusively to:
- Deliver the features of the OKTee modules activated by the customer
- Generate analytics, reports, alerts, and recommendations within the platform
- Enable operational automation, including order confirmation, on the customer’s instruction
Specific safeguards:
- Amazon data is never resold, shared with undisclosed third parties, or used for advertising or marketing purposes.
- The customer may revoke OKTee’s access to their Amazon account at any time, directly from Vendor Central or Seller Central.
- OKTee uses Amazon APIs in strict compliance with the Amazon Developer Policy.
4. Retention periods
| Data type | Retention period |
|---|---|
| Active account data | Term of the contract |
| Amazon service data | Term of the contract |
| Post-termination data | 30 to 90 days after the termination date, then secure deletion or return upon customer request, Section 19bis of the Terms of Service. See Terms of Service. |
| Billing data | 10 years, accounting legal obligation |
| Security logs | 12 months |
| Anonymized browsing data | 13 months maximum, CNIL recommendation |
| Contact requests | 3 years from the last contact |
5. Data recipients
Your data is processed by authorized OKTee teams, including support, engineering, and leadership, strictly within the scope of their duties.
OKTee uses the following technical subprocessors to provide the service:
| Subprocessor | Role | Location | Safeguards |
|---|---|---|---|
| Vercel Inc. | Hosting for the interface, marketing site + application | United States, Northern Virginia | DPA included in ToS + European Commission SCCs |
| Neon Inc. | PostgreSQL database | European Union, Frankfurt | DPA included in ToS |
| Inngest Inc. | Async task orchestration | EU / US | Signed DPA, EU SCCs + CCT |
| Railway Corp. | Execution of background workers, Inngest | European Union, Amsterdam, eu-west-1 | Signed DPA, EU SCCs Modules 2 & 3 + UK Addendum, SOC 2 Type II |
| Sentry Inc. | Monitoring & error management | United States | European Commission CCT 2021/914 |
| OpenAI LLC | AI features, OKTee Product module | United States | European Commission CCT 2021/914 |
| CIC | Payment provider, wire transfer, SEPA | France | French banking regulation |
OKTee does not sell, rent, or transfer any personal data to third parties for commercial purposes.
6. Transfers outside the European Union
Some technical components of OKTee involve data transfers outside the European Union.
Vercel, interface: the application interface is hosted in the United States, Northern Virginia. This transfer is governed by Standard Contractual Clauses, SCCs, incorporated into Vercel’s DPA. Customer data, orders, users, and Amazon data do not pass through Vercel; they remain hosted in Europe with Neon, Germany, and Railway, the Netherlands.
Sentry and OpenAI, based in the United States, are also subject to the SCCs adopted by the European Commission on June 4, 2021, Decision 2021/914, in accordance with Article 46 of the GDPR.
You can request a copy of the safeguards in place by writing to privacy@oktee.io.
7. Your rights
Under the GDPR and the amended French Data Protection Act, you have the following rights:
| Right | Description |
|---|---|
| Access, Art. 15 | Obtain a copy of your personal data processed by OKTee |
| Rectification, Art. 16 | Correct inaccurate or incomplete data |
| Erasure, Art. 17 | Request deletion of your data, the right to be forgotten |
| Restriction, Art. 18 | Temporarily restrict the processing of your data |
| Portability, Art. 20 | Receive your data in a structured, machine-readable format |
| Objection, Art. 21 | Object to processing based on legitimate interest |
| Withdrawal of consent | Withdraw your consent at any time, without affecting the lawfulness of prior processing |
To exercise your rights: privacy@oktee.io or legal@oktee.io
We will acknowledge receipt within 72 hours and process your request within a maximum of 30 calendar days.
If you believe your rights are not being respected, you may file a complaint with the CNIL: Commission Nationale de l'Informatique et des Libertés, www.cnil.fr, 3 Place de Fontenoy, 75007 Paris.
8. Data security
OKTee implements appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. These measures include TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access control (RBAC), pseudonymization of monitoring data, and a security incident response plan.
For more details, see our Security page. See Security page.
9. Cookies
Cookie use is described in our Cookie Policy. See Cookie Policy page.
10. Changes to this policy
OKTee reserves the right to update this policy at any time. In the event of a material change, customers will be notified by email at least 15 days before the changes take effect. The updated date is shown at the top of the document.
11. Contact
Signed DPA