Overview
DSP Recon AI ("we", "our", "us") provides an automated reconciliation platform for Amazon Delivery Service Partners (DSPs). This policy covers the web application at dspreconai.com and the Chrome extension DSP Recon AI — Amazon DSP Portal Sync.
Plain English: we read the Amazon DSP portal pages you are already logged into, send the data we extract to your own DSP Recon AI account, and help you reconcile and dispute discrepancies. We do not sell your data. We do not see your Amazon password.
Chrome Extension — Data We Read
The extension activates only on these domains and reads only the data the user has already authenticated to:
- payeecentral.amazon.com — Payment dates, amounts, payment IDs, invoice numbers, payment status, and payment method.
- logistics.amazon.com — Invoice records (number, amount, period, type), invoice PDF artifacts, fleet vehicle data (counts, types, status), work summary route and package counts, Logistics Support Central case data, performance scorecard metrics, and dispute submission state during the user's own dispute flow.
The extension does not read or transmit data from any other website.
Chrome Extension — Data We Store Locally
- API token issued by your own DSP Recon AI account, used to authenticate the extension's POST requests to dspreconai.com.
- Linked client ID and organization ID identifying which DSP Recon AI account this extension instance is paired with.
- Per-source last-sync timestamps to rate-limit syncs and avoid duplicate work.
All values are stored using the browser's chrome.storage.local API and are accessible only to this extension. They are removed when the extension is uninstalled.
Chrome Extension — What We Do NOT Collect
- Your Amazon username, password, MFA codes, or session cookies.
- Your name, home address, email, phone, or government ID.
- Your browsing history outside the two Amazon domains above.
- Your location, IP address, or device telemetry.
- Keystrokes, mouse position, scroll position, or screen recordings.
- Personal communications (email, messages, chats) of any kind.
Web Application — Data We Collect
- Account information: Email address and name you provide at signup, plus an authentication password hash managed by Supabase Auth.
- DSP business information: DSP business name, station code, fleet size, and onboarding choices.
- Amazon portal credentials (optional, legacy): Encrypted client-side using RSA-OAEP-256 before transmission. Most clients now connect via the Chrome extension and never enter credentials in our application.
- Financial and operational data: Settlement, invoice, fleet, work summary, performance, deposit, and support case data extracted on your behalf from the Amazon portals you control.
- Billing information: Subscription status and payment method tokens managed by Stripe; we never see or store full card numbers.
- Application logs: Job execution metadata, sync timestamps, and error traces used for monitoring and debugging.
How We Use Data
- Reconcile DSP settlements, work summary data, and Payee Central deposits to detect billing discrepancies.
- Generate dispute narratives and supporting evidence for invoices still within Amazon's dispute window.
- Track recovery losses on invoices whose dispute window has closed and surface them on the operator dashboard.
- Send transactional emails (account, billing, alerts).
- Provide customer support when you contact us.
We do not sell, rent, or share your financial data with third parties for marketing or advertising. We do not use your data to train models for any third party.
Data Sharing & Service Providers
We share data only with the infrastructure providers required to operate the service:
- Supabase — primary database and authentication.
- Vercel — application hosting.
- Railway — legacy worker hosting (sunset for extension-first clients).
- Stripe — subscription billing.
- Resend — transactional email delivery.
- Anthropic — AI processing for dispute narrative generation. Only the discrepancy summary needed for the narrative is sent; raw credentials and personally identifying data are never included in prompts.
Each provider is contractually bound to use the data only to deliver their service to us.
Security
- All client and server traffic uses HTTPS/TLS.
- Database access is gated by Supabase Row Level Security (RLS) scoped to your organization.
- Extension API tokens are SHA-256 hashed at rest; raw token strings are never stored after issuance.
- Amazon portal credentials, when present, are encrypted in the browser with RSA-OAEP-256 before transmission.
- Webhook endpoints validate signatures using timing-safe comparison.
- Login, signup, and password reset endpoints are rate-limited per IP.
Data Retention
Financial, operational, and reconciliation data is retained for the duration of your active subscription. On account deletion, we permanently remove your data within 30 days, with two exceptions: (1) billing records required for tax and accounting are retained for the period required by law, and (2) anonymized aggregate metrics with no link to your account may be retained indefinitely.
Your Rights
You may at any time:
- Request an export of your data.
- Request deletion of your account and associated data.
- Revoke an extension token from your dashboard, which immediately disconnects that browser from your account.
- Uninstall the Chrome extension, which stops all data collection from your browser.
- Cancel your subscription, which halts new data collection while preserving historical records during your retention period.
EU/UK residents have additional rights under GDPR/UK GDPR, including the right to object to processing and to lodge a complaint with a supervisory authority. California residents have rights under the CCPA. Email us to exercise any of these rights.
Children
DSP Recon AI is a business-to-business product for operators of Amazon DSPs. It is not directed to children under 16, and we do not knowingly collect data from children.
Changes to This Policy
Material changes will be announced in-product and via email to active accounts at least 14 days before they take effect. The "Last updated" date above always reflects the current version.