How POA Defender handles Amazon policy compliance, data protection, payment security, and AI processing disclosures.
POA Defender is a tool that helps Amazon sellers comply with Amazon’s own reinstatement process. A Plan of Action is the document Amazon itself requests from suspended sellers — generating one is an explicitly sanctioned activity.
POA Defender does not assist with review manipulation, feedback abuse, account hijacking, or any other activity that violates Amazon’s policies. The tool is designed specifically to help sellers address genuine policy violations through Amazon’s official appeal channel.
POA Defender is an independent software service. We are not affiliated with, endorsed by, or in any way connected to Amazon.com, Inc. Amazon, Seller Central, Seller Performance, and related marks are trademarks of Amazon.com, Inc.
We do not have access to Amazon’s internal systems, your Seller Central account, or any Amazon data. All content used by POA Defender is provided directly by you.
Reinstatement decisions are made solely by Amazon’s Seller Performance team. POA Defender generates a draft Plan of Action — the outcome of submitting that document to Amazon is outside our control and we make no representation about reinstatement likelihood.
Amazon’s policies and reinstatement criteria change over time. POA Defender stamps every generated POA with the month it was created. If a POA is more than two months old, the application displays a warning advising you to review it against current Amazon guidelines before submitting.
We identify a lawful basis for every processing activity. Account and service data is processed under contract performance. Fraud prevention and security processing is under legitimate interests. Financial records are retained under legal obligation.
Data subject rights — access, rectification, erasure, portability, objection — are supported. Requests are processed within 30 days. Contact privacy@poadefender.com.
We do not sell personal information. California residents have the right to know what personal information we collect, the right to delete it, and the right to opt out of sale (which we do not engage in). Contact us to exercise these rights.
We collect only the data necessary to provide the Service: account credentials, payment references, and the content you submit for POA generation. We do not collect browser fingerprints, device identifiers, location data, or advertising identifiers.
When you generate a Plan of Action, the following data is transmitted to Anthropic, PBC via their API:
This data is transmitted over HTTPS and is subject to Anthropic’s API data handling policies. Anthropic does not use API data to train its models by default. Review Anthropic’s privacy policy and usage policy for full details.
What is not sent to Anthropic: your name, email address, payment data, account details, or prior POA history. Only the content of the current generation request is transmitted.
POA Defender does not use your suspension notices, seller context, or generated Plans of Action to train or fine-tune any AI model. Your content is used only to generate your specific POA.
Amazon’s seller policies evolve. Every POA generated by the Service is stamped with the month and year of generation. The application monitors for policy updates and displays a staleness warning when a POA is more than two months old, prompting you to review before submitting.
All payments are processed by Paystack, which is certified as a PCI DSS Level 1 service provider — the highest level of payment security certification.
POA Defender never transmits, processes, or stores payment card numbers, CVV codes, or bank account details. These are entered directly into Paystack’s secure checkout and never touch our servers.
We store only a Paystack customer code and payment reference — anonymised identifiers that allow us to manage your subscription without holding sensitive financial data.
All incoming payment webhooks from Paystack are verified using HMAC-SHA512 signature validation before any action is taken. Webhook payloads with invalid or missing signatures are rejected. Timing-safe comparison is used to prevent timing attacks on signature verification.
User authentication is managed by Supabase Auth, which implements industry-standard secure session management including HTTP-only cookies, token rotation, and PKCE for OAuth flows.
Row-level security (RLS) policies are enforced at the database level for all tables. Users can only read and write their own data. The service role key (which bypasses RLS) is used only in server-side API routes — it is never exposed to the browser or embedded in client-side code.
All data is transmitted over HTTPS/TLS. Data at rest is encrypted by Supabase’s managed encryption on AWS infrastructure. All connections to Anthropic, Paystack, and Supabase are made over HTTPS.
POA generation is subject to a daily limit of 50 POAs per account per 24-hour period, enforced by an atomic database-level counter. Credit operations (decrement before generation, refund on failure) are performed atomically to prevent race conditions. Payment processing uses conditional database updates to prevent double-processing.
Security vulnerability reporting
If you discover a security vulnerability in POA Defender, please report it responsibly by emailing security@poadefender.com. Do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and address them.
We aim to acknowledge all security reports within 48 hours and to provide a resolution timeline within 7 business days.
Questions about our compliance posture? Contact legal@poadefender.com.