Effective Date: March 30, 2026
Partner Central Connect ("Service," "we," "us," "our") is a cloud-based AWS partner co-sell management platform owned and created by Developer Labs AI, LLC. This Privacy Policy describes how we collect, use, disclose, and protect your information when you access or use our Service, including our website, application programming interfaces (APIs), and all related services.
This Privacy Policy applies to all individuals who interact with the Service, including website visitors, registered users, API consumers, and administrators of Self-Hosted Deployments. It covers data practices for both our Software-as-a-Service (SaaS) and Self-Hosted (AMI) deployment models.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described herein, you must discontinue use of the Service immediately. If you are using the Service on behalf of an organization, you represent and warrant that you have the authority to bind that organization to this Privacy Policy.
We are committed to protecting your privacy and handling your data with transparency and care. This Privacy Policy is designed to help you understand what information we collect, why we collect it, and how you can manage, export, and delete your information.
We collect information that you provide directly, information generated through your use of the Service, and information received from third-party integrations you configure. The categories of information we collect are described below.
When you create an account, we collect your email address, full name, user role (admin, member, or viewer), and account status. Authentication credentials are securely hashed using industry-standard cryptographic algorithms and are never stored in plaintext. We also collect the date and time of account creation and your most recent login timestamp.
When you set up or join an organization, we collect company name, AWS account ID, subscription plan and tier, AWS IAM role ARN and external ID (both encrypted at rest via AWS Key Management Service), AI provider configuration preferences, deployment mode (SaaS or Self-Hosted), and your Stripe customer identifier for billing purposes. This information is necessary to provision your account, manage your subscription, and establish secure connections to AWS services on your behalf.
Through your use of the Service, we store and process information about the customers and partners you manage, including: company names, industry classifications, website URLs, physical addresses, and country of operations; contact details including names, job titles, email addresses, and phone numbers; and business context such as use cases, needs, and engagement history. This data is provided by you and is used solely to deliver the functionality of the Service.
When you synchronize opportunities with AWS Partner Central, we collect and store AWS Partner Central opportunity identifiers and Amazon Resource Names (ARNs), synchronization status and history, expected customer spend amounts (including currency and frequency), team member assignments, project details including use cases and business problems being addressed, and sales activity logs. This data enables bidirectional synchronization with AWS Partner Central and powers reporting and analytics features within the Service.
When you connect third-party services, we collect integration-specific credentials and metadata, including: HubSpot OAuth access and refresh tokens (encrypted at rest via AWS KMS), CRM synchronization metadata and field mappings, and integration connection status and error logs. We do NOT store your CRM platform credentials in plaintext. All OAuth tokens are encrypted using envelope encryption with AWS Key Management Service, and access to decrypted tokens is strictly limited to the synchronization processes that require them.
When you use AI-powered features within the Service, we collect the AI action type and configuration, input and output token counts, estimated and actual cost calculations, and execution timestamps and duration. We collect prompt metadata for billing and audit purposes; however, we do not permanently store the raw customer prompts sent to AI providers. AI-generated outputs may be temporarily cached to deliver results to you but are not retained beyond the active session unless you explicitly choose to save them.
To process payments and manage your subscription, we collect Stripe payment method identifiers, invoice history and line items, credit allocation and consumption records, and metering events for usage-based billing. We do NOT store raw credit card numbers, bank account numbers, or other sensitive financial instrument details. All payment processing is handled by Stripe, which is PCI DSS Level 1 compliant. We only retain tokenized references to your payment methods as provided by Stripe.
When you access the Service, we automatically collect technical information including your IP address, browser type and version, device type and operating system, session identifiers, API request logs (endpoint, HTTP method, response code, and timestamp), and referral URLs. This information is used to maintain the security and performance of the Service, diagnose technical issues, and generate aggregate usage analytics.
To support compliance and security requirements, we collect audit events including actor identification (user ID and role), action performed, resource affected, timestamp, IP address, and decision outcome (permit or deny). Our audit trail is architected with SOC 2 compliance principles and secured with SHA-256 hash chains to ensure tamper detection and immutability. Each audit event is cryptographically linked to the preceding event, making it computationally infeasible to alter historical records without detection.
We use the information we collect for the following purposes:
We are committed to protecting your information and limiting its disclosure. We share your information only in the following circumstances and with the following categories of recipients:
We share data with trusted service providers who process data on our behalf under strict contractual obligations. These sub-processors are bound by data processing agreements that require them to protect your information with appropriate technical and organizational measures, process your data only as instructed by us, and promptly notify us of any security incidents. A complete list of our current sub-processors is provided in Section 11 of this Privacy Policy.
When you enable CRM integration (HubSpot, Salesforce, or Dynamics 365), your Customer Data is shared with the connected platform according to your sync configuration. You maintain full control over which data fields are synchronized and in which direction (unidirectional or bidirectional). We act as a data processor facilitating the transfer you configure; we do not independently determine what data is shared with your CRM platform.
Opportunity and engagement data is synchronized with AWS Partner Central per your configuration. This synchronization is essential to the core functionality of the Service and is performed using your AWS IAM credentials. Marketplace data is shared with the AWS Marketplace Catalog API for listing management when you use our marketplace features. All data transfers to AWS are encrypted in transit using TLS 1.2 or higher.
When you use AI Actions, contextual data is sent to AWS Bedrock and/or Anthropic for inference processing. This data is used solely to generate the requested output and is NOT used to train AI models, in accordance with each provider's published data handling policies. For additional details on AI data handling, see Section 5 of this Privacy Policy.
We may disclose information when required by law, subpoena, court order, or governmental regulation. We will notify you of such requests unless legally prohibited from doing so. Where permitted, we will attempt to redirect the requesting party to seek data directly from you. We evaluate each request for legal validity before disclosing any information and will challenge requests we believe are overbroad, vague, or otherwise legally deficient.
In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your information. In such an event, this Privacy Policy will continue to govern the treatment of your information until you are notified of changes and given the opportunity to exercise your rights.
We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes. Ever. This commitment is fundamental to our business model. We generate revenue through subscription fees and usage-based billing for the Service, not through the monetization of your data.
AI-powered intelligence features within Partner Central Connect are powered by HybrIQ, our intelligent processing engine that utilizes AWS Bedrock and Anthropic Claude models. This section provides additional detail on how your data is handled when you use these features.
When you initiate an AI Action, relevant contextual data — such as opportunity details, account information, and business context — is sent to the AI provider for processing. The specific data transmitted depends on the type of AI Action you invoke and is limited to the minimum context necessary to generate an accurate and useful response.
AI providers process data solely for generating the requested output. Under our configuration, AI providers do not retain the content of your requests or generated responses for training purposes, in accordance with their published data handling policies. AWS Bedrock and Anthropic process data in real-time for inference and do not use API customer data to improve their models. Temporary processing may occur as required by each provider's standard operational procedures (such as abuse monitoring), subject to their respective privacy policies.
Your data is NEVER used to train, fine-tune, or improve AI models. This is ensured through AWS Bedrock's data handling policies and Anthropic's API terms of service, both of which prohibit using API customer data for model training. Your proprietary business data, opportunity information, customer details, and all other content processed through AI features remains exclusively yours and is never incorporated into model training datasets.
Token usage (input and output counts) and associated costs are logged for billing and metering purposes. These records contain metadata about the AI interaction (action type, timestamp, token counts, and calculated cost) but do not contain the actual content of prompts or responses.
AI execution metadata — including action type, execution timestamp, token counts, and cost — is retained for 90 days for audit and billing reconciliation purposes. After 90 days, this metadata is automatically purged from our systems.
You may disable AI features entirely through your Organization settings at any time. Disabling AI features will prevent any data from being sent to AI providers and will disable all AI-powered functionality within your account. This setting takes effect immediately upon change.
AI-generated outputs may be stored within your account if you choose to save them (for example, saving an AI-generated opportunity assessment to an opportunity record). If you do not explicitly save the output, it is not retained after display and is discarded when the response is delivered to your browser or API client.
We retain your information only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention periods for each category of data are as follows:
We may retain anonymized, aggregated data indefinitely for analytical purposes. This data is processed through irreversible anonymization techniques and cannot be used to identify any individual, organization, or specific account. Aggregated data is used solely to understand Service usage trends and inform product development decisions.
We implement comprehensive technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security program includes the following safeguards:
While we employ robust security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any vulnerabilities or incidents that may arise.
For customers using our Self-Hosted (AMI) deployment model, the following privacy terms apply in addition to the general provisions of this Privacy Policy:
ALL Customer Data in a Self-Hosted Deployment remains entirely within your AWS account and network. Partner Central Connect servers NEVER access, store, or process your Customer Data from self-hosted instances. Your data sovereignty is absolute in the Self-Hosted model — your opportunity data, customer records, CRM integrations, audit logs, and all other business data reside exclusively in infrastructure you own and control.
You are the data controller for all data within your Self-Hosted Deployment. Partner Central Connect is NOT a data processor for this data. You bear full responsibility for data protection compliance, access management, and security within your Self-Hosted environment.
The communications between your Self-Hosted instance and our servers are limited to the following:
TELEMETRY_ENABLED=false), a lightweight diagnostic payload is transmitted at regular intervals containing: instance identifier, software version, deployment tier and mode, runtime environment, process uptime, aggregate record counts (number of organizations, users, and opportunities — not the records themselves), system resource metrics (CPU count, memory usage, disk usage, platform, architecture, Node.js version), background job queue statistics (waiting, active, and failed job counts), and up to 5 recent sanitized error messages (with all personally identifiable information such as email addresses, IP addresses, and UUIDs automatically stripped before transmission). This telemetry payload is under 4KB and contains zero personally identifiable information.No Customer Data, personally identifiable information, opportunity details, CRM records, contact information, financial data, or proprietary business content is transmitted during any of these communications. All transmitted data is limited strictly to operational and licensing metadata as described above.
The license check-in is secured with ES256 (Elliptic Curve Digital Signature Algorithm) signed JWT tokens and TLS encryption. The JWT signature ensures that check-in payloads cannot be tampered with in transit, and TLS encryption protects against eavesdropping.
You are responsible for implementing your own data protection measures, backups, access controls, encryption configurations, network security, and compliance monitoring within your AWS environment. We provide documentation and best-practice recommendations for securing Self-Hosted deployments, but the implementation and maintenance of these measures is your responsibility.
Depending on your jurisdiction, you may have the following rights with respect to your personal data. We are committed to honoring these rights regardless of your location, to the extent practicable and not in conflict with applicable law:
To exercise any of these rights, contact us at privacy@partnercentralconnect.com or use the account settings within the Service. We may need to verify your identity before processing your request. We will respond to all rights requests within 30 days of receipt. If we require additional time (up to an additional 60 days for complex requests), we will inform you of the extension and the reasons for it.
We use a limited number of cookies and similar technologies to operate the Service effectively. Our approach to tracking is privacy-respecting and minimal by design.
You can manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, and set preferences for specific websites. Please note that disabling certain cookies may affect the functionality and usability of the Service. For instructions on managing cookies in your specific browser, consult your browser's help documentation.
We use the following third-party services (sub-processors) to operate and deliver the Service. Each sub-processor is bound by contractual obligations to protect your data and process it only as instructed by us.
| Service | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (EC2, S3, KMS, SNS, SES) | Cloud infrastructure, encryption, notifications, email delivery | Encrypted service data, notification recipients |
| AWS Partner Central API | Opportunity and engagement synchronization | Opportunity data as configured by you |
| AWS Marketplace Catalog API | Marketplace listing management | Product listing data |
| AWS Bedrock | AI inference for HybrIQ features | Contextual prompts for AI processing (not used for training) |
| Supabase | Database hosting (SaaS deployment only) | All SaaS customer data (encrypted at rest) |
| Stripe | Payment processing | Billing identifiers, subscription plan, payment method tokens |
| HubSpot | CRM integration (when enabled by you) | Contact, company, and deal data as configured |
| Resend | Transactional email delivery | Recipient email address, notification content |
We require all sub-processors to maintain appropriate security measures — including encryption, access controls, and incident response procedures — and to process data only as instructed by us. Sub-processors are prohibited from using your data for any purpose other than performing the services we have engaged them to provide.
We will provide at least 30 days advance notice before adding new sub-processors that may process your personal data. This notice will be provided via email to the primary contact on your account or through an in-product notification. If you object to a new sub-processor, you may terminate your account before the new sub-processor begins processing your data.
A current, up-to-date list of sub-processors is available upon request at privacy@partnercentralconnect.com.
Partner Central Connect is a business-to-business (B2B) service designed for use by companies managing their AWS partner relationships. The Service is not directed at, marketed to, or intended for use by individuals under the age of 16.
We do not knowingly collect, solicit, or process personal data from children under 16 years of age. Our registration process requires users to represent that they are at least 16 years old and, if acting on behalf of an organization, that they have the authority to do so.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such data from our systems and terminate the associated account. We will also notify the relevant supervisory authority if required by applicable law.
If you believe that a child under 16 has provided us with personal information, or if you have concerns about a minor's interaction with our Service, please contact us immediately at privacy@partnercentralconnect.com. We will investigate promptly and take appropriate action.
Partner Central Connect primarily processes data in the United States. For SaaS deployments, data is processed and stored in AWS regions us-east-1 (N. Virginia) and us-west-2 (Oregon). Our operational and support teams are based in the United States.
For Self-Hosted Deployments, data is processed and stored in the AWS region you select during deployment. You retain full control over the geographic location of your data and can choose any AWS region that meets your compliance and latency requirements.
If you are located outside the United States and use our SaaS deployment, your data will be transferred to and processed in the United States. By using the Service, you acknowledge and consent to this transfer. We understand that international data transfers require appropriate safeguards, and we take the following measures to ensure lawful transfer:
You may request a copy of the applicable transfer mechanisms, including executed Standard Contractual Clauses, by contacting privacy@partnercentralconnect.com. We will provide the requested documentation within a reasonable timeframe.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
To exercise your rights under the CCPA, contact us at privacy@partnercentralconnect.com. We will verify your identity before processing any request by confirming your email address and account ownership. We will respond to verified requests within 45 days. If additional time is needed, we will notify you of the extension (up to an additional 45 days) and the reason for it.
Categories of personal information collected in the past 12 months include: identifiers (name, email address, IP address), commercial information (subscription plan, billing records, transaction history), internet or other electronic network activity information (API request logs, session data, feature usage), professional or employment-related information (job title, company name, organizational role), and inferences drawn from the above categories (usage patterns, feature preferences).
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply to our processing of your personal data under the General Data Protection Regulation (GDPR) and the UK GDPR:
We process your personal data under the following legal bases as defined in Article 6 of the GDPR:
For all GDPR-related inquiries, including questions about our data processing activities, requests to exercise your data subject rights, or concerns about our privacy practices, you may contact our Data Protection Officer at dpo@partnercentralconnect.com. Our Data Protection Officer oversees our compliance with data protection regulations and serves as the primary point of contact for data subjects and supervisory authorities.
You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates the GDPR. We encourage you to contact us first so we can attempt to resolve your concern, but this does not affect your right to lodge a complaint at any time. A list of EEA supervisory authorities is available at the European Data Protection Board website.
A GDPR-compliant Data Processing Agreement is available upon request for customers who require one. Our DPA includes all provisions required by Article 28 of the GDPR, including the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed, and the categories of data subjects. To request a DPA, contact legal@partnercentralconnect.com.
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. We will notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR. Breach notifications will include the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.
You may request erasure of your personal data under Article 17 of the GDPR. We will comply with your request unless retention is required by law (such as tax records), necessary for the performance of the contract, required for the establishment, exercise, or defense of legal claims, or necessary for compliance with a legal obligation. If we are unable to fully comply with an erasure request, we will inform you of the specific reasons and the legal basis for continued retention.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. We are committed to providing you with clear notice of any changes that may affect your rights or our handling of your data.
For material changes — including changes to the categories of data we collect, the purposes for which we process data, the categories of third parties with whom we share data, or your rights — we will provide at least 30 days advance notice via email to the address associated with your account and/or through an in-product notification banner. Material changes will not take effect until the notice period has expired.
Non-material changes — such as corrections of typographical errors, clarifications of existing language, formatting improvements, or updates to contact information — may take effect immediately upon posting to this page. We will update the "Last Updated" date at the top of this page whenever any change is made, regardless of whether the change is material or non-material.
We will indicate the "Effective Date" at the top of this page, which reflects the date the current version of this Privacy Policy became effective. Previous versions of this Privacy Policy are available upon request by contacting privacy@partnercentralconnect.com. We maintain an archive of all prior versions for transparency.
Your continued use of the Service after the effective date of changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with any changes, you must discontinue use of the Service before the changes take effect. You may export your data prior to discontinuing use, as described in Section 9 (Data Portability).
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:
We aim to respond to all privacy-related inquiries within 30 days of receipt. For urgent security concerns or suspected data breaches, please include "URGENT" in the subject line and we will prioritize your request.