first of all sorry for not getting back to you earlier.
Generally, no login information is sent to a any third party (including me and the device synchronization). They will only leave your device while communicating with the Amazon servers.
The username and password are encrypted and saved on your device so you do not need to enter it on every refresh. The app uses this information while refreshing status messages and checking for new orders, imitating the procedure that you would perform with your browser, logging into the Amazon website (via a secure HTTPS connection).
Thus, it's about as safe as checking the order status in your mobile browser, storing the password locally (not syncing it like e.g. the Chrome password sync feature).
I know that this requires a leap of faith, but due to Amazons stance on making available order data to third party applications, this is as good as it gets.