Effective Date: 24 May 2025
Version: 1.2
Controller: Merchant installing or using the MarvelPixel app ("you", "your")
Processor: Marveltest B.V., Camperstraat 42, 1091 AH Amsterdam, Netherlands ("MarvelPixel", "we", "our")
1. Overview
This Privacy and Data Protection Agreement (“Agreement”) governs Marveltest B.V.’s (“Processor”, “MarvelPixel”, “we”, “our”) processing of personal data on behalf of the Merchant (“Controller”, “you”, “your”) through the MarvelPixel application installed on a Shopify store or other digital platform.
This Agreement supplements MarvelPixel’s Terms of Use and is accepted electronically when you install or continue to use the app.
2. Roles and Legal Basis
Controller: You, the Merchant, determine the purposes and means of processing.
Processor: MarvelPixel acts solely on your documented instructions to provide analytics, tracking and optimisation services.
Processing is conducted in compliance with:
General Data Protection Regulation (GDPR – EU 2016/679)
California Consumer Privacy Act (CCPA)
Any other applicable local privacy laws.
The lawful bases relied upon are performance of contract (Art. 6 (1)(b) GDPR) and legitimate interests in obtaining accurate marketing analytics (Art. 6 (1)(f) GDPR).
3. Purpose of Processing
MarvelPixel processes data only to provide services including, but not limited to:
Tracking & analytics – Collecting web‑event data and advertising metrics.
First‑party marketing attribution – Combining advertising data (e.g., spend, clicks, conversions) from Meta Ads and Google Ads with Shopify order data to generate performance analytics such as MER, ROAS, CAC, funnel views and cohort reports.
Server‑side event forwarding – When the Merchant enables Data Sync, MarvelPixel sends hashed purchase or lead events to the Meta Conversions API to improve attribution accuracy.
Reporting dashboards & integrations – Displaying aggregated metrics inside the MarvelPixel UI and exporting data at the Merchant’s request.
MarvelPixel does not transfer, share or disclose data to any party other than the Merchant who owns it.
4. Data Types and Scope
Categories of Data Subjects
End‑users and customers interacting with the Merchant’s store or ads.
Categories of Personal Data
Ad‑platform identifiers (ad‑account ID, campaign ID, ad‑set ID, ad ID)
Aggregated performance metrics (spend, impressions, clicks, purchases, revenue)
Hashed customer identifiers transmitted to Meta’s Conversions API (e.g., SHA‑256 email, phone)
Device and browser metadata, IP address, UTM parameters
Session activity such as product views, add‑to‑cart and checkout events
MarvelPixel does not intentionally process special categories of personal data (GDPR Art. 9).
5. Processor Obligations
Marveltest B.V. shall:
Process data only under the Merchant’s instructions.
Implement appropriate technical and organisational safeguards (encryption, access controls, auditing).
Ensure confidentiality of personnel and all subprocessors.
Notify the Merchant without undue delay of any personal‑data breach.
Assist the Merchant in fulfilling data‑subject requests (access, erasure, portability, objection).
Delete or return personal data upon termination unless Union or Member‑State law requires retention.
6. Subprocessors
MarvelPixel uses trusted third‑party subprocessors (e.g., hosting, database and error‑monitoring providers) listed at https://marvelpixel.io/subprocessors.
These subprocessors are bound by written agreements providing data‑protection obligations no less protective than this Agreement.
Meta Platforms Ireland Ltd. and Google LLC act primarily as independent controllers when providing their advertising platforms; MarvelPixel merely interfaces with their public APIs under your instructions.
You will be notified in advance of any new subprocessors, with a 10‑day window to object.
7. International Transfers
Personal data may be transferred outside the EEA or the Merchant’s jurisdiction only:
To countries with an adequacy decision by the European Commission, or
Under appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs).
8. Security and Confidentiality
MarvelPixel follows industry best practices including, but not limited to:
TLS 1.2+ encryption in transit and AES‑256 encryption at rest
Role‑based access controls and multi‑factor authentication
Regular vulnerability scanning, penetration tests and patch management
Continuous logging and monitoring for anomalous activity
Hashing of customer identifiers before transmission to Meta’s Conversions API.
9. Data Retention
Active use: Personal data are retained only as long as necessary to provide services.
Uninstallation/termination: All personal data are deleted within 30 days unless legal obligations require longer retention.
Aggregated data: Non‑identifiable, aggregated analytics may be retained indefinitely.
10. Data-Subject Rights
The Merchant is responsible for responding to data‑subject requests. MarvelPixel will assist promptly by:
Retrieving, correcting or deleting individual records
Exporting data for portability
Implementing opt‑out or restriction flags in tracking scripts.
11. Platform‑Specific Compliance
Shopify: MarvelPixel complies with Shopify’s API Terms and merchant‑data guidelines, including timely deletion of merchant/customer data upon app uninstallation.
Meta Ads: MarvelPixel requests the ads_read and business_management permissions to retrieve performance data and verify asset ownership. Server‑side events are transmitted to Meta’s Conversions API using hashed identifiers only.
Google Ads: MarvelPixel uses OAuth 2.0 read‑only scopes to fetch campaign metrics; no data are pushed back to Google Ads.
12. Duration
This Agreement remains in effect for as long as the Merchant uses MarvelPixel. Processing ceases upon termination, and deletion timelines in Section 9 apply.
13. Governing Law and Jurisdiction
This Agreement is governed by the laws of the Netherlands. Any dispute shall be submitted to the competent courts of Amsterdam, unless mandatory law provides otherwise.
14. Acceptance
By installing, enabling or using the MarvelPixel application, the Merchant agrees to this Privacy and Data Protection Agreement.