Privacy and Data Protection Agreement (PDPA)

Effective Date: 24/4/2025

Version: 1.0

Controller: Merchant installing or using the MarvelPixel App

Processor: Marveltest B.V., Camperstraat 42, 1091 AH Amsterdam, Netherlands

1. Overview

This Privacy and Data Protection Agreement (“Agreement”) governs the processing of personal data by Marveltest B.V. (“Processor”, “MarvelPixel”, “we”, “our”) on behalf of the Merchant (“Controller”, “you”, “your”) through the use of the MarvelPixel application installed on a Shopify store or other digital platform.

This Agreement is a legally binding addendum to MarvelPixel’s Terms of Use, accepted electronically upon installation or continued use of the app.

2. Roles and Legal Basis

You (the Merchant) are the Data Controller, responsible for the lawful collection and use of customer data.

  • Marveltest B.V. is the Data Processor, acting solely on your documented instructions to provide analytics, tracking, and optimization services.

Processing is carried out in compliance with:

  • General Data Protection Regulation (GDPR) – EU 2016/679

  • California Consumer Privacy Act (CCPA)

  • Any applicable local privacy laws

3. Purpose of Processing

MarvelPixel processes data solely to provide:

  • Pixel-based tracking and analytics

  • First-party marketing attribution

  • User behavior insights

  • Campaign optimization

Reporting dashboards and integrations

4. Data Types and Scope

Categories of Data Subjects:

  • End-users and customers visiting or interacting with the Merchant’s store or campaigns

Categories of Personal Data:

  • Device identifiers, IP addresses

  • Browser, location, and referral metadata

  • Session activity, product views, add-to-cart and checkout events

  • UTM parameters and hashed email addresses (optional)

MarvelPixel does not intentionally process special categories of personal data (GDPR Art. 9).

5. Processor Obligations

Marveltest B.V. agrees to:

  • Only process data under the Merchant’s instructions

  • Implement strong technical and organizational safeguards (encryption, access controls)

  • Ensure confidentiality of personnel and subprocessors

  • Notify you promptly in case of a data breach

  • Assist with requests from data subjects (access, erasure, etc.)

  • Delete or return personal data upon termination unless required by law

6. Subprocessors

MarvelPixel uses trusted third-party subprocessors (e.g., hosting, database, error monitoring providers) to fulfill its service.

  • A current list is maintained at: https://marvelpixel.io/subprocessors

  • Subprocessors are bound by equivalent data protection obligations.

  • You will be notified in advance of any new subprocessors, with a 10-day window to object.

7. International Transfers

Marveltest B.V. may transfer personal data outside the EEA or the Merchant’s country only:

  • To countries with an adequacy decision by the European Commission, or

  • Under valid transfer mechanisms (e.g., Standard Contractual Clauses)

8. Security and Confidentiality

MarvelPixel follows industry best practices including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)

  • Role-based access controls (RBAC)

  • Regular vulnerability scanning and patching

  • Logging and monitoring for anomalous activity

9. Data Retention

MarvelPixel retains personal data only as long as necessary to provide services. Upon app uninstallation or written request:

  • All personal data is deleted within 30 days unless legally required to retain it.

  • Aggregated, non-identifiable data may be retained for analytics.

10. Data Subject Rights

You are responsible for fulfilling data subject rights requests. MarvelPixel will support you in doing so, including:

  • Right to access and rectification

  • Right to erasure (“right to be forgotten”)

  • Right to data portability

  • Right to object or restrict processing

11. Shopify App Compliance

MarvelPixel complies with Shopify’s API Terms and privacy guidelines, including:

  • Full transparency over data access and use

  • No resale or unauthorized sharing of merchant or customer data

  • Timely deletion of data upon app uninstallation

  • Providing merchants with a way to handle data subject access and deletion requests

12. Duration

This Agreement is valid for the duration of the Merchant’s use of MarvelPixel. Upon termination or uninstallation:

  • Processing ceases immediately

  • Personal data is deleted within 30 days, unless otherwise requested

13. Governing Law and Jurisdiction

This Agreement is governed by the laws of the Netherlands. Any disputes shall be brought before the competent courts in Amsterdam, Netherlands, unless otherwise required by applicable local law.

14. Acceptance by Use

By installing, enabling, or using the MarvelPixel application, the Merchant agrees to this Privacy and Data Protection Agreement. This form of clickwrap acceptance constitutes a legally binding agreement between the parties.

Camperstraat 42,

1091 AH Amsterdam

Copyright © 2025 Marveltest B.V

Pixel Operational

Camperstraat 42,

1091 AH Amsterdam

Copyright © 2025 Marveltest B.V

Pixel Operational

Camperstraat 42,

1091 AH Amsterdam

Copyright © 2025 Marveltest B.V

Pixel Operational