Effective Date: 24/4/2025
Version: 1.0
Controller: Merchant installing or using the MarvelPixel App
Processor: Marveltest B.V., Camperstraat 42, 1091 AH Amsterdam, Netherlands
1. Overview
This Privacy and Data Protection Agreement (“Agreement”) governs the processing of personal data by Marveltest B.V. (“Processor”, “MarvelPixel”, “we”, “our”) on behalf of the Merchant (“Controller”, “you”, “your”) through the use of the MarvelPixel application installed on a Shopify store or other digital platform.
This Agreement is a legally binding addendum to MarvelPixel’s Terms of Use, accepted electronically upon installation or continued use of the app.
2. Roles and Legal Basis
You (the Merchant) are the Data Controller, responsible for the lawful collection and use of customer data.
Marveltest B.V. is the Data Processor, acting solely on your documented instructions to provide analytics, tracking, and optimization services.
Processing is carried out in compliance with:
General Data Protection Regulation (GDPR) – EU 2016/679
California Consumer Privacy Act (CCPA)
Any applicable local privacy laws
3. Purpose of Processing
MarvelPixel processes data solely to provide:
Pixel-based tracking and analytics
First-party marketing attribution
User behavior insights
Campaign optimization
Reporting dashboards and integrations
4. Data Types and Scope
Categories of Data Subjects:
End-users and customers visiting or interacting with the Merchant’s store or campaigns
Categories of Personal Data:
Device identifiers, IP addresses
Browser, location, and referral metadata
Session activity, product views, add-to-cart and checkout events
UTM parameters and hashed email addresses (optional)
MarvelPixel does not intentionally process special categories of personal data (GDPR Art. 9).
5. Processor Obligations
Marveltest B.V. agrees to:
Only process data under the Merchant’s instructions
Implement strong technical and organizational safeguards (encryption, access controls)
Ensure confidentiality of personnel and subprocessors
Notify you promptly in case of a data breach
Assist with requests from data subjects (access, erasure, etc.)
Delete or return personal data upon termination unless required by law
6. Subprocessors
MarvelPixel uses trusted third-party subprocessors (e.g., hosting, database, error monitoring providers) to fulfill its service.
A current list is maintained at: https://marvelpixel.io/subprocessors
Subprocessors are bound by equivalent data protection obligations.
You will be notified in advance of any new subprocessors, with a 10-day window to object.
7. International Transfers
Marveltest B.V. may transfer personal data outside the EEA or the Merchant’s country only:
To countries with an adequacy decision by the European Commission, or
Under valid transfer mechanisms (e.g., Standard Contractual Clauses)
8. Security and Confidentiality
MarvelPixel follows industry best practices including:
Encryption in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls (RBAC)
Regular vulnerability scanning and patching
Logging and monitoring for anomalous activity
9. Data Retention
MarvelPixel retains personal data only as long as necessary to provide services. Upon app uninstallation or written request:
All personal data is deleted within 30 days unless legally required to retain it.
Aggregated, non-identifiable data may be retained for analytics.
10. Data Subject Rights
You are responsible for fulfilling data subject rights requests. MarvelPixel will support you in doing so, including:
Right to access and rectification
Right to erasure (“right to be forgotten”)
Right to data portability
Right to object or restrict processing
11. Shopify App Compliance
MarvelPixel complies with Shopify’s API Terms and privacy guidelines, including:
Full transparency over data access and use
No resale or unauthorized sharing of merchant or customer data
Timely deletion of data upon app uninstallation
Providing merchants with a way to handle data subject access and deletion requests
12. Duration
This Agreement is valid for the duration of the Merchant’s use of MarvelPixel. Upon termination or uninstallation:
Processing ceases immediately
Personal data is deleted within 30 days, unless otherwise requested
13. Governing Law and Jurisdiction
This Agreement is governed by the laws of the Netherlands. Any disputes shall be brought before the competent courts in Amsterdam, Netherlands, unless otherwise required by applicable local law.
14. Acceptance by Use
By installing, enabling, or using the MarvelPixel application, the Merchant agrees to this Privacy and Data Protection Agreement. This form of clickwrap acceptance constitutes a legally binding agreement between the parties.
