Privacy Policy

1. Who We Are

Marketa ("Marketa," "we," "us," or "our") is a CPG growth agency providing eCommerce strategy, retail media management, Amazon account management, TikTok Shop growth, and related services to consumer packaged goods brands. Our primary website is withmarketa.com.

For the purposes of applicable data protection law, Marketa is the data controller with respect to personal data collected through this website and in connection with our services.

2. Scope of This Policy

This Privacy Policy applies to:

• Visitors to withmarketa.com and all associated subdomains
• Prospective and current clients who engage with us via our contact form, email, or other channels
• Individuals whose data we access in connection with Amazon Selling Partner API (SP-API) services provided on behalf of our clients
• Any other individual whose personal information we process in the course of operating our business

This policy does not apply to third-party websites, platforms (including Amazon, TikTok, Whole Foods, or Instacart), or services that we may link to or integrate with. Those platforms have their own privacy policies.

3. Information We Collect

3.1 Information You Provide Directly

• Contact form submissions: Name, brand name, email address, primary sales channel, and any message content you submit via our Brand Audit request form
• Email correspondence: Any information you share when contacting us at hello@withmarketa.com
• Client onboarding: Business contact details, billing information, and account credentials shared in the course of engaging our services

3.2 Information Collected Automatically

• Usage data: IP address, browser type and version, operating system, referring URLs, pages visited, time spent on pages, and clickstream data
• Device information: Device type, screen resolution, and language preferences
• Cookies and similar technologies: See Section 13 for full details

3.3 Information from Third-Party Platforms (on behalf of Clients)

Where a client authorizes us to access their Amazon Seller Central account via the Amazon SP-API, we may access and process certain data on the client's behalf. See Section 5 for full details on our Amazon SP-API data practices.

3.4 Information We Do Not Collect

We do not collect, process, or store:

• Payment card numbers (all payments are handled via secure third-party processors)
• Sensitive personal data (e.g., health data, racial or ethnic origin, biometric data, political opinions) unless explicitly required and consented to
• Personal data from individuals we know to be under 18 years of age

4. How We Use Your Information

We use the information we collect for the following purposes:

• To respond to inquiries and schedule free brand audits requested through our contact form
• To deliver and manage our services to clients, including Amazon account management, retail media, and growth strategy
• To communicate with clients and prospective clients about their accounts, our services, and relevant industry updates
• To improve our website and services through analysis of usage patterns and performance data
• To comply with legal obligations including tax, financial reporting, and applicable data protection laws
• To protect our legal rights and prevent fraud or unauthorized access

We do not sell, rent, or trade personal information to any third party for their own marketing purposes.

5. Amazon Selling Partner API (SP-API) Data

5.1 What SP-API Data We Access

When a client grants us access to their Amazon Seller Central account via SP-API authorization, we may access the following categories of data solely on that client's behalf:

• Order data (order IDs, quantities, statuses, fulfillment details)
• Listing and catalog data (ASINs, product titles, descriptions, pricing)
• Advertising performance data (impressions, clicks, spend, ROAS, campaign structure)
• Inventory and FBA data (stock levels, replenishment alerts, lead times)
• Financial reports (settlement data, fees, revenue summaries)
• Customer feedback and review data (review counts, ratings — no personally identifiable buyer information)

5.2 How We Use SP-API Data

SP-API data is used exclusively to:

• Provide account management, advertising optimization, and growth strategy services to the authorizing client
• Generate performance reports and dashboards for the client's internal use
• Identify and act on optimization opportunities in listings, ad campaigns, and inventory management

We do not:

• Use SP-API data for any purpose beyond the services contracted with the authorizing client
• Combine SP-API data with data from other clients or third-party data sources for any purpose other than the contracted service
• Share SP-API data with any third party except as expressly authorized by the client or required by law
• Use SP-API data to build or train machine learning or AI models that are repurposed or sold
• Access or store any personally identifiable information about Amazon customers (Amazon masks all buyer PII in accordance with their policies)

5.3 Amazon Buyer Data

Marketa acknowledges and complies with Amazon's strict prohibition on accessing, using, or storing Amazon customer personal information. Any masked or anonymized buyer data available via SP-API (e.g., masked email addresses, anonymized order data) is used solely to fulfill the contracted service and is never used to contact buyers directly, build advertising audiences outside of authorized Amazon tools, or combined with other data sources to re-identify individuals.

5.4 SP-API Data Storage & Security

SP-API data is stored on secure, access-controlled systems with encryption at rest and in transit. Access is restricted to Marketa team members working directly on the authorizing client's account. Data is retained only for as long as necessary to provide the contracted service and is deleted or de-identified upon contract termination (see Section 9).

5.5 SP-API Authorization & Revocation

Clients authorize SP-API access through Amazon's standard OAuth authorization flow within Seller Central. Authorization can be revoked by the client at any time via Seller Central → Settings → User Permissions. Upon revocation, Marketa will cease accessing the account and will delete or return all SP-API-derived data upon request.

5.6 Incident Reporting

In the event of a confirmed data security incident involving Amazon SP-API data, Marketa will notify Amazon and the affected client within 72 hours of becoming aware of the incident, consistent with Amazon's Developer Agreement and applicable GDPR breach notification requirements.

6. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and UK GDPR:

• Contract (Art. 6(1)(b)): Processing necessary to perform our contract with clients, including managing Amazon accounts and delivering growth services
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests in operating our business, improving our services, and communicating with prospective clients — where those interests are not overridden by your data protection rights
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable law (e.g., tax and financial record-keeping)
• Consent (Art. 6(1)(a)): Where you have provided explicit consent, such as subscribing to marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing

7. Data Sharing & Third Parties

We do not sell personal data. We may share personal data with the following categories of recipients only to the extent necessary:

7.1 Service Providers (Data Processors)

• Formspree: Processes contact form submissions on our behalf. Data is transmitted securely and used solely to route your message to us. Formspree Privacy Policy
• Cloudflare: Provides web hosting, CDN, and DDoS protection for withmarketa.com. May process IP addresses and usage data as part of infrastructure services. Cloudflare Privacy Policy
• Google Fonts: We load web fonts from Google Fonts CDN, which may involve transmission of your IP address to Google servers. Google Privacy Policy
• Amazon (SP-API): We interact with Amazon's SP-API platform on behalf of clients. Amazon processes data in accordance with their own policies.

7.2 Professional Advisors

We may share information with lawyers, accountants, or insurers where necessary for professional advice or legal proceedings.

7.3 Legal Requirements

We may disclose personal data where required by law, court order, or governmental authority, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.

8. International Data Transfers

Marketa is based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home country.

We implement appropriate safeguards for such transfers, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission, where applicable
• UK International Data Transfer Agreements (IDTAs) for transfers from the UK
• Ensuring our service providers participate in recognized cross-border transfer frameworks where available

You may request a copy of the relevant safeguards by contacting us at hello@withmarketa.com.

9. Data Retention

We retain personal data only as long as necessary for the purposes set out in this policy, or as required by law:

• Contact form inquiries: Retained for up to 24 months from last contact, or until you request deletion
• Client account data: Retained for the duration of the contract plus 7 years for financial and legal compliance purposes
• Amazon SP-API data: Retained for the duration of the client engagement. Upon contract termination, SP-API data is deleted or de-identified within 30 days unless retention is required by applicable law
• Website usage data: Retained for up to 13 months in analytics systems
• Email communications: Retained for up to 3 years unless part of an ongoing client relationship

When data is no longer required, it is securely deleted or anonymized so that it can no longer be associated with you.

10. Your Rights — EU / EEA / UK (GDPR & UK GDPR)

If you are located in the EU, EEA, or UK, you have the following rights under the GDPR or UK GDPR:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") where we have no legal basis to continue processing it
• Right to Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing at any time
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority. In the EU, this is your national Data Protection Authority (DPA). In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk

To exercise any of these rights, contact us at hello@withmarketa.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

11. Your Rights — California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and third parties with whom we share it
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond what is necessary to provide our services
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of Personal Information Collected (Last 12 Months)

• Identifiers (name, email address, IP address)
• Commercial information (client service history)
• Internet or network activity (website usage data)
• Professional or employment-related information (brand name, business role)

We Do Not Sell Personal Information

Marketa does not sell personal information as defined under the CCPA/CPRA, and has not done so in the preceding 12 months.

To submit a verifiable consumer request, contact us at hello@withmarketa.com with the subject line "CCPA Data Request." We will respond within 45 days of a verifiable request (extendable by a further 45 days with notice).

12. Your Rights — Other US States

Residents of the following states have similar privacy rights under applicable state law:

• Virginia (VCDPA) — Rights to access, correct, delete, portability, and opt-out of targeted advertising and sale of personal data
• Colorado (CPA) — Rights to access, correction, deletion, portability, and opt-out of profiling and targeted advertising
• Connecticut (CTDPA) — Rights to access, correction, deletion, portability, and opt-out of targeted advertising
• Texas, Oregon, Montana, and other states with enacted consumer privacy laws — equivalent access, correction, and deletion rights as specified under applicable state law

To exercise any state privacy right, email hello@withmarketa.com with your state and the right you wish to exercise. We will respond within the timeframe required by applicable law.

13. Cookies & Tracking Technologies

Our website uses minimal tracking technologies. Specifically:

• No advertising cookies — we do not use cookies for behavioral advertising or retargeting
• No third-party analytics tracking pixels — we do not currently use Google Analytics, Meta Pixel, or similar third-party tracking scripts
• Google Fonts: Loading fonts via Google's CDN may result in your IP address being sent to Google. You can self-host fonts to avoid this; contact us if you have concerns
• Cloudflare: Our hosting provider may set functional cookies for security and performance purposes (e.g., bot detection). These are strictly necessary and do not require consent

If we introduce any new tracking technologies in the future, this policy will be updated and, where required by law, we will obtain your consent before deploying them.

14. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:

• TLS/SSL encryption for all data transmitted to and from our website
• Encryption at rest for stored client and SP-API data
• Access controls limiting data access to authorized personnel only
• Regular review of data handling practices and vendor security assessments

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect personal data, we cannot guarantee absolute security. If you suspect a security incident, please notify us immediately at hello@withmarketa.com.

15. Children's Privacy

Our website and services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we have collected data from a minor, please contact us at hello@withmarketa.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last Updated" date at the top of this page.

We encourage you to review this page periodically. Your continued use of our website or services after any changes constitutes acceptance of the updated policy. Where required by law, we will provide more prominent notice of material changes (e.g., email notification to active clients).

17. Contact & Data Requests

For any privacy-related questions, requests, or complaints — including requests to exercise your rights under GDPR, CCPA, or any other applicable law — please contact us: