Privacy Policy
This Privacy Policy informs you about how we process personal data when you use our website and our SaaS product Marginly, in accordance with Art. 13 of the General Data Protection Regulation (GDPR).
1. Controller
The controller responsible for data processing within the meaning of Art. 4 No. 7 GDPR is:
The Marketplace Guys UG (haftungsbeschränkt)Ritterstraße 8
33602 Bielefeld
Deutschland / Germany
Managing Directors: Alexander Schnelle, Bhavesh Tailor
Email: hello@themarketplaceguys.com
2. Data Protection Officer
We have appointed an internal Data Protection Officer (DPO). You can reach the DPO at:
Email: dpo@themarketplaceguys.com
Postal address: The Marketplace Guys UG (haftungsbeschränkt), attn. Data Protection Officer, Ritterstraße 8, 33602 Bielefeld, Germany
3. General Notes and Legal Bases
We process personal data exclusively on the basis of one of the following legal grounds:
- Art. 6 (1) (a) GDPR — consent of the data subject (e.g., newsletter signup).
- Art. 6 (1) (b) GDPR — performance of a contract or pre-contractual measures (provision of the SaaS tool, billing).
- Art. 6 (1) (c) GDPR — compliance with legal obligations (e.g., retention periods under § 257 of the German Commercial Code (HGB) and § 147 of the German Fiscal Code (AO)).
- Art. 6 (1) (f) GDPR — legitimate interests (IT security, audience measurement, abuse prevention).
4. Hosting
Our website and our SaaS tool are hosted on the infrastructure of Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel operates edge nodes worldwide, including in the EU. Personal data is transferred to the USA; the legal bases are the EU Standard Contractual Clauses (SCCs) under Implementing Decision (EU) 2021/914 and the EU-US Data Privacy Framework. A data processing agreement under Art. 28 GDPR is in place with Vercel (Vercel Data Processing Addendum).
5. Data Collected and Purposes of Processing
5.1 Visiting the Website (Server Logs)
When you access our website, our hosting provider records technically necessary data in so-called server log files:
- anonymized IP address of the requesting device,
- date and time of access,
- requested resource (URL),
- HTTP status code, amount of data transferred,
- referrer URL, user agent (browser, operating system).
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in trouble-free operation and IT security). Retention period: maximum 14 days.
5.2 Registration and Use of the SaaS Tool
As part of registration and contract handling, we process:
- first and last name,
- business email address,
- company name, billing address, VAT ID,
- OTTO Market installation IDs to connect your OTTO merchant account,
- communication history with our support team.
Authentication data — currently via magic link (email + time-limited token) — is stored only as long as required for sign-in. Full password-based sign-in is in preparation; this policy will be updated before activation.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
5.3 Payments (Planned)
Once enabled, payments will be processed through Stripe Payments Europe Ltd. Payment data (e.g., name, credit card number, IBAN) is transmitted directly to Stripe; we do not store complete payment data ourselves. Stripe's privacy terms apply. A data processing agreement under Art. 28 GDPR is or will be in place with Stripe. Legal basis: Art. 6 (1) (b) GDPR.
5.4 Use of the OTTO API
A core feature of Marginly is the synchronization of data from the OTTO Market API (api.otto.market) into our database. On behalf of the customer, we process in particular:
- OTTO product data (article numbers, titles, prices, inventory),
- order data (order numbers, line items, status, shipping data),
- ad campaign data (campaign structure, keywords, metrics),
- aggregated performance and statistical data.
Where OTTO order data contains personal data of the customer's end customers, we process it exclusively on behalf of the customer in the role of processor under Art. 28 GDPR. The data processing agreement (DPA) is part of our Terms of Service and is provided on request.
6. Processors and Third-Party Providers
We use carefully selected service providers with whom — where required — we have concluded data processing agreements under Art. 28 GDPR:
| Provider | Purpose | Location / Data Region | Safeguard for International Transfers |
|---|---|---|---|
| Vercel Inc. | Hosting, CDN, edge functions | USA (with EU edge nodes) | EU Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework |
| Stripe Payments Europe Ltd. (planned) | Subscription payment processing | Ireland (EU) | Processing within the EU |
| Resend Ltd. | Transactional emails, newsletter | United Kingdom (processing within the EU) | UK adequacy decision (Decision (EU) 2021/1772) |
| OTTO GmbH & Co KG | API data processing on behalf of the customer | Germany | Processing within the EU |
| Plausible Insights OÜ | Cookieless web analytics | Estonia / Germany (EU) | Processing within the EU |
| Anthropic PBC | AI-assisted anomaly explanations and AI help chatbot. We transmit campaign names, aggregated performance metrics, search terms, and bid values. No personal data of end customers. Retention at Anthropic: 7 days default; Zero Data Retention (ZDR) has been requested. | USA (San Francisco, CA) | EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses. A DPA under Art. 28 GDPR is included in the Anthropic Commercial Terms from 2026-01-01. |
7. Cookies
We use only strictly necessary cookies. No consent is required for these (§ 25 (2) No. 2 TTDSG — the German Telecommunications and Telemedia Data Protection Act). Legal basis: Art. 6 (1) (f) GDPR or, when logged in, Art. 6 (1) (b) GDPR.
| Cookie | Purpose | Retention |
|---|---|---|
| otto_active_account | Dashboard — required cookie to identify the active tenant (httpOnly + Secure) | 30 days |
| otto_trial_email | Marketing site, optional — stores the email entered in the signup form for UX convenience | 30 days |
| otto_oauth_state | OAuth CSRF protection for the OTTO Connect flow (short-lived) | < 15 minutes |
| otto_oauth_account | Links the OAuth response to the active tenant (short-lived) | < 15 minutes |
Beyond the strictly necessary cookies listed above, we load tracking tools (Google Analytics 4, Google Ads, Meta Pixel) only after you actively consent in our cookie banner. Audience measurement also runs cookie-free via Plausible.
7a. Consent Management (Cookie Banner)
On your first visit, we show a cookie banner that explicitly asks for your consent to non-essential cookies and tracking tools. No consent-required tracker is loaded without your active selection. The buttons "Accept all", "Reject all", and "Customize" are designed with equal visual prominence (no dark patterns). You can change or fully withdraw your choice at any time via the "Cookie settings" link in the footer.
We store your decision in a first-party cookie and in your browser's localStorage (key: marginly-consent-v1; retention: 180 days). After expiry or after withdrawal, the banner reappears. Legal basis for storing the consent record itself: Art. 6 (1) (c) GDPR in conjunction with Art. 7 (1) GDPR (obligation to demonstrate consent).
7b. Google Analytics 4
If you consent to the "Analytics" category in the cookie banner, we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. GA4 uses cookies (including _ga, _ga_*) to create pseudonymous usage profiles to help us improve the site. IP addresses are truncated via the "anonymize_ip" parameter.
Data is transferred to the United States. The legal bases for the transfer are the EU Standard Contractual Clauses (Decision (EU) 2021/914) and the EU-US Data Privacy Framework (DPF) — Google LLC is DPF-certified. GA4 cookie retention: up to 24 months. Legal basis for processing: Art. 6 (1) (a) GDPR (consent). You can withdraw consent at any time via the cookie settings.
7c. Google Ads Conversion Tracking
If you consent to the "Marketing" category in the cookie banner, we use Google Ads conversion tracking, a service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. When you click one of our Google ads, a cookie (e.g., _gcl_au) is stored on your device. This cookie helps us measure whether clicks on our ads lead to signups or conversions.
The data is transferred to Google servers in the United States. The legal bases for the transfer are the EU Standard Contractual Clauses and the EU-US Data Privacy Framework (DPF). _gcl_au cookie retention: 90 days. Legal basis for processing: Art. 6 (1) (a) GDPR (consent). You can withdraw consent at any time via the cookie settings.
7d. Meta Pixel (Facebook/Instagram)
If you consent to the "Marketing" category in the cookie banner, we use the Meta Pixel, a service provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The pixel sets cookies (e.g., _fbp) and transmits your IP address, browser information, and the pages you visit to Meta. We use the pixel to measure conversions from Facebook and Instagram ads and to show you more relevant content (retargeting).
Meta also processes data in the United States. The legal bases for the transfer are the EU Standard Contractual Clauses and the EU-US Data Privacy Framework (DPF) — Meta Platforms Inc. is DPF-certified. _fbp cookie retention: 90 days. Note: a joint-controller arrangement under Art. 26 GDPR is in place with Meta. Legal basis for processing: Art. 6 (1) (a) GDPR (consent). You can withdraw consent at any time via the cookie settings.
8. Newsletter
If you subscribe to our newsletter, we use the double opt-in procedure: after you enter your email address, we send you a confirmation email via our delivery provider Resend Ltd. You only receive further newsletters after clicking the confirmation link. We log signup and confirmation (timestamp, IP address) for evidence purposes.
You can unsubscribe at any time without giving reasons, either via the unsubscribe link in every newsletter or by emailing hello@themarketplaceguys.com. Legal basis: Art. 6 (1) (a) GDPR (consent), § 7 (2) No. 3 of the German Act Against Unfair Competition (UWG).
9. Retention Periods
We retain personal data only for as long as necessary for the respective purposes:
- Contract data: for the duration of the contractual relationship; after termination, until expiry of statutory retention periods (typically 10 years for invoices and accounting documents under § 257 HGB and § 147 AO).
- Server log files: maximum 14 days.
- Newsletter signup data: until consent is withdrawn.
- OTTO order data (processor role): according to customer instructions; otherwise deleted after end of contract.
10. Rights of Data Subjects
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) – information about the personal data we process about you.
- Right to rectification (Art. 16 GDPR) – correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) – the "right to be forgotten".
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR) – delivery in a commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) – against processing based on legitimate interests, in particular for direct marketing.
- Right to withdraw consent (Art. 7 (3) GDPR) – with effect for the future.
- Right not to be subject to a solely automated decision (Art. 22 GDPR)
To exercise your rights, please contact dpo@themarketplaceguys.com.
11. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia(LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
12. Right to Amend
We reserve the right to update this Privacy Policy to ensure it always meets current legal requirements or to reflect changes to our services, e.g., when introducing new features. The updated Privacy Policy will then apply to your next visit.
Last updated: 2026-05-10