Privacy Policy

Last updated: February 2026

This policy is a starting template and should be reviewed by legal counsel before launch. It does not constitute legal advice.

1. Introduction

This Privacy Policy explains how MRKT Mesh, operated by Maison MRKT LLC (“we,” “us,” or “our”), collects, uses, and protects information when you use our server-side conversion tracking platform.

2. Information We Collect

a. Account Information (from you directly)

  • Name and email address
  • Password (stored as a cryptographic hash — we never store plaintext passwords)
  • Organization name
  • Billing information (processed by Shopify — we do not store payment details)

b. Store Data (from your Shopify store via API)

  • Order information (order ID, line items, totals)
  • Customer information (hashed email, hashed phone — we never store raw PII)
  • Product information (names, prices, categories)
  • Traffic attribution data (UTM parameters, referrer, landing page)

c. Storefront Visitor Data (from our data layer script)

  • Page URLs visited on your store
  • Products viewed and cart actions
  • Browser identifiers (first-party cookie ID, user agent)
  • Click IDs from ad platforms (fbclid, gclid, ttclid)
  • IP address (used for geolocation, not stored long-term)

d. Usage Data (from your use of our dashboard)

  • Pages visited within the MRKT Mesh dashboard
  • Feature usage patterns

3. How We Use Information

  • To provide the conversion tracking and event delivery service
  • To enrich events with identity and attribution data
  • To deliver events to your configured marketing destinations
  • To monitor delivery accuracy and system health
  • To send service-related communications (not marketing)
  • To improve the platform

4. Data Processing on Your Behalf

  • We act as a data processor for your store’s customer data. You are the data controller.
  • We process data only as instructed by your configuration.
  • We deliver data only to destinations you explicitly configure and enable.
  • We do not combine your data with other customers’ data.

5. Data Sharing

  • We share data only with destinations you configure (Meta, Google, Klaviyo, etc.).
  • Billing is processed through the Shopify platform (Shopify’s privacy policy applies to payment processing).
  • We use Google Cloud Platform for hosting (GCP Data Processing Addendum applies).
  • We do not sell data. Ever.
  • We may disclose data if required by law or valid legal process.

6. Data Security

  • API credentials and destination configs are encrypted at rest using AES-256.
  • Personally identifiable information is hashed with SHA-256 before storage.
  • All data is transmitted over HTTPS/TLS.
  • Database access is restricted and audited.
  • We conduct regular security assessments.

7. Data Retention

  • Event data: 90 days in the primary database, then archived in data warehouse.
  • Account data: retained while your account is active.
  • After account deletion: all data deleted within 30 days.
  • Backups purged within 60 days of deletion.

8. Your Rights

  • Access: Export your data anytime via the dashboard or API.
  • Correction: Update your account information in settings.
  • Deletion: Request account and data deletion via support.
  • Portability: Export data in standard formats (CSV, JSON).
  • Objection: Contact us to discuss data processing concerns.
  • For EU users: rights under GDPR apply.
  • For California users: rights under CCPA apply.

9. Cookies

  • Our dashboard uses session cookies for authentication.
  • Our data layer script sets a first-party cookie (_mrkt_uid) on your store’s domain to identify returning visitors for attribution.
  • This is a first-party cookie, not a third-party tracking cookie.

10. International Transfers

Data is processed in the United States on Google Cloud Platform infrastructure. For EU data subjects, standard contractual clauses apply as part of the GCP Data Processing Addendum.

11. Children’s Privacy

The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page with an updated date. Material changes will be communicated via email.

13. Contact

For privacy-related questions, contact us at privacy@mrktmesh.com.

Maison MRKT LLC