Plain-English Overview
Marketa ("we," "us," or "our") is a CPG growth agency. We manage marketing programs across Amazon, retail media networks, DTC channels, and social platforms on behalf of our clients. This policy explains what personal data we collect, why we collect it, who we share it with, and what choices you have.
Who We Are
Marketa is a growth agency specializing in consumer packaged goods (CPG) brands. We provide services including Amazon account management, retail media, DTC growth, paid social, email marketing, and content strategy.
Data Controller (website & business operations): Marketa
Website: withmarketa.com
Contact: privacy@withmarketa.com
For data processed on behalf of clients, Marketa acts as a data processor. The applicable client is the data controller and their privacy policy governs end-consumer rights.
Data We Collect
A. Website Visitors
When you visit withmarketa.com, we may automatically collect:
| Data Type | Examples | Method | Purpose |
|---|---|---|---|
| Device & Browser | Browser type, OS, screen size | Automatic | Analytics, site compatibility |
| Usage Data | Pages visited, time on page, scroll depth, clicks | Cookies / JS | Site improvement, UX optimization |
| IP Address | Approximate geographic location | Automatic | Security, analytics |
| Referral Source | URL of referring website | Automatic | Marketing attribution |
| UTM Parameters | Campaign, source, medium tags in URL | Query string | Campaign performance tracking |
B. Prospects & Business Contacts
When you fill out a contact form, book a call, or reach out by email:
- Name and professional title
- Email address and phone number
- Company name and website
- Information you voluntarily share about your brand or business needs
- Communication history (emails, notes from calls)
C. Client Brand & Business Data
When we onboard a client and access their platforms, we may process:
- Amazon Seller Central / Vendor Central account data (sales, advertising, inventory, product catalog)
- Shopify store analytics, order data, and customer segments (no individual consumer PII unless explicitly scoped)
- Retail media network data (Walmart Connect, Kroger Precision Marketing, Instacart Ads)
- Meta Business Manager data (ad account performance, pixel events, Custom Audiences)
- Google Ads and Google Analytics data
- Klaviyo account data (email/SMS list metrics, campaign performance, flow data)
- TikTok Ads Manager data
- Financial and trade spend data as provided by the client
D. Data We Do NOT Collect
- Sensitive personal information (Social Security numbers, financial account numbers, health data)
- Biometric data
- Data from children under 13 (see Children's Privacy section)
- Individual consumer PII from client retail platforms unless explicitly contracted and necessary
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to inquiries | Name, email, company, inquiry details | Legitimate Interest |
| Delivering client services | Platform access credentials, account data | Contract |
| Running ad campaigns | Ad account data, audience data, pixel events | Contract |
| Reporting & analytics | Aggregated campaign and sales data | Contract |
| Website analytics | Usage data, device data, IP address | Consent / Legit. Interest |
| Marketing to prospects | Business email, company context | Legitimate Interest |
| Security & fraud prevention | IP address, access logs | Legitimate Interest |
| Legal compliance | As required by applicable law | Legal Obligation |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you without human review.
Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions requiring a lawful basis for processing, we rely on:
- Contract performance: Processing necessary to fulfill our service agreements with clients
- Legitimate interests: Business operations, website analytics, responding to inquiries, security — where these interests are not overridden by your rights
- Legal obligation: Where required by applicable law or regulation
- Consent: For non-essential cookies and certain direct marketing communications (you may withdraw consent at any time)
Third-Party Services & Platform Integrations
Marketa works within a broad ecosystem of marketing and advertising platforms on behalf of our clients. Below we describe each major platform, what data flows through it, and how it is governed.
Amazon & Amazon Web Services (AWS)
- Amazon Advertising API: We use the Amazon Ads API to retrieve campaign performance data, automate bid adjustments, and generate reports. All API usage complies with Amazon Advertising API License Agreement.
- Amazon DSP: Where clients run Demand Side Platform campaigns, we access DSP audience data, impression data, and purchase attribution. Amazon's DSP data policies restrict how this data may be used or transferred.
- Amazon Attribution: We may use Amazon Attribution tags to measure the impact of off-Amazon channels. This involves placing tracking links that report purchase behavior back to Amazon's systems.
- Amazon Marketing Cloud (AMC): Where applicable, we may access AMC for advanced audience analysis using Amazon's clean room environment. AMC data is accessed only in aggregate and in compliance with Amazon's AMC Terms of Service.
- AWS Infrastructure: Marketa may use Amazon Web Services infrastructure for internal tools, data storage, and reporting pipelines. Data stored on AWS is governed by our AWS Data Processing Agreement and stored in compliance with applicable data protection laws.
Amazon's Privacy Policy: amazon.com/privacy
Meta (Facebook & Instagram)
- Meta Business Manager / Ads Manager: We manage client advertising accounts via Meta's Business API. We access ad account performance data, creative assets, and audience data.
- Meta Pixel & Conversions API: Client websites may implement the Meta Pixel and/or Conversions API (CAPI) to track website events (page views, add-to-cart, purchases). This data is sent to Meta and used for ad targeting, optimization, and attribution. Users can opt out of Meta tracking via their Off-Facebook Activity settings.
- Custom Audiences: We may upload hashed customer data (email addresses) on behalf of clients to create Custom Audiences in Meta. Data is hashed (SHA-256) before transmission. This is governed by Meta's Custom Audience Terms.
- Data Use Restrictions: We do not use Meta platform data to build profiles for use outside of Meta's systems, and we comply with Meta's Platform Terms and Data Use Policy.
Meta's Privacy Policy: facebook.com/privacy/policy
Google Services
- Google Ads: We manage client Google Ads accounts (Search, Shopping, Performance Max, YouTube) via the Google Ads API. We access campaign performance, conversion, and audience data.
- Google Analytics (GA4): Where clients use Google Analytics, we may be granted access to analyze website traffic, conversion funnels, and attribution. GA4 data is subject to Google's data retention settings, which we configure in compliance with applicable law.
- Google Tag Manager: We may deploy tracking tags via GTM on client websites. All tags implemented comply with the client's consent management setup.
- Google Customer Match: We may upload hashed customer data for targeting purposes in compliance with Google's Customer Match policy. Data is hashed before upload.
- Google Cloud: We may use Google Cloud Platform for internal data processing and reporting, governed by our GCP Data Processing Agreement.
Google's Privacy Policy: policies.google.com/privacy
Klaviyo
- Email & SMS Marketing: We manage client Klaviyo accounts to build, send, and optimize email and SMS campaigns. This involves accessing subscriber lists, behavioral data (email opens, clicks, purchases), and flow logic.
- Data Residency: Klaviyo stores subscriber data on US-based servers. For clients with EU subscribers, we implement appropriate transfer mechanisms as required by GDPR.
- Opt-Out Compliance: All email communications include unsubscribe mechanisms. SMS campaigns include STOP keyword functionality. We ensure client lists are collected with proper consent and that suppression lists are maintained.
- Klaviyo AI Features: Where applicable, we may utilize Klaviyo's AI-powered send time optimization and predictive analytics features. These process subscriber behavioral data within Klaviyo's platform per their data processing agreement.
Klaviyo's Privacy Policy: klaviyo.com/legal/privacy-notice
TikTok
- TikTok Ads Manager: We manage client TikTok advertising accounts via TikTok's Business API. We access ad performance data, audience data, and creative performance metrics.
- TikTok Pixel & Events API: We may implement TikTok's Pixel or Events API on client websites to track conversions and optimize ad delivery. This data is governed by TikTok's data processing terms.
- TikTok Shop: Where clients operate TikTok Shop, we access product catalog, order, and affiliate data as necessary to manage the shop and affiliated creator programs.
TikTok's Privacy Policy: tiktok.com/legal/privacy-policy
Other Platforms & Tools
Cookies & Tracking Technologies
The withmarketa.com website uses cookies and similar technologies to analyze traffic and improve user experience.
| Cookie Type | Purpose | Opt-Out |
|---|---|---|
| Essential / Functional | Required for core website functionality. Cannot be disabled without breaking the site. | Required |
| Analytics | Understand how visitors use the site (e.g., Google Analytics, similar tools). Helps us improve content and UX. | Optional |
| Marketing / Retargeting | Track conversions and enable retargeting advertising (e.g., Meta Pixel, Google Ads tag). | Optional |
| Preference | Remember your settings and preferences across sessions. | Optional |
How to Manage Cookies
- Browser settings: Most browsers allow you to block or delete cookies via settings. Note that blocking all cookies may affect site functionality.
- Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on
- Meta opt-out: Manage via Off-Facebook Activity settings
- Industry opt-outs: Visit aboutads.info or networkadvertising.org
- Do Not Track: We honor browser-level Do Not Track signals for analytics cookies.
Data Sharing & Disclosure
Who We Share Data With
- Platform providers: When we operate campaigns, data flows through the relevant platforms (Amazon, Meta, Google, TikTok, Klaviyo, etc.) as described in the Third-Party Services section above. These platforms act as independent data controllers for their own data practices.
- Service providers: We use a limited number of trusted vendors for infrastructure (e.g., AWS, Google Cloud), communication (Slack), and business operations (CRM, accounting). These vendors are contractually bound to process data only as directed.
- Clients: Performance data and reports prepared for clients are shared back with the respective client. We do not share one client's data with another client.
- Professional advisors: Legal, accounting, and compliance advisors under confidentiality obligations.
We Do NOT:
- Sell personal data to third parties
- Share personal data with data brokers
- Use client data for cross-client targeting or analysis
- Share data with advertisers other than as part of contracted campaign execution
Legal Disclosures
We may disclose personal data if required by law, regulation, court order, or to protect the rights, property, or safety of Marketa, our clients, or others. We will notify affected parties where legally permitted to do so.
Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you by email or a prominent notice on our website of any such change in ownership, and your data will remain subject to this policy unless otherwise notified.
Data Security
Marketa takes data security seriously. We implement technical and organizational measures appropriate to the sensitivity of the data we process:
- Access controls: Platform credentials and client data are stored in dedicated, access-controlled systems. Access is granted on a need-to-know basis using role-based permissions.
- Encryption in transit: All data transmitted between our systems and third-party platforms uses TLS 1.2+ encryption.
- Encryption at rest: Sensitive data stored in our systems is encrypted at rest.
- Multi-factor authentication (MFA): Required for all team member access to client platform accounts and internal systems.
- Least privilege principle: We request only the API permissions and account access levels necessary to perform our services.
- Regular credential rotation: API keys and access tokens are rotated regularly and revoked immediately upon contract termination.
- Vendor security review: Third-party vendors are reviewed for security practices before onboarding.
- Incident response: We maintain an incident response plan. In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, as required by applicable law.
Data Retention
We retain data only as long as necessary for the purposes described in this policy or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Prospect inquiry data | 3 years from last contact | Business development, legal disputes |
| Client contract & service records | 7 years post-contract | Legal, regulatory, tax requirements |
| Campaign performance reports | Duration of contract + 2 years | Service delivery, dispute resolution |
| Platform API access logs | 90 days | Security monitoring |
| Website analytics data | 26 months (GA4 default) | Trend analysis, site improvement |
| Email communications | 3 years | Reference, dispute resolution |
Upon contract termination, we will securely delete or return client data within 30 days of written request, unless retention is required by law.
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
To exercise any of these rights, contact us at privacy@withmarketa.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
California Residents — CCPA / CPRA
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom it was shared.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: Marketa does not sell personal information. We do not share personal information for cross-context behavioral advertising on our own website. Where we manage client campaigns that involve data sharing with ad platforms, this is conducted under data processing agreements, not as a "sale."
- Right to Limit Use of Sensitive Personal Information: We do not collect or process sensitive personal information as defined by CPRA.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a CCPA/CPRA request: privacy@withmarketa.com | Subject line: "California Privacy Request"
You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.
EU / UK Residents — GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) applies to our processing of your personal data.
- You have all rights listed above under "Your Privacy Rights."
- You have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- You have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).
- Where we transfer your personal data outside the EEA/UK, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs).
To contact us regarding GDPR rights: privacy@withmarketa.com | Subject line: "GDPR Request"
Children's Privacy
Our website and services are directed to business professionals and are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.
If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@withmarketa.com and we will promptly delete such information.
For clients whose brands market products to families or children, we will discuss appropriate data handling protocols as part of the engagement onboarding process to ensure compliance with COPPA and any applicable state laws.
International Data Transfers
Marketa is based in the United States. If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
When we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): For transfers from the EEA to countries without an adequacy decision
- UK International Data Transfer Agreements (IDTAs): For transfers from the UK
- EU-U.S. Data Privacy Framework: Where applicable service providers are certified
- Adequacy Decisions: Where the European Commission has recognized a jurisdiction as providing adequate protection
Our key platform partners (Amazon, Google, Meta, Klaviyo, TikTok) have their own international transfer mechanisms as described in their respective privacy policies.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify active clients via email at least 14 days before changes take effect
- Post a notice on our website homepage for a minimum of 30 days following a material update
Your continued use of our website or services after changes take effect constitutes your acceptance of the updated policy. If you disagree with any changes, please discontinue use and contact us to discuss your options.
Previous versions of this policy are available upon request by emailing privacy@withmarketa.com.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please reach out:
withmarketa.com
United States
For clients with active service agreements, privacy and data concerns related to your engagement should be directed to your account manager in the first instance.