Privacy Policy

Effective Date: November 11, 2025
Last Updated: November 11, 2025

I. Introduction and Data Controller Information

eBerce d.o.o. (registration number: 5787882000, VAT ID: SI90207777), with its registered office at Dunajska cesta 106, Ljubljana, 1000 Ljubljana, Slovenia (hereinafter referred to as "we," "us," "our," or "Market Mana"), operates Market Mana, an artificial intelligence-powered marketing calendar application for Shopify merchants.

Market Mana is designed to help e-commerce businesses streamline their marketing planning through intelligent campaign suggestions, automated calendar generation, and data-driven insights. Our application analyzes your Shopify store data—including product catalogs, historical sales patterns, and inventory levels—to generate personalized marketing campaign recommendations that align with your brand voice and business objectives.

We collect and process personal data in our capacity as a data controller in accordance with applicable data protection regulations, including:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The UK General Data Protection Regulation ("UK GDPR")
  • The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA")
  • Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA")
  • Other applicable regional and national privacy laws

This Privacy Policy describes how we collect, use, share, and protect your information when you install and use Market Mana through the Shopify platform.


    II. How to Contact Us

    If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:
    Primary Contact: Email: info@marketmana.io
    Company Address: eBerce d.o.o., Dunajska cesta 106, Ljubljana, 1000 Ljubljana, Slovenia
    For Data Protection Inquiries:
    For matters specifically related to GDPR or other data protection regulations, you may contact us at: info@marketmana.io
    We aim to respond to all privacy-related inquiries within 30 days of receipt, in accordance with applicable legal requirements.

    III. Information We Collect

    We collect several categories of information to provide and improve Market Mana's services. The data we collect falls into three primary categories:

    A. Information from Shopify

    When you install Market Mana on your Shopify store, we access and collect the following data through the Shopify API:

    Store Information:
  • Store name and domain (e.g., yourstore.myshopify.com)
  • Store owner name and email address
  • Store country, currency, and timezone
  • Store language preferences
  • Shopify plan and subscription status

    Product Data:
  • Product titles, descriptions, and types
  • Product prices and SKUs
  • Inventory levels and availability
  • Product images (URLs only)
  • Product creation and update timestamps
  • Product variants and options

    Order and Sales Data (Aggregated):
  • Order dates and timestamps
  • Product IDs associated with orders
  • Order quantities and revenue amounts
  • Discount usage (codes and amounts)
  • Currency information
  • Order status and fulfillment state

    Important Note on Customer Data: We do NOT collect or store individual customer personal information such as customer names, email addresses, shipping addresses, phone numbers, or payment information. Our sales data processing is limited to aggregated analytics (e.g., "Product X sold Y units on Date Z") without any personally identifiable customer information.

    Discount Information:
  • Existing discount codes in your store
  • Discount performance metrics
  • Discount configurations

    B. Information You Provide Directly

    Onboarding and Configuration Data:
  • Brand voice preferences and tone selections
  • Target audience descriptions
  • Campaign preferences (channels, frequencies, discount strategies)
  • Custom instructions for AI campaign generation
  • Industry category and business type
  • Marketing goals and objectives

    Campaign Management Data:
  • Custom campaigns you create manually
  • Edits and modifications to AI-generated campaigns
  • Campaign approval and rejection decisions
  • Feedback on campaign suggestions

    Account Settings:
  • Communication preferences
  • Notification settings
  • Calendar sharing configurations
  • Subscription plan selections

    C. Automatically Collected Information

    Usage Data:
  • Features and functionalities you access within Market Mana
  • Time spent using various features
  • Frequency of calendar generation requests
  • Campaign approval and rejection patterns
  • Navigation patterns within the application

    Technical and Device Information:
  • Browser type and version
  • Operating system
  • IP address (anonymized for analytics)
  • Device identifiers
  • Access times and session duration
  • Referring URLs

    Application Performance Data:
  • Error logs and crash reports (anonymized)
  • API response times
  • System performance metrics
  • Feature usage statistics

    Cookies and Similar Technologies:
  • Essential session cookies for authentication
  • Functional cookies for user preferences
  • Analytics cookies (with consent, when implemented)

    IV. Legal Basis and Purposes for Processing

    Under GDPR Article 6, we process your personal data based on the following legal grounds:

    A. Performance of a Contract (Art. 6(1)(b) GDPR)

    We process your data to deliver the Market Mana service you've subscribed to, including:
  • Generating AI-powered marketing campaign suggestions based on your store data
  • Creating and managing your marketing calendar
  • Automating discount code creation in your Shopify store
  • Providing customer support and technical assistance
  • Processing account authentication and session management
  • Enabling calendar sharing functionality (when activated)

    B. Compliance with Legal Obligations (Art. 6(1)(c) GDPR)

    We process certain data to fulfill our legal obligations, including:
  • Maintaining accounting records for tax purposes under Slovenian law
  • Retaining financial transaction records as required by law
  • Responding to valid legal requests from authorities
  • Complying with Shopify's Partner Program requirements
  • Fulfilling GDPR data subject request obligations

    C. Legitimate Interests (Art. 6(1)(f) GDPR)

    We process data based on our legitimate business interests, which include:
  • Improving and optimizing the Market Mana application
  • Analyzing usage patterns to enhance AI recommendation quality
  • Detecting and preventing fraud, abuse, and security threats
  • Conducting internal analytics to understand feature adoption
  • Developing new features and capabilities
  • Ensuring system security and integrity
  • Protecting our legal rights and interests

    We have assessed that these legitimate interests are not overridden by your fundamental rights and freedoms.

    D. Consent (Art. 6(1)(a) GDPR)

    For certain optional features and processing activities, we rely on your explicit consent:
  • Sending marketing communications about Market Mana updates
  • Using analytics tools (Google Analytics or Posthog, when implemented)
  • Sharing anonymized usage data for research purposes
  • Optional AI training improvements (you can opt out)

    You may withdraw your consent at any time through your account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.


    V. How We Use Your Information

    We use the collected information for the following specific purposes:

    Primary Service Delivery

    AI Campaign Generation:

    We send your store data (product information, sales patterns, brand voice preferences) to OpenAI's API to generate personalized marketing campaign suggestions. This processing is essential to Market Mana's core functionality.

    Calendar Creation and Management:

    We create, store, and display your marketing calendar, including both AI-generated and manually created campaigns.

    Discount Code Automation:

    When you approve campaigns, we automatically create discount codes in your Shopify store using the Shopify Admin API.

    Sales Analytics:

    We analyze your aggregated sales data to provide insights on campaign performance and identify trending products or slow-moving inventory.

    Service Improvement and Optimization

    AI Model Enhancement:

    We analyze usage patterns, approval/rejection decisions, and campaign edits to improve the quality and relevance of AI-generated suggestions. This analysis uses anonymized data and does not involve re-identifying individual users.

    Feature Development:

    Usage statistics help us understand which features are most valuable and where to focus development efforts.

    Performance Optimization:

    Technical data helps us identify and resolve performance issues, ensuring a smooth user experience.

    Communication and Support

    Service Notifications:

    We send essential communications about your account, including subscription status, trial expiration, and critical system updates.

    Customer Support:

    When you contact us for assistance, we use your information to diagnose issues and provide effective support.

    Educational Content:

    With your consent, we may send tips, best practices, and feature announcements to help you get more value from Market Mana.

    Security and Compliance

    Fraud Prevention:

    We monitor for suspicious activity and potential abuse of the service.

    Security Monitoring:

    We log authentication attempts and access patterns to detect and prevent unauthorized access.

    Legal Compliance:

    We process data as necessary to comply with legal obligations, respond to legal requests, and enforce our Terms of Service.

    VI. Data Sharing and Third-Party Service Providers

    We share your data with carefully selected third-party service providers who assist in operating Market Mana. All third parties are contractually obligated to protect your data and use it only for the specified purposes.

    AI Service Provider

    OpenAI, L.L.C. (United States)
  • Purpose: AI-powered campaign generation
  • Data Shared: Product data (titles, descriptions, prices), aggregated sales data, brand voice preferences, custom instructions
  • Location: United States
  • Safeguards: OpenAI is contractually prohibited from using customer data to train their general-purpose models. Data is processed solely to generate your campaign suggestions.
  • Privacy Policy: https://openai.com/policies/privacy-policy

    Infrastructure and Hosting Providers

    Database Hosting (PostgreSQL)
  • Location: Frankfurt, Germany (EU)
  • Purpose: Secure storage of all application data
  • Data Stored: All user data, campaigns, settings, and aggregated sales information
  • Safeguards: Encryption at rest, access controls, regular security audits

    Application Servers
  • Location: Dallas, United States
  • Purpose: Hosting the Market Mana application
  • Data Processed: All application data during user sessions
  • Safeguards: TLS/SSL encryption, DDoS protection, monitoring

    Payment Processing

    Shopify Payments
  • Purpose: Processing subscription fees
  • Data Shared: Subscription plan selection, billing cycles
  • Note: We do NOT handle payment card information directly. All payment processing occurs through Shopify's secure infrastructure.

    Future Analytics Providers

    We plan to integrate analytics tools to better understand user behavior and improve our service:

    Posthog (To Be Implemented)
  • Purpose: Understanding feature usage, user flows, and application performance
  • Implementation: Will require explicit opt-in consent
  • Data: Anonymized usage patterns, aggregated feature adoption metrics
  • Privacy Approach: Open-source, privacy-focused analytics with full data control
  • Controls: You will be able to opt out entirely

    Legal and Compliance

    We may disclose your information to:
  • Law Enforcement: When required by valid legal process (subpoena, court order)
  • Regulatory Authorities: To comply with legal obligations
  • Legal Advisors: For obtaining legal advice regarding compliance and disputes
  • Acquirers: In the event of a business merger, acquisition, or sale (with notice)

    Data We Do NOT Share

  • We do NOT sell your personal information to third parties
  • We do NOT share your data with advertising networks
  • We do NOT provide your store data to competitors
  • We do NOT use your data for any purpose other than providing and improving Market Mana

    VII. International Data Transfers

    Market Mana involves data transfers between different jurisdictions:

    EU to United States Transfers

    Legal Mechanisms:
  • Standard Contractual Clauses (SCCs): We have implemented the European Commission's Standard Contractual Clauses with our US-based service providers (including OpenAI and our US application servers) to ensure adequate protection for data transferred outside the European Economic Area.
  • Supplementary Measures: In addition to SCCs, we implement technical and organizational safeguards recommended by the European Data Protection Board, including:
    - End-to-end encryption for data in transit
    - Encryption at rest for stored data
    - Strict access controls and authentication requirements
    - Regular security audits and penetration testing
    - Data minimization practices
  • Transfer Impact Assessments: We conduct ongoing assessments of the legal environment in destination countries to ensure that transferred data maintains an equivalent level of protection.

    EU-US Data Privacy Framework

    We monitor developments in international data transfer mechanisms and will participate in relevant frameworks (such as the EU-US Data Privacy Framework) as they become available and applicable to our operations.

    Data Subject Rights

    Regardless of where your data is processed, you retain all rights granted under GDPR, UK GDPR, and other applicable laws. International transfers do not diminish your ability to exercise these rights.

    UK Compliance

    For UK users, we comply with the UK GDPR and are in the process of appointing a UK representative as required under UK data protection law. UK users can exercise all their data protection rights by contacting us directly or through our UK representative once appointed (see Section XIX for details).


    VIII. Data Retention and Deletion

    Active Accounts

    We retain your data for as long as your Market Mana account remains active and you continue using our service. This includes:
  • Store configuration and settings
  • Campaign data (historical and current)
  • Usage analytics
  • Support correspondence

    Deleted Accounts and App Uninstallation

    Shopify App Uninstallation Process:
  • Immediate Action: When you uninstall Market Mana from your Shopify store, we immediately cease all access to your Shopify store data through the API.
  • 48-Hour Trigger: Shopify sends us a shop/redact webhook 48 hours after uninstallation, triggering our deletion process.
  • Complete Deletion: Upon receiving the shop/redact webhook, we permanently delete all your data, including:
    - Store information and settings
    - All campaigns (AI-generated and manual)
    - Brand voice preferences
    - Historical sales analytics
    - Usage data
    - Any cached data
  • Timeline: Data deletion is completed immediately upon webhook receipt, well within Shopify's required 30-day compliance window.
  • Irreversible: Once deleted, your data cannot be recovered. If you reinstall Market Mana later, you'll start with a fresh account.

    Legal Retention Requirements

    Certain data may be retained beyond account deletion when required by law:
  • Financial Records: Invoice data and payment records are retained for 10 years under Slovenian accounting and tax law
  • Legal Claims: Data necessary for the establishment, exercise, or defense of legal claims may be retained until the statute of limitations expires
  • Anonymized Analytics: Aggregated, anonymized usage statistics that cannot be linked back to you may be retained indefinitely for research and service improvement

    Data Subject Requests

    If you exercise your right to erasure ("right to be forgotten") under GDPR, we will delete your data following the same process as account deletion, subject to the legal retention requirements mentioned above.

    Backup Data

    Deleted data is purged from our regular backups within 90 days as backup cycles complete. During this period, backup data is stored securely and is not accessible for operational use.


    IX. Your Data Protection Rights

    Depending on your location, you have various rights regarding your personal data:

    GDPR Rights (EU/EEA and UK Residents)

    1. Right to Access (Art. 15 GDPR)

    You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data. You can request:
  • A copy of your personal data
  • Information about the purposes of processing
  • Categories of data being processed
  • Recipients of your data
  • Retention periods

    2. Right to Rectification (Art. 16 GDPR)

    You can request correction of inaccurate or incomplete personal data. Most store and configuration data can be updated directly within your Market Mana settings.

    3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

    You can request deletion of your personal data when:
  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (for consent-based processing)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required for compliance with a legal obligation

    4. Right to Restriction of Processing (Art. 18 GDPR)

    You can request that we limit how we use your data when:
  • You contest the accuracy of the data
  • Processing is unlawful, but you prefer restriction over deletion
  • We no longer need the data, but you need it for legal claims
  • You've objected to processing pending verification of our legitimate grounds

    5. Right to Data Portability (Art. 20 GDPR)

    You can receive your personal data in a structured, commonly used, machine-readable format (JSON) and transmit it to another service provider.

    6. Right to Object (Art. 21 GDPR)

    You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

    7. Right to Withdraw Consent

    Where processing is based on consent, you can withdraw it at any time. This doesn't affect the lawfulness of processing before withdrawal.

    8. Right to Lodge a Complaint

    You can file a complaint with a supervisory authority in your EU member state, particularly where you have your habitual residence, place of work, or place of the alleged infringement.

    For Slovenia: Information Commissioner (Informacijski pooblaščenec)
    Address: Dunajska cesta 22, 1000 Ljubljana, Slovenia
    Phone: +386 1 230 97 30
    Email: gp.ip@ip-rs.si
    Website: https://www.ip-rs.si/

    For UK: Information Commissioner's Office (ICO)
    Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
    Phone: +44 303 123 1113
    Website: https://ico.org.uk/

    UK Residents (UK GDPR Rights)

    UK residents have the same data protection rights under the UK GDPR as EU residents, including:
  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with the ICO

    To exercise these rights, contact us at info@marketmana.io with "UK GDPR Request" in the subject line. Once our UK representative is appointed, you may also contact them directly using the details provided in Section XIX.

    California Residents (CCPA Rights)

    1. Right to Know

    You can request information about:
  • Categories of personal information collected
  • Categories of sources from which data was collected
  • Business or commercial purposes for collection
  • Categories of third parties with whom we share data
  • Specific pieces of personal information we hold about you

    2. Right to Delete

    You can request deletion of your personal information, subject to certain exceptions (legal obligations, fraud prevention, internal uses reasonably aligned with expectations).

    3. Right to Opt-Out of Sale

    We do NOT sell your personal information. If our practices change, we will update this policy and provide an opt-out mechanism before selling any data.

    4. Right to Non-Discrimination

    We will not discriminate against you for exercising your CCPA rights, including by:
  • Denying goods or services
  • Charging different prices or rates
  • Providing a different level or quality of service
  • Suggesting you'll receive a different price or service level

    5. Authorized Agent

    You may designate an authorized agent to make CCPA requests on your behalf. We may require verification of the agent's authority.

    Canadian Residents (PIPEDA Rights)

    Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA):
  • Right to Access: Request access to your personal information
  • Right to Correction: Request correction of inaccurate information
  • Right to Withdraw Consent: Withdraw consent for certain processing (may affect service availability)
  • Right to Challenge Compliance: Challenge our compliance with PIPEDA
  • Right to File Complaint: File a complaint with the Office of the Privacy Commissioner of Canada

    How to Exercise Your Rights

    To exercise any of these rights, contact us at:
    Email: info@marketmana.io
    Required Information:
  • Your store URL (yourstore.myshopify.com)
  • Email address associated with your account
  • Specific right you wish to exercise
  • Any additional details to help us locate your information

    Response Timeline:
  • GDPR requests: Within 30 days (extendable to 60 days for complex requests)
  • CCPA requests: Within 45 days (extendable to 90 days with notice)
  • PIPEDA requests: Within 30 days

    Verification:

    We may request additional information to verify your identity before fulfilling requests, especially for access and deletion requests.

    No Fee:

    We do not charge a fee for processing requests unless they are manifestly unfounded, excessive, or repetitive.


    X. Shopify-Specific Provisions

    As a Shopify App, Market Mana operates within Shopify's ecosystem and complies with Shopify Partner Program requirements.

    Shopify API Scopes

    Market Mana requests the following Shopify API permissions:
  • read_products - To access your product catalog for campaign generation
  • read_orders / read_all_orders - To analyze sales patterns and performance (aggregated only, no customer PII)
  • write_discounts - To create discount codes when you approve campaigns
  • read_discounts - To review existing discount codes and avoid conflicts

    These are the minimum scopes necessary for Market Mana to function. We do NOT request access to customer data, payment information, or other sensitive information beyond what's necessary for our service.

    Shopify Webhooks

    Market Mana processes the following Shopify webhooks to maintain compliance and service functionality:

    Mandatory GDPR Compliance Webhooks:
  • shop/redact - Triggered 48 hours after app uninstallation. We use this to permanently delete all your data.
  • customers/data_request - Triggered when a customer requests their data. We respond confirming that we do not store individual customer PII.
  • customers/redact - Triggered when a customer requests data deletion. We respond confirming that we do not store individual customer PII.

    Operational Webhooks:
  • app/uninstalled - Notifies us when you uninstall Market Mana, triggering cleanup processes.
  • app_subscriptions/update - Manages your subscription plan changes and billing status.

    Compliance with Shopify Requirements

  • Data Minimization: We only request and access the minimum data necessary for Market Mana's functionality
  • No Customer PII Storage: We comply with Shopify's strict requirements regarding customer personal information
  • Secure Data Handling: All Shopify API interactions use secure, authenticated connections
  • Prompt Data Deletion: We exceed Shopify's 30-day deletion requirement by deleting data immediately upon webhook receipt
  • Transparent Data Usage: This Privacy Policy fully discloses how we use Shopify store data

    Your Shopify Data Rights

    All data accessed through Shopify remains subject to:
  • Shopify's Privacy Policy: https://www.shopify.com/legal/privacy
  • Shopify's Terms of Service
  • Your existing agreements with Shopify

    Uninstalling Market Mana does not affect your Shopify store or data within Shopify's infrastructure.


    XI. Cookies and Tracking Technologies

    Current Cookie Usage

    Market Mana currently uses only essential cookies necessary for the application to function:

    Essential/Functional Cookies:
  • Session Cookies: Used to authenticate your identity and maintain your login session. These are strictly necessary for the app to function.
    - Duration: Session-based (deleted when you close your browser)
    - Purpose: Authentication and session management
  • Preference Cookies: Store your settings and preferences within Market Mana (e.g., calendar view preferences, notification settings).
    - Duration: Persistent (up to 1 year)
    - Purpose: Remember your preferences between sessions
  • Security Cookies: Help us detect and prevent security threats and fraudulent activity.
    - Duration: Session-based
    - Purpose: Security and fraud prevention

    These essential cookies do not require consent under GDPR as they are strictly necessary for providing the service you've requested.

    Future Analytics Cookies (Planned)

    We plan to implement Posthog analytics to better understand how users interact with Market Mana. When implemented:
  • Consent Requirement: We will request your explicit opt-in consent before deploying analytics cookies
  • Anonymization: All analytics data will be anonymized (IP addresses masked, user IDs pseudonymized)
  • Opt-Out: You can opt out at any time through your account settings
  • No Tracking: We will NOT track you across other websites or services
  • Privacy-First: Posthog is an open-source, privacy-focused analytics platform

    Proposed Analytics Cookies:
  • Performance Cookies: Understand which features are used most frequently
  • Usage Analytics: Analyze user flows to improve UX
  • Error Tracking: Identify and fix technical issues
  • Feature Flags: Gradually roll out new features to users

    Managing Cookies

    Browser Controls: You can control and delete cookies through your browser settings:
  • Chrome: Settings > Privacy and Security > Cookies and other site data
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Manage Website Data
  • Edge: Settings > Cookies and site permissions > Cookies and site data

    Impact of Disabling Cookies:
  • Essential Cookies: Disabling essential cookies will prevent you from using Market Mana, as they're necessary for authentication
  • Analytics Cookies (future): Disabling analytics cookies will not affect your ability to use Market Mana

    Third-Party Cookies

    Market Mana does not currently use any third-party advertising cookies or tracking pixels. When embedded in Shopify's admin interface, Shopify may set its own cookies subject to Shopify's Cookie Policy.


    XII. Security Measures

    We implement robust technical and organizational security measures to protect your data from unauthorized access, disclosure, alteration, and destruction.

    Technical Security Measures

    Encryption:
  • Data in Transit: All data transmitted between your browser and our servers uses TLS 1.3 encryption (HTTPS)
  • Data at Rest: All data stored in our databases is encrypted using AES-256 encryption
  • API Communications: All connections to third-party services (OpenAI, Shopify) use encrypted channels

    Access Controls:
  • Role-Based Access: Internal access to data is strictly limited based on job function and necessity
  • Multi-Factor Authentication: Required for all team members accessing production systems
  • Least Privilege Principle: Users and systems have access only to data necessary for their function
  • Regular Access Reviews: We periodically review and revoke unnecessary access privileges

    Network Security:
  • Firewall Protection: Multi-layered firewalls protect our infrastructure
  • DDoS Protection: Distributed Denial of Service mitigation systems
  • Intrusion Detection: Real-time monitoring for suspicious activity
  • Isolated Environments: Development, staging, and production environments are segregated

    Application Security:
  • OWASP Compliance: We follow OWASP Top 10 security best practices
  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
  • Security Headers: Implementation of Content Security Policy, X-Frame-Options, etc.
  • Regular Patching: Prompt application of security updates to all software components

    Organizational Security Measures

    Security Policies:
  • Written information security policies and procedures
  • Incident response plan for data breaches
  • Business continuity and disaster recovery plans
  • Data retention and disposal policies

    Personnel Security:
  • Background checks for employees with data access
  • Confidentiality agreements for all staff and contractors
  • Regular security awareness training
  • Clear data handling procedures

    Vendor Management:
  • Security assessments of third-party service providers
  • Data Processing Agreements with all vendors handling personal data
  • Regular vendor compliance reviews

    Monitoring and Testing

    Continuous Monitoring:
  • 24/7 security monitoring and alerting
  • Automated vulnerability scanning
  • Log analysis and anomaly detection
  • Real-time threat intelligence integration

    Regular Security Testing:
  • Annual third-party security audits
  • Quarterly internal security reviews
  • Penetration testing of critical systems
  • Code security reviews

    Data Minimization and Anonymization

  • We collect only data necessary for service delivery
  • Personal data is pseudonymized where possible
  • Aggregated analytics use anonymized data
  • Regular data cleanup to remove unnecessary information

    Incident Response

    In the unlikely event of a data breach:
  • Detection: Immediate identification of the incident
  • Containment: Rapid action to prevent further unauthorized access
  • Assessment: Evaluation of the scope and impact
  • Notification: Communication to affected users and authorities within 72 hours (as required by GDPR)
  • Remediation: Implementation of corrective measures
  • Review: Post-incident analysis and security improvements

    Limitations

    While we implement industry-leading security measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the Internet or stored electronically. You are responsible for maintaining the confidentiality of your Shopify account credentials and for any activity under your account.

    Your Responsibilities:
  • Use strong, unique passwords for your Shopify account
  • Enable two-factor authentication on your Shopify account
  • Keep your devices and browsers updated with security patches
  • Do not share your account credentials
  • Report any suspected security issues to us immediately at info@marketmana.io

    XIII. Artificial Intelligence and Automated Decision-Making

    Market Mana uses artificial intelligence (AI) as a core feature to generate marketing campaign suggestions. This section explains how AI is used and your control over it.

    How AI Is Used

    OpenAI Integration: Market Mana sends your store data to OpenAI's API to generate personalized marketing campaign suggestions. This includes:
  • Input Data: Product information, aggregated sales data, brand voice preferences, campaign history, custom instructions
  • AI Processing: OpenAI's models (GPT-4 and GPT-5) analyze this data to suggest relevant marketing campaigns
  • Output: Campaign titles, descriptions, recommended discount strategies, suggested marketing channels, optimal timing

    AI Training and Data Use:
  • No Training on Your Data: OpenAI is contractually prohibited from using your submitted data to train their general-purpose AI models
  • Purpose Limitation: Your data is processed solely to generate your specific campaign suggestions
  • Temporary Processing: OpenAI does not retain your data beyond the immediate processing required for generation

    Nature of Automated Processing

    Suggestion, Not Decision: Market Mana's AI generates *suggestions* that you review, edit, and approve. The AI does NOT:
  • Automatically execute marketing campaigns
  • Automatically create discount codes (requires your approval)
  • Make binding decisions on your behalf
  • Process any action without your explicit approval

    Human Review Required: All AI-generated campaigns are presented to you as drafts. You have complete control to:
  • Review all suggestions before implementation
  • Edit any aspect of suggested campaigns
  • Reject suggestions entirely
  • Provide feedback to improve future suggestions
  • Create campaigns manually without AI assistance

    No Legal or Similarly Significant Automated Decisions

    Market Mana does not engage in automated decision-making that produces legal effects or similarly significantly affects you, as defined in GDPR Article 22. All AI outputs are advisory in nature and require your manual approval before any action is taken.

    Your Rights Regarding AI Processing

    Right to Object (Art. 21 GDPR): You can object to AI processing of your data. However, this would prevent Market Mana from providing its core service (AI-powered campaign generation). You may still use the app to create campaigns manually.

    Right to Explanation: You can request information about:
  • The logic involved in AI campaign generation
  • The significance and envisaged consequences of such processing
  • The data used to generate specific suggestions

    Feedback and Improvement:
  • Your approval/rejection decisions help improve the relevance of future AI suggestions
  • This improvement is based on patterns across all users (anonymized), not individual profiling
  • You can opt out of having your usage patterns contribute to AI improvements by contacting us

    Transparency and Fairness

    Algorithmic Transparency:
  • Our AI system analyzes product performance, seasonal trends, and marketing best practices
  • Campaign suggestions are based on objective business data, not discriminatory factors
  • The AI does not make assumptions about protected characteristics

    Limitations and Accuracy:
  • AI-generated suggestions are not guaranteed to be accurate or effective
  • Campaign success depends on many factors beyond our AI's control
  • You should evaluate all suggestions based on your business knowledge
  • We continuously work to improve suggestion quality but cannot guarantee specific results

    AI Model Changes

    As AI technology evolves, we may update the underlying models used for campaign generation (e.g., upgrading to newer versions of GPT). Such changes will be reflected in our:
  • Release notes
  • Email notifications to active users
  • This Privacy Policy (if data processing changes)

    XIV. Children's Privacy

    Age Requirement: Market Mana is a business-to-business (B2B) service designed exclusively for Shopify merchants operating commercial e-commerce businesses. Our service is NOT directed at, intended for, or designed to attract individuals under the age of 18, and specifically not children under 13 years of age.

    No Knowing Collection: We do not knowingly collect personal information from children under 13 (or under 16 in the EU). If we become aware that we have collected personal data from a child without parental consent, we will take immediate steps to delete such information.

    Parental Notice: If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at info@marketmana.io so we can delete the information.

    Shopify Account Requirement: Use of Market Mana requires a Shopify store account. Shopify's Terms of Service require users to be at least 18 years old (or the age of majority in their jurisdiction) to create a Shopify account.

    COPPA and Similar Laws: We comply with the Children's Online Privacy Protection Act (COPPA) in the United States and similar laws in other jurisdictions protecting children's privacy.

    XV. California-Specific Privacy Rights (CCPA/CPRA)

    This section provides additional information for California residents as required by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

    Categories of Personal Information Collected

    In the preceding 12 months, we have collected the following categories of personal information:

    | Category | Examples | Collected? |
    |----------|----------|------------|
    | A. Identifiers | Name, email address, IP address, online identifiers | Yes |
    | B. Personal information under Cal. Civ. Code § 1798.80 | Name, email | Yes |
    | C. Protected classifications | Age, gender, race, religion, etc. | No |
    | D. Commercial information | Purchase history, transaction records | Yes (via Shopify) |
    | E. Biometric information | Fingerprints, facial recognition | No |
    | F. Internet/network activity | Browsing history, search history, interactions with our app | Yes |
    | G. Geolocation data | Country, timezone (not precise location) | Yes (General only) |
    | H. Sensory data | Audio, visual, thermal, olfactory | No |
    | I. Professional/employment information | Business name, industry | Yes |
    | J. Education information | N/A | No |
    | K. Inferences | Preferences, behavior predictions | Yes (marketing preferences) |
    | L. Sensitive personal information | Precise geolocation, race, religion, health, etc. | No |

    Sources of Personal Information

    We collect personal information from:
  • Directly from you: When you install the app, configure settings, or contact us
  • Shopify API: Store and product data through authorized API access
  • Automatically: Usage data, device information, cookies
  • Third parties: Shopify (store owner information at installation)

    Business or Commercial Purposes for Collection

    We use personal information for:
  • Providing Market Mana services
  • AI campaign generation
  • Customer support
  • Service improvement
  • Security and fraud prevention
  • Legal compliance
  • Internal analytics

    Categories of Third Parties with Whom We Share Personal Information

    We share personal information with:
  • Service providers: Hosting providers, infrastructure providers
  • Shopify: For billing and subscription management
  • Legal/regulatory: If required by law
  • Professional advisors: Legal, accounting, auditing

    Sale and Sharing of Personal Information

    We do NOT sell your personal information. Under CCPA's broad definition of "sale," some data sharing might be considered a "sale." However:
  • We do NOT sell personal information for monetary consideration
  • We do NOT share personal information for cross-context behavioral advertising
  • We do NOT knowingly sell or share personal information of consumers under 16

    If this changes, we will update this policy and provide an opt-out mechanism.

    Retention Periods

    We retain personal information:
  • Active accounts: Duration of service
  • Deleted accounts: Immediately upon app uninstallation (shop/redact webhook)
  • Financial records: 10 years (legal requirement)
  • Anonymized analytics: Indefinitely

    Your CCPA Rights

    1. Right to Know (15 U.S.C. § 1798.100) Request information about:
  • Categories of personal information collected
  • Categories of sources
  • Business purposes for collection
  • Categories of third parties to whom we disclose
  • Specific pieces of personal information collected

    2. Right to Delete (15 U.S.C. § 1798.105) Request deletion of personal information we collected from you, subject to certain exceptions.

    3. Right to Correct (15 U.S.C. § 1798.106) Request correction of inaccurate personal information.

    4. Right to Opt-Out of Sale/Sharing (15 U.S.C. § 1798.120) We do not sell or share personal information, so no opt-out is necessary.

    5. Right to Limit Use of Sensitive Personal Information (15 U.S.C. § 1798.121) We do not collect sensitive personal information as defined by CCPA.

    6. Right to Non-Discrimination (15 U.S.C. § 1798.125) We will not discriminate against you for exercising your CCPA rights.

    How to Exercise Your Rights

    Submit a Request:
  • Email: info@marketmana.io
  • Subject: "CCPA Privacy Request"
  • Include: Your store URL, email, and specific request

    Verification: We will verify your identity by:
  • Matching information you provide with information we have on file
  • Requesting additional documentation if necessary

    Authorized Agents: You may designate an authorized agent to make requests on your behalf. We may require:
  • Written authorization signed by you
  • Verification of the agent's identity
  • Verification of your identity

    Response Timeline:
  • Initial response: Within 10 business days acknowledging receipt
  • Substantive response: Within 45 days (extendable to 90 days with notice)

    No Fee: We do not charge a fee for processing CCPA requests.

    California "Shine the Light" Law

    Under California Civil Code Section 1798.83, California residents can request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

    Minors Under 16

    We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age. Our service is intended for adults operating businesses.

    XVI. Nevada Residents

    Under Nevada Senate Bill 220, Nevada residents have the right to opt out of the "sale" of certain personal information to third parties who will license or sell that information to others. We do NOT sell your personal information as defined by Nevada law. If our practices change in the future, we will:
  • Update this Privacy Policy
  • Provide notice to Nevada residents
  • Offer a clear opt-out mechanism

    To exercise opt-out rights in the future (if applicable):
    Email: info@marketmana.io
    Subject: "Nevada Privacy Opt-Out Request"
    Include: Your name, Nevada resident address, and email address associated with your Market Mana account

    We will maintain your opt-out request and contact you if we begin selling personal information.

    XVII. Canadian Residents (PIPEDA)

    For users in Canada, Market Mana complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

    PIPEDA Principles

    We adhere to PIPEDA's 10 Fair Information Principles:
  • Accountability: We are responsible for personal information under our control
  • Identifying Purposes: Purposes for data collection are identified in this Privacy Policy
  • Consent: We obtain consent for collection, use, and disclosure
  • Limiting Collection: We collect only information necessary for identified purposes
  • Limiting Use, Disclosure, and Retention: Personal information is used only for stated purposes
  • Accuracy: We maintain accurate, complete, and up-to-date information
  • Safeguards: Security measures protect personal information
  • Openness: This Privacy Policy is readily available
  • Individual Access: You can access and verify your personal information
  • Challenging Compliance: You can challenge our compliance with PIPEDA

    Your Rights Under PIPEDA

  • Right to Access: Request access to your personal information
  • Right to Correction: Request correction of inaccurate information
  • Right to Withdraw Consent: Withdraw consent (may affect service availability)
  • Right to File a Complaint: File a complaint with the Office of the Privacy Commissioner of Canada

    Cross-Border Data Transfer

    Your personal information may be processed and stored outside Canada, including in the United States and the European Union. When transferred, it is subject to the laws of the destination country and may be accessible by government authorities under those laws. We implement safeguards to protect your information, including:
  • Standard Contractual Clauses
  • Encryption and security measures
  • Contractual obligations with service providers

    Contact for PIPEDA Inquiries

    Email: info@marketmana.io
    Subject: "PIPEDA Privacy Inquiry"

    Filing a Complaint

    If you believe we are not complying with PIPEDA:

    Office of the Privacy Commissioner of Canada
    Website: https://www.priv.gc.ca/
    Phone: 1-800-282-1376
    Email: info@priv.gc.ca

    XVIII. Changes to This Privacy Policy

    Policy Updates

    We may update this Privacy Policy from time to time to reflect:
  • Changes in our data processing practices
  • New features or services
  • Changes in applicable laws and regulations
  • Feedback from users or regulators
  • Evolving privacy best practices

    Notification of Changes

    Material Changes: For significant changes that affect your rights or how we process your data, we will:
  • Email Notification: Send an email to the address associated with your Market Mana account at least 30 days before the changes take effect
  • In-App Notice: Display a prominent notice within the Market Mana dashboard
  • Update Effective Date: Clearly indicate the new effective date at the top of this policy

    Non-Material Changes: For minor changes (e.g., clarifications, formatting, contact information updates), we will:
  • Update the "Last Updated" date at the top of this policy
  • Post the revised policy on our website
  • Continue to make the policy available within the Market Mana app

    Reviewing Changes

    We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. The current version is always available at:
  • Market Mana dashboard: Settings > Privacy Policy
  • Website: https://marketmana.io/privacy

    Continued Use

    Your continued use of Market Mana after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes:
  • You may discontinue using Market Mana
  • You may contact us to discuss your concerns
  • You may exercise your data deletion rights

    Version History

    We maintain a version history of this Privacy Policy. To request previous versions, contact us at info@marketmana.io.

    XIX. Additional Information

    Data Controller

    For GDPR purposes, the data controller is: eBerce d.o.o.
    Registration Number: 5787882000
    VAT ID: SI90207777
    Address: Dunajska cesta 106, Ljubljana, 1000 Ljubljana, Slovenia

    Supervisory Authority (Slovenia)

    Information Commissioner (Informacijski pooblaščenec)
    Address: Dunajska cesta 22, 1000 Ljubljana, Slovenia
    Phone: +386 1 230 97 30
    Email: gp.ip@ip-rs.si
    Website: https://www.ip-rs.si/

    EU Representative

    As eBerce d.o.o. is established in the EU (Slovenia), no separate EU representative is required under GDPR Article 27.

    UK Representative

    As Market Mana is available to UK residents through the Shopify App Store, we are required to appoint a UK representative under Article 27 of the UK GDPR.

    UK Representative (To Be Appointed): We are in the process of appointing a UK representative who will serve as our point of contact for:
  • UK data subjects regarding data protection matters
  • The UK Information Commissioner's Office (ICO) for regulatory communications
  • Maintaining records of processing activities for UK users

    Once appointed, the UK representative's contact details will be updated in this section. In the interim, UK residents may contact us directly at info@marketmana.io for any data protection inquiries.

    Temporary UK Contact:
    Email: info@marketmana.io
    Subject: "UK GDPR Inquiry"

    This section will be updated with full UK representative details once the appointment is formalized.

    Accessibility

    We are committed to making this Privacy Policy accessible to everyone. If you have difficulty accessing or understanding any part of this policy:
  • Request an alternative format (e.g., large print, audio)
  • Ask for clarification on specific sections
  • Request a summary in plain language

    Contact info@marketmana.io with accessibility requests.

    Language

    This Privacy Policy is provided in English. If translated into other languages, the English version controls in case of any conflict or discrepancy.

    Third-Party Links

    Market Mana may contain links to third-party websites, services, or resources (e.g., Shopify documentation, OpenAI privacy policy). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies when you leave Market Mana.

    Shopify Policies

    Market Mana operates within the Shopify ecosystem. Your use of Shopify and your Shopify store is subject to:

  • Shopify Privacy Policy: https://www.shopify.com/legal/privacy
  • Shopify Terms of Service: https://www.shopify.com/legal/terms
  • Shopify Acceptable Use Policy: https://www.shopify.com/legal/aup

    OpenAI Policies

    Data sent to OpenAI for AI campaign generation is subject to:

  • OpenAI Privacy Policy: https://openai.com/policies/privacy-policy
  • OpenAI Terms of Use: https://openai.com/policies/terms-of-use
  • OpenAI API Data Usage: https://openai.com/policies/api-data-usage-policies

    We have contractual assurances from OpenAI that they will not use your data to train their general-purpose models.


    XX. Questions and Contact Information

    If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please don't hesitate to contact us.

    General Privacy Inquiries

    Email: info@marketmana.io
    Subject Line: Privacy Policy Inquiry
    Company Information:
    eBerce d.o.o.
    Dunajska cesta 106
    Ljubljana, 1000 Ljubljana
    Slovenia
    Registration Details:
    Registration Number: 5787882000
    VAT ID: SI90207777

    Data Subject Rights Requests

    To exercise your rights under GDPR, CCPA, PIPEDA, or other applicable laws:
    Email: info@marketmana.io
    Subject Line: Data Subject Rights Request

    Include in your request:
  • Your full name
  • Email address associated with your Market Mana account
  • Store URL (yourstore.myshopify.com)
  • Specific right you wish to exercise (e.g., access, deletion, correction)
  • Any additional details to help us process your request

    Support

    For technical support or account-related questions:
    Email: info@marketmana.io
    Subject Line: Support Request

    Response Time

    We aim to respond to all privacy inquiries within:
  • General questions: 5-7 business days
  • GDPR requests: 30 days (extendable to 60 days for complex requests)
  • CCPA requests: 45 days (extendable to 90 days with notice)

This Privacy Policy was last updated on November 11, 2025. Effective Date: November 11, 2025
© 2025 Market Mana. All rights reserved.