Privacy Policy

1. Who We Are

Maroon Pixel ("we", "us", "our") is a digital agency providing web development, SEO, paid advertising, brand development, content writing, email marketing, website management, and analytics services to businesses across the United States and European Union.

Registered address: Maroon Pixel, 45/4/K, EH, Dhaka, 1216

Data controller email: contact@maroonpixel.website

For EU residents, Maroon Pixel acts as a data controller under the General Data Protection Regulation (GDPR) (EU) 2016/679. For California residents, we comply with the California Consumer Privacy Act (CCPA) as amended by the CPRA.

2. Data We Collect

2.1 Information You Provide Directly

• Contact & inquiry data: Name, email address, phone number, company name, and message content when you fill out our contact or audit request forms.
• Client account data: Business information, billing details, project briefs, and communication records collected during our service relationship.
• Newsletter subscriptions: Email address and communication preferences when you subscribe to our marketing emails.
• Job applications: CV, cover letter, and professional background information if you apply for a position.

2.2 Information Collected Automatically

• Usage data: Pages visited, time spent, clicks, scroll depth, and referral source — collected via Google Analytics 4.
• Device & technical data: IP address, browser type and version, operating system, screen resolution, and timezone.
• Cookie data: See our Cookie Policy for full details of cookies in use.

2.3 Information From Third Parties

• LinkedIn, Google, or Meta data when you interact with our advertising campaigns or social profiles.
• Referral data from partner agencies or businesses who recommend our services.

3. How We Use Your Data

Purpose	Data Used	Basis
Responding to enquiries and audit requests	Contact form data	Legitimate interest / Contract
Delivering contracted digital services	Client account data	Contract performance
Sending marketing emails (with consent)	Email address, preferences	Consent
Improving our website and services	Analytics, usage data	Legitimate interest
Legal and compliance obligations	Any relevant data	Legal obligation
Preventing fraud and security threats	IP address, usage patterns	Legitimate interest
Sending service updates to existing clients	Email address	Legitimate interest

We do not use your data for automated decision-making or profiling that produces legal or significant effects.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data on the following lawful bases under Article 6 of the GDPR:

• Consent (Art. 6(1)(a)): For marketing emails and non-essential cookies. You can withdraw consent at any time.
• Contract (Art. 6(1)(b)): For processing necessary to perform services you have engaged us for.
• Legal obligation (Art. 6(1)(c)): For processing required by applicable law (e.g. financial records, VAT obligations).
• Legitimate interests (Art. 6(1)(f)): For analytics, fraud prevention, and business communications — where our interests do not override your rights.

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with trusted service providers who process it strictly on our behalf:

Provider	Purpose	Location
Google LLC (GA4, Workspace)	Analytics, email, file storage	USA (SCCs in place)
Meta Platforms Inc.	Advertising (where applicable)	USA (SCCs in place)
Stripe / PayPal	Payment processing	USA/EU (SCCs in place)
Mailchimp / ActiveCampaign	Email marketing delivery	USA (SCCs in place)
Cloudflare	CDN, security, performance	USA/EU
Notion / Basecamp	Project management	USA (SCCs in place)

All third-party processors are bound by Data Processing Agreements (DPAs) that restrict them from using your data for any other purpose.

6. International Data Transfers

Some of our service providers are based in the United States. Where personal data of EEA/UK residents is transferred to the US, we ensure appropriate safeguards are in place — specifically the Standard Contractual Clauses (SCCs) adopted by the European Commission. You can request a copy of the relevant SCCs by contacting us.

7. How Long We Keep Your Data

Data Type	Retention Period	Reason
Enquiry / contact data	3 years from last contact	Business relationship management
Client project data	6 years post-engagement end	Legal / financial compliance
Marketing email subscriptions	Until unsubscribed + 1 year	Consent-based; audit trail
Analytics data (GA4)	14 months (GA4 default)	Performance analysis
Financial/billing records	7 years	Legal obligation (tax law)
Job applications (unsuccessful)	6 months	Future opportunities consideration

8. Your Rights

Depending on your location, you have the following rights regarding your personal data:

EU/EEA Residents (GDPR)

• Right of access: Request a copy of all personal data we hold about you (Subject Access Request).
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): Request deletion of your data where there is no overriding legal obligation to retain it.
• Right to restrict processing: Ask us to pause processing while a dispute is resolved.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Withdraw marketing consent at any time without affecting prior lawfulness.

California Residents (CCPA/CPRA)

• Right to know what personal information is collected and how it is used.
• Right to delete personal information (with exceptions).
• Right to opt out of the sale or sharing of personal information (we do not sell data).
• Right to non-discrimination for exercising privacy rights.
• Right to correct inaccurate personal information.
• Right to limit use of sensitive personal information.

EU residents also have the right to lodge a complaint with their national supervisory authority — for example, the ICO (UK), DPC (Ireland), CNIL (France), or the relevant authority in your country.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• HTTPS/TLS encryption on all data in transit
• Access controls and role-based permissions for internal systems
• Regular security audits and vulnerability scanning
• Two-factor authentication on all accounts with access to personal data
• Annual staff data protection awareness training

No method of transmission over the internet is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority as required by applicable law.

10. Cookies

Our website uses cookies and similar tracking technologies. For full details of the cookies we use, their purpose, duration, and how to manage your preferences, please see our Cookie Policy.

11. Children's Privacy

Our services are intended for business owners and professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify existing clients by email.

We encourage you to review this page periodically. Continued use of our services after any changes constitutes your acceptance of the updated policy.

13. Contact & Data Protection Officer