1. Controller
The data controller responsible for your personal data is:
EcomHeld - a pathways digital brand
C/ Gremi de Sabaters 21, 07009 Palma
Spain
NIF: B13641428
Email: privacy@ecom-held.com
Website: https://ecom-held.com
2. Scope
This Privacy Policy applies to:
- Visitors to the EcomHeld website (ecom-held.com)
- Customers who register for and use the EcomHeld SaaS platform
- End users of customer-deployed chatbot instances (shop visitors interacting with the AI agent)
3. Data We Collect
3.1 Website Visitors
- Anonymized usage data (pages viewed, referrer, device type) via Plausible Analytics — no personal identifiers
- Ad interaction data (if you clicked an ad) via Google Ads or Meta Ads
3.2 Registered Customers (B2B)
- Business contact details: name, company name, email address, billing address, VAT ID
- Account credentials (email, hashed password)
- Shop data uploaded or synced: product listings, descriptions, categories
- Subscription and billing history (managed by Paddle)
3.3 End Users (Shop Visitors using your AI agent)
- Chat messages submitted to the AI agent
- Session identifiers (anonymous)
- No account creation or persistent profiling of end users
4. Legal Basis for Processing (GDPR)
| Processing activity | Legal basis |
|---|---|
| Account management & service delivery | Art. 6(1)(b) — performance of a contract |
| Billing & invoicing | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation |
| Website analytics (Plausible) | Art. 6(1)(f) — legitimate interests (privacy-preserving analytics) |
| Marketing cookies (Google Ads, Meta Ads, Hotjar) | Art. 6(1)(a) — consent |
| Security, fraud prevention | Art. 6(1)(f) — legitimate interests |
5. Analytics: Plausible
We use Plausible Analytics (Plausible Insights OÜ, Estonia) for website analytics.
Plausible is a privacy-first analytics tool. It does not use cookies, does not track users across sites, and does not collect personal data or IP addresses. Data is aggregated and anonymized. No consent banner is required for Plausible under GDPR.
For more information: https://plausible.io/privacy
6. Advertising: Google Ads
We use Google Ads (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) for online advertising, including conversion tracking and remarketing.
When you interact with our ads or visit our website after clicking a Google Ad, Google may set cookies or use similar technologies to measure conversions and serve personalized ads. This processing is subject to your consent, which we obtain via our cookie consent banner.
Data may be transferred to Google servers, including in the United States, based on Standard Contractual Clauses (SCCs).
Google's privacy policy: https://policies.google.com/privacy
Google Ads data processing terms: https://business.safety.google/adsprocessorterms
You can opt out of personalized advertising via: https://adssettings.google.com
7. Advertising: Meta Ads (Facebook/Instagram)
We use the Meta Pixel (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) to measure the effectiveness of our advertising on Facebook and Instagram, and for remarketing purposes.
The Meta Pixel may collect information about your browser, device, and actions on our website (e.g., page views, sign-ups). This processing is subject to your consent via our cookie consent banner.
Data may be transferred to Meta servers in the United States, based on Standard Contractual Clauses (SCCs).
Meta's privacy policy: https://www.facebook.com/policy.php
You can manage your ad preferences at: https://www.facebook.com/ads/preferences
8. Behavior Analytics: Hotjar
We use Hotjar (Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta) to understand how visitors interact with our website through heatmaps, session recordings, and feedback tools.
Hotjar may record mouse movements, clicks, scrolling behavior, and form interactions. Sensitive fields (e.g., passwords, payment fields) are automatically masked. This processing is subject to your consent via our cookie consent banner.
Hotjar's privacy policy: https://www.hotjar.com/legal/policies/privacy
To opt out of Hotjar tracking: https://www.hotjar.com/legal/compliance/opt-out
9. Payment Processing: Paddle
Payments are processed by Paddle (Paddle.com Market Limited, 15 Space NK, 2 Horatio Street, London N1 6BG, United Kingdom) as our Merchant of Record.
Paddle collects and processes billing information (card details, billing address, VAT ID) directly. We do not store your full payment card data. Paddle handles invoicing, VAT collection, and payment disputes.
Paddle's privacy policy: https://www.paddle.com/legal/privacy
10. Data Processors & Third Parties
We work with the following categories of processors:
| Processor | Purpose | Location |
|---|---|---|
| Paddle | Payment processing & invoicing | UK / Global |
| Plausible Analytics | Privacy-friendly website analytics | EU |
| Google (Google Ads) | Ad measurement & remarketing | EU/US |
| Meta | Ad measurement & remarketing | EU/US |
| Hotjar | Behavior analytics | EU |
| OpenAI | LLM inference for AI responses | US |
| Supabase (self-hosted) | Vector database per tenant | EU |
We do not sell your personal data to third parties.
11. International Data Transfers
Some of our third-party providers (Google, Meta, OpenAI) are located in or transfer data to the United States. Transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.
12. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of the contract + 3 years |
| Billing records | 10 years (legal retention obligation) |
| Chat interaction logs | 90 days rolling, unless required for support |
| Analytics data (Plausible) | Aggregated, no personal retention |
| Cookie-based ad data | Per provider settings (typically 90–540 days) |
13. Your Rights (GDPR)
As a data subject under GDPR, you have the right to:
- Access (Art. 15): obtain a copy of your personal data
- Rectification (Art. 16): correct inaccurate data
- Erasure (Art. 17): request deletion ("right to be forgotten")
- Restriction (Art. 18): limit how we process your data
- Portability (Art. 20): receive your data in a machine-readable format
- Objection (Art. 21): object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)): at any time for consent-based processing
To exercise any of these rights, contact us at: privacy@ecom-held.com
We will respond within 30 days. We may need to verify your identity before processing the request.
14. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish data protection authority:
Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6, 28001 Madrid
Spain
https://www.aepd.es
You may also contact the data protection authority in your country of residence (e.g., the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) in Germany).
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or via the platform. The date of the latest update is shown at the top of this document.
17. Contact
EcomHeld - a pathways digital brand
C/ Gremi de Sabaters 21, 07009 Palma
Spain
NIF: B13641428
Email: privacy@ecom-held.com
Website: https://ecom-held.com