Data Processing

DATA PROCESSING

Last Updated: April 2026

Marqueeteer is a Google Business Profile management service operated from the European Union. We are registered and regulated under GDPR. When you engage us, we process your Google Business Profile data as your data processor, strictly according to your instructions and within the framework of a Data Processing Agreement.

OUR ROLE: DATA PROCESSOR

Marqueeteer acts as a data processor under GDPR Article 28. You (the business owner or authorized representative) are the data controller. You own your Google Business Profile and authorize us to access and manage it on your behalf.

We process your data only for the specific purpose of:

  • Updating and optimizing your Google Business Profile
  • Publishing Google Posts (updates, offers, events)
  • Managing reviews and customer interactions
  • Monitoring profile performance and metrics
  • Maintaining accurate business information

We do not:

  • Use your data for our own marketing or advertising purposes
  • Sell or share your data with third parties
  • Make independent decisions about how your data is used
  • Access or process data beyond what you’ve authorized

You retain full control of your Google Business Profile and can revoke our access at any time.

DATA PROCESSING AGREEMENT (DPA)

All Marqueeteer clients must enter into a Data Processing Agreement before service begins. The DPA is a formal contract that defines:

  • Your role as controller; our role as processor
  • What data we process and for what purpose
  • How long we retain data
  • Security measures we implement
  • Your rights to audit, inspect, and require changes
  • Our obligations regarding subprocessors
  • Breach notification procedures
  • Data subject rights (if applicable)

A template DPA is provided during onboarding. If you require modifications (e.g., for multi-entity or multi-jurisdiction requirements), contact privacy@marqueeteer.com.

The DPA is legally binding and supersedes this page for contractual obligations.

DATA WE PROCESS

When you authorize Marqueeteer to manage your GBP, we access and process:

Google Business Profile Data

  • Business name, address, phone, website, hours, business hours variations
  • Business category, description, attributes, service area
  • Photos, videos, Google Posts, and published content
  • Customer reviews, ratings, and responses
  • Performance metrics, analytics, and insights
  • Chat messages and customer inquiries received via your GBP

Account & Service Data

  • Your email address and contact information
  • Login credentials (stored securely; see “Data Security” below)
  • Payment information (processed by third-party payment processors; we do not store full payment details)
  • Communication logs and support tickets
  • Service usage, activity logs, and access timestamps

We do NOT access or process:

  • Customer personal data beyond what appears publicly on your GBP
  • Your internal business systems, customer databases, or files
  • Passwords (we use OAuth authentication; you grant secure access directly)
  • Sensitive personal data (unless explicitly included in your GBP content)

HOW WE PROCESS YOUR DATA

Access & Permissions
You authorize Marqueeteer to manage your GBP through one of two methods:

  • Google OAuth: Direct authentication via your Google account (no password sharing)
  • Managed Service Login: You provide credentials once; we store them securely (encrypted at rest)

You remain the account owner and can revoke our access instantly through Google Business Profile settings or by contacting us.

Data Security

  • All data transmission is encrypted using TLS 1.2 or higher (industry standard)
  • Credentials are encrypted at rest using AES-256 encryption
  • Access to client data is restricted to authorized Marqueeteer staff on a need-to-know basis
  • Marqueeteer maintains separate, secure infrastructure for data storage and processing
  • We implement multi-factor authentication for staff access to systems
  • Regular security audits and penetration testing are conducted annually
  • Incident response procedures are documented and tested quarterly
  • We comply with GDPR Article 32 security requirements

Data Retention

  • During your service agreement: We retain access to and copies of your GBP data as necessary to deliver services
  • Historical reports and performance data: Retained for 24 months or duration of your contract, whichever is longer
  • After service termination: We cease all access to your GBP within 5 business days; we delete our copies of your data within 30 days (except where retention is required by law)
  • Operational logs and audit trails: Retained for 90 days for security and troubleshooting purposes
  • You retain all original data in your GBP—we do not store independent copies of your content beyond what’s necessary for service delivery

Subprocessors (Data Sub-processors)
To deliver our services, we engage the following third parties:

  • Google (GBP API, authentication, hosting)
  • Cloud infrastructure providers (Amazon AWS, Google Cloud; EU-based data centers only)
  • Payment processors (Stripe, PayPal; PCI-DSS compliant)
  • Email and communication tools (necessary for client support and notifications)

Each subprocessor is contractually bound to maintain:

  • Equivalent security standards
  • Confidentiality obligations
  • Compliance with data protection laws
  • Restrictions on further subcontracting without approval

You will be notified of any new subprocessors before they are engaged. You have the right to object to new subprocessors on reasonable grounds.

LEGAL BASIS & COMPLIANCE

European Union (GDPR)

Marqueeteer is registered and operates as a data processor under GDPR (Regulation (EU) 2016/679). The following applies to all Marqueeteer clients:

Your Rights as Data Controller
As the data controller, you have the right to:

  • Instruct us on what data to process and how
  • Access all personal data we hold (right of access, Art. 15)
  • Request correction of inaccurate data (right to rectification, Art. 16)
  • Request deletion of data under certain conditions (right to erasure, Art. 17)
  • Request restriction of processing (right to restrict processing, Art. 18)
  • Receive data in a portable format (right to data portability, Art. 20)
  • Object to processing (right to object, Art. 21)
  • Withdraw consent at any time (if consent is the basis for processing)

Marqueeteer’s Obligations as Processor
We are obligated to:

  • Process data only on your documented instructions
  • Ensure confidentiality of all staff who access your data (through binding confidentiality agreements)
  • Implement appropriate technical and organizational security measures (Art. 32)
  • Assist you in fulfilling data subject rights requests
  • Notify you of any personal data breach without undue delay (Art. 33)
  • Maintain records of processing activities (Art. 30)
  • Undergo audits and inspections of our processing activities
  • Ensure all subprocessors are contractually bound to equivalent obligations

Your Data Subject Rights
If your GBP contains personal data of individuals (e.g., customer reviews, messages), those individuals have rights under GDPR:

  • Right to access their data
  • Right to correction
  • Right to deletion
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

As the controller, you are responsible for fulfilling these requests. Marqueeteer will assist by providing the relevant data or deleting it upon your instruction.

Data Processing Agreement
Your Data Processing Agreement with Marqueeteer specifically addresses:

  • The scope, nature, purpose, and duration of processing
  • The types of personal data and categories of data subjects
  • Marqueeteer’s specific obligations and your rights
  • Security measures and incident response procedures
  • Subprocessor management and notification procedures
  • Assistance with data subject rights requests
  • Audit and inspection rights
  • Liability and indemnification
  • Data transfer mechanisms (if applicable; see below)

INTERNATIONAL DATA TRANSFERS

Marqueeteer operates from the European Union and uses EU-based data centers for client data storage and processing.

If data is transferred outside the EU/EEA (e.g., to Google’s US-based GBP API infrastructure), we rely on:

  • Standard Contractual Clauses (SCCs) between us and subprocessors
  • Adequacy decisions (where available)
  • Your explicit consent (where required)

These mechanisms ensure your data receives adequate protection outside the EU. Details are included in your DPA.

DATA BREACHES & INCIDENT RESPONSE

In the event of a suspected or confirmed personal data breach, Marqueeteer will:

  1. Assess the breach within 24 hours (scope, nature, affected data, likely consequences)
  2. Contain the breach to prevent further unauthorized access
  3. Notify you immediately (without undue delay, and in no case later than 72 hours after discovery)
  4. Provide breach details including:
  • Nature and scope of the breach
  • Categories and approximate number of affected data subjects and personal data records
  • Likely consequences
  • Measures taken or proposed to address the breach
  1. Cooperate with authorities as required by GDPR and your local data protection authority
  2. Document the incident with full facts and remedial actions

You are responsible for:

  • Assessing whether the breach requires notification to affected data subjects
  • Notifying affected individuals and your local data protection authority (DPA) as required by law
  • Communicating the breach to third parties (e.g., your customers) as appropriate

Marqueeteer will provide all necessary information and documentation to support your notification obligations.

UNITED STATES (CCPA & STATE PRIVACY LAWS)

If you are a California resident or operate a business in California, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to delete personal information (subject to exceptions)
  • Right to opt out of the sale or sharing of personal information
  • Right to non-discrimination for exercising CCPA rights

Marqueeteer does not sell your data or use it for targeted advertising. If you are a California resident and wish to exercise CCPA rights, contact privacy@marqueeteer.com with “CCPA Request” in the subject line. We will respond within 45 days.

Other US State Laws
We comply with applicable state privacy laws (e.g., Colorado CPA, Virginia VCDPA, Utah UCPA, Connecticut CTDPA). Contact us if you have specific state-level compliance requirements.

CANADA (PIPEDA)

If you are a Canadian business or resident, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion (subject to legal obligations)
  • Lodge complaints with the Privacy Commissioner of Canada

Requests should be directed to privacy@marqueeteer.com.

AUSTRALIA (PRIVACY ACT)

If you are an Australian resident or business, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Lodge complaints with the Office of the Australian Information Commissioner (OAIC)

Contact privacy@marqueeteer.com for privacy requests or complaints.

COOKIES & WEBSITE TRACKING

Marqueeteer’s website (marqueeteer.com) uses:

  • Essential cookies (login, session management)
  • Analytics cookies (Google Analytics, to understand visitor behavior)
  • Optional marketing cookies (if you opt in)

We do not use cookies or tracking technologies to identify individual users for targeted marketing or profiling.

Your Rights:

  • You can disable cookies in your browser settings
  • You can withdraw consent to non-essential cookies at any time
  • Disabling cookies will not affect your ability to use Marqueeteer’s core GBP management services

Marqueeteer’s website is compliant with GDPR cookie requirements, including:

  • Clear consent mechanisms
  • Opt-in for non-essential cookies (not pre-ticked)
  • Easy withdrawal of consent
  • Transparent cookie policy (see marqueeteer.com/privacy-policy for details)

CONTACT US & DATA SUBJECT RIGHTS

For questions about data processing, to exercise your rights, or to request a copy of our DPA:

Email: privacy@marqueeteer.com
Contact Form: marqueeteer.com/contact
Mailing Address: [Insert Marqueeteer’s EU office address]

For GDPR-specific inquiries or complaints:
Email: dpo@marqueeteer.com
Data Protection Officer: [Name/Title, if applicable]

Response Time: We aim to respond to all data-related inquiries within 30 days. If your request is complex, we may extend this by an additional 60 days with notice.

If You Are Not Satisfied:
You have the right to lodge a complaint with your local data protection authority:

  • EU: Your national data protection authority (DPA)
  • UK: Information Commissioner’s Office (ICO)
  • California: California Attorney General
  • Other jurisdictions: Your applicable privacy regulator

We encourage you to contact us first so we can address your concerns directly.

CHANGES TO THIS PAGE

Marqueeteer may update this Data Processing page to reflect changes in our practices, legal requirements, or services. Material changes will be communicated to existing clients via email before taking effect.

Your continued use of Marqueeteer’s services after updates constitutes acceptance of the revised terms. If you object to material changes, you may terminate your service agreement.

LEGAL NOTES

This Data Processing page is provided for informational purposes. It is not a substitute for the Data Processing Agreement, which is the binding legal contract governing our relationship.

Marqueeteer is an EU-registered entity operating under GDPR and applicable EU/EEA data protection laws. We recommend consulting with a data protection attorney or officer in your jurisdiction to understand your specific compliance obligations.

For questions about whether your business is subject to GDPR, CCPA, or other privacy laws, consult with legal counsel in your jurisdiction.