POLICIES
Privacy Policy
This privacy policy applies to the websites, microsites and mobile applications that are owned, operated, or controlled by Marshall Group AB. The purpose of this privacy policy is for you, as a website visitor, customer or app user, to learn how Marshall processes your personally identifiable information (“Personal Data”) and for you to be able to feel secure that the processing is being carried out in accordance with the General Data Protection Regulation and other applicable data protection laws. When you visit our site, buy products, use our app, or sign up for our services, we collect and process Personal Data (e.g. your name, email, IP address, browsing data) to fulfill orders, improve our services, and personalize your experience. This includes showing targeted ads on platforms like Facebook, Google, and TikTok. We keep some Personal Data for up to 7 or 10 years to meet legal or accounting obligations, and we share relevant details with service providers (e.g. payment processors, shipping carriers). In some cases, data is transferred outside the EU/EEA, relying on safeguards such as the EU‐US Data Privacy Framework or Standard Contractual Clauses. You have rights under the GDPR (like accessing, erasing, or objecting to processing), and this policy explains how you can exercise them.
1. Who is responsible for your personal data?
The Swedish company Marshall Group AB, 556757-4610 (“Marshall”, “We”, “Us”) is the data controller. You may contact us at any time through customer service, or at: E-mail: support@marshall.com By mail: Marshall Group AB Att: Privacy, Centralplan 15, 111 20 Stockholm, Sweden
2. Processing and collecting Personal Data
When browsing the website, purchasing products, interacting with customer support, subscribing to newsletters, using the Marshall application on your phone and other interactions with us, we process your Personal Data. Do you need to provide the personal data to us? Yes, you do need to provide the personal data listed in the below tables where the legal ground is stated to be “Fulfilling the contract” or “Complying with legal obligations”. If you choose to withhold any Personal Data requested by Marshall for such purposes, it might not be possible for us to accept your purchase, provide your membership or fulfil our legal obligations.
2.1. If you use the website
2.1.1. Data analysis
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| Compiling aggregated tracking data to analyze how you interact with our website, communications, newsletters and social media. We do this to improve the functionality of our websites, to customise our websites to suit our visitors and to draw conclusions about how our users generally interact with our offerings. To do this we mainly use an analytic service from Google Analytics. The analytic service means that Google places a random ID on your device to distinguish your device from other visitors and to acknowledge patterns in how our website is used. We are only interested in how visitors interact with us on an aggregate level. We will not know who you are, and don’t take any measures to find out. | Your IP-address, data generated from cookies (products viewed and clicked, page visits, links in e-mail clicked), country, technical data (device type, browser settings), information on how you have interacted with us and other information that the third-party services as Google have about you, e.g., information about from which site you found us. | Consent, when consenting to our use of performance cookies. You can avoid Google Analytics by, for example, downloading and installing this browser application. | 14 months after your last website visit or until you withdraw your consent. |
Source of the Personal Data: The Personal Data is collected directly from you, your purchase history, browsing behaviour and your interaction with our websites, or from online sources that are publicly available, e.g. social media and Google.
2.1.2. Targeted advertising on third-party platforms and websites
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| Showing targeted ads to you on other websites you visit and third-party platforms such as Instagram, Facebook, Google, TikTok and YouTube, based on your behavior and browsing pattern (so called profiling). | Your IP-address, data generated from cookies (products viewed and clicked, page visits, links in e-mail clicked), country, technical data (device type, browser settings), information on how you have interacted with us and other information that the third-party services as Google have about you, e.g., information about from which site you found us. | Consent, when consenting to our use of advertising cookies. | Until further notice or until you withdraw your consent. |
Source of the Personal Data: The Personal Data is collected directly from you, your purchase history, browsing behaviour or from online sources that are publicly available, e.g. social media.
2.1.3. Necessary cookies for using our website
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| We process your Personal Data using necessary cookies to ensure our website functions properly. These cookies enable security features, remember your choices (such as preferred settings or items in your shopping cart), and keep you logged in. | Your IP-address, session ID, login credentials, technical data (device type, browser settings), information of how you have interacted with us and information that the marketing services we use have about you from before, e.g., information about from which site you found us. | Our legitimate interest to provide website functionality. | Usually after the duration of your session or as long as necessary to ensure the website’s basic functions. See our for more information. |
Source of the Personal Data: The Personal Data is collected directly from your device when you visit or interact with our website.
2.2. Purchasing products
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| Fulfilling our obligations related to the purchase, such as processing orders, delivering products, providing product warranty, sending you information about your order and handling payments. | Your name, shipping and billing address, phone number, e-mail address, order information and payment information. | Fulfilling the purchase contract between you and us. | When the purchase is completed and there no longer are any legal obligations (7 years for bookkeeping and up to 10 years for statutes of limitation). See more information about our legal obligations below. |
| Complying with accounting legislation. | Invoices, payments. | Complying with accounting legislation. | Seven years after the purchase. |
| Security and fraud prevention. | Your IP-address. | Our legitimate interest in fraud prevention. | When we have established that there is no fraud or security risk. |
Source of the Personal Data: The Personal Data is collected directly from you and your purchase history.
2.3. Newsletters, personalized marketing and offers
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| Sending personalized marketing materials such as newsletters, product information, offers, checkout reminders and surveys. | Your name, birthdate, country of residence and postal code, e-mail address, phone number and data related to how you interact with our website. | Consent. | When you withdraw your consent and no longer wish to receive newsletters and marketing or when you have not read our communication for six months. |
| We improve and develop our newsletters by analyzing how you open them and what you click on in the newsletters. We always perform such analysis on an aggregate level and do not look at how you specifically interact with our newsletters. | Information about how you open our newsletters and what you click on. | Consent. | When you withdraw your consent and no longer wish to receive newsletters and marketing. |
| Keeping track of those who do not wish to receive newsletter from us in an “unsubscribe register” to ensure that we do not market to you. This is not Personal Data we actively handle, so we do not look at your contact information and do not use it for anything else. | Your e-mail address. | Complying with legal obligations, such as marketing law which requires us to not send marketing material to individuals who have objected to receiving such marketing. | Six months after unsubscribing. |
Source of the Personal Data: The Personal Data is collected directly from you, your purchase history, browsing behaviour or from online sources that are publicly available, e.g. social media.
2.4. Contacting customer service, other communication and claims
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| We process your Personal Data when you contact us through our customer service. | Your e-mail address and other information you voluntarily provide upon contact with support or customer service. | Our legitimate interest in providing customer service. | Three years after the matter has been finally resolved. |
| Fulfilling our obligations and undertakings related to your purchase, such as handling claims, complaints, returns, refunds and your other legal rights, e.g. the right of withdrawal. | Your e-mail address and other information you voluntarily provide upon contact with support or customer service. | Fulfilling the purchase contract between you and us. | Three years after the matter has been finally resolved. |
| Sending you updates about our services or changes in our terms and conditions or privacy policies. | Your name and e-mail address. | Our legitimate interest in informing you about changes. | When you have not read our communication for six months. |
| Providing you with information and/or the Personal Data we process about you if you ask for it. | Any Personal Data we process about you. | Complying with legal obligations. | When we have complied with the legal requirements. |
Source of the Personal Data: The Personal Data is collected directly from you when providing it to us, or social media if you contact us through social media.
2.5. Leaving reviews
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| Allowing you to leave a review and publish it on our websites. | Your name, e-mail address, information you leave in your review and information about the products you bought for the purpose of your review. | Our legitimate interest in your leaving and us publishing your reviews. | Until further notice or until you ask for us to stop processing your Personal Data for this purpose. |
Source of the Personal Data: The Personal Data is collected directly from you.
2.6. Membership program
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| Managing your membership and allowing you to register your products, e.g. to have easy access to information about your purchases. | Your name and e-mail address. | Performance of a contract, fulfilling the membership terms. | Until further notice or until you delete your account. |
Source of the Personal Data: The Personal Data is collected directly from you, your purchase history, browsing behaviour or from online sources that are publicly available, e.g. social media.
2.7. Events and competitions
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| We process your Personal Data when you register for one of our events or competitions to manage your participation and to be able to contact you if you win a prize. | Depending on the time of event or competition, but we will most likely process your name and e-mail address, and your address if distribution a price. | Our legitimate interest in administrating your participation in an event or competition. | When the event or competition ends. |
Source of the Personal Data: The Personal Data is collected directly from you.
2.8. Using our App
| Purpose | Type of Personal Data | Legal Ground | When the Purpose Ends |
|---|---|---|---|
| We process your Personal Data when you use our App and sign up for newsletters. | E-mail address. | Consent. | Until further notice or until you withdraw your consent. |
Source of the Personal Data: The Personal Data is collected directly from you.
3. Third parties and Personal Data transfer outside the EU/EEA
Except as provided in this Privacy Policy, we will not intentionally disclose your Personal Data to third parties without your consent. We will however disclose information to third parties under the circumstances set out below.
When we share your Personal Data, we ensure that the recipient processes it in accordance with this notice, such as by entering into data transfer agreements or data processing agreements. Such agreements include all reasonable contractual, legal, technical and organizational measures to ensure that your information is processed with an adequate level of protection and in accordance with applicable law.
4. Transfer of Personal Data within the company group
We share your data with affiliated companies, including group companies. These recipients are only entitled to process your Personal Data on behalf of us while performing a service for us. We take all reasonable legal, technical and organizational measures to ensure that your data is handled securely and with an adequate level of protection when transferring it to, or sharing it with, such selected third parties.
5. Third parties on Marshall’s website
If you use our website and have given your consent, the following parties will process your Personal Data:
The service we use to analyse the website (mainly Google), and
The companies which provide the marketing services we use, i.e. Google (including YouTube) and Meta (Instagram and Facebook).
These recipients process Personal Data on our behalf as our data processors but also process your Personal Data as independent data controllers. These providers will inform you separately about the Personal Data processing they are responsible for themselves.
6. Marshall’s service providers
If you make a purchase with us:
Your Personal Data will be processed by Adyen N.V, PayPal (Europe) S.à r.l. et Cie, S.C.A, Kustom AB (Klarna Checkout) or IndiaIdeas.com Limited (BillDesk) when making a purchase on our website. The payment provider is independently responsible for the processing of your Personal Data and will inform you separately about how your Personal Data is processed.
Your Personal Data will be processed by the carrier of your choice, indicated in the selection you make at checkout. The carrier is independently responsible for the processing of your Personal Data and will inform you separately about how your Personal Data is processed.
We will store information necessary to comply with bookkeeping and accounting law with the use of a company that helps us archive such information and with other financial services. The information contains Personal Data but will only be processed on our behalf and on our instructions as stated in the parties’ data processing agreement.
If you receive our newsletters, we will share your Personal Data with Salesforce.com EMEA Ltd, the company which helps us send newsletters including services related to providing marketing. The information contains Personal Data but will only be processed on our behalf and on our instructions as stated in the parties’ data processing agreement.
If you interact with us on social mediaor visit our social media accounts, the social media platform that you use will process Personal Data about you as a user. The social media platforms are independently responsible for the processing of your Personal Data and will inform you separately about how they process your Personal Data.
Our IT suppliers will get access to Personal Data within our systems, e.g. website and application development, hosting, maintenance, e-mail servers, and other related services. However, these suppliers only process the Personal Data on our behalf and on our instructions to ensure good and secure IT operations. We only share your Personal Data with our IT suppliers if it is necessary for them to fulfil their obligations towards us according to the contract that we have with them and the data processing agreement.
7. Law enforcement and legal processes
Marshall will disclose Personal Data if required by applicable laws, court orders, judicial and government subpoenas or warrants, or otherwise to cooperate with law enforcement or other governmental agencies.
Marshall will also disclose Personal Data that Marshall believes is appropriate or necessary to take actions to protect Marshall and others from fraudulent, abusive or unlawful use or activity, to investigate and defend Marshall from third party claims or allegations and to protect Marshall’s business and legal rights, enforce contracts or protect the rights, property or safety of others.
8. General transfer of Personal Data
We will release your Personal Data to public authorities where we are obligated to do so by law.
If all or part of Marshall’s operations are sold, Marshall may transfer your Personal Data to a potential purchaser of the business, either in whole or in part, for the sole purpose of continuing the business subject to such sale and only if the recipient of such of the Personal Data commits to handle personal data on terms materially consistent with this Privacy Policy.
9. Personal Data transfers outside the EU
Marshall will transfer Personal Data to service providers, as stated in Section 1.2-3.3 above, located outside of the EU. Marshall will however always comply with GDPR requirements providing adequate protection for the transfer of such Personal Dara to such third countries and will try to minimize such transfer.
If your Personal Data is processed outside the EU/EEA, we will make sure that such processing is either based on a decision from the EU Commission establishing that the country in question ensures an adequate level of protection or appropriate safeguards that ensure that your rights are protected or if we conclude that such processing can be based on another ground for transfer in accordance with GDPR.
Your Personal Data will be transferred outside the EU/EEA in the following cases:
To our IT-suppliers that are located outside of the EU/EEA.
If you visit and communicate with us on our social media channels (e.g. Facebook), your Personal Data will be transferred outside the EU/EEA. One reason being that many of these companies are based in the United States.
If you visit our websites and have consented to analytics and/or marketing, your Personal Data will be transferred outside the EU/EEA to the companies which provide the service to analyse the website and provide the marketing services, e.g. TikTok, Google (including YouTube) and Meta (Instagram and Facebook). We have minimized the information that the services have access to and have taken several measures to reduce the risks of your Personal Data being transferred outside the EU/EEA – all to make it as difficult as possible for someone outside the EU/EEA to understand what Personal Data is involved.
For transfers to the US, we rely on an adequacy decision when our American suppliers are certified under the EU-US Data Privacy Framework. You can find the adequacy decision for the US here. Google (including YouTube) and Meta (Instagram and Facebook) are certified under the EU-US Data Privacy Framework. By searching their company names here, you will access their respective certificates.
In the absence of an adequacy decision, or when our transfer is not covered by one, we and our suppliers will rely on Standard Contractual Clauses (Article 46.2 c GDPR) module 1 and 2, along with supplementary security measures for the transfer of Personal Data outside of the EU/EEA. We will rely on the Standard Contractual Clauses when your personal data is processed through for example TikTok which can transfer your personal data to China. The use of Standard Contractual Clauses is intended to ensure the safe transfer of Your Personal Data. You can find the Standard Contractual Clauses here.
10. Balancing of interests assessments when processing Personal Data based on the legal basis “legitimate interests”
As we state in the tables above, for some purposes, we process your Personal Data based on our “legitimate interest”. By carrying out a balancing of interests’ assessment concerning our processing of your Personal Data, we have concluded that our legitimate interest for the processing outweighs your interests or rights which require the protection of your Personal Data.
If you want more information in relation to our balancing of interests’ assessments, please do not hesitate to contact us. Our contact information can be found at the beginning of this Privacy Policy.
11. Your rights when Marshal processes your Personal Data
You have the following rights regarding our processing of your Personal Data:
11.1. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. The supervisory authority in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, www.IMY.se)
In detail: Your right to complain exists without prejudice to any other administrative or judicial remedy. You have the right to lodge a complaint with a supervisory authority, in particular, in the EU/EEA member state of your habitual residence, place of work or place where the alleged infringement of applicable data protection laws has allegedly occurred. The supervisory authority has an obligation of informing you on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
11.2. Right to withdraw consent (Article 7.3 GDPR)
You have the right to withdraw any consent at any time by contacting us.
In detail: The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
11.3. Right of access (Article 15 GDPR)
You have the right to obtain confirmation as to whether we are processing Personal Data concerning you or not. You can make a request by contacting us. If we process your Personal Data, you also have a right to obtain a copy of the Personal Data processed by us as well as information about our processing of your Personal Data.
In detail. The information we provide includes the following:
- the purposes of the processing,
- the categories of Personal Data concerned,
- the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations,
- where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request rectification or erasure of Personal Data or restriction of processing of Personal Data concerning you or to object to such processing,
- the right to lodge a complaint with a supervisory authority,
- if the Personal Data are not collected from you, we provide you with available information about the source of the Personal Data,
- the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the predicted consequences of such processing, and
- where your Personal Data are transferred to a third country or to an international organization, you have the right to information regarding the appropriate safeguards, pursuant to Article 46 GDPR, put in place for the transfer.
For any further copies of the Personal Data undergoing processing requested by you, we may charge a reasonable fee based on administrative costs. If you have made the request by electronic means the information will be provided to you in a commonly used electronic form, unless otherwise requested by you. Your right to obtain a copy referred to above shall not adversely affect the rights and freedoms of others.
11.4. Right to object (Article 21 GDPR)
You have the right to object to our processing of your Personal Data at any time.
In detail: Your right to object applies as follows:
- relating to your situation, you have the right to at any time object to processing of your Personal Data which is necessary for the purposes of our legitimate interest, including any profiling (Article 21.1). We shall in such case no longer process the Personal Data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims,
- where Personal Data are processed for direct marketing purposes, you have the right to object at any time to processing of your Personal Data for such marketing, including any profiling (Article 21.2). If you make such objection, you have an unconditional right to have the processing of your Personal Data for such purposes ceased, and
- in the context of the use of information society services, and regardless of Directive 2002/58/EC (ePrivacy Directive, or ePD), you may exercise your right to object by automated means using technical specifications.
11.5. Right to erasure (“the right to be forgotten”) (Article 17 GDPR)
You have the right to ask us to erase your Personal Data.
In detail: We have the obligation to erase your Personal Data without undue delay where one of the following grounds applies:
- the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- you withdraw your consent on which the processing is based, and there is no other legal ground for the processing,
- you object to the processing pursuant to Article 21.1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21.2 GDPR,
- the Personal Data have been collected in relation to the offer of information society services referred to in Article 8.1 GDPR,
- the Personal Data have been unlawfully processed, or
- the Personal Data have to be erased for compliance with a legal obligation in Union or Member State law that applies to us.
Where we have made the Personal Data public and are obliged in accordance with the rights stated above to erase the Personal Data, we shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other controllers which are processing the Personal Data that you have requested the erasure by such controllers of any links to, or copy or replication of, those Personal Data.
We will notify any erasure of Personal Data carried out in accordance with your rights stated above to each recipient whom the Personal Data have been provided to, unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome to contact us.
Please note that our obligation to erase and inform according to above shall not apply to the extent processing is necessary according to the following reasons:
- for exercising the right of freedom of expression and information,
- for compliance with a legal obligation which requires processing by Union or Member State law which applies to us, or
- for the establishment, exercise, or defence of legal claims.
11.6. Right to rectification of processing (Article 16 GDPR)
You have the right to obtain, without undue delay, the rectification of inaccurate Personal Data concerning you.
In detail: Considering the purposes of the processing, you have the right to have incomplete Personal Data completed, including by providing a supplementary statement.
We will communicate any rectification of Personal Data to each recipient whom the Personal Data have been provided to, unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome to contact us.
11.7. Right to restriction of processing (Article 18 GDPR)
You have the right to obtain from us restriction of the processing of your Personal Data.
In detail: Your right applies if:
- the accuracy of the Personal Data is contested by you, during a period enabling us to verify the accuracy of the Personal Data,
- you have objected to processing pursuant to Article 21.1 GDPR pending the verification whether our legitimate grounds override yours,
- the processing is unlawful, and you oppose the erasure of the Personal Data and instead request the restriction of their use, or
- you need the Personal Data for the establishment, exercise or defence of legal claims even though we no longer need the Personal Data for the purposes of the processing.
Where the processing has been restricted according to above, such Personal Data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
We will notify each recipient whom the Personal Data have been provided to about any restriction of processing according to above, if this do not occur to be impossible or entails a disproportionate effort. If you want more information about these recipients, you are welcome to contact us.
11.8. Right to data portability (Article 20 GDPR)
You have the right to receive your Personal Data (that you have provided to us) from us in a structured, commonly used and machine-readable format and, where technically feasible, have your Personal Data transferred to another data controller (“data portability”).
In detail: The right applies if:
- the processing is based on the lawful basis consent or on a contract, and
- the processing is carried out by automated means.
The exercise of the right to data portability shall be without prejudice to the right to erasure, i.e. Article 17.
Your right to data portability shall not adversely affect the rights and freedoms of others.
To enforce your rights, Marshall provides you access to a personal account where your Personal Data can be managed, reviewed, corrected, updated, and exported. If you haven’t created a login to your personal account, you can create it by using the same e-mail address as used during purchase. You may also contact Marshall regarding your rights via the customer service form, e-mail, or post.
When contacting customer service for this purpose, you may need access to the same e-mail address used during your purchase or registration with Marshall, for us to have the possibility of verifying your identity and right to access your Personal Data.
Please note that while changes or updates will usually be reflected in Marshall’s systems immediately, we may retain your Personal Data for backups, prevention of fraud or abuse, satisfaction of legal obligations, or where Marshall otherwise believes that Marshall has the legitimate or mandatory reason to do so.
Marshall is not able to correct or update any Personal Data in relation to orders for products being processed or being shipped to you.
12. Cookies and Analytics
We use cookies and other technologies to personalize your experience visiting the website, to provide customized advertisement, information, and content, and to monitor and analyze use of the website. Please see Marshall’s Cookies policy to obtain more information about the cookies and other technologies used.
Marshall also uses analytics technologies (Google Analytics) to measure and evaluate the access to and traffic on the website, and to generate navigation reports. Google operates independently from Marshall and has its own privacy policy. You may from some browsers opt out from the collection of navigation information by Google Analytics by using Google’s opt-out feature.
13. Additional Information for California Residents
If you are a consumer residing in California, you have additional rights under the California Consumer Privacy Act (CCPA). Please see our CCPA Privacy Notice for more information.
14. Changes and Updates
We may update our services and this Privacy Policy from time to time. If that happens, we will make the new Privacy Policy available on the website and indicate the date of the latest revisions made. If the update requires a notice or consent, you will be notified or given the opportunity to consent.
This Privacy Policy was last updated: 9 April 2025.