Privacy Policy
Last updated: April 24, 2026
Mainthread Holding B.V. (“Simmer”, “we”, “us”) operates the Simmer attribution platform (“Service”). This Privacy Policy explains what data we collect, how we use it, and your rights.
Who we are
Data controller: Mainthread Holding B.V.
Registered address: Scheveningseweg 106-30, 2584 AD Den Haag, Netherlands
KVK: 97090581
BTW-ID: NL867906364B01
Contact: letsimmer@toonverbeek.com
1. Data we collect
From merchants (our customers)
- Account data: name, email, organization details (via Clerk)
- Integration credentials: encrypted access tokens for connected platforms (HubSpot, Shopify)
- Configuration: project settings, channel rules, consent mode
From visitors to merchants' websites/stores
- Browsing events: page URLs, referrer, UTM parameters, timestamps, anonymous session identifiers
- Hashed email addresses: when a visitor identifies themselves (form submission, checkout), we hash their email with HMAC-SHA256 using a merchant-scoped secret. Plaintext emails are never stored.
- Conversion data: order IDs, revenue amounts, currency (from integrated commerce platforms)
We do not collect names, phone numbers, addresses, or payment details from visitors.
2. How we use data
- Match anonymous website visits to known customers (identity resolution)
- Calculate multi-touch attribution — which marketing channels contributed to each conversion
- Display aggregated analytics dashboards to the merchant
- Maintain and improve the Service
We do not use personal data for advertising, profiling, or automated decision-making that produces legal effects on individuals.
3. Legal basis (GDPR)
- Legitimate interest for attribution analytics (Article 6(1)(f))
- Contract performance for service delivery to merchants (Article 6(1)(b))
- Consent via merchant-deployed consent management (Article 6(1)(a)) for tracking cookies
Merchants are responsible for obtaining consent from their own visitors where required. Our pixel respects the Shopify Customer Privacy API and common consent management platforms (CookieYes, OneTrust, Cookiebot).
4. Data sharing and sub-processors
We do not sell personal data. We do not share it for advertising purposes.
We use the following sub-processors:
| Sub-processor | Purpose | Region | Compliance |
|---|---|---|---|
| Neon | Configuration database | US/EU | SOC 2 |
| Tinybird | Analytics storage | EU | SOC 2 |
| Upstash | Event processing queue | US/EU | SOC 2 |
| Vercel | Application hosting | Global | SOC 2 |
| Clerk | Authentication | US | SOC 2 |
5. International transfers
Data may be processed in the United States and European Union. We rely on Standard Contractual Clauses (SCCs) where transfers from the EU to third countries occur.
6. Retention
| Data | Retention |
|---|---|
| Browsing events, identity links, conversions | 13 months |
| Integration credentials | Until merchant disconnects the integration |
| Account data | Until account deletion |
| Server logs | 30 days |
7. Your rights
Under GDPR / CCPA you have the right to:
- Access the personal data we hold about you
- Request correction or deletion
- Object to or restrict processing
- Request data portability
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens)
For visitors: contact the merchant whose site you visited. They are the data controller for visitor data.
For merchants: email letsimmer@toonverbeek.com. We respond within 30 days.
8. Security
- Access tokens encrypted at rest with AES-256-GCM
- TLS for data in transit
- Email addresses hashed before storage with per-merchant secrets
- Multi-tenant isolation enforced at query level
- Internal retention, access, and incident response policies available on request
9. Changes
We may update this policy as the Service evolves. We will notify merchant account holders of material changes via email.
10. Contact
Mainthread Holding B.V.
Scheveningseweg 106-30
2584 AD Den Haag
Netherlands
KVK: 97090581
Email: letsimmer@toonverbeek.com