Privacy Policy

How we handle your data at Marlvel

Last updated: May 7, 2026

1. Data Collection

We collect:

  • Account info (Email, Name).
  • Usage data (Logs, Feature interaction).
  • Input data (App Store URLs, connected integrations) to build your AppWiki.

2. AI & Data Usage

We use your data to power the AI Product Growth Engine.

  • We do NOT sell your data.
  • We do NOT use your private code/specs to train public models shared with other customers without your explicit consent.
  • Aggregated, anonymized data may be used to improve system performance.

3. Cookies & Tracking

We use a geo-aware two-level consent model. Whether you see a cookie banner on your first visit depends on your jurisdiction:

Where the banner is shown (opt-in)

  • EU 27 + EEA (Iceland, Liechtenstein, Norway), United Kingdom, Switzerland: GDPR / UK GDPR / FADP require explicit opt-in before non-essential analytics.
  • Visitors whose browser sends the Global Privacy Control signal (Sec-GPC: 1, default in Brave / DuckDuckGo, opt-in in Firefox 110+) regardless of jurisdiction.

Where the banner is not shown (opt-out)

  • United States and the rest of the world: enhanced analytics fire by default. You can opt out at any time using the "Cookie Settings" link in the footer.
  • This satisfies California CCPA / CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and similar US state privacy laws, which require an opt-out mechanism rather than pre-tracking consent.

Level 1 — Always on (no consent required)

  • PostHog — Anonymous, aggregated usage analytics only. No personal profiles are created, no session recording.
  • Sentry — Error monitoring and crash reporting (legitimate interest). No personal data is collected beyond technical error details.

Level 2 — Enhanced analytics (consent required in regulated jurisdictions, default elsewhere)

  • PostHog — Identified user profiles for personalized analytics, including session recording with input masking (see §5 below for details).
  • Amplitude — Product analytics to understand feature usage.
  • Firebase Analytics / Google Analytics 4 — Event tracking for app performance insights.

You can change your consent at any time via the "Cookie Settings" link in the page footer. Clicking it re-opens the consent banner regardless of your jurisdiction so you can choose again.

4. Security & Bot Protection

We use Cloudflare Turnstile to protect our authentication pages against automated abuse (bots, credential stuffing, spam).

  • Turnstile runs in invisible mode — no CAPTCHA puzzle is shown to legitimate users.
  • Cloudflare may collect your IP address, browser type, and interaction data to determine whether you are a human visitor.
  • This data is processed by Cloudflare under their own privacy policy: cloudflare.com/privacypolicy.
  • Legal basis: Legitimate interest (security of our platform and users' accounts).
  • No consent is required as this is classified as a strictly necessary security measure.

5. Session Recording

Session recording is enabled only at Level 2 consent (when you click "Accept" on the cookie banner, or when consent is auto-granted in non-regulated jurisdictions). It is delivered by PostHog and masks sensitive inputs by default.

  • What is recorded: page-level interactions (clicks, scrolls, navigation, viewport changes) for product improvement.
  • What is masked: all <input> values, with stricter masking on password and email fields. Form submissions are not captured.
  • What is excluded: recording is disabled at Level 1 (anonymous analytics only) and during admin sessions where sensitive content is rendered.
  • Storage: recordings live in PostHog's EU infrastructure (https://eu.i.posthog.com) and are deleted automatically after 90 days (see §8).
  • Opt-out: use the "Cookie Settings" link in the footer at any time to downgrade to Level 1, which disables session recording for the remainder of the session and on all future visits.

6. Your Rights (GDPR — EU/EEA)

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Opt out — Dismiss the cookie banner to use Marlvel with minimal, anonymous analytics only.
  • Access — Request a copy of the personal data we hold about you.
  • Deletion — Request the erasure of your personal data from our systems.
  • Rectification — Request correction of any inaccurate personal data.
  • Portability — Request your data in a structured, machine-readable format.
  • Withdraw consent — Withdraw your analytics consent at any time via the "Cookie Settings" link in the page footer.

To exercise any of these rights, contact us at legal@marlvel.ai. We will respond within 30 days.

7. Your Rights (CCPA — California)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to Know — You can request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and the third parties with whom we share it.
  • Right to Delete — You can request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing service delivery).
  • Right to Opt-Out of Sale — We do NOT sell your personal information. We do not and will not sell, rent, or trade your personal data to third parties for monetary or other valuable consideration.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality, or service levels.
  • Right to Correct — You can request that we correct inaccurate personal information we maintain about you.

Categories of Personal Information Collected

  • Identifiers — Name, email address, account ID.
  • Internet activity — Browsing history within Marlvel, feature interactions, search queries (with consent).
  • Professional information — Organization name, role within the platform.
  • Inferences — Product usage patterns derived from analytics (with consent).

To opt out of enhanced analytics, use the "Cookie Settings" link in the page footer at any time. To exercise any other CCPA right, contact us at legal@marlvel.ai with the subject line "CCPA Request". We will verify your identity and respond within 45 days.

8. Data Retention

We retain your data for as long as necessary to provide our services:

  • Account data — Retained for the lifetime of your account. Deleted upon account deletion request.
  • Analytics data — Retained for up to 24 months, then automatically aggregated or deleted.
  • Session recordings — Automatically deleted after 90 days.
  • Server logs — Automatically deleted after 90 days.

9. International Transfers

Your data may be processed by our sub-processors in different regions:

  • EU-based — Amplitude (EU server zone).
  • US-based — Google Cloud Platform, Cloudflare, PostHog, Sentry, Firebase, Anthropic, Google, OpenAI.

Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable to ensure adequate data protection.

10. Third Parties

We use the following trusted sub-processors:

  • Google Cloud Platform — Hosting (Cloud Run), database (Cloud SQL), storage, and infrastructure.
  • PostHog — Product analytics and feature flags.
  • Amplitude — Product analytics (with consent).
  • Sentry — Error monitoring and performance tracking.
  • Firebase / Google Analytics — Event tracking (with consent).
  • Anthropic / Google / OpenAI — LLM providers for AI features.
  • Cloudflare — Bot protection (Turnstile) on authentication pages.
  • Resend — Transactional email delivery.

All sub-processors adhere to strict security standards (SOC2/GDPR where applicable).

11. Contact

For privacy inquiries, data access, or deletion requests: legal@marlvel.ai

Privacy Questions?

Contact our Data Protection Officer

legal@marlvel.ai

We typically respond within 24 hours