Privacy Policy

How we handle your data at Marlvel

Version v1.1 · Effective July 1, 2026

1. Data Collection

We collect:

  • Account info (Email, Name).
  • Usage data (Logs, Feature interaction).
  • Input data (App Store URLs, connected integrations) to build your AppWiki.

Providing your account information (email and name) is necessary to create an account and use the Service; without it we cannot provide the Service. Analytics and marketing data are optional and, where required, based on your consent — declining does not affect your access to core features.

3. AI & Data Usage

We use your data to power the AI Product Growth Engine.

  • We do NOT sell your data.
  • We do NOT train any model on your private code, specs, or connected data.
  • Aggregated, non-personal system metrics may be used to improve performance and reliability.
  • No solely-automated decisions with legal effect (GDPR Art. 22). Our AI features produce advisory insights and inferences about apps and product usage; we do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.

4. Cookies & Tracking

We use a geo-aware two-level consent model. Whether you see a cookie banner on your first visit depends on your jurisdiction:

Where the banner is shown (opt-in)

  • EU 27 + EEA (Iceland, Liechtenstein, Norway), United Kingdom, Switzerland: GDPR / UK GDPR / FADP require explicit opt-in before non-essential analytics.
  • Visitors whose browser sends the Global Privacy Control signal (Sec-GPC: 1, default in Brave / DuckDuckGo, opt-in in Firefox 110+) regardless of jurisdiction.

Where the banner is not shown (opt-out)

  • United States and the rest of the world: enhanced analytics fire by default. You can opt out at any time using the "Cookie Settings" link in the footer.
  • This satisfies California CCPA / CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and similar US state privacy laws, which require an opt-out mechanism rather than pre-tracking consent.

Level 1 — Always on (no consent required)

  • PostHog — Usage analytics. For signed-out visitors this is anonymous and no personal profile is created. For signed-in users we create a first-party analytics profile linked to your account (functional analytics for your logged-in session — e.g. account ID, plan and organisation role); session recording remains off at this level.
  • Sentry — Error monitoring and crash reporting (legitimate interest). No personal data is collected beyond technical error details.

Level 2 — Enhanced analytics (consent required in regulated jurisdictions, default elsewhere)

  • PostHog — Identified user profiles for personalized analytics, including session recording with input masking (see §6 below for details).
  • Amplitude — Product analytics to understand feature usage.
  • Google Analytics 4 — Event tracking for app performance insights.

You can change your consent at any time via the "Cookie Settings" link in the page footer. Clicking it re-opens the consent banner regardless of your jurisdiction so you can choose again.

5. Security & Bot Protection

We protect our authentication endpoints and platform against automated abuse (bots, credential stuffing, spam) using rate-limiting and abuse-detection measures, rather than a visible CAPTCHA.

  • Network-level rate limiting at our infrastructure provider (Google Cloud Armor) throttles abusive request volumes before they reach the application.
  • Application-level rate limiting and same-origin request validation further restrict automated and cross-origin abuse of sensitive endpoints (sign-in, sign-up, account actions).
  • These controls process technical request metadata such as your IP address and user agent for the sole purpose of security.
  • Legal basis: Legitimate interest (security of our platform and users' accounts).
  • No separate consent is required as this is a strictly necessary security measure.

6. Session Recording

Session recording is enabled only at Level 2 consent (when you click "Accept" on the cookie banner, or are auto-granted in non-regulated jurisdictions). It is delivered by PostHog and masks sensitive inputs by default.

  • What is recorded: page-level interactions (clicks, scrolls, navigation, viewport changes) for product improvement.
  • What is masked: all <input> values, with stricter masking on password and email fields. Form submissions are not captured.
  • What is excluded: recording is disabled at Level 1 (anonymous analytics only).
  • Storage: recordings live in PostHog's EU infrastructure (https://eu.i.posthog.com) and are deleted automatically after 90 days (see §9).
  • Opt-out: use the "Cookie Settings" link in the footer at any time to downgrade to Level 1, which disables session recording for the remainder of the session and on all future visits.

7. Your Rights (GDPR — EU/EEA)

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Opt out — Dismiss the cookie banner to use Marlvel with minimal, anonymous analytics only.
  • Access — Request a copy of the personal data we hold about you.
  • Deletion — Request the erasure of your personal data from our systems.
  • Rectification — Request correction of any inaccurate personal data.
  • Portability — Request your data in a structured, machine-readable format.
  • Restriction (Art. 18) — Request that we restrict the processing of your personal data in certain circumstances.
  • Objection (Art. 21) — Object to the processing of your personal data carried out on the basis of our legitimate interests.
  • Withdraw consent — Withdraw your analytics consent at any time via the "Cookie Settings" link in the page footer.

To exercise any of these rights, contact us at legal@marlvel.ai. We will respond within 30 days.

You have the right to lodge a complaint with a supervisory authority, in particular the CNIL (www.cnil.fr) in France, if you believe our processing infringes the GDPR.

8. Your Rights (CCPA — California)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to Know — You can request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and the third parties with whom we share it.
  • Right to Delete — You can request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing service delivery).
  • Right to Opt-Out of Sale or SharingWe do NOT sell your personal information for monetary consideration. Certain analytics cookies (for example Google Analytics) may constitute "sharing" for cross-context behavioral advertising under the CPRA. You can opt out of this sharing at any time via the "Cookie Settings" link in the page footer, and we honor the Global Privacy Control (Sec-GPC) browser signal as a valid opt-out-preference signal.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality, or service levels.
  • Right to Correct — You can request that we correct inaccurate personal information we maintain about you.

Categories of Personal Information Collected

  • Identifiers — Name, email address, account ID.
  • Internet activity — Browsing history within Marlvel, feature interactions, search queries (with consent).
  • Professional information — Organization name, role within the platform.
  • Inferences — Product usage patterns derived from analytics (with consent).
  • Sensitive Personal Information — Account log-in credentials, collected solely to authenticate you and secure your account (a business purpose exempt under CPRA §1798.121(d)). We do not use or disclose sensitive personal information to infer characteristics, so the Right to Limit does not apply.

To opt out of enhanced analytics, use the "Cookie Settings" link in the page footer at any time. To exercise any other CCPA right, contact us at legal@marlvel.ai with the subject line "CCPA Request". You may use an authorized agent to submit a request on your behalf. We will verify your identity and respond within 45 days.

9. Data Retention

We retain your data for as long as necessary to provide our services:

  • Account data — Retained for the lifetime of your account. Deleted upon account deletion request.
  • Analytics data — Retained for up to 24 months, then automatically aggregated or deleted.
  • Session recordings — Automatically deleted after 90 days.
  • Server logs — Retained for up to 90 days for security, debugging and reliability.
  • Billing, payment & tax / accounting records — Retained for the period required by applicable accounting and tax law (up to 10 years in France).
  • Security & abuse-prevention logs (IP address, user agent) — Retained for up to 12 months.

10. International Transfers

Your data may be processed by our sub-processors in different regions:

  • EU-based — Amplitude, PostHog (EU server zone), and Mistral AI (France).
  • US-based — Google Cloud Platform, Sentry, Anthropic, Google, OpenAI, Stripe, Resend, Slack (Salesforce), Meta / WhatsApp Cloud API, LangSmith (LangChain), Brave Search, Firecrawl.

Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable to ensure adequate data protection.

11. Third Parties

We use the following trusted sub-processors:

  • Google Cloud Platform — Hosting (Cloud Run), database (Cloud SQL), storage, and infrastructure (United States; SCCs / DPF).
  • PostHog — Product analytics and feature flags (European Union; processed in the EU).
  • Amplitude — Product analytics (with consent) (European Union; processed in the EU).
  • Sentry — Error monitoring and performance tracking (United States; SCCs).
  • Google Analytics 4 — Event tracking (with consent) (United States; SCCs / DPF).
  • Anthropic / Google / OpenAI — LLM providers for AI features (United States; SCCs / DPF).
  • Mistral AI — large language model provider for AI features (European Union (France); processed in the EU).
  • Resend — Transactional email delivery.
  • Stripe — payment processing and billing (United States; SCCs).
  • Slack (Salesforce, Inc.) — workspace messaging integration and operational alerting (United States; SCCs).
  • Meta Platforms, Inc. / WhatsApp Cloud API — messaging delivery for users who connect via WhatsApp (United States; SCCs).
  • LangSmith (LangChain, Inc.) — AI tracing and observability (debugging and quality monitoring) (United States; SCCs).
  • Brave Search (Brave Software, Inc.) — web search to answer in-product queries (United States; SCCs).
  • Firecrawl (Mendable, Inc.) — web content retrieval (United States; SCCs).

All sub-processors adhere to strict security standards (SOC2/GDPR where applicable).

12. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal data; contact legal@marlvel.ai to request deletion.

13. Contact

For privacy inquiries, data access, or deletion requests: legal@marlvel.ai

Privacy Questions?

Contact our Data Protection Officer

legal@marlvel.ai

We typically respond within 24 hours

    Privacy Policy | Marlvel