marrow logomarrow

Legal

Privacy Policy

Last updated: January 2026

At marrow, we are committed to protecting your privacy and being transparent about how we handle your data. This policy explains how we collect, use, and safeguard your information when you use our AI-powered marketing platform. We comply with GDPR, CCPA, CPRA, and other applicable data protection laws.

1. Introduction

marrow ("Company," "we," "us," or "our") is committed to protecting your privacy and the security of your personal data.

Our Commitment

This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard your information when you use our AI-powered marketing platform. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable data protection laws.

Effective Date

January 2026. This Privacy Policy applies to all individuals whose personal data we process, including residents of the European Economic Area (EEA), United Kingdom, Switzerland, California, and other jurisdictions with data protection laws.

California Residents

If you are a California resident, please see the California Privacy Rights section below for additional disclosures about your privacy rights under the CCPA and CPRA.

2. Information We Collect

We collect several types of information to provide our AI-powered marketing services.

Information You Provide Directly

Contact Information: Name, email address, phone number, company name, and job title. Account Information: Username, password, authentication credentials, and social login profile data (when you sign up with X/Twitter or other services). Payment Information: Credit card details, billing address, and transaction history (processed through third-party payment processors like Stripe). Business Information: Brand guidelines, marketing materials, documents, URLs, and content you upload for AI processing.

Information Automatically Collected

Log Data: IP address, browser type, device information, operating system, referring/exit pages, and timestamps. Usage Data: Features used, content generated, credits consumed, pages viewed, and time spent on our platform. Device Information: Device type, unique device identifiers, browser type, and mobile network information.

Content and Documents

When you use features like brand voice analysis, document chat, or content recycling, we process the documents and content you upload. This includes PDFs, text files, documents, URLs, and any other materials you provide for AI processing.

3. How We Use Your Information

We use your information for the following purposes, based on legal grounds including contract performance, legitimate interests, legal compliance, and your consent where required.

Service Provision

To provide, maintain, and improve our AI-powered marketing platform, including content generation, brand voice analysis, scheduling, and publishing features.

AI Processing

To process your uploaded content through AI models to generate marketing content, analyze brand voices, and provide personalized recommendations.

Communication

To respond to your inquiries, provide support, send important service notices, and (with your consent) promotional communications about our services and updates.

Analytics and Improvement

To analyze usage patterns, improve our AI models, develop new features, and enhance platform performance.

Legal Compliance

To comply with legal obligations, court orders, and government requests, and to detect, prevent, and address technical issues, fraud, abuse, and security threats.

4. Third-Party Services and AI Platforms

Our services integrate with leading AI platforms and third-party services to deliver our functionality.

AI Platform Integrations

Our platform integrates with AI services including OpenAI (GPT-4, ChatGPT), Anthropic (Claude), Google (Gemini), and other leading AI providers. When you use these integrations, your data may be processed by these third parties according to their own privacy policies.

Data Usage by AI Platforms

Some AI platforms may use data to improve their models by default. We configure these services to minimize data retention where technically feasible. For sensitive data, we recommend using enterprise versions of these services that offer stronger data protection guarantees.

Payment Processors

We use Stripe and other payment processors to handle payments. Your payment information is processed by these services and they have access to your payment information only as necessary to process transactions. We do not store your complete credit card information on our servers.

Cloud Infrastructure

Our services are hosted on cloud infrastructure providers. These providers process data only to deliver hosting and infrastructure services.

Data Processing Agreement

We offer a Data Processing Agreement (DPA) to all customers whose use of our services involves processing personal data on our behalf. To request a DPA, please contact support@marrow.sh.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances.

Service Providers

With trusted third-party vendors who perform services on our behalf under strict confidentiality obligations, including payment processors, cloud hosting providers, and analytics services.

Platform Publishing

When you authorize us to publish content to third-party platforms (Twitter/X, LinkedIn, Medium, etc.), we share only the specific content you designate for publication. Your account credentials for these platforms are encrypted and stored securely.

Business Transfers

In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business, your information may be transferred as part of that transaction.

Legal Requirements

When we believe disclosure is necessary to comply with law, legal process, or government requests, or to protect our rights, property, or safety, or that of our users or the public.

With Your Consent

When you explicitly consent to the disclosure for a specific purpose.

6. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence.

Cross-Border Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your jurisdiction.

Appropriate Safeguards

When we transfer personal data from the EEA, UK, or Switzerland to other countries, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), UK Addendum, and Swiss safeguards where required.

Requesting Safeguards

To obtain more information about the appropriate safeguards we use for international data transfers, or to obtain a copy of these safeguards, please contact support@marrow.sh.

7. Data Security and Retention

We implement appropriate technical and organizational measures to protect your personal data.

Security Measures

Encryption of data in transit (TLS/HTTPS) and at rest (AES-256). Secure authentication and access controls using bcrypt for credential hashing. Regular security assessments and vulnerability scanning. Employee training on data protection and security practices. Incident response procedures and breach notification processes.

No Absolute Security

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee its absolute security.

Data Retention

Active Customer Data: While you are our customer or maintain an account with us. Business Communications: Up to 3 years after your last interaction with us. Transaction Records: As required by tax and commercial laws (typically 7 years). Marketing Data: Until you withdraw consent or request deletion. Legal Requirements: As required by applicable law.

Account Deletion

Upon your request to delete your account, we will delete or anonymize your personal data unless retention is necessary for legal or legitimate business purposes.

8. Your Privacy Rights

Depending on your location and applicable law, you may have certain rights regarding your personal information.

GDPR Rights (EEA, UK, Switzerland)

Right to Access: Request a copy of the personal data we hold about you. Right to Rectification: Request correction of inaccurate or incomplete personal data. Right to Erasure: Request deletion of your personal data in certain circumstances. Right to Restrict Processing: Request that we limit how we use your personal data. Right to Data Portability: Receive your personal data in a structured, machine-readable format. Right to Object: Object to certain processing activities based on legitimate interests. Right to Withdraw Consent: Withdraw consent at any time where we rely on consent. Right to Lodge a Complaint: Lodge a complaint with a supervisory authority in your jurisdiction.

California Privacy Rights (CCPA/CPRA)

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you. Right to Delete: Request deletion of your personal information, subject to certain exceptions. Right to Correct: Request accurate personal information. Right to Opt-Out: Direct us not to sell or share your personal information (note: we do not sell personal information). Right to Limit Use: Limit our use of your sensitive personal information. Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights. Right to Authorize an Agent: Designate an authorized agent to make requests on your behalf.

How to Exercise Your Rights

To exercise any of these rights, please contact us at support@marrow.sh. We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR requests, 45 days for CCPA requests). We may need additional information to verify your identity before processing your request.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities.

Types of Cookies

Essential Cookies: Required for the operation of our services (authentication, security). Analytics Cookies: Help us understand how users interact with our services. Functional Cookies: Remember your preferences and settings. Marketing Cookies: Track engagement with our marketing campaigns.

Controlling Cookies

You can control cookie settings through your browser preferences. However, disabling cookies may affect the functionality of our services.

Third-Party Tracking

We do not allow third-party advertisers to track you across websites for advertising purposes.

10. Children's Privacy

Our services are not intended for children under the age of 13.

Age Restriction

We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@marrow.sh. We will delete such information promptly upon verification.

Under 18 Users

If you are between 13-18 years old, you must have parent or guardian permission to use marrow. By using our services, you represent that you have such permission.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay.

Notification Timeline

For EU residents, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR. For California residents, we will notify you in accordance with CCPA requirements.

Notification Content

Notifications will include a description of the breach, the categories of personal information concerned, steps we've taken to address the breach, and steps you can take to protect yourself.

12. Changes to This Policy

We may update this Privacy Policy from time to time.

Notification of Changes

The updated version will be indicated by a revised Last Updated date and the new version will be effective as soon as it is accessible. We will provide notice of material changes through email or prominent notice on our website.

California Residents

Under California law, you may be entitled to notice of material changes in a manner reasonably designed to provide actual notice. We will provide notice by email (if provided) or through other reasonable means.

Acceptance of Changes

Your continued use of our services after the effective date of the revised Privacy Policy constitutes acceptance of the changes.

13. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with applicable laws.

Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law principles. Any legal action or proceeding arising under this Privacy Policy shall be brought exclusively in the federal or state courts located in San Francisco, California.

International Users

For individuals in the European Economic Area, United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us.

Support

Email: support@marrow.sh

Mailing Address

73101 CA-111 Unit 5, Palm Desert, CA 92260

By using marrow, you agree to this Privacy Policy. If you do not agree with this policy, please do not use our services.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.

By clicking "Accept", you agree to our use of cookies.

Learn more