Privacy Policy

Effective Date: April 11, 2026

This Privacy Policy explains how Marlo ("Marlo", "we", "us") collects, uses, stores, and protects information when you use the Marlo platform at mymarlo.ai (the "Platform"). By using the Platform, you agree to the practices described below.

1. Information We Collect

We collect the following categories of information:

Account information — your name, email address, profile picture, and organization details, provided via our authentication provider (Clerk) when you sign up.
Content you provide — business information, brand context, goals, team details, uploaded files, and any text or voice input you enter into onboarding, strategy, planning, or chat features.
Third-party integration data — when you explicitly connect a Google Analytics, Google Ads, Google Search Console, or HubSpot account, we access data from those accounts as described in the "Google User Data" and "Other Third-Party Integrations" sections below.
Usage data — login events, feature interactions, page views, and AI generation requests, used to operate and improve the Platform.

2. How We Use Information

We use your information to:

Provide, operate, and improve the Platform's features
Generate AI-powered marketing strategies, plans, and recommendations inside your own Marlo workspace
Display integration data (Google Analytics, Google Ads, etc.) in dashboards you explicitly authorize
Communicate with you about your account, support requests, and product updates
Monitor platform health, prevent abuse, and comply with legal obligations

3. Google User Data

When you choose to connect a Google account to Marlo (from Settings → Integrations or during onboarding), Marlo requests the minimum OAuth scopes required to power your chosen integration. This section describes Marlo's use of Google user data and complies with the Google API Services User Data Policy, including the Limited Use requirements.

3.1 Scopes Requested and Why

https://www.googleapis.com/auth/analytics.readonly (Google Analytics, read-only) — Used to (a) list your GA4 properties so you can pick which property to connect, and (b) read aggregated traffic, acquisition, conversion, and landing page performance metrics to display in your Marlo dashboard and provide context for AI-generated marketing recommendations. Marlo never writes to Google Analytics.
https://www.googleapis.com/auth/adwords (Google Ads) — The Google Ads API does not publish a read-only OAuth scope; this is the only scope Google offers. Marlo uses it exclusively for read operations: listing your accessible customer accounts so you can pick which ad account to connect, resolving manager/child account relationships, and reading historical campaign performance metrics (impressions, clicks, cost, conversions, CTR, CPC) for display in your Marlo dashboard and AI recommendations. Marlo does not create, modify, pause, or delete campaigns, ad groups, ads, keywords, budgets, or any other Google Ads resource.
https://www.googleapis.com/auth/webmasters.readonly (Google Search Console, read-only) — Used to list your verified sites and read search performance metrics (impressions, clicks, average position, top queries) for display in your Marlo dashboard and AI recommendations. Marlo never writes to Search Console.

3.2 How Google User Data Is Used

Google user data obtained via the scopes above is used solely to provide the specific integration features you explicitly authorize inside your Marlo workspace. Specifically, Marlo:

Fetches data on-demand from the specific Google account you connected, at the time you or your team trigger an action inside Marlo (viewing a dashboard, running an AI generation, etc.).
Displays the retrieved data only inside the Marlo organization that authorized the connection. Marlo enforces strict multi-tenant isolation — data from one organization is never visible to another.
Supplies the retrieved data as grounding context to AI-generated strategy and plan recommendations that appear only in that same authorized workspace.

3.3 Limited Use Commitment

Marlo's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Marlo will only use Google user data to provide and improve user-facing features that are prominent and clearly visible inside the Marlo application.
Marlo will not transfer Google user data to third parties except as necessary to provide or improve these user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
Marlo will not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
Marlo will not allow humans to read Google user data unless (a) you have given explicit consent to read specific data, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data has been aggregated and anonymized and is used for internal operations.
Marlo will not use Google user data to develop, improve, or train generalized machine learning models. Data is supplied only as real-time context to existing AI models (OpenAI) to generate recommendations for the authorizing user; no training, fine-tuning, or model development occurs on Google user data.

3.4 Data Storage and Security for Google User Data

OAuth access tokens and refresh tokens are encrypted at rest in our Postgres database using AES-256-GCM with keys stored in a separate server-side environment.
Data fetched from Google APIs is used to render the user-facing feature that triggered the request; aggregated and cached metrics may be stored transiently in our database to power dashboards you revisit.
All data transfers to and from Google APIs occur over HTTPS/TLS.
Access to production systems is restricted to authorized engineering personnel using multi-factor authentication.

3.5 Revoking Access and Deleting Your Google Data

You can disconnect any Google integration at any time by navigating to Settings → Integrations inside Marlo and clicking "Disconnect" next to the integration. Disconnection:

Immediately revokes and deletes the OAuth tokens Marlo stored for that integration
Stops any further API calls by Marlo to that Google account
Clears cached data tied to that integration from your workspace

You can additionally revoke Marlo's access directly from Google at https://myaccount.google.com/permissions. To request full deletion of your Marlo account and all associated data (including any cached Google data), contact us at support@mymarlo.ai.

4. Other Third-Party Integrations

Marlo also offers an optional HubSpot CRM integration. When you connect HubSpot, Marlo reads company, contact, and deal data from your connected HubSpot portal under the scopes you authorize (crm.objects.companies.read, crm.objects.contacts.read, crm.objects.deals.read) and uses it to display pipeline information and provide AI recommendation context inside your workspace. HubSpot data is handled under the same Limited Use principles described in Section 3.3 and can be disconnected from Settings → Integrations at any time.

5. Sharing and Sub-processors

We do not sell your data. We share information only with trusted service providers strictly necessary to operate Marlo:

Clerk — authentication and user identity
Neon (Postgres) — primary database hosting
Vercel — application hosting and file storage
OpenAI — AI model inference for strategy, planning, and chat features. Prompts sent to OpenAI may include content you entered into Marlo and aggregated integration data. OpenAI processes this data under its API terms, which prohibit use of API inputs for model training.
Resend — transactional email delivery

We may also disclose information if required by law, legal process, or to protect the rights, safety, or property of Marlo, our users, or the public.

6. Data Storage, Retention, and Security

Your data is stored in our Postgres database (hosted by Neon) and on Vercel infrastructure. We retain your data for as long as your account is active. You may request deletion of your account and associated data at any time by contacting support@mymarlo.ai. We implement industry-standard security safeguards including encryption at rest for sensitive credentials, TLS for all data in transit, and access controls on production systems. No system is completely secure; please use the Platform with appropriate judgment.

7. Your Rights

You may:

Request a copy of the personal data Marlo holds about you
Request correction or deletion of your personal data
Disconnect any integration at any time from Settings → Integrations
Delete your Marlo account, which deletes your associated data
Withdraw consent to any specific processing at any time

To exercise any of these rights, contact support@mymarlo.ai.

8. AI Processing

Marlo uses third-party AI providers (currently OpenAI) to process your inputs and generate outputs such as marketing strategies, plans, personas, and chat responses. By using AI features, you acknowledge that your inputs may be sent to these providers for processing under their respective terms. We do not use Google user data obtained via Google API scopes to train AI models (see Section 3.3).

9. Sensitive Information

You agree not to upload the following to Marlo:

Protected health information (PHI) subject to HIPAA
Payment card data subject to PCI DSS
Personally identifiable sensitive data beyond what is necessary to use the Platform
Confidential client data without proper authorization

10. Children's Privacy

Marlo is intended for use by businesses and individuals aged 18 or older. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and noted with an updated Effective Date at the top of this page.

12. Contact Us

If you have questions about this Privacy Policy or Marlo's data practices, please contact us at support@mymarlo.ai.