Privacy Policy

Last updated: March 9, 2025

Marque ("we", "us", "our") operates the marque.app website and the Marque application (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

We take your privacy seriously. Our business model is built on subscriptions, not your data. We never sell, share, or monetize your personal information.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address
• Name (as provided by your OAuth provider)
• OAuth tokens (encrypted, used solely to access your email with your permission)

1.2 Email Data

When you connect your email account, we access your sent folder only. We do not access your inbox, drafts, spam, or any other folder. Specifically:

• We read the text content of your sent emails
• We do not read email attachments
• We do not access emails sent to you by others
• We do not store recipient email addresses beyond what is needed for processing

1.3 Generated Content

Text you generate using Marque is stored temporarily to provide generation history. You can delete your generation history at any time.

1.4 Usage Data

We collect minimal, anonymized usage data (page views, feature usage) to improve the Service. We do not use third-party analytics trackers. We do not use advertising cookies.

2. How We Use Your Data

Your email data is used for one purpose: training a personal voice model unique to you. This means:

• Your sent emails are processed to extract writing style patterns (vocabulary, sentence structure, tone, rhythm)
• These patterns are used to fine-tune a language model adapter specific to your account
• The resulting model adapter captures statistical writing patterns — it does not memorize or reproduce your emails
• Your voice model is used only to generate text at your request

We do not:

• Use your emails to train any shared or general-purpose model
• Share your voice model with other users
• Use your data for advertising or marketing
• Sell or license your data to third parties
• Allow our employees to read your emails — only automated systems process your data

3. Data Storage and Encryption

3.1 Encryption

• In transit: All data is transmitted over TLS 1.2+
• At rest: Email data and OAuth tokens are encrypted using AES-256-GCM with per-user encryption keys
• OAuth tokens: Encrypted at rest with keys derived from a server-side secret and your user ID

3.2 Data Retention

• Raw email text: Deleted automatically after voice model training is complete. Typical retention: less than 24 hours.
• Processed training data: Retained while your account is active. Contains cleaned text samples — not complete emails.
• Voice model adapter: Retained while your account is active. Contains numerical model weights, not personal information.
• Generation history: Retained for 90 days, then automatically deleted. You can delete it manually at any time.
• Account data: Retained while your account is active.

3.3 Infrastructure

Our infrastructure is hosted on servers located in the European Union (Hetzner, Germany) and uses Cloudflare for CDN and DDoS protection. GPU processing for model training occurs on secure, isolated compute instances.

4. Third-Party Services

We integrate with the following third-party services:

• Google (Gmail API): To access your sent emails with your permission. Governed by Google API Services User Data Policy. Our use complies with the Google API Services User Data Policy, including the Limited Use requirements.
• Microsoft (Outlook/Graph API): To access your sent emails with your permission, if you use Outlook.
• Cloudflare: For DNS, CDN, and security. Cloudflare may process IP addresses as part of their service.
• Stripe: For payment processing. We do not store credit card numbers. See Stripe's privacy policy.

5. Google API Services Disclosure

Marque's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only request access to the Gmail send scope (read-only access to sent messages)
• We do not use Google user data for serving advertisements
• We do not allow humans to read your data unless: (a) we have your explicit consent, (b) it is necessary for security purposes, (c) it is required by law, or (d) the data is aggregated and anonymized for internal operations
• We do not transfer Google user data to third parties except as necessary to provide the Service, as required by law, or in a merger/acquisition with equivalent privacy protections

6. Your Rights

You have the following rights regarding your data:

• Access: Request a copy of all data we hold about you
• Deletion: Delete your account and all associated data at any time from your account settings. This is an immediate, hard delete — not a soft delete or deactivation.
• Revocation: Disconnect your email account at any time, which revokes our access to your email
• Export: Export your voice model and generation history
• Correction: Request correction of any inaccurate personal data
• Restriction: Request that we limit processing of your data
• Portability: Receive your data in a structured, machine-readable format

To exercise any of these rights, contact us at privacy@marque.app or use the controls in your account settings.

7. GDPR Compliance

For users in the European Economic Area (EEA), we process your data under the following legal bases:

• Consent: When you connect your email account, you explicitly consent to us accessing your sent folder for voice model training
• Contract: Processing necessary to provide the Service you have requested
• Legitimate interest: Minimal usage analytics to improve the Service

You may withdraw consent at any time by disconnecting your email account or deleting your account.

8. Cookies

We use only essential cookies required for the Service to function:

• Session cookie: HttpOnly, Secure, SameSite=Strict. Used to maintain your login session. Expires when you close your browser or after 30 days.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

9. Children's Privacy

Marque is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or requests:

• Email: privacy@marque.app