Privacy Policy
Effective 2026-05-07
This Policy explains what Marellio collects, why, where it goes, how long it stays, and what rights you have over it. We try to write it in plain language. If anything is unclear, ask.
1. The two kinds of people in this Policy
Users are the people who sign up for Marellio, pay for dossiers, and read the output. Users have an account.
Subjects are the people written about in a dossier. Subjects do not have an account with Marellio and have not directly given us their information — we assemble it from public sources at a User's request.
Some sections below apply only to Users; others apply to both. We flag the difference where it matters.
2. What we collect about Users
- Account data: email, name (if provided), authentication identifiers from Supabase Auth (including Google OAuth tokens if used).
- Payment data: processed by Stripe. We store the Stripe customer ID and payment-intent IDs. We never see or store full card numbers.
- Dossier inputs: the subject's name and identity anchors (LinkedIn URL, company, city, free-text notes) you submit for each pull.
- Dossier outputs: the rendered report (markdown, HTML, PDF) attached to your account.
- Operational logs: per-pull token counts, cost totals, error messages, timestamps.
3. What we collect about Subjects
Public information about the Subject from sources such as LinkedIn (via cached and aggregator views), public press, podcasts, brand and company sites, public social-media accounts, and similar. We do not bypass authentication, scrape behind login walls, or buy private data.
We do not collect Subject information except in response to a User pull. We do not maintain a standing database of profiled people.
4. How we use information
- To run and deliver the dossier you paid for.
- To bill, refund, and otherwise manage payments (Stripe).
- To send transactional notifications (sign-up, dossier-ready, refund, takedown receipt) over Resend.
- To detect abuse and enforce these Terms.
- To improve the methodology in aggregate. We may review samples of dossier outputs to tune prompts; we do not use a User's dossier inputs to train any third-party model.
We do not sell personal information. We do not share Subject data with advertisers.
5. Service providers we share data with
- Supabase — authentication and Postgres database. Hosted in the United States.
- Stripe — payment processing. Card data never reaches our servers.
- Vercel — web hosting and PDF storage (Vercel Blob).
- Anthropic — the language-model provider that powers research, synthesis, and disambiguation. Inputs are sent in encrypted transit and processed under Anthropic's commercial terms; we have configured zero retention where that option is available.
- Inngest — background job orchestration.
- Resend — transactional email delivery.
6. How long we keep data
- Account and dossier records: retained while your account is active and for up to 12 months after deletion, for billing and audit purposes. Then permanently deleted.
- Takedown records: retained indefinitely so we can keep refusing future pulls of that Subject.
- Operational logs: 90 days.
7. Your rights as a User
Depending on where you live, you may have rights to access, correct, export, or delete information we hold about you. To exercise any of these, email us. We respond within 30 days.
8. Your rights as a Subject
If you are a Subject of a (potential) Marellio dossier:
- File a takedown at marellio.com/takedown. Once recorded, future pulls matching your identity are refused.
- Email us to request a copy of any dossier already generated about you, or to request its deletion. We honor reasonable requests promptly.
- GDPR, UK GDPR, and CCPA rights apply if you live in a jurisdiction they cover; the takedown form is the fastest path for right-to-be-forgotten requests.
9. Security
Data is encrypted in transit (TLS) and at rest (Supabase, Vercel Blob). Access to production systems is limited to operators who need it. We are a small team, so we will not pretend to operate a SOC 2 program, but we follow the obvious hygiene (separate prod/dev credentials, no plaintext secrets in source, time-bound OAuth tokens).
10. Children
Marellio is not for anyone under 18. We do not knowingly accept accounts from minors or generate dossiers about them. If you believe a minor's information has been processed, contact us and we will delete it.
11. International users
We process data in the United States. By using the Service from outside the United States, you consent to that processing.
12. Changes to this Policy
Material changes will be announced by email to the address on your account at least 14 days before they take effect. The effective date at the top reflects the latest revision.
13. Contact
Privacy questions, takedown follow-ups, or rights requests: kealangreeninvestments@gmail.com.