Privacy Policy

In this document

Overview
Data we collect
How we use it
Third-party processors
Cookies & local storage
Your rights
Data retention
Security
Children's privacy
International transfers
Changes to this policy
Contact

1. Overview

Marky ("we", "us", "our") is a Chrome extension and accompanying web service. This Privacy Policy explains what personal data we collect when you use Marky, why we collect it, how it's stored, who we share it with, and the choices you have over your information.

Marky is bundled with an AI Systems Club membership. Some of the data described below is shared between the two products because they run on the same authentication backbone.

2. Data we collect

2.1 Account information

When you sign in to Marky we store:

Your email address (used as your account identifier).
Your AI Systems Club card ID (a short identifier like ASC-0042).
The display name on your AISC profile, if you've set one.
Authentication tokens (a short-lived access token and a refresh token), stored locally in your browser via chrome.storage.local.

2.2 Content you create in Marky

Saved bookmarks ("marks"): URLs, page titles, your notes, tags, categories.
Saved AI prompts: titles, prompt body, categories, tags, favorites, usage counts.
Custom collections and category settings (names, colors, icons, ordering).

2.3 Service-usage metadata

A timestamped row in our tool_access_log table each time you open Marky while signed in. We use this for product analytics and to detect abuse.
Subscription status (active / inactive / canceled) — read from the AI Systems Club billing record to check whether your access is current.

2.4 Technical data

Standard server logs from Cloudflare (our CDN / web host) when you visit marky.so: IP address, user agent, referrer, request path. Retained for 30 days, used only for security monitoring.
Standard request logs from Supabase when the extension talks to our backend, retained per their policy.

We do not use third-party analytics platforms, advertising IDs, marketing cookies, or browser fingerprinting.

3. How we use your data

Provide the core features — save, organize, search, and retrieve your marks and prompts.
Sync across devices — your library follows you when you sign in on another Chrome profile.
Verify membership — confirm your AI Systems Club subscription is active before unlocking the full library.
Detect and prevent abuse — rate-limiting and anomaly detection on server logs.
Communicate — service-critical messages (sign-in links, security notices, breaking changes). We do not send marketing emails unless you opt in to the newsletter on marky.so.

4. Third-party processors

We share data with the following sub-processors strictly to operate Marky:

Supabase (Singapore region, ap-southeast-1) — database, authentication, magic-link email delivery. Hosts your account, marks, prompts, and access logs. SOC 2 Type 2 compliant.
Cloudflare (United States, global edge) — hosts marky.so and processes web requests. Standard server logs may include your IP for 30 days for abuse prevention.
Stripe (United States, via AI Systems Club) — processes membership billing. Marky itself never stores payment card data.
Google Fonts & cdn.simpleicons.org (used on the marky.so website only) — font and icon CDNs. They may log standard request metadata.

We do not sell, rent, trade, or otherwise transfer your personal information to data brokers, advertisers, or analytics vendors.

5. Cookies and local storage

5.1 In the Chrome extension

The extension uses your browser's chrome.storage.local to:

Keep you signed in (auth token, refresh token).
Cache your prompts and categories for instant access.
Remember UI preferences (last selected category, favorites).

This storage is local to your browser, never sent to anyone except our Supabase backend during sync.

5.2 On the marky.so website

No marketing cookies, no tracking pixels, no advertising scripts.
Cloudflare may set a __cf_bm bot-management cookie that expires after 30 minutes. It's strictly necessary for security.

6. Your rights

You have the right to:

Access — see everything we hold about you, either from within the extension's UI or by emailing privacy@marky.so.
Export — download all your marks, prompts, and categories as JSON from inside the extension.
Correct — edit your marks, prompts, categories, or profile at any time.
Delete — uninstall the extension to clear local data; email us to permanently delete your cloud-side account and content.
Object / restrict processing — ask us to stop processing your data for specific purposes.
Portability — receive your data in a machine-readable format (JSON).
Withdraw consent — at any time, by signing out or deleting your account.

EU / UK residents: additional rights under GDPR, including the right to lodge a complaint with your local data protection authority.

California residents: rights under the CCPA, including the right to know what data is collected, the right to delete, and the right to opt out of "sales" (we don't sell data, so this is moot, but the right exists).

7. Data retention

While your AISC membership is active: your account and all marks/prompts are retained.
Membership canceled: your data is retained for 30 days in case you reactivate, then archived for an additional 60 days, then permanently deleted. You can request immediate deletion at any time.
Browser local storage: cleared when you uninstall the extension or clear your browser's site data for Chrome.
Server access logs: 30 days at Cloudflare, then deleted.

8. Security

We use:

HTTPS for every connection to marky.so and the Supabase API.
Encryption at rest for all database storage (Supabase / AWS).
Row-Level Security (RLS) policies on every Marky table — your data can only be read by you, never by other authenticated users.
OS-level encryption for the local browser storage (provided by Chrome).
Short-lived auth tokens (1 hour) with refresh-token rotation.
No password-based logins (we use magic-link email, eliminating credential-stuffing risk).

No system can be 100% secure. If we ever discover a security incident that affects your data, we'll notify you by email within 72 hours of discovery, in line with GDPR Article 33.

9. Children's privacy

Marky is not intended for users under 13 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@marky.so and we'll delete it promptly.

10. International data transfers

Marky's database is hosted on Supabase's ap-southeast-1 (Singapore) region. Our infrastructure (Cloudflare) operates a global edge network. Our company is registered in the United States (New Mexico). By using Marky, you consent to your data being processed in these jurisdictions.

We rely on Standard Contractual Clauses for any cross-border transfers involving EEA personal data.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we bump the "Last updated" date at the top of this page. Material changes (e.g., new categories of data collected, new sub-processors) are communicated via email to active AISC members at least 14 days before they take effect.

12. Contact

For privacy questions, data access requests, or to exercise any of the rights above:

Marky
Privacy: privacy@marky.so
General contact: hello@marky.so

We aim to respond to all privacy requests within 30 days.