Privacy Policy
Version: 1.0
Effective: May 26, 2026
1. Introduction
CAIO LLC ("CAIO," "we," "us," or "our") operates Marca (the "Platform"), a software-as-a-service platform for visual feedback on web applications and conversion of that feedback into specifications and code changes for AI coding agents. This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Platform, when the Marca Script runs on a Subscriber's website, when you visit our website, or when you interact with us.
This policy applies to three categories of individuals:
- Subscribers: Organizations and individuals who create accounts on Marca and pay for the Service.
- Operators: Team members invited into a Subscriber's Workspace who hold a seat. Operators interact with the Marca dashboard and manage Pins.
- Reviewers: Individuals who interact with the Marca Script on a Subscriber's website and leave Pins. Reviewers may be internal to the Subscriber's organization (e.g., teammates) or external (e.g., stakeholders, clients, beta testers).
For Reviewers: your interaction with the Marca Script is initiated and controlled by the Subscriber who installed the Script on their site. The Subscriber is the data controller for Reviewer-related data. Refer to that Subscriber's privacy policy for information about how they handle your data. We process Reviewer data on behalf of Subscribers as described in our Data Processing Addendum.
2. Information We Collect
2.1 Subscriber and Operator Account Information
- Name, email address, and (where provided) phone number and business name
- Billing address and payment information (processed by Stripe; we do not store full payment card numbers)
- Account credentials (passwords are hashed)
- SSO identity tokens where SSO is configured
- Operator records (names, emails, role assignments) and audit log activity
Operator personal information is processed solely to provide access to the Workspace and deliver the Service.
2.2 Workspace Data
- Pins (annotations on web pages), comments, threads, status, and assignment
- Screenshots, DOM snapshots, console output, and browser metadata captured at the time of Pin creation
- Briefs exported from Pins
- Canvas state, tags, integration configurations, and Workspace settings
2.3 Reviewer Data Captured by the Marca Script
When a Reviewer interacts with a Subscriber's Marca Script, the Platform may collect:
- Reviewer attribution: email address (if the Subscriber requires it), display name, or SSO identity, depending on the Subscriber's configuration; Reviewers may also be anonymous
- Pin coordinates, target element selector, and the Reviewer's note text
- Screenshot of the visible viewport and DOM snapshot of the page at the time of Pin creation
- Console log entries and network errors captured by the Script
- Browser and device information (user agent, viewport size, OS) and IP address. IP addresses are truncated to a /24 prefix (IPv4) or /48 prefix (IPv6) before persistent storage
- Page URL and route metadata
This data is captured only at the moment a Reviewer creates a Pin or explicitly initiates a capture. The Marca Script does not employ session replay, continuous screen recording, keystroke logging, or background DOM mutation tracking.
No credential interception. The Marca Script does not copy, store, transmit, or log passwords, authentication tokens, payment card numbers, or other credentials present on the page. Where the Marca Script captures DOM state or console output, credential-bearing form fields (e.g., <input type="password">) and known sensitive-input patterns are excluded from the capture. If a Subscriber's page displays credentials or sensitive data in plain text outside such fields, those values may appear in a screenshot or DOM snapshot; the Subscriber is responsible for sanitizing such pages before enabling the Marca Script (see Terms of Service, Section 7).
This data is collected on behalf of the Subscriber and stored in the Subscriber's Workspace. We process it as a data processor (see our Data Processing Addendum).
2.4 Automatically Collected Information (Dashboard and Marketing Site)
- IP address, browser type and version, operating system, and device identifiers
- Pages visited on marca.dev and within the dashboard, features used, time spent, and navigation paths
- Referring URLs and search terms
- Cookies and similar tracking technologies (see Section 6)
- Error logs and performance telemetry
Data minimization: We collect only the automatically collected data necessary for operating, securing, and improving the Platform. We do not employ session replay tools, keystroke logging, or screen recording on the marca.dev dashboard or marketing site. Click and navigation analytics are collected in aggregate and are not used to reconstruct individual user sessions.
2.5 Information from Third Parties
- Payment and billing data from Stripe (transaction confirmations, subscription status)
- Authentication data if you sign in via third-party providers (Google, GitHub, Microsoft, etc.)
- OAuth tokens and basic identity claims from connected integrations (only what is necessary to provide the requested integration)
3. How We Use Information
3.1 Subscriber and Operator Data
We use Subscriber and Operator data to provide the Service (operating your Workspace, generating Briefs, managing integrations), to process payments, to send account and service communications, to send marketing communications with your consent, to analyze aggregated usage for product improvement, and to comply with applicable laws.
Legal bases under the GDPR and UK GDPR. Where applicable, we rely on Article 6(1)(b) (performance of a contract) to provide the Service; Article 6(1)(f) (legitimate interests) to operate, secure, and improve the Platform and prevent abuse; Article 6(1)(a) (consent) for marketing communications and optional analytics; and Article 6(1)(c) (legal obligation) to comply with applicable law. For processing of Reviewer Data, the Subscriber (as controller) is responsible for identifying the lawful basis under applicable law.
AI/ML training prohibition. We do not use Subscriber data, Workspace content (Pins, screenshots, DOM snapshots, Briefs, comments), Operator interaction data, or any identifiable derivative thereof to train, fine-tune, or develop artificial intelligence or machine learning models. Platform improvements referenced above are limited to traditional software development practices (e.g., analyzing aggregated feature adoption metrics; identifying systematic bugs from anonymized error logs).
3.2 Reviewer Data
We process Reviewer data on behalf of Subscribers solely for the purpose of providing the Service. We do not use Reviewer data for our own marketing purposes. We do not contact Reviewers directly unless required by law or to assist with a Reviewer privacy rights request that the Subscriber has been unable to fulfill (see Section 8). See our Data Processing Addendum for details on our role as a data processor.
4. How We Share Information
We do not sell personal information. We share information with:
- Sub-processors: Third-party vendors that help operate the Platform (hosting, billing, transactional email, error monitoring, and AI inference for the optional "Check with AI" QA feature). Each is contractually obligated to protect your information and process it only on our instructions; our AI inference provider is used via its API with no training on inputs. The current list is at marca.dev/sub-processors.
- Subscriber-initiated integrations: When a Subscriber connects a third-party tool (GitHub, Linear, Cursor, Slack, etc.) and initiates an export, the relevant content is transmitted to the third party under the Subscriber's account.
- Subscriber Workspace access: Reviewer data captured through a Subscriber's Marca Script is accessible to that Subscriber within their Workspace. We do not share Reviewer data across Workspaces.
- Legal requirements: When required by law, court order, or to protect our rights or others' safety.
- Business transfers: In a merger, acquisition, or asset sale (with at least 30 days' notice to Subscribers).
- Aggregate data: Anonymized, aggregated data that does not identify any Subscriber, Operator, Reviewer, or individual, used only for internal research and product improvement, never with entities that are direct competitors of our Subscribers.
5. Data Isolation and Security
5.1 Workspace Isolation
Each Subscriber's Workspace is logically isolated. Your data — including Pins, screenshots, DOM snapshots, and Briefs — is not accessible to other Subscribers. Our multi-tenant architecture enforces access controls at the application and database layers.
5.2 Marca Script Isolation
The Marca Script attaches to a Subscriber's site under the Subscriber's domain. Pin captures from that domain flow only into the Workspace that owns the Script. We do not co-mingle captures across Workspaces, and the Script does not transmit data to any Workspace other than the configured one.
5.3 Security Measures
- HTTPS/TLS encryption for all data in transit
- Encryption at rest for stored data, including screenshots and DOM snapshots
- Secure payment processing through Stripe (PCI-DSS compliant)
- Role-based access controls within Workspaces
- Multi-factor authentication (MFA) required for administrative access to production systems
- Regular dependency updates and vulnerability scanning
- Secure authentication with hashed password storage
- Logging of access to production systems
- Secrets management for integration credentials
No system is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
6. Cookies and Tracking
We use cookies and similar technologies on the marca.dev marketing site and dashboard for:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, session management, core functionality. Cannot be disabled. | Session / 30 days |
| Preferences | Settings and preferences across sessions (e.g., theme). | 1 year |
We do not use advertising or cross-site tracking cookies on the Platform, and we do not run a third-party analytics tag on marca.dev as of the Effective Date. If we later add a privacy-respecting analytics provider, it will be listed at marca.dev/sub-processors before activation. You may control cookies through your browser settings; disabling essential cookies may prevent the Platform from functioning.
6.1 The Marca Script and Cookies on Subscriber Sites
The Marca Script sets a small number of cookies or uses local storage on the Subscriber's domain solely to identify a Reviewer's draft Pins and prevent duplicate capture across the same session. The Script does not set cross-site tracking cookies, does not load advertising pixels, and does not transmit data to advertising networks.
The Subscriber is responsible for disclosing the presence and purpose of the Marca Script in its own privacy notice and obtaining any consents required by applicable law (e.g., GDPR Article 6 lawful basis, ePrivacy/cookie consent, CPRA notices). Subscribers that require an in-page consent step before the Marca Script activates should implement it through their existing consent management platform; sample notice and consent snippets are published at marca.dev/docs/reviewer-notice.
7. Data Retention
- Active accounts: Data is retained for the duration of your subscription.
- After cancellation: Workspace data is retained in read-only state for 90 days, then permanently deleted (see Terms of Service, Section 5.3). Backup copies are purged within an additional 30 days.
- Billing records: Retained for 7 years for tax and legal compliance.
- Automatically collected data: Retained for a maximum of 13 months from collection, then deleted or irreversibly anonymized.
- Reviewer data within Workspaces: Retained for the duration of the Subscriber's account, subject to any earlier deletion the Subscriber configures or requests.
- Aggregated analytics: May be retained indefinitely (does not identify individuals).
- Support correspondence: Retained for 3 years after the last interaction.
8. Your Rights
Depending on your location and relationship to Marca, you may have rights to access, correct, delete, export, object to, or restrict certain processing of your personal information.
Subscribers and Operators. You may access and export Workspace data through the Platform, update account information directly, or contact [email protected] to delete your account. Workspace administrators control Workspace data and access.
Reviewers. If you interacted with a Subscriber's Marca Script and want to exercise privacy rights, contact that Subscriber directly — they control your data. If you cannot reach them, contact [email protected] and we will assist, including by relaying requests to the Subscriber and exercising targeted deletion functionality available to us as processor where appropriate.
California (CCPA/CPRA). California residents have rights to know, delete, correct, and (where applicable) opt out of sale or sharing of personal information. We do not sell personal information or share it for cross-context behavioral advertising.
Other U.S. states (Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, and others). Similar rights to access, correct, delete, and port personal data may apply under your state's privacy law.
EEA, UK, and Switzerland (GDPR / UK GDPR / FADP). You have rights to access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may also lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact [email protected]. We will verify your identity before processing requests and respond within the timeframes required by applicable law (typically 30–45 days, with possible extensions where permitted).
EU/UK representative. Where required by Article 27 of the GDPR or UK GDPR, CAIO will appoint a representative in the EEA or UK and publish their contact details on this page. As of the Effective Date, no such appointment is required.
9. Children's Privacy
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected such information, we will delete it promptly. Contact us at [email protected] if you believe we have inadvertently collected information from a minor.
10. International Data
The Platform is hosted in the United States. If you access the Platform from outside the U.S., your information will be transferred to and processed in the U.S. We apply the same security protections to all data regardless of origin. For Subscribers subject to the GDPR, UK GDPR, or Swiss FADP, see the Data Processing Addendum for transfer mechanisms.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or in-app notification at least 30 days before taking effect. We encourage you to review this policy periodically.
12. Security Incident Notification
We will notify affected Subscribers without undue delay after becoming aware of a confirmed security incident involving their personal data, and where legally required, within 72 hours. We will provide information reasonably available to us about the nature of the incident and cooperate with Subscribers as required by applicable law. For incidents affecting Subscriber Processed Data (where CAIO is the processor), see the Data Processing Addendum.
13. Contact Us
For privacy questions, data requests, or concerns:
CAIO LLC
Email: [email protected]
Website: https://marca.dev