Privacy Policy

Last updated: April 2026

Data Controller

Marmalaid is operated by [LEGAL ENTITY NAME], a company incorporated in the United States. Contact: hello@marmalaid.ai

EU/EEA Representative

For users in the European Union or European Economic Area, our designated EU representative is: [EU REPRESENTATIVE NAME AND ADDRESS — to be appointed prior to EU user onboarding]. You may contact our EU representative for any GDPR-related enquiries.

What we collect

When you use Marmalaid, we store:

• Your WhatsApp phone number (used as your account identifier)
• Messages you send and the responses we generate
• Personal facts you share — name, timezone, preferences, dietary restrictions, contacts, calendar events
• Location data — precise GPS coordinates (retained for up to 48 hours, then reduced to city-level) and city-level location (retained while your account is active)
• Voice transcriptions of voice notes you send
• Restaurant booking history and preferences
• Google Calendar and Gmail data, if you connect your Google account
• A persistent memory of your conversations, used to personalise future responses

How we use your data

Your data is used solely to provide your personal Marmalaid experience. We do not sell, rent, or share your data with third parties, except as described below.

Lawful basis (for EU/EEA users)

We process your data on the following lawful bases under GDPR:

• Consent (Art. 6(1)(a)) — for memory storage, profiling, and location tracking. You provide consent during onboarding and may withdraw it at any time.
• Contract performance (Art. 6(1)(b)) — for the core assistant function: receiving your messages and sending responses.

Third-party processors

Your data is processed by the following sub-processors:

• Anthropic (US) — generates AI responses via Claude API. Does not train models on API data. Privacy policy.
• OpenAI (US) — indexes your memories and transcribes voice notes. Does not train on API data by default. Privacy policy.
• Supabase (EU region) — hosts our database. Data stored within the EU.
• Hetzner (US) — hosts our application server. Data stored in the United States (Ashburn, Virginia).
• Meta — provides WhatsApp Business API infrastructure for message delivery.
• Google — provides Calendar and Gmail integration if you choose to connect your Google account.

International data transfers

Anthropic and OpenAI are US-based companies. When your messages are processed for AI responses or memory indexing, data is transferred to the US. These transfers are governed by Standard Contractual Clauses (SCCs) as provided under each company's data processing terms. Supabase and Hetzner are US-based and store data in the United States.

Data retention

• Conversation memory: retained for 2 years from your last active use
• Structured facts and preferences: retained while your account is active
• Precise location coordinates: reduced to city-level after 48 hours
• Booking history: retained for 3 years
• System logs: deleted after 90 days
• All data: permanently deleted within 30 days of an erasure request

Your rights

You have the following rights regarding your personal data:

• Right to access — say "what do you know about me?" in Marmalaid
• Right to erasure — say "delete my data" in Marmalaid to permanently delete everything
• Right to withdraw consent — say "delete my data" at any time; withdrawal does not affect the lawfulness of prior processing
• Right to portability — contact us to request a copy of your data in a machine-readable format
• Right to lodge a complaint — EU/EEA users may lodge a complaint with their national supervisory authority. US users may contact the FTC or their state attorney general.

Security

Your data is encrypted in transit (TLS) and at rest (AES-256). Sensitive credentials are encrypted at the application level. Each user's data is strictly isolated — no other user can access your information.

Contact

For privacy questions, data access requests, or deletion requests: hello@marmalaid.ai