Privacy Notice
Effective 12 July 2026
This notice explains how Marrow handles personal data when you use our websites, Console, APIs, command-line tools, local integrations, documentation, and related services (together, the Service).
Our Terms of Use govern your use of the Service.
Who is responsible for your data
MARROW TECHNOLOGIES LTD is the data controller for account, usage, security, communications, and other personal data where we determine why and how it is used. We are a private limited company registered in England and Wales under company number 17288650.
Where an organisation supplies personal data in Your Content for its own purposes, that organisation is the controller and Marrow processes the data on its instructions to provide the Service. If your data was supplied by an organisation that uses Marrow, contact that organisation about your rights in the first instance; we assist it with applicable requests.
For privacy questions or requests, contact [email protected].
Data we collect
The personal data we handle depends on how you use Marrow:
- Account data: email address, display name, sign-in method, account status, password hash where you use password sign-in, and the verification-code records needed to confirm an email address. We also keep the credential records needed to complete a password reset you request. Verification and password-reset credentials expire and cannot be reused.
- Google or Apple sign-in data: the provider account identifier and the email, verification status, or name the provider supplies for the sign-in. Marrow uses provider authorization data to establish the session and, where required, keeps protected credential material so a connected Apple account can be revoked during account deletion. Provider tokens are not shown in Console or returned through the customer API.
- Credentials and session data: browser and command-line session records, API key metadata, permissions, creation and last-use information. Secret API keys are shown when created; Marrow stores the material needed to verify them rather than displaying the secret again.
- Your Content: URLs, files, text, conversations, records, instructions, updates you make, and other context you choose to connect, together with information produced while processing that material.
- Usage and technical data: requests, feature use, job status, credit use, timestamps, IP address, error records, and security events.
- Communications: messages and other information you provide when you contact us.
We collect this data from you, from the devices and software you use to access Marrow, from Google or Apple when you choose that sign-in method, and from sources you direct Marrow to connect.
How we use data and our lawful bases
We use personal data only where we have a lawful basis:
| Purpose | Lawful basis |
|---|---|
| Create and manage your account; provide the features you request; process Your Content; authenticate requests; and respond to service messages | Performance of our contract with you |
| Secure, maintain, troubleshoot, and improve the Service; prevent misuse; understand feature performance; and support users | Our legitimate interests in operating and improving a secure, useful service, balanced against your rights |
| Keep records, respond to lawful requests, protect legal rights, and meet regulatory duties | Compliance with legal obligations and our legitimate interests in establishing, exercising, or defending legal rights |
Where we need personal data to provide the Service and you do not provide it, we may be unable to create an account or provide the requested feature.
Marrow does not make solely automated decisions about you that have legal or similarly significant effects.
How we share data
We share personal data only as needed for the purposes above:
- with infrastructure, hosting, database, storage, communications, and security services that help us operate Marrow, including an email-delivery service that sends account emails such as verification and password-reset instructions;
- with Google or Apple when you choose the corresponding sign-in method;
- with AI model and embedding services when a feature needs them to process Your Content;
- with professional advisers, auditors, insurers, or potential transaction partners where necessary and subject to appropriate confidentiality duties;
- with courts, regulators, law enforcement, or other authorities where required or permitted by law; and
- in connection with a corporate reorganisation, financing, acquisition, or sale, subject to appropriate protections.
Some service providers may process personal data outside the United Kingdom. You can contact us for information about relevant processing locations and safeguards.
Retention and deletion
We decide how long to keep personal data by considering how long the account remains open, whether the data is needed to provide the Service, and our legal, security, dispute, and operational needs. Different records therefore have different retention periods; we do not apply one fixed period to every category.
When you request account deletion, we begin the Service’s account-deletion process. Deletion is not necessarily instantaneous: limited copies may remain for a period in backups, logs, or service providers, and we may retain records where required by law or reasonably needed to establish, exercise, or defend legal rights. We restrict the use of retained data to those purposes and continue to protect it under this notice.
Security
We use technical and organisational measures intended to protect personal data against unauthorised access, loss, alteration, or disclosure. No internet or storage system can be guaranteed completely secure. Keep your credentials confidential and contact us if you believe your account or data has been compromised.
Your rights
Depending on the circumstances, UK data protection law may give you the right to:
- access personal data we hold about you;
- correct inaccurate or incomplete data;
- ask us to delete data;
- restrict how we use data;
- object to processing based on legitimate interests;
- receive data you provided in a portable format (data portability); and
- complain to a supervisory authority.
These rights are not absolute and may depend on the lawful basis and the circumstances. To exercise a right, contact [email protected]. We may need to verify your identity before acting on a request.
You can complain to the Information Commissioner’s Office (ICO) through its website at ico.org.uk or by writing to Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the opportunity to address your concern first, but you do not have to contact us before contacting the ICO.
Cookies and local storage
Marrow uses account-session cookies and limited browser storage to keep you signed in, preserve local connection settings, and operate requested features. These technologies are used for service functionality and security, not advertising.
Children
The Service is not directed to anyone under 18, and we do not knowingly collect personal data from children through the Service. Contact us if you believe a child has provided personal data to Marrow.
Changes to this notice
We may update this notice to reflect changes to the Service, law, or our data practices. We will post the effective date with the notice and take reasonable steps to notify account holders of a material change.
Contact
Privacy questions and rights requests can be sent to [email protected] or to MARROW TECHNOLOGIES LTD, 19c Highgate West Hill, London, United Kingdom, N6 6NP.