Privacy Policy

Effective date: February 28, 2026 · Last updated: February 28, 2026

1. Introduction

Marqy, Inc. ("Marqy," "we," "us," or "our") is a Delaware C-corporation that operates the Marqy platform, an AI-native marketing intelligence and execution platform available at marqy.app (the "Service").

This Privacy Policy describes how we collect, use, store, share, and protect information when you use our Service. It also explains your rights regarding your personal data and how to exercise them.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, organization name, and authentication credentials (managed via Firebase Authentication). We may also collect your profile photo if provided by your identity provider.

2.2 Connected Platform Data

Marqy connects to third-party advertising and analytics platforms on your behalf. When you authorize a connection, we access and store data from those platforms to provide our Service. This includes:

  • Meta (Facebook) Ads: Ad account identifiers, campaign structures (campaigns, ad sets, ads), ad creative content (images, videos, text, URLs), targeting parameters, budget and scheduling information, and performance metrics (impressions, clicks, spend, conversions, reach). We access this data using Meta Marketing API permissions including ads_read, ads_management, and pages_read_engagement.
  • Google Analytics: Website traffic data, audience demographics, acquisition sources, user behavior metrics, and conversion data from your connected Google Analytics properties.
  • Google Ads: Ad account identifiers, campaign structures, keywords, ad creatives, quality scores, budget data, and performance metrics.
  • Social Media Platforms: Account profile data, post content, engagement metrics, follower demographics, and publishing schedules from connected social media accounts.

2.3 Usage Data

We automatically collect certain information when you use the Service, including your IP address, browser type, operating system, referring URLs, pages viewed, features used, timestamps, and general interaction patterns. This data is collected through server logs and analytics tools.

2.4 AI-Generated and Processed Data

Our Service uses artificial intelligence to generate marketing recommendations, creative content, and strategic insights. In the course of providing these features, we process your connected platform data, brand information, and marketing context through AI models. The outputs (recommendations, generated creatives, strategy suggestions) are stored as part of your account data.

2.5 Competitive Research Data

When you use our competitive analysis features, we collect and process publicly available information about competitor brands, including publicly accessible web content, search engine results, and publicly visible advertising data. This data is gathered through authorized web search APIs and publicly available sources.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain the Service: Display your marketing data, create and manage advertising campaigns, generate creative content, and deliver AI-powered recommendations.
  • Campaign management: Create, modify, and manage ad campaigns on connected platforms (e.g., Meta Ads) on your behalf, including uploading creative assets, setting targeting parameters, and managing budgets.
  • Analytics and reporting: Aggregate and visualize performance data from your connected platforms to provide cross-channel insights and reporting.
  • AI-powered features: Process your marketing data to generate strategic recommendations, creative suggestions, audience insights, and performance optimizations using AI models.
  • Improve the Service: Analyze usage patterns and aggregate, de-identified data to improve product features, performance, and user experience.
  • Communications: Send transactional emails (account verification, password resets), service announcements, and, with your consent, product updates.
  • Security and fraud prevention: Detect, prevent, and respond to security incidents, fraudulent activity, and terms of service violations.
  • Legal compliance: Comply with applicable laws, regulations, legal processes, and government requests.

4. Third-Party Services and Integrations

Marqy integrates with various third-party services to provide its functionality. Each integration involves specific data sharing:

4.1 Meta (Facebook) Ads

When you connect your Meta ad account, we use the Meta Marketing API to read campaign performance data and create or manage ad campaigns on your behalf. We store your Meta access token (encrypted at rest), ad account identifiers, and campaign data in our database. We do not sell, license, or rent your Meta ad data to any third party. Your Meta data is used solely to provide you with Marqy's marketing features. We comply with Meta's Platform Terms and Developer Data Use Policy.

4.2 Google Analytics and Google Ads

When you connect your Google Analytics or Google Ads accounts, we access your analytics and advertising data through Google's APIs using OAuth 2.0 authorization. We store the data necessary to provide cross-channel reporting and insights. We comply with Google's API Services User Data Policy.

4.3 Social Media Platforms

Marqy may connect to social media platforms (such as Instagram, LinkedIn, and X/Twitter) to read engagement data, schedule or publish content, and provide unified social media management. Each connection uses the platform's official API with OAuth authorization. We only access data you explicitly authorize.

4.4 AI Service Providers

We use third-party AI models (including services from Anthropic and OpenAI) to power our marketing intelligence features, such as creative generation, strategic recommendations, and content analysis. When processing your data through these AI services:

  • We send only the data necessary to generate the requested output.
  • We do not allow AI providers to use your data to train their general models. Our agreements with AI providers include data processing terms that prohibit this.
  • AI-generated outputs are stored in your Marqy account and treated as your confidential data.

4.5 Web Search and Competitive Research APIs

We use authorized web search APIs and publicly available data sources to provide competitive intelligence features. These services return publicly accessible information only. We do not scrape or crawl websites in violation of their terms of service.

5. Data Sharing and Disclosure

We do not sell your personal data. We share information only in the following circumstances:

5.1 Service Providers (Subprocessors)

We use the following categories of service providers to operate the Service. Each provider is bound by written data processing agreements:

  • Cloud infrastructure: Google Cloud Platform (GCP) — Cloud SQL for PostgreSQL, Cloud Run for compute, Google Cloud Storage for file storage. All data is hosted in the United States.
  • Authentication: Firebase Authentication (Google) for identity management.
  • AI processing: Anthropic and OpenAI for AI-powered features (creative generation, recommendations, analysis).
  • Error monitoring: Sentry for application error tracking and performance monitoring.
  • Email: Transactional email service providers for account-related communications.

5.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.4 Aggregated and De-identified Data

We may use aggregated, de-identified data that cannot reasonably be used to identify you for product improvement, research, and analytics purposes. This data is not considered personal data under applicable privacy laws.

6. Data Storage and Security

6.1 Infrastructure

All data is stored on Google Cloud Platform (GCP) infrastructure located in the United States. Our infrastructure includes:

  • Database: Cloud SQL for PostgreSQL with encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Application servers: Cloud Run with automatic scaling, running in isolated containers.
  • File storage: Google Cloud Storage with server-side encryption for uploaded media (ad creatives, images, videos).
  • Secrets management: Google Cloud Secret Manager for API keys, access tokens, and other sensitive credentials.

6.2 Security Measures

We implement administrative, technical, and physical safeguards to protect your data, including:

  • Encryption at rest and in transit for all data.
  • OAuth 2.0 token-based authentication for all third-party platform connections. We never store your third-party platform passwords.
  • Access tokens for connected platforms are encrypted and stored in our database. They are never exposed to the frontend application.
  • Role-based access controls within the application.
  • Regular security updates and dependency patching.
  • Application error and audit logging.

While we use commercially reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6.3 Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you and any applicable regulatory authorities within the timeframes required by applicable law (within 72 hours for GDPR, without unreasonable delay for other jurisdictions).

7. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy. Specific retention periods:

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
  • Connected platform data (e.g., Meta Ads, Google Analytics): Retained while your account is active and the platform connection is enabled. Campaign and performance data is deleted within 60 days after you disconnect a platform or delete your account.
  • Access tokens: Encrypted and stored while the connection is active. Immediately invalidated and deleted upon disconnection.
  • AI-generated content: Retained for as long as your account is active. Deleted when you delete your account.
  • Usage logs: Retained for up to 90 days for security and debugging purposes, then automatically purged.
  • Backup data: Database backups are retained for up to 90 days and then automatically deleted.

8. Data Deletion

You may request deletion of your data at any time by:

  • Disconnecting a specific platform integration through the Marqy dashboard (Settings > Integrations), which removes stored data for that platform within 60 days.
  • Deleting your Marqy account through Settings, which initiates deletion of all your data within 30 days.
  • Emailing us at support@marqy.app to request data deletion.

When you remove the Marqy app from your Facebook account settings, we receive a data deletion callback from Meta and will delete all Meta-related data associated with your account within 30 days. We will provide a confirmation code and a URL where you can check the status of your deletion request.

We may retain de-identified, aggregated data that cannot be used to identify you even after your account is deleted.

9. Your Rights

9.1 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data, subject to certain exceptions.
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
  • Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing of your personal data based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time.

Legal basis for processing: We process your data based on (a) your consent (for optional features and marketing communications), (b) performance of our contract with you (to provide the Service), (c) our legitimate interests (to improve the Service and ensure security), and (d) compliance with legal obligations.

You may exercise these rights by emailing support@marqy.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9.2 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising your rights.

To exercise your rights, email support@marqy.app or use the account deletion feature in Settings. We will verify your identity before processing requests.

10. International Data Transfers

Our Service is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, where our infrastructure is hosted on Google Cloud Platform.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as well as any applicable adequacy decisions. Our subprocessors (including Google Cloud) maintain their own data transfer mechanisms, including participation in the EU-U.S. Data Privacy Framework where applicable.

11. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at support@marqy.app.

12. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service:

  • Essential cookies: Required for authentication, security, and core Service functionality. These cannot be disabled.
  • Analytics cookies: Help us understand how you use the Service so we can improve it. You can opt out of analytics cookies.

We do not use third-party advertising cookies or tracking pixels. We do not engage in cross-site tracking for advertising purposes.

13. Sensitive Data

The Service is not designed to process or store sensitive personal information, including but not limited to: government identification numbers (Social Security numbers, passport numbers), financial account numbers (bank accounts, credit card numbers), health or medical data, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or trade union membership. Please do not submit sensitive personal data to the Service.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice within the Service or sending you an email at least 30 days before the changes take effect. Your continued use of the Service after the changes become effective constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your rights, please contact us:

For Meta-specific data inquiries, you may also review Meta's own privacy documentation at facebook.com/privacy/policy.