Privacy Policy

Last updated: 29 March 2026

This policy explains how Marklet collects, uses, and protects your personal data. It applies to all users of the Marklet platform, including leaseholders, committee members, and managing agents.

1. Who we are

Marklet ("we", "us", "our") is the data controller for the personal data you provide when using this service. Full company details will be published here once finalised.

For data protection enquiries, contact us at privacy@marklet.io.

2. What personal data we collect

We collect the following categories of personal data:

  • Account data: your name, email address, and role within your block (e.g. leaseholder, committee member, managing agent).
  • Block data: your flat or unit number, block name, and address - used to scope your access to the correct organisation.
  • Issue content: descriptions and comments you submit when logging block issues.
  • Email messages: where you connect a Google Group or email address, we sync message content and metadata (sender, subject, date, thread) into your Marklet workspace.
  • Service charge data: financial records you upload or that your managing agent imports, including invoice amounts, vendor names, and budget figures.
  • Chat messages: where you use the AI assistant ("Ask Mark"), your conversation messages are processed together with a summary of your block's current data (issue titles, email thread subjects, service charge figures, and relevant page content) to generate responses. Chat history is stored in your browser's local storage only and is not retained on Marklet servers.
  • Bank transaction data: where you connect a bank account via Open Banking (TrueLayer), we import read-only transaction records including amounts, dates, descriptions, counterparty names, and payment references. We do not access your login credentials or have the ability to initiate payments. Access is subject to a 90-day consent window, after which you must re-authorise.
  • Accounting integration data: where you connect an accounting provider (Xero, QuickBooks Online, Sage Business Cloud, or FreeAgent), we read and write invoice records, service charge demand data, and payment status between Marklet and your accounting organisation. The data exchanged reflects what you have authorised via that provider's OAuth flow.
  • Usage data: which pages you visit within the app, used solely for internal product analytics. No IP addresses, device identifiers, or location data are collected.

3. Legal basis for processing

We rely on the following lawful bases under UK GDPR:

  • Performance of a contract - processing your account data and block data is necessary to provide the Marklet service you have signed up for.
  • Legitimate interests - internal usage analytics (page access events, no PII), security monitoring, and product improvement. We have conducted a legitimate interest assessment and concluded that these interests are not overridden by your rights and freedoms.
  • Compliance with a legal obligation - retaining records where required by applicable law (e.g. financial regulations, tax obligations).

4. How we use your data

  • Providing, operating, and improving the Marklet platform.
  • Sending transactional emails such as account verification and password reset links (via Supabase Auth).
  • Processing issue content and email threads through AI models (Anthropic Claude) to generate automatic categorisation and summaries, and powering the "Ask Mark" AI assistant for interactive queries about your block. Data sent to Anthropic is used solely for inference. Under Anthropic's commercial API terms, input and output data is not used to train Anthropic models.
  • Syncing invoice, demand, and payment data with your connected accounting provider - Xero, QuickBooks Online, Sage Business Cloud, or FreeAgent - to keep your accounting records consistent with the service charge data in Marklet.
  • Importing bank transactions via TrueLayer Open Banking (where enabled) and matching them against service charge demands and invoices for reconciliation purposes. Transaction data is used solely within your block workspace and is not shared with other users or third parties beyond what is described in this policy.
  • Internal analytics to understand feature adoption - no third-party analytics services are used.
  • Detecting and preventing abuse, fraud, or security incidents.

5. Automated decision-making and AI features

Marklet uses AI (Anthropic Claude) in two ways: automated background processing, and an interactive assistant.

Automated processing - issue content and email threads are automatically categorised and summarised without human review at the point of generation. These outputs are assistive suggestions only and do not produce legal effects or significantly affect you. Issue categories and summaries do not determine your rights, obligations, access to services, or any contractual outcome. You may review, override, or disregard any AI-generated categorisation or summary at any time.

AI assistant ("Ask Mark") - available on Pro and Enterprise plans, this is a user-initiated conversational assistant. When you send a message, it is processed alongside a summary of your block's current data to generate a response. The assistant does not take any actions on your behalf and its responses are informational only. Your conversation history is stored locally in your browser and is not retained on Marklet servers.

If you believe any AI-generated output has adversely affected you, please contact us at privacy@marklet.io and we will arrange for a human review.

6. Google API Services and Gmail Data

Marklet's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect a Google Group or Gmail account, Marklet requests the https://www.googleapis.com/auth/gmail.readonly scope. This grants read-only access to your Gmail messages and metadata. Marklet does not request permission to send, modify, or delete emails.

We access the following Gmail data:

  • Message content: the body of emails sent to your Google Group, imported into your Marklet workspace for display in the Email Tracker.
  • Message metadata: sender address, recipient address, subject line, date, and thread ID - used to organise emails into threads and link them to issues.

How we use Gmail data: solely to populate the Email Tracker within your Marklet workspace, and to link email threads to block issues. Gmail data is displayed to authorised members of your organisation only.

What we do not do with Gmail data:

  • We do not use Gmail data to serve advertisements or for any advertising purpose.
  • We do not sell, transfer, or share Gmail data with third parties except as described in this policy.
  • We do not use Gmail data to train AI or machine learning models (including Anthropic Claude).
  • We do not allow humans to read your Gmail data except where you have given explicit permission, or where required for security investigation or legal compliance.

One-off import: the Gmail OAuth flow is a one-time operation used solely to import historical emails into your Marklet workspace. Marklet does not store your OAuth tokens or refresh tokens after the import completes. No ongoing or background access to your Google account is retained.

7. Third-party data processors

We use the following sub-processors who handle personal data on our behalf. All are bound by data processing agreements consistent with UK GDPR requirements.

  • Supabase Inc. (USA / EU) - authentication, database hosting, and storage. Your data is stored in the EU region. Supabase is certified under the EU-US Data Privacy Framework.
  • Anthropic PBC (USA) - AI inference for issue categorisation, email summarisation, and the "Ask Mark" interactive assistant. Issue content, email content, and chat messages (with block context summaries) are transmitted for processing. Under Anthropic's commercial API terms, input and output data is explicitly not used to train Anthropic models. Our use of the Claude API is governed by Anthropic's Commercial Terms of Service, which includes a Data Processing Addendum (DPA) covering UK/EU data transfer obligations.
  • Google LLC (USA / EU) - where you use the Google Group email import, your email metadata and message content are accessed via the Gmail API using OAuth. This uses your existing Google account relationship. Transfers are covered by Google's Standard Contractual Clauses.
  • Xero Limited (New Zealand / UK) - accounting software integration. Where you connect Xero, invoice records, demand data, and payment statuses are exchanged between Marklet and your Xero organisation via the Xero API. Xero acts as an independent data controller for data held within your Xero account. Transfers are covered by Xero's Standard Contractual Clauses and their UK GDPR commitments.
  • Intuit Inc. (USA) - QuickBooks Online integration. Where you connect QuickBooks Online, invoice records, demand data, and payment statuses are exchanged via the QuickBooks API. Intuit acts as an independent data controller for data held within your QuickBooks account. Transfers are covered by Intuit's Standard Contractual Clauses and their UK GDPR commitments.
  • Sage Group plc (UK) - Sage Business Cloud integration. Where you connect Sage Business Cloud, invoice records, demand data, and payment statuses are exchanged via the Sage API. Sage acts as an independent data controller for data held within your Sage account.
  • FreeAgent Central Ltd (UK) - FreeAgent integration. Where you connect FreeAgent, invoice records, demand data, and payment statuses are exchanged via the FreeAgent API. FreeAgent acts as an independent data controller for data held within your FreeAgent account.
  • TrueLayer Limited (UK) - Open Banking provider. Where you connect a bank account, TrueLayer facilitates read-only access to your bank transaction data under FCA authorisation. TrueLayer is regulated as an Account Information Service Provider (AISP) and acts as an independent data controller for the consent flow. Your access token is stored server-side for the duration of your 90-day consent window and deleted when you disconnect. See TrueLayer's Privacy Policy.
  • Railway Inc. (USA) - infrastructure and hosting provider. Railway processes server logs and environment data necessary to run the application. Data transfers rely on Standard Contractual Clauses.

We do not sell your personal data or share it with advertisers. We will not share your personal data with any third party except as described in this policy or where required by law.

8. International data transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with UK GDPR, including:

  • Standard Contractual Clauses (UK International Data Transfer Agreement or EU SCCs with the UK Addendum).
  • Transfer impact assessments to evaluate the level of data protection in the recipient country.
  • Certification under recognised frameworks (e.g. EU-US Data Privacy Framework) where applicable.

9. Data retention

  • Account and block data: retained for as long as your organisation account is active, plus 30 days after deletion to allow for account recovery.
  • Issue and email data: retained for the lifetime of your subscription tier's history limit, then automatically purged.
  • Usage analytics: aggregated event data retained for 12 months, then permanently deleted.
  • Bank transaction data: imported transactions are retained for the lifetime of the bank connection. When you disconnect your bank account, transaction data and the associated access token are deleted from our systems within 30 days.
  • Integration connection tokens: OAuth access and refresh tokens for all accounting integrations (Xero, QuickBooks Online, Sage Business Cloud, FreeAgent) and TrueLayer are stored encrypted server-side and deleted immediately when you disconnect the integration or revoke consent.
  • Billing records: retained for 7 years as required by UK financial regulations (e.g. Companies Act 2006, HMRC requirements).

When data is deleted, it is permanently removed from our active systems. Backups containing deleted data are overwritten within 30 days.

10. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest - uploaded documents and email attachments: files uploaded to Marklet (including service charge documents and email attachments) are encrypted before storage using AES-256-GCM, an authenticated encryption algorithm. Each file is encrypted with its own unique Data Encryption Key (DEK). That DEK is itself encrypted with a per-block Key Encryption Key (KEK), which is stored in a hardware-backed secrets vault (Supabase Vault, powered by pgsodium/libsodium). This pattern - known as envelope encryption - means that even if the underlying file storage were compromised, the files would remain unreadable without access to the vault.
  • Access controls: all data is scoped to your organisation. No user can access data from another block. Role-based permissions restrict what each user can view or modify within their organisation.
  • Isolated storage: files are stored in private, organisation-scoped storage buckets. Direct access to file URLs is not possible - all file downloads are served through authenticated API routes that verify your membership before decrypting and returning the file.

While we take reasonable steps to protect your data, no system is completely secure. We cannot guarantee absolute security but will notify affected users and the ICO of any personal data breach in accordance with UK GDPR requirements (within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals' rights and freedoms).

11. Your rights

Under UK GDPR you have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - correct inaccurate or incomplete data.
  • Erasure - request deletion of your data where we have no legal obligation to retain it.
  • Restriction - ask us to limit how we process your data in certain circumstances.
  • Portability - receive your data in a structured, commonly used, machine-readable format.
  • Object - object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Automated decision-making - request human review of any decision made solely by automated means (see section 5).

To exercise any of these rights, email us at privacy@marklet.io. We will respond within one calendar month. In complex cases, we may extend this by a further two months, but we will inform you of any extension within the initial month.

These rights are provided free of charge, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request in accordance with UK GDPR.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concerns before you contact the ICO.

12. Cookies and local storage

See our Cookie Policy for full details of how we use browser storage.

13. Children's data

Marklet is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.

14. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to users via email or an in-app notice at least 14 days before they take effect. We recommend reviewing this policy periodically. Continued use of the service after the effective date constitutes acceptance of the updated policy.

15. Contact

For any privacy-related questions, data subject requests, or concerns, please contact us at privacy@marklet.io.