Privacy Policy
Marmalaid ("we," "our," or "us") operates a personal AI assistant service accessible via WhatsApp. This Privacy Policy explains how we collect, use, and protect your information, including data accessed through Google APIs (Gmail, Google Calendar, Google Drive, Google Docs, Google Sheets, Google Slides, Google Contacts, and Google Photos).
By using Marmalaid, you agree to the practices described in this policy.
1. Information We Collect
Account and contact information. When you request access to Marmalaid, we collect your name, phone number (WhatsApp), and email address.
Messages and instructions. We receive and store the messages you send to Marmalaid in order to fulfill your requests and improve the service.
Google account data (with your explicit consent). If you choose to connect your Google account, we may access the following data through Google APIs:
- Gmail: Email message content, subject lines, sender/recipient information, labels, vacation responder settings, and signature — used to help you search, read, draft, send, archive, label emails, and manage your vacation responder and signature on your behalf.
- Google Calendar: Event titles, dates, times, locations, attendees, descriptions, and calendar access control lists — used to check for scheduling conflicts, create events, update events, delete events, send invites, manage calendar sharing, and create dedicated Marmalaid-managed calendars at your direction.
- Google Drive: File metadata (names, types, modification dates) and file contents (for files you ask Marmalaid to open) — used to help you search, read, and reference files in your Drive. Marmalaid also creates new files in Drive at your request and only has write access to files it creates.
- Google Docs, Sheets, and Slides: Document, spreadsheet, and presentation content for files you ask Marmalaid to create or work with — used to create, populate, and edit documents at your direction (e.g., "draft a meeting agenda doc", "create a spreadsheet of my expenses").
- Google Contacts: Names, email addresses, phone numbers, organizations, and roles from both your saved contacts and "Other Contacts" (people you have corresponded with) — used to look up contact details, find people you know, and create or update contact records at your direction.
- Google Photos: Photos you explicitly send to Marmalaid via WhatsApp for the purpose of uploading them to your Google Photos library. Marmalaid uses the appendonly (write) capability to add photos you send and the readonly capability to confirm uploads succeeded. Marmalaid does not browse or scan your existing photo library.
Important: Marmalaid's use of data obtained through Google APIs is limited to providing and improving the features you explicitly request. We do not use Google user data to serve advertising, and we do not share or transfer Google user data to third parties except as described in this policy or as required to operate the service (e.g., our AI processing infrastructure).
Memory and preferences. We store facts and preferences you share with us (e.g., your preferred restaurants, seating preferences, and past bookings) to personalize future responses.
Usage data. We collect basic usage logs, including timestamps of interactions and feature usage, for reliability and debugging purposes.
2. How We Use Your Information
We use the information we collect to:
- Fulfill your requests — book restaurants, send emails, create calendar events, arrange rides, and other tasks you ask Marmalaid to handle
- Check your calendar for conflicts before confirming reservations or scheduling
- Remember your preferences so you don't have to repeat yourself
- Provide customer support and respond to your questions
- Improve the accuracy, reliability, and features of the service
- Comply with legal obligations
We do not use your data to train general AI models shared with third parties, serve advertisements, or build profiles for sale.
3. Google API Data — Specific Limitations
Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data obtained from Google APIs (Gmail, Calendar, Drive, Docs, Sheets, Slides, Contacts, and Photos) is used only to:
- Provide the features you have explicitly requested (e.g., "send an email to X," "check if I'm free Thursday at 6 PM," "book a table and add it to my calendar," "find the contract in my Drive," "add Jordan to my contacts," "save this photo to Google Photos")
- Improve the feature you are using (e.g., understanding your scheduling patterns to avoid conflicts)
We do not:
- Use Google user data to serve targeted advertising
- Sell Google user data to third parties
- Allow humans to read your Google user data except for security purposes, to comply with applicable law, or with your explicit consent
- Use Google user data for purposes unrelated to providing the assistant service
- Use Google user data to train generalized machine learning models
4. Data Sharing and Disclosure
We do not sell your personal data. We may share data only in these limited circumstances:
- Service providers: We use third-party services to operate Marmalaid, including cloud hosting (server infrastructure), AI processing (Anthropic; and OpenAI for voice transcription and text embeddings), isolated code-execution environments for document parsing and file generation (E2B), database storage (Supabase), and communication (Meta / WhatsApp Business API). These providers process data only as necessary to deliver the service and are bound by data processing agreements.
- Booking platforms: When you ask Marmalaid to make a reservation, we interact with booking platforms (such as Google Reserve, Tock, OpenTable, Resy) on your behalf. These interactions are limited to what is necessary to complete your request.
- Legal requirements: We may disclose data only when we are legally required to do so — for example, in response to a valid court order, subpoena, search warrant, or other lawful request from a government or law enforcement authority with jurisdiction. We do NOT voluntarily provide data to government agencies. When we receive such requests, we evaluate them carefully, push back on overbroad or improper requests, and disclose only the specific data legally required. We will notify you of any government request affecting your data before disclosure unless we are legally prohibited from doing so (for example, a non-disclosure order accompanying a subpoena).
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the service. You may request deletion of your data at any time by contacting us at hello@marmalaid.ai. We will fulfill deletion requests within 30 days.
Google API data (Gmail, Calendar, Drive, Docs, Sheets, Slides, Contacts, and Photos) is not retained beyond what is needed to fulfill your specific request, except for information you explicitly ask Marmalaid to remember (e.g., "remember that I prefer outdoor seating"). Files you ask Marmalaid to ingest from external sources (Gmail attachments, photos sent via WhatsApp) are stored in encrypted form using per-user encryption keys until you delete them or your account.
6. Data Security and Encryption
We take data protection seriously and use layered encryption to protect your data:
- Files and photos: per-user encryption (no team access). When you send Marmalaid a photo, attachment, or any file, we encrypt it with a unique encryption key derived for your account ("per-user Fernet encryption") before it ever leaves the Marmalaid application. The file is then stored in our cloud storage provider (Supabase Storage) as encrypted bytes. Our storage provider can never see the unencrypted content, and no member of the Marmalaid team can read your files without your specific encryption key. This includes photos you send to Marmalaid via WhatsApp, files Marmalaid ingests from Gmail attachments at your request, and any file you ask Marmalaid to store on your behalf.
- OAuth tokens and credentials: per-user encryption. Your Google OAuth tokens, refresh tokens, and any other connected-account credentials are encrypted in the database using a key dedicated to your account.
- Conversation history and memory: encrypted at rest. Your messages to Marmalaid and the facts Marmalaid remembers about you (preferences, contacts, notes you ask it to remember) are stored in our database encrypted at rest by our database provider. These records are decrypted only when queried by the Marmalaid application to serve your requests. Access to production database systems is restricted to a small number of authorized personnel under formal access controls, with all access logged.
- Data in transit: All connections between you, Marmalaid, our cloud services, and third-party APIs use TLS encryption.
- Access discipline: Production data access is logged. We do not allow human reading of your data except (a) for security investigations (e.g., suspected account compromise), (b) to comply with applicable law as described in Section 4, or (c) with your explicit, contemporaneous consent (e.g., a support ticket where you ask us to look at something specific).
- Vendor diligence: Our infrastructure providers (Hetzner for compute, Supabase for database and file storage, Anthropic for AI processing, Meta for WhatsApp messaging) are reviewed for security practices and bound by data processing agreements that prohibit them from using your data for their own purposes.
No system is perfectly secure. If you believe your data has been compromised, please contact us immediately at hello@marmalaid.ai. We will investigate promptly and, where required by law or where reasonably needed to protect you, notify affected users without undue delay.
7. Your Rights and Choices
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data (subject to legal retention requirements)
- Revoke Google account access at any time via your Google Account settings
- Object to or restrict certain types of processing
- Data portability — receive a copy of your data in a structured format
To exercise any of these rights, contact us at hello@marmalaid.ai.
If you are located in the European Economic Area or United Kingdom, you may also have the right to lodge a complaint with your local data protection authority.
California residents (CCPA/CPRA). If you are a California resident, you have the right to know what personal information we collect and how it is used (as described in this policy), to access, correct, or delete your personal information, and to not be discriminated against for exercising these rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined by the CPRA. You may exercise your rights, or authorize an agent to do so on your behalf, by emailing hello@marmalaid.ai; we will verify your request using the contact details associated with your account.
8. Children's Privacy
The Service requires users to be at least 18 years old. Marmalaid is not directed to children, and we do not knowingly collect personal data from anyone under 18 (and in no event from children under 13, consistent with COPPA). If you believe we have collected data from a minor, contact us and we will delete it promptly.
9. International Data Transfers
Your data may be processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required under GDPR.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date. For significant changes, we may also notify you directly via WhatsApp or email.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
- Email: hello@marmalaid.ai
- General: hello@marmalaid.ai