1. Overview
This Privacy Policy describes how MARC27 ("we," "us," or "our") collects, uses, shares, and protects information when you use the MARC27 platform ("Platform"), including our website, API, CLI tools, and associated services.
We are committed to protecting your privacy and handling your data transparently. We process personal data in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Information We Collect
We collect information from three sources: directly from you, automatically through your use of the Platform, and from third parties.
Information you provide
- Account information — name, email address, username, and profile details when you create an account
- Organization and project data — names, descriptions, member lists, and configurations for workspaces you create
- Resources and content — ML models, datasets, plugins, code, documentation, and other materials you upload or publish
- Job inputs and outputs — data, parameters, and results associated with compute jobs you submit
- Payment information — billing address and payment method details, processed by our payment provider (we do not store full card numbers)
- Communications — messages you send to us through support channels, feedback, or other correspondence
- ORCID iD — your ORCID identifier if you choose to link it for scientific attribution
Information collected automatically
- Usage data — pages visited, features used, API endpoints called, jobs submitted, and interactions with the Platform
- Device and browser information — device type, operating system, browser type and version, screen resolution
- Network information — IP address, approximate geographic location derived from IP, referring URL
- Performance data — API response times, error rates, and service availability metrics
- Authentication tokens — session identifiers and token metadata necessary for maintaining your authenticated session
Information from third parties
- OAuth providers — when you sign in with GitHub, Google, or ORCID, we receive your name, email address, profile picture, and unique identifier from the provider. We request only the minimum scopes necessary for authentication.
- SAML/SSO providers — for enterprise single sign-on, we receive identity attributes as configured by your organization's identity provider
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing and operating the Platform — hosting your content, executing jobs, managing your account and organizations
- Authentication and security — verifying your identity, detecting and preventing fraud, abuse, and unauthorized access
- Communication — sending you service notifications, security alerts, and support responses. We will not send marketing emails without your explicit consent.
- Improvement and analytics — understanding how the Platform is used, identifying performance issues, and improving features. We use aggregated, anonymized data for this purpose wherever possible.
- Legal compliance — complying with applicable laws, regulations, and legal processes
- Audit logging — maintaining an immutable record of security-relevant actions for compliance and incident investigation purposes
We process your personal data on the following legal bases under GDPR: performance of our contract with you (providing the Platform), legitimate interests (security, analytics, improvement), legal obligations (audit logging, compliance), and consent (where specifically requested).
4. Your Content & Research Data
We treat Your Content (models, datasets, job inputs/outputs, and other materials you upload) differently from Platform usage data.
You retain full ownership of Your Content. We access Your Content only as necessary to provide the Platform services you have requested — for example, to execute a job or serve a published Resource.
We do not use Your Content to train our own models, algorithms, or services. We do not share Your Content with third parties for their own purposes, except where you have explicitly made it public through the marketplace or where required by law.
Aggregated, anonymized statistics derived from Platform usage (such as total jobs executed, resource download counts, and API call volumes) may be used to improve the Platform. These statistics do not contain personally identifiable information or your proprietary data.
5. How We Share Your Information
We share your information only in the following circumstances:
Service providers
- Cloud infrastructure providers — for hosting, storage, and compute services
- Authentication providers — OAuth identity providers you choose to sign in with
- Payment processors — for billing and payment processing (they receive only the data necessary to process your payment)
- Analytics providers — for aggregated usage analytics (we use privacy-respecting tools and minimize data shared)
Other circumstances
- With your Organization members — other members of your Organizations can see your profile, role, and activity within shared Projects, as determined by the Organization's access controls
- Public marketplace — information you choose to publish to the marketplace (Resource metadata, descriptions, your username) is visible to all Platform users
- Legal requirements — we may disclose information when required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others
- Business transfers — in connection with a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such transfer.
We do not sell your personal information. We do not share your personal information with third parties for their own marketing or advertising purposes.
6. Cookies & Tracking Technologies
We use cookies and similar technologies to operate the Platform. Here is what we use and why:
| Category | Provider | Purpose | Retention |
| --- | --- | --- | --- |
| Strictly necessary | Platform | Session management, authentication, CSRF protection | Session to 30 days |
| Strictly necessary | Supabase Auth | Authentication tokens and session state | Session to 7 days |
| Analytics | Privacy-respecting analytics | Aggregated usage patterns, page views, feature adoption | Up to 12 months |
Strictly necessary cookies cannot be disabled as they are required for the Platform to function. You can manage analytics cookies through your browser settings or our cookie preferences. We honor Do Not Track browser signals.
7. Data Retention
We retain your information for the minimum period necessary to fulfill the purposes described in this policy. Specific retention periods include:
- Account data — retained while your account is active, plus 60 days after account closure to allow for reactivation
- Your Content — retained while your account is active. Upon account deletion, Your Content is removed within 90 days, except for Resources published to the marketplace that may be retained in a read-only state as described in our Terms of Service
- Audit logs — retained for a minimum of 2 years for security and compliance purposes. Audit log entries are anonymized upon account deletion (your personal identifiers are replaced with anonymous references)
- Job execution data — job metadata and results are retained for up to 12 months after execution. Job inputs may be deleted sooner based on storage policies
- Usage analytics — aggregated analytics data is retained for up to 24 months. Individual-level usage data is anonymized within 12 months
- Payment records — retained for the period required by applicable tax and financial regulations (typically 7 years)
When data is no longer needed, it is securely deleted or irreversibly anonymized.
8. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS 1.2+) and sensitive data at rest (AES-256)
- Cryptographic hashing of API keys (SHA-256) — we never store your API keys in plaintext
- Role-based access controls within the Platform and our internal systems
- Regular security assessments and monitoring of our infrastructure
- Immutable audit logging of security-relevant actions
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and API keys.
9. International Data Transfers
The Platform is operated from the United States. If you are accessing the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office, as applicable.
We ensure that any third-party service providers who process personal data on our behalf provide adequate data protection safeguards in accordance with applicable law.
10. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
European Economic Area, United Kingdom & Switzerland (GDPR)
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data (subject to legal retention obligations)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, commonly used, machine-readable format
- Right to object — object to processing based on legitimate interests, including for direct marketing
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
- Right to lodge a complaint — file a complaint with your local data protection authority
California (CCPA/CPRA)
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete — request deletion of your personal information
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale/sharing — we do not sell or share your personal information for cross-context behavioral advertising
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact us at privacy@marc27.com. We will respond within 30 days (EEA/UK) or 45 days (California). We may request verification of your identity before processing your request.
11. Children's Privacy
The Platform is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.
If you believe we have inadvertently collected information from a child under 16, please contact us at privacy@marc27.com.
12. Third-Party Services
The Platform integrates with third-party services for authentication, payment processing, and compute execution. These services have their own privacy policies governing their collection and use of your data. We encourage you to review their policies.
When you use the LLM proxy feature, your prompts and inputs are transmitted to the third-party AI provider you have selected. We do not retain copies of LLM proxy inputs or outputs beyond what is necessary for job execution logging. The third-party provider's privacy policy governs their handling of that data.
Links to third-party websites or services that may appear on the Platform are not governed by this Privacy Policy. We are not responsible for the privacy practices of third-party sites.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on the Platform with a revised effective date.
For material changes that affect how we process your personal data, we will provide at least 30 days' notice before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.