Legal Documentation

Privacy Policy

Last updated: July 10, 2026. At MarklyKit, we build with a Privacy-By-Design philosophy. Your research belongs to you alone.

Secure Data Processing

01

Introduction

Welcome to MarklyKit SaaS. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our data annotation platform.

By accessing or using our Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service.

02

Data Collection

Account Information

Email address and profile details required to manage your seat, subscription status, and authentication. Stored in Supabase.

Device-Local Research

Free accounts: all annotations live only in your browser's local storage. Pro accounts: freehand drawings and blur regions also remain device-local since they're tied to a page's exact layout.

Cloud-Synced Research (Pro)

On Pro plans, your highlights, sticky notes, folders, and tags sync to your private MarklyKit cloud so they're available to PDF exports and AI connectors. Each row is owned by you and protected by row-level security.

Search Embeddings

For semantic search and AI connector retrieval, MarklyKit generates vector embeddings of your highlighted text and notes. Embeddings stay attached to your account and are never used to train shared models.

Page Access & URLs (Extension)

The MarklyKit browser extension runs on every web page you visit so its tools (highlighting, sticky notes, drawings, and blur regions) are ready when you need them. To place and restore your annotations it reads the current tab's URL and title, the text you select, and a short snippet of the text surrounding each selection (up to ~300 characters) so the annotation keeps its context.

Free accounts. Everything stays on your device. Your annotations, and the page URLs and titles they attach to, are stored only in your browser via chrome.storage.local. Nothing — no URLs, no page content, no annotations — is sent to MarklyKit or any third party.

Pro accounts (signed in with an API key). To keep your research in sync across devices and available to exports and AI connectors, the extension communicates with MarklyKit servers:

  • On each page you open, it sends that page's URL to MarklyKit to load any annotations you previously saved there, along with your API key to confirm your subscription. This means the URLs of pages you visit while signed in are transmitted to MarklyKit.
  • When you create or edit a highlight or sticky note, its full contents sync to your private cloud: the page URL, page title, the page's meta description, your highlighted or note text, the surrounding-text snippet, folder names, and tags. Freehand drawings and blur regions stay on your device.
  • The text of your highlights and notes is sent to OpenAI to generate the search embeddings described above. It is never used to train shared models.

In every case the extension reads page content only to power annotation and export — it does not scrape pages for advertising, build a marketing profile, or sell your data. When you export, it captures a screenshot of the visible tab on your device to build the PDF or image; those screenshots are not uploaded to MarklyKit. Your API key is stored locally in chrome.storage.local.

03

How We Use Your Data

We use the information we collect exclusively to deliver, maintain, and improve MarklyKit. Specifically:

Provide the Service

Authenticate your account, sync your highlights and notes across devices (Pro), and power PDF export and AI connector features.

Semantic Search & Retrieval

Generate vector embeddings from your highlighted text so you can search your own research with natural language and so AI connectors can fetch relevant snippets on your request.

Security & Fraud Prevention

Detect and prevent unauthorized access to your account, verify OAuth tokens, and audit API key usage.

Billing & Subscription Management

Process payments, manage your Pro subscription status, and issue receipts via Dodo Payments. We do not store full card numbers.

We do not use your data to train AI models, build advertising profiles, or infer characteristics about you beyond what is necessary to operate the service.

04

Sharing & Third Parties

Your Data is Not for Sale.

MarklyKit does not share, sell, rent, or trade your personal information or research with advertisers, data brokers, or any third parties for marketing purposes. Your research remains under your exclusive ownership.

All Third-Party Sub-processors

The following is a complete list of every third party that may receive user data as part of operating MarklyKit. No other parties receive your data.

Third PartyData ReceivedPurpose
Supabase (supabase.com)Email address, account metadata, cloud-synced highlights, notes, folders, tags, embeddings (Pro accounts only)Database, authentication, and row-level-secure cloud storage
Vercel (vercel.com)IP address, browser user-agent, request URLsWeb hosting and CDN for the MarklyKit website and API
Dodo Payments (dodopayments.com)Billing name, email, payment card details (handled directly by Dodo — MarklyKit never sees raw card numbers)Payment processing and subscription management
OpenAI (openai.com)Text of your highlights and notes, sent to the text-embedding-3-small API to generate vectorsSemantic search and AI connector retrieval for Pro accounts
Anthropic — Claude (anthropic.com) [optional]Matching highlights, notes, and folder names — only the snippets retrieved by your queryAI connector: you authorize this connection via OAuth; data is pulled on your request only
OpenAI — ChatGPT (openai.com) [optional]Matching highlights, notes, and folder names — only the snippets retrieved by your queryAI connector: you authorize this connection via OAuth; data is pulled on your request only
xAI — Grok (x.ai) [optional]Matching highlights, notes, and folder names — only the snippets retrieved by your queryAI connector: you authorize this connection via OAuth; data is pulled on your request only

AI Connectors (Claude, ChatGPT & Grok)

MarklyKit Pro lets you optionally connect Claude, ChatGPT, or Grok to your research via our hosted Model Context Protocol (MCP) server. This is the one situation where your research can leave MarklyKit's systems — and it only happens when you authorize it.

  • You initiate the connection. Each connector is added by you in Claude, ChatGPT, or Grok and authorized with OAuth. We never push data to AI providers on your behalf.
  • Pull-only, on-demand.The AI calls scoped tools (search, get-folder, get-highlights-for-url) and receives only the matching highlights and notes — not your full account.
  • Subject to the AI provider's terms. Once the AI receives your research, that provider's privacy policy governs how they handle it. We recommend reviewing Anthropic's, OpenAI's, and xAI's policies.
  • Revocable any time.Revoke a connector from Settings → API Keys and the AI's access stops immediately.
05

Security Protocol

Encryption

All data is encrypted in transit via TLS 1.3 and at rest using AES-256 standards, managed by your cloud provider's hardware security modules.

Row-Level Isolation

Every cloud-synced table enforces row-level security tied to your user ID. Cross-account access is structurally impossible — not just policy-blocked.

OAuth & API Keys

API keys are stored as SHA-256 hashes — we cannot recover them, only verify them. OAuth tokens issued to Claude, ChatGPT, or Grok carry a single scope (read) and are revocable from Settings.

Offline-First

The extension writes to your device first and syncs in the background, so a server compromise can't silently delete your local research. You always retain your offline copy.

06

Your Rights

Under global data protection laws (including GDPR and CCPA), you hold specific rights over your digital presence on our platform:

  • Right to Access Data
  • Right to Portability
  • Right to Erasure
  • Right to Object to Processing
07

Account Deletion & Data Retention

You can delete your account at any time from Dashboard → Account → Danger zone. We do not retain copies of your data after deletion.

If you have an active Pro subscription, please cancel it before deleting your account. After you cancel, Pro features remain available until the end of your current billing period. Your account and all data continue to exist during that grace period so you can keep using MarklyKit — but once the billing period ends and you delete the account, everything is removed.

When you delete your account, the following is permanently and irreversibly removed within 24 hours:

  • Your profile and authentication record
  • All highlights and attached notes
  • All sticky notes
  • All folders and tags
  • All API keys and OAuth client grants
  • All AI-embedding vectors generated from your data

We keep only minimal billing records required by tax and accounting law (invoice number, amount, date — no annotations, no content). These are anonymised from your identity and retained for the period required by applicable regulation.

Deletion is irreversible. We cannot restore deleted accounts or recover your highlights, notes, or folders after the deletion completes.

08

Cookies & Local Storage

The MarklyKit website uses strictly necessary cookies and browser storage for authentication session management (Supabase auth tokens). We do not use advertising cookies, cross-site tracking cookies, or fingerprinting.

Session Cookies

Short-lived cookies set by Supabase Auth to maintain your login session on the website. Cleared when you sign out or after session expiry.

Extension Local Storage

The browser extension stores your annotations in Chrome's chrome.storage.local API (Free) or syncs them to your MarklyKit cloud account (Pro). No third-party cookies are used by the extension.

You can clear extension storage at any time via the MarklyKit sidebar → Settings → Clear local data, or by removing the extension from Chrome.

Questions about our privacy practices? Reach out to our team at info@marklykit.com