Privacy Policy
Last updated: May 12, 2026. At MarklyKit, we build with a Privacy-By-Design philosophy. Your research belongs to you alone.
Secure Data Processing
Introduction
Welcome to MarklyKit SaaS. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our data annotation platform.
By accessing or using our Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service.
Data Collection
Account Information
Email address and profile details required to manage your seat, subscription status, and authentication. Stored in Supabase.
Device-Local Research
Free accounts: all annotations live only in your browser's local storage. Pro accounts: freehand drawings and blur regions also remain device-local since they're tied to a page's exact layout.
Cloud-Synced Research (Pro)
On Pro plans, your highlights, sticky notes, folders, and tags sync to your private MarklyKit cloud so they're available to PDF exports and AI connectors. Each row is owned by you and protected by row-level security.
Search Embeddings
For semantic search and AI connector retrieval, MarklyKit generates vector embeddings of your highlighted text and notes. Embeddings stay attached to your account and are never used to train shared models.
Page Content Access (Extension)
The MarklyKit browser extension injects into all web pages you visit solely to power annotation features (highlighting, sticky notes, drawings). It reads the page DOM and the current tab URL to identify where to store and retrieve your annotations. This content is processed locally on your device; it is never transmitted to MarklyKit servers. The extension does not track your browsing history, collect URLs for analytics, or send page content off-device.
How We Use Your Data
We use the information we collect exclusively to deliver, maintain, and improve MarklyKit. Specifically:
Provide the Service
Authenticate your account, sync your highlights and notes across devices (Pro), and power PDF export and AI connector features.
Semantic Search & Retrieval
Generate vector embeddings from your highlighted text so you can search your own research with natural language and so AI connectors can fetch relevant snippets on your request.
Security & Fraud Prevention
Detect and prevent unauthorized access to your account, verify OAuth tokens, and audit API key usage.
Billing & Subscription Management
Process payments, manage your Pro subscription status, and issue receipts via Dodo Payments. We do not store full card numbers.
We do not use your data to train AI models, build advertising profiles, or infer characteristics about you beyond what is necessary to operate the service.
Sharing & Third Parties
Your Data is Not for Sale.
MarklyKit does not share, sell, rent, or trade your personal information or research with advertisers, data brokers, or any third parties for marketing purposes. Your research remains under your exclusive ownership.
AI Connectors (Claude, ChatGPT & Grok)
MarklyKit Pro lets you optionally connect Claude.ai, ChatGPT, or Grok to your research via our hosted Model Context Protocol (MCP) server. This is the one situation where your research can leave MarklyKit's systems — and it only happens when you authorize it.
- You initiate the connection. Each connector is added by you in Claude, ChatGPT, or Grok and authorized with OAuth. We never push data to AI providers on your behalf.
- Pull-only, on-demand. The AI calls scoped tools (search, get-folder, get-highlights-for-url) and receives only the matching highlights/notes/folders — not your full account.
- Subject to the AI provider's terms. Once the AI receives your research, that provider's privacy policy governs how they handle it. We recommend reviewing Anthropic's, OpenAI's, and xAI's policies.
- Revocable any time. Revoke a connector from Settings → API Keys and the AI's access stops immediately.
- Sub-processors. We use Supabase (database & auth), Vercel (hosting), Dodo Payments (payments), and an embedding provider for semantic search. None receive your raw research for marketing or training purposes.
Security Protocol
Encryption
All data is encrypted in transit via TLS 1.3 and at rest using AES-256 standards, managed by your cloud provider's hardware security modules.
Row-Level Isolation
Every cloud-synced table enforces row-level security tied to your user ID. Cross-account access is structurally impossible — not just policy-blocked.
OAuth & API Keys
API keys are stored as SHA-256 hashes — we cannot recover them, only verify them. OAuth tokens issued to Claude, ChatGPT, or Grok carry a single scope (read) and are revocable from Settings.
Offline-First
The extension writes to your device first and syncs in the background, so a server compromise can't silently delete your local research. You always retain your offline copy.
Your Rights
Under global data protection laws (including GDPR and CCPA), you hold specific rights over your digital presence on our platform:
- Right to Access Data
- Right to Portability
- Right to Erasure
- Right to Object to Processing
Account Deletion & Data Retention
You can delete your account at any time from Dashboard → Account → Danger zone. We do not retain copies of your data after deletion.
If you have an active Pro subscription, please cancel it before deleting your account. After you cancel, Pro features remain available until the end of your current billing period. Your account and all data continue to exist during that grace period so you can keep using MarklyKit — but once the billing period ends and you delete the account, everything is removed.
When you delete your account, the following is permanently and irreversibly removed within 24 hours:
- Your profile and authentication record
- All highlights and attached notes
- All sticky notes
- All folders and tags
- All API keys and OAuth client grants
- All AI-embedding vectors generated from your data
We keep only minimal billing records required by tax and accounting law (invoice number, amount, date — no annotations, no content). These are anonymised from your identity and retained for the period required by applicable regulation.
Deletion is irreversible. We cannot restore deleted accounts or recover your highlights, notes, or folders after the deletion completes.
Questions about our privacy practices? Reach out to our team at info@marklykit.com