Privacy Policy
MARZ ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit mymarz.com, use our cloud platform, or interact with our services.
This policy applies to the MARZ platform (the commercial SaaS product). The open-source MARZ annotation library for Java/Spring is separately licensed under the Apache License 2.0 and does not collect any personal data.
1. Information we collect
Information you provide directly
Account information: Name, email address, company name, job title, billing address.
Payment information: Credit card details processed by Stripe. We do not store full card numbers.
Communications: Support requests, feedback, and survey responses.
Information collected automatically
Usage data: Pages visited, features used, timestamps, session duration, configuration changes.
Device and connection data: IP address, browser type and version, operating system, device type, referring URL.
Configuration Data: Runtime variable states, annotation metadata, RBAC configurations, and audit logs managed through the platform.
Information from third parties
Single Sign-On (SSO): Name, email, and profile information from identity providers (Google, GitHub, SAML/OIDC).
2. How we use your information
To provide and operate the Service — processing Configuration Data, managing accounts, authenticating users, delivering subscription features.
To process payments — charging fees, issuing invoices, managing billing.
To communicate with you — service notifications, security alerts, support responses.
To improve the Service — analyzing usage patterns, identifying bugs, developing features.
To ensure security — detecting and preventing fraud, abuse, and unauthorized access.
To comply with legal obligations — tax reporting, regulatory requirements, lawful government requests.
We do not use personal information for automated decision-making or profiling that produces legal effects.
3. Lawful basis for processing (GDPR)
For individuals in the EU/EEA/UK:
Performance of contract: Processing necessary to provide the Service.
Legitimate interests: Improving the Service, ensuring security, preventing fraud. Balanced against your rights.
Legal obligation: Tax reporting, financial regulations, lawful government requests.
Consent: Where required by law. Withdrawable at any time via [email protected].
4. How we share your information
We do not sell, rent, or trade personal information.
We may share data with: payment processors (Stripe), cloud infrastructure providers (AWS/GCP, under DPAs), analytics services (anonymized data), professional advisors, and law enforcement when required by law. In a merger or acquisition, data may transfer to the acquiring entity with 30 days' notice.
5. International data transfers
MARZ is based in Ontario, Canada. Data may be processed in Canada, the US, or other countries.
Canada: EU adequacy decision in place under PIPEDA.
US and others: Standard Contractual Clauses (SCCs) or other recognized transfer mechanisms.
6. Data retention
| Data type | Retention period |
|---|---|
| Account information | Duration of account + 3 years (tax/legal compliance) |
| Payment information | Per financial reporting requirements (Stripe's own policies apply) |
| Usage data and logs | 12 months from collection |
| Configuration Data | Deleted within 60 days of account termination (30-day export window) |
| Support communications | 2 years after last interaction |
7. Your rights
Depending on your location: right of access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent. Contact [email protected]. Response within 30 days.
8. CCPA-specific disclosures (California residents)
Categories collected in the past 12 months:
| Category | Examples |
|---|---|
| Identifiers | Name, email, IP address, account ID |
| Commercial information | Subscription tier, payment history, billing records |
| Internet or electronic activity | Usage logs, feature interactions, browser type |
| Professional information | Job title, company name |
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. California residents have the rights to know, delete, correct, and opt out, and the right to non-discrimination. Submit requests to [email protected] with "CCPA Request" in the subject line.
9. PIPEDA compliance (Canadian residents)
MARZ complies with Canada's PIPEDA. We obtain meaningful consent for collection, use, and disclosure. You may withdraw consent at any time via [email protected], subject to legal or contractual restrictions. Access requests are responded to within 30 days. Our Privacy Officer is reachable at [email protected]. Complaints may be filed with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
10. Cookies and tracking technologies
Essential cookies: Authentication, session management, security. Cannot be opted out.
Analytics cookies: Aggregated, anonymized usage data. Opt out via cookie preferences on our website.
We do not use advertising or tracking cookies. We honour Do Not Track (DNT) signals.
11. Security
TLS 1.2+ in transit, AES-256 at rest, role-based access controls, regular security assessments, vulnerability scanning, incident response procedures. No method of transmission is completely secure; we cannot guarantee absolute security.
12. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect data from children. Contact [email protected] if you believe we have.
13. Changes to this Privacy Policy
Material changes communicated via email or in-platform notification at least 30 days before taking effect. Effective date updated at the top of the page.
14. Contact us
MARZ — Privacy Officer
Email: [email protected] | Website: mymarz.com | Ontario, Canada
GDPR inquiries: contact your local data protection authority.
PIPEDA complaints: Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
CCPA requests: [email protected] with "CCPA Request" in the subject line.