Legal and privacy

Privacy Policy

A current privacy policy for the live Macro by Mark architecture: Auth.js, Supabase account data, local browser state, Stripe billing metadata, Resend email, analytics, Marco assistant messages, dashboards, watchlists, alerts, and support workflows.

Effective: May 26, 2026
Last reviewed: May 26, 2026
Account boundary: Auth.js session with Supabase-backed account data
Payment cards: Handled by Stripe, not stored by Macro by Mark
Privacy contact: privacy@macrobymark.com
GPC: Honored for non-essential analytics

Operational policy text for Macro by Mark. Not a substitute for advice from counsel.

Operator and scope

Who this policy covers

Macro by Mark is operated by Mark Jayson Martinez Farol as a sole proprietor based in Nevada, United States. This policy explains how the website, account system, dashboards, watchlists, model pages, Marco assistant, billing flows, support channels, and related operational systems handle information.

References to "Macro by Mark," "the site," "we," or "us" mean Mark Jayson Martinez Farol as the sole proprietor and operator of Macro by Mark. Third-party data providers, payment processors, identity providers, and infrastructure platforms also apply their own privacy terms to their systems.

Data categories

Information handled by the product

This section also serves as the current notice at collection for first-party platform data.

The product may process the following categories of information when you use relevant features:

  • Account identifiers such as name, email address, user id, sign-in provider, and profile state.
  • Authentication and security state, including session metadata and encrypted Supabase tokens kept server-side in httpOnly session cookies.
  • Saved product records such as dashboards, widgets, watchlists, watchlist alert settings, notifications, workspace preferences, and account profile choices.
  • Billing and entitlement metadata needed to connect a signed-in account to Stripe Checkout, Stripe Portal, subscription status, plan access, invoices, and administrative grants.
  • Marco assistant input, such as messages you send, saved signed-in conversation history, the current page path, request-level source cards, source availability notes, and limited profile context such as a sanitized first name when available.
  • When you explicitly ask Marco about your own dashboards, watchlist, or workspace objects, scoped summaries of those saved records, such as title, indicator names, widget count, project status, saved-run metadata, capped workspace snippets, and updated date. Raw dashboard configuration is not intentionally sent in the request context.
  • Support, feedback, academic-access, or administrative messages you send directly to the operator.
  • Operational telemetry such as route, event, device/browser, performance, error, abuse-prevention, and rate-limit signals.

Device storage

Local browser storage

Macro by Mark uses browser storage for local interface state and drafts. Examples include dashboard drafts, saved local dashboards, watchlist preferences, account workspace settings, simulator sessions, chart or model preferences, dismissed notices, and other device-local product state.

Local browser storage normally remains on your device. It syncs to account-backed services only when the product feature is built to do that, such as signed-in dashboard sync, watchlist sync, saved Marco conversation history, account preferences, notifications, or alert delivery state.

Account security

Authentication and Supabase account data

The current account architecture uses Auth.js for site sessions and Supabase for account-backed user data. Supabase access and refresh tokens are kept inside the encrypted httpOnly Auth.js session boundary and are not exposed to browser JavaScript. Server account routes use the signed-in user id to scope account/profile, dashboard, watchlist, Marco conversation, notification, workspace, entitlement, and password-related operations.

This design reduces token exposure in the browser while still allowing signed-in users to maintain account-backed state. No security design is perfect; users should protect their email account, avoid shared-device sessions, and report suspicious account activity.

Service providers

Third-party processors and infrastructure

Macro by Mark relies on service providers to operate the product. Depending on the feature, those providers may include hosting and deployment platforms, Supabase, Auth.js-compatible identity providers, Google sign-in, Stripe, Resend, Upstash Redis, Trigger.dev, analytics and performance tools, Anthropic for Marco assistant responses, and official or commercial economic data providers.

Stripe handles payment card collection and card processing. Macro by Mark receives billing and subscription metadata from Stripe, but does not store full card numbers. Public economic data providers remain responsible for their own systems and terms.

Telemetry

Analytics, cookies, and product events

The product uses limited product analytics and operational events to understand reliability, feature use, account flows, paywall interactions, dashboard activity, indicator usage, watchlist activity, sync behavior, and error conditions. Event properties are sanitized and capped before being sent to analytics infrastructure.

Macro by Mark does not use product analytics to sell personal information. If advertising, cross-context behavioral advertising, or a broader tracking stack is added later, this policy and the site controls should be updated before that launch.

The standalone Cookie Policy describes required cookies, optional analytics, consent refresh, and Global Privacy Control handling.

GDPR-style requests

Lawful bases and international transfers

Where GDPR, UK GDPR, or similar law applies, Macro by Mark evaluates processing under the lawful basis that fits the specific activity: contract performance for account, subscription, and requested product features; legitimate interests for security, abuse prevention, reliability, and basic product operations; consent for optional analytics; and legal obligation for tax, accounting, valid legal requests, and required notices.

Macro by Mark is operated from the United States and uses providers with U.S. or global processing paths. For EEA, UK, or Swiss institutional reviews, transfer terms, DPAs, and Standard Contractual Clauses are reviewed through the vendor and buyer contract path rather than implied by this public page.

Assistant data

AI training and model-provider handling

Macro by Mark does not intentionally use Marco messages, saved dashboards, watchlists, or workspace records to train a Macro by Mark foundation model. Marco requests may be sent to the configured model provider when the server cannot answer through a deterministic fallback.

Provider handling follows the provider terms and data-processing terms in force for the relevant account. Do not enter regulated, confidential, or highly sensitive information into Marco unless the applicable provider and contract terms have been reviewed for that use.

Purpose limitation

How information is used and shared

Information is used to:

  • Operate the website, account system, dashboards, watchlists, alerts, billing, and support workflows.
  • Maintain saved state, preferences, entitlements, notifications, and security controls.
  • Run Marco, including source-backed answer context, rate limiting, abuse prevention, and safety checks.
  • Debug errors, improve reliability, measure feature quality, and protect the service.
  • Comply with law, enforce terms, investigate misuse, and respond to valid legal or platform requests.

Information may be shared with service providers acting on behalf of Macro by Mark, at a user's direction, during a business transfer, to comply with law, or to protect rights, safety, security, or service integrity. Macro by Mark does not sell personal information for monetary consideration.

Signed-in Marco conversation history is saved as capped account-backed threads so it can follow the user across browser sessions. Visitors keep tab-local chat history only. Server logs for Marco are designed to record operational fields such as tier, route mode, source availability, model, latency bucket, tool status, and error class, rather than raw private message text or raw saved-object contents.

Retention and rights

Retention, deletion, and privacy rights

Account-backed records are retained while needed to provide the product, maintain security, resolve billing or support issues, comply with law, or preserve legitimate operational records. Users can delete device-local browser storage through their browser. Account deletion or data requests can be sent to privacy@macrobymark.com.

Depending on location and legal thresholds, users may have rights of access, deletion, correction, opt-out from certain sales or sharing, limitation of sensitive personal information use, objection to or restriction of certain processing, portability, and non-discrimination for exercising privacy rights. Macro by Mark will evaluate requests under applicable law, including Nevada privacy law, the CCPA/CPRA where applicable, and GDPR/UK GDPR-style requests where applicable.

The Privacy Choices page lists current self-service export, correction, deletion, cookie, and manual request paths.

Nevada residents may submit a verified request not to sell covered information. Macro by Mark does not sell covered information, but the same privacy contact is the designated request path for Nevada privacy questions.

When a browser exposes a Global Privacy Control signal, the site treats it as an opt-out from non-essential analytics and marketing categories in the local consent store.

Age and updates

Children, changes, and contact

Macro by Mark is not directed to children under 13 and does not knowingly collect personal information from children under 13. If you believe a child under 13 provided information through the site, contact the operator so it can be reviewed and deleted where appropriate.

This policy may be updated as the product, providers, or legal requirements change. The effective date will be updated when material changes are made. Privacy, browser storage, account sync, analytics, and data-request questions can be sent to privacy@macrobymark.com.

If a security incident creates a legally required personal-data notice, Macro by Mark follows the incident-response runbook and applicable notification windows.
