Privacy Policy
Last updated: July 10, 2026. At MarklyKit, we build with a Privacy-By-Design philosophy. Your research belongs to you alone.
Secure Data Processing
Introduction
Welcome to MarklyKit SaaS. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our data annotation platform.
By accessing or using our Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service.
Data Collection
Account Information
Email address and profile details required to manage your seat, subscription status, and authentication. Stored in Supabase.
Device-Local Research
Free accounts: all annotations live only in your browser's local storage. Pro accounts: freehand drawings and blur regions also remain device-local since they're tied to a page's exact layout.
Cloud-Synced Research (Pro)
On Pro plans, your highlights, sticky notes, folders, and tags sync to your private MarklyKit cloud so they're available to PDF exports and AI connectors. Each row is owned by you and protected by row-level security.
Search Embeddings
For semantic search and AI connector retrieval, MarklyKit generates vector embeddings of your highlighted text and notes. Embeddings stay attached to your account and are never used to train shared models.
Page Access & URLs (Extension)
The MarklyKit browser extension runs on every web page you visit so its tools (highlighting, sticky notes, drawings, and blur regions) are ready when you need them. To place and restore your annotations it reads the current tab's URL and title, the text you select, and a short snippet of the text surrounding each selection (up to ~300 characters) so the annotation keeps its context.
Free accounts. Everything stays on your device. Your annotations, and the page URLs and titles they attach to, are stored only in your browser via chrome.storage.local. Nothing — no URLs, no page content, no annotations — is sent to MarklyKit or any third party.
Pro accounts (signed in with an API key). To keep your research in sync across devices and available to exports and AI connectors, the extension communicates with MarklyKit servers:
- On each page you open, it sends that page's URL to MarklyKit to load any annotations you previously saved there, along with your API key to confirm your subscription. This means the URLs of pages you visit while signed in are transmitted to MarklyKit.
- When you create or edit a highlight or sticky note, its full contents sync to your private cloud: the page URL, page title, the page's meta description, your highlighted or note text, the surrounding-text snippet, folder names, and tags. Freehand drawings and blur regions stay on your device.
- The text of your highlights and notes is sent to OpenAI to generate the search embeddings described above. It is never used to train shared models.
In every case the extension reads page content only to power annotation and export — it does not scrape pages for advertising, build a marketing profile, or sell your data. When you export, it captures a screenshot of the visible tab on your device to build the PDF or image; those screenshots are not uploaded to MarklyKit. Your API key is stored locally in chrome.storage.local.
How We Use Your Data
We use the information we collect exclusively to deliver, maintain, and improve MarklyKit. Specifically:
Provide the Service
Authenticate your account, sync your highlights and notes across devices (Pro), and power PDF export and AI connector features.
Semantic Search & Retrieval
Generate vector embeddings from your highlighted text so you can search your own research with natural language and so AI connectors can fetch relevant snippets on your request.
Security & Fraud Prevention
Detect and prevent unauthorized access to your account, verify OAuth tokens, and audit API key usage.
Billing & Subscription Management
Process payments, manage your Pro subscription status, and issue receipts via Dodo Payments. We do not store full card numbers.
We do not use your data to train AI models, build advertising profiles, or infer characteristics about you beyond what is necessary to operate the service.
Sharing & Third Parties
Your Data is Not for Sale.
MarklyKit does not share, sell, rent, or trade your personal information or research with advertisers, data brokers, or any third parties for marketing purposes. Your research remains under your exclusive ownership.
All Third-Party Sub-processors
The following is a complete list of every third party that may receive user data as part of operating MarklyKit. No other parties receive your data.
AI Connectors (Claude, ChatGPT & Grok)
MarklyKit Pro lets you optionally connect Claude, ChatGPT, or Grok to your research via our hosted Model Context Protocol (MCP) server. This is the one situation where your research can leave MarklyKit's systems — and it only happens when you authorize it.
- You initiate the connection. Each connector is added by you in Claude, ChatGPT, or Grok and authorized with OAuth. We never push data to AI providers on your behalf.
- Pull-only, on-demand.The AI calls scoped tools (search, get-folder, get-highlights-for-url) and receives only the matching highlights and notes — not your full account.
- Subject to the AI provider's terms. Once the AI receives your research, that provider's privacy policy governs how they handle it. We recommend reviewing Anthropic's, OpenAI's, and xAI's policies.
- Revocable any time.Revoke a connector from Settings → API Keys and the AI's access stops immediately.
Security Protocol
Encryption
All data is encrypted in transit via TLS 1.3 and at rest using AES-256 standards, managed by your cloud provider's hardware security modules.
Row-Level Isolation
Every cloud-synced table enforces row-level security tied to your user ID. Cross-account access is structurally impossible — not just policy-blocked.
OAuth & API Keys
API keys are stored as SHA-256 hashes — we cannot recover them, only verify them. OAuth tokens issued to Claude, ChatGPT, or Grok carry a single scope (read) and are revocable from Settings.
Offline-First
The extension writes to your device first and syncs in the background, so a server compromise can't silently delete your local research. You always retain your offline copy.
Your Rights
Under global data protection laws (including GDPR and CCPA), you hold specific rights over your digital presence on our platform:
- Right to Access Data
- Right to Portability
- Right to Erasure
- Right to Object to Processing
Account Deletion & Data Retention
You can delete your account at any time from Dashboard → Account → Danger zone. We do not retain copies of your data after deletion.
If you have an active Pro subscription, please cancel it before deleting your account. After you cancel, Pro features remain available until the end of your current billing period. Your account and all data continue to exist during that grace period so you can keep using MarklyKit — but once the billing period ends and you delete the account, everything is removed.
When you delete your account, the following is permanently and irreversibly removed within 24 hours:
- Your profile and authentication record
- All highlights and attached notes
- All sticky notes
- All folders and tags
- All API keys and OAuth client grants
- All AI-embedding vectors generated from your data
We keep only minimal billing records required by tax and accounting law (invoice number, amount, date — no annotations, no content). These are anonymised from your identity and retained for the period required by applicable regulation.
Deletion is irreversible. We cannot restore deleted accounts or recover your highlights, notes, or folders after the deletion completes.
Questions about our privacy practices? Reach out to our team at info@marklykit.com