Legal & Compliance

Privacy Policy

We believe privacy should be simple to understand. Here's exactly what data we collect, why we collect it, and how you can control it.

Effective March 13, 2026 ~8 min read marvy.me/privacy
1

Introduction

Who we are and what this policy covers

Marvy (marvy.me) is a B2B SaaS platform that uses artificial intelligence to help marketing teams generate Instagram content strategies. We analyze publicly available competitor posts and trends to surface actionable insights and content recommendations.

This Privacy Policy explains what information we collect when you use Marvy, how we use it, who we share it with, and the rights you have over your data. It applies to all users of the Marvy platform, website, and related services.

Marvy is committed to Meta's Platform Policy and Instagram's Platform Policy. We use Instagram API access solely for the features described in this document and request only the minimum permissions required.

If you have questions about this policy, contact us at hey@marvy.me at any time.

2

Data We Collect

What we access from Instagram and from you directly

We collect the following categories of data to provide our service. For each item, we've specified exactly why it's needed.

Data type What it includes Why we need it
Instagram Username Your @handle and Instagram user ID To authenticate your account and associate content strategy data with your profile
Public Profile Info Display name, bio, follower count, profile picture (public fields only) To personalise your dashboard and tailor content recommendations to your brand
Your Public Posts Captions, media type, posting time, engagement metrics (likes, comments) for posts you've published To analyse your content performance and generate improvement suggestions
Competitor Public Posts Publicly visible captions, hashtags, posting patterns of competitor accounts you add To power the competitor analysis engine and surface content strategy insights
OAuth Access Token A short-lived, encrypted token issued by Meta during Instagram login To make authorised API calls on your behalf without storing your password
Usage Analytics Pages visited, features used, session duration, error logs (no personal content) To improve platform reliability, fix bugs, and understand how features are used
Account Info Email address, name, billing details (if subscribed) To manage your account, send service notifications, and process payments
We do NOT collect
  • Passwords or credentials
  • Private or direct messages
  • Unpublished / draft content
  • Data from private accounts (competitor)
  • Payment card numbers (handled by Stripe)
  • Sensitive personal data (health, religion, etc.)
3

How We Use Your Data

Specific purposes for each type of data we hold
AI Content Generation
Your post history and public profile data are analysed by our AI models to generate personalised content ideas, caption suggestions, and posting schedules tailored to your audience and brand voice.
Competitor Analysis
Publicly available posts from competitor accounts you manually add are processed to identify content trends, posting frequencies, hashtag strategies, and engagement patterns.
Product Improvement & Analytics
Anonymised, aggregated usage data helps us understand which features are most valuable, diagnose technical issues, and prioritise our development roadmap.
Account & Service Management
Your email and account information is used to provide access to the platform, send transactional notifications (password resets, billing receipts), and respond to support requests.

We never use your Instagram data for advertising, profiling, or any purpose beyond operating Marvy's core features. We do not sell, license, or share your data with advertisers or data brokers.

4

Data Sharing

Who we share data with and strict conditions for doing so
🚫
We do not sell your data. Ever.
Your information is never sold, rented, or traded to third parties for commercial purposes.

We share limited data only with the sub-processors required to run the platform. All sub-processors are contractually bound to protect your data and may not use it for their own purposes.

SB
Supabase
Database & authentication — stores your account data and encrypted tokens securely. Hosted on AWS in the United States.
VCL
Vercel
Cloud hosting & edge CDN — serves the Marvy application. Does not have access to your Instagram data.
ANT
Anthropic
AI processing — processes content data to generate strategy recommendations. Data is not retained by Anthropic beyond the API call.
STR
Stripe
Payment processing — handles billing for paid plans. Marvy never sees or stores your card number.

Other cases where we may share data:

  • Legal compliance: If required by law, court order, or to protect the safety of our users or the public, we may disclose data to relevant authorities.
  • Business transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you beforehand and your rights remain unchanged.
  • With your consent: We may share data in other ways if you explicitly request or consent to it.
5

Data Retention

How long we keep your data and when it gets deleted
Active account
Retained
Data is kept for the duration of your active subscription to provide you with the service.
After account deletion
≤ 30 days
All personal data and Instagram data are purged within 30 days of a deletion request.
OAuth tokens
Per-session
Tokens are refreshed each session and can be revoked anytime via Instagram's App Settings.
Billing records
7 years
Financial records are retained as required by applicable accounting and tax laws.

Anonymised, aggregated analytics data (with no personal identifiers) may be retained indefinitely to improve our service. This data cannot be linked back to any individual.

To revoke Marvy's Instagram access at any time, go to Instagram → Settings → Apps and Websites and remove Marvy. This immediately invalidates our access tokens.

6

Your Rights & Data Deletion

How to access, correct, or delete your data

Depending on your location, you may have rights under GDPR (European users), CCPA (California residents), or similar privacy laws. These include:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Ask us to correct inaccurate or incomplete data about you.

Right to Deletion

Request erasure of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing your data for specific purposes.

Right to Restrict

Ask us to limit how we process your data while a dispute is resolved.

How to Delete Your Data

Meta's app review guidelines require that we provide clear, accessible data deletion instructions. You can delete all your Marvy data using either method below:

A
In-app deletion (recommended)
Log in to Marvy → click your avatar in the top-right corner → go to Settings → scroll to Account → click "Delete my account and data". Your account and all associated data will be permanently deleted within 30 days.
B
Email request
Send an email to hey@marvy.me with the subject line "Data Deletion Request" and include the email address associated with your account. We will confirm receipt within 5 business days and complete the deletion within 30 days.
C
Revoke Instagram access only
If you only want to disconnect Marvy from Instagram (without deleting your Marvy account), go to Instagram → Settings & privacy → Apps and websites, find Marvy, and click "Remove". This revokes our access token immediately.
7

Security

How we protect your data

We implement industry-standard security measures to protect your data against unauthorised access, alteration, disclosure, or destruction.

Encryption in Transit — TLS 1.3
All data transmitted between your browser and our servers is encrypted using TLS 1.3, the current industry standard for secure communication.
Encryption at Rest — AES-256
Sensitive data including Instagram OAuth tokens is encrypted at rest using AES-256. We never store passwords or raw credentials.
Regular Security Audits
We conduct regular security reviews of our infrastructure and code. Access to production systems is limited to authorised personnel only.
Breach Notification — Within 72 Hours
In the unlikely event of a data breach affecting your personal data, we will notify affected users and relevant authorities within 72 hours of discovery, as required by GDPR.
8

Meta Platform Compliance

Our commitments regarding Instagram API usage

Marvy integrates with Instagram through Meta's official APIs (Instagram Graph API and Instagram Basic Display API). Our use of these APIs is strictly governed by Meta's policies.

Our Meta Compliance Commitments

  • We comply fully with Meta's Platform Policy and all applicable Instagram Platform Terms.
  • We request only the minimum Instagram API permissions necessary to operate Marvy's core features.
  • We do not use Instagram data for targeted advertising or ad-targeting purposes.
  • We do not sell or otherwise transfer Instagram data to third parties for advertising or data broker purposes.
  • We do not use Instagram data to build user profiles for purposes unrelated to Marvy's content strategy service.
  • We do not access private Instagram accounts or content that users have not authorised us to access.
  • We store Instagram data only as long as necessary to provide the service, and provide clear deletion mechanisms.
  • We promptly honour requests to delete Instagram data and will complete deletion within 30 days.

Instagram permissions we request and their specific justification:

  • instagram_basic — to read your username and public profile to personalise your Marvy dashboard.
  • instagram_content_publish (if enabled) — to schedule and publish content on your behalf only when you explicitly initiate a publish action.
  • pages_read_engagement — to retrieve engagement metrics on your business content for performance analysis.

For questions about our Meta API usage or to report a concern, contact hey@marvy.me.

9

Policy Changes

How we notify you of updates to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. We distinguish between two types of changes:

Material changes (30-day notice)
For changes that significantly affect your rights or how we use your data (e.g. new data types, new sharing partners), we will notify you by email and display a prominent in-app banner at least 30 days before the changes take effect. Continuing to use Marvy after that date constitutes your acceptance of the updated policy.
Minor changes (silent update)
For minor corrections such as typo fixes, clarifications, or formatting changes that do not affect your rights, we will update the policy silently and revise the "Effective Date" at the top of this page.

The current version of this policy is always available at marvy.me/privacy. We recommend reviewing it periodically.

10

Contact Us

Reach us for any privacy-related request or question

For any questions, concerns, or requests regarding this Privacy Policy or how we handle your data — including data access, correction, and deletion requests — please contact us:

Email
hey@marvy.me
Response time
Within 5 business days
Company
Marvy — marvy.me

For data deletion specifically, you can also use the in-app flow: Settings → Account → Delete my account and data. See Section 6 for full instructions.

Questions about your privacy?

Our team is here to help. Reach out any time and we'll get back to you within 5 business days.

hey@marvy.me