Privacy Policy

Last Updated: October 26, 2025

This policy explains how GTM Bot Inc. ("WithMarsha," "we," "us," or "our") collects, uses, and protects information when you use the WithMarsha apps and websites. We build WithMarsha to help people practice DBT skills, and we apply strong technical safeguards to keep your information safe.

WithMarsha Disclaimer

WithMarsha helps you learn and practice Dialectical Behavior Therapy (DBT) skills. It is not therapy, medical care, or a crisis service. Marsha's AI guidance is for education and reflection only—it cannot diagnose, assess risk, or provide emergency help.

If you feel unsafe or in crisis, call 911 or 988 (U.S.) or use local emergency services.

By continuing, you acknowledge that you are responsible for your own decisions and wellbeing, that WithMarsha is an AI-powered educational companion, and that your data is protected and never sold. WithMarsha is designed to complement professional care, not replace it. Keep working with qualified clinicians and use Marsha as a practice tool between sessions.

Privacy Policy

This Privacy Policy applies to the WithMarsha apps and websites (the "Service"). WithMarsha is not a covered entity under HIPAA; we nonetheless apply strong technical and organizational safeguards to protect user information, and we never sell your personal data.

1. Information We Collect

Account Information. Email address, display name, and authentication data (we store only a hash of your password, never the password itself).

Usage Data. Feature usage, skills practiced, session timing and duration, app version, interaction events.

Conversation Data. Your chats and reflections with Marsha are stored to provide personalization and improve the Service; we apply row-level security (RLS) to restrict access by user. For model quality, we may use de-identified and aggregated conversation data.

Device/Technical Data. Device type, operating system, app version, crash/error logs, and basic diagnostics.

Cookies/Analytics (web). We use minimal first-party cookies and privacy-respecting analytics to understand product performance. We do not use third-party advertising cookies.

2. How We Use Information

  • Provide, personalize, and secure the Service.
  • Deliver skill guidance, progress insights, and reminders you opt into.
  • Improve model quality, safety guardrails, and product performance (using de-identified/aggregated data where possible).
  • Communicate important service or policy updates.
  • Prevent abuse, fraud, and security incidents.

Legal bases (GDPR/UK GDPR): your consent; performance of our contract (provide the Service); our legitimate interests in product improvement and security; and compliance with legal obligations.

3. When We Share Information

We do not sell personal information. We disclose data only:

  • Service Providers. Hosting, storage, analytics, security, and AI processing vendors who are bound by confidentiality and data-protection terms.
  • Legal/Safety. When required by law or to protect users, our rights, or others' safety.
  • Aggregate/De-identified. Research, safety, and product insights that cannot identify you.
  • International Transfers. If data moves across borders (for example, to subprocessors), we use Standard Contractual Clauses or equivalent safeguards.

4. Your Choices & Rights

You may access, correct, export, and delete your personal data, and you can opt out of non-essential emails.

California (CPRA). You have rights of access, deletion, correction, portability, and to limit certain uses of sensitive data. We do not "sell" personal data as defined by CPRA.

EU/UK (GDPR). You may object to or restrict certain processing and lodge a complaint with your local supervisory authority.

To exercise rights, email [email protected]. We will verify and respond in a timely manner.

5. Data Security (What We Actually Do)

We employ multiple layers of security:

  • Transport Security. TLS 1.3/1.2 with AEAD cipher suites (AES-GCM and ChaCha20-Poly1305), forward secrecy through ephemeral key exchange (X25519), OCSP stapling, and HTTP Strict Transport Security (HSTS) with the preload directive: max-age=63072000; includeSubDomains; preload.
  • Independent Scan Result. As of Oct 26, 2025, withmarsha.app received an A+ on Qualys SSL Labs' SSL Server Test (includes TLS 1.3 support, strong ciphers, HSTS, stapling).
  • At Rest. Industry-standard encryption for stored data; RLS constraints enforce per-user row access in our databases.
  • Access Controls. Role-based access, least-privilege, MFA for admin accounts, audit logging, and short-lived credentials.
  • Isolation & Proxying. API proxies, token scoping, and environment segregation (prod/staging).
  • Monitoring. Centralized logging, anomaly detection, and incident response runbooks.
  • Reviews. Regular security reviews and dependency patching; periodic third-party testing as resources permit.

Despite our efforts, no system is 100% secure. If we discover a breach affecting your data, we will notify you consistent with applicable laws.
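The HSTS header quoted above can be checked against the header-side rules of the browser preload list (hstspreload.org requires max-age of at least one year, 31536000 seconds, plus the includeSubDomains and preload directives). The script below is an added example and is not WithMarsha's own code: it parses a Strict-Transport-Security value, reports which preload requirements it misses, and runs on constructed sample headers (the policy's own value and two weaker variants). Passing a hostname on the command line is an optional, assumed extension that fetches the live header over a verified TLS connection; nothing else touches the network.

```python
"""Check a Strict-Transport-Security header against the HSTS preload-list rules.

Added example, not code from WithMarsha. Header-side preload requirements
(hstspreload.org): max-age >= 31536000 seconds, includeSubDomains, preload.
Certificate validity and the HTTP->HTTPS redirect are checked by the submission
site itself and are out of scope here.
"""
import sys
import ssl
import http.client

ONE_YEAR = 31_536_000  # seconds; minimum max-age accepted by hstspreload.org
POLICY_HEADER = "max-age=63072000; includeSubDomains; preload"  # value quoted in the policy


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value (RFC 6797, section 6.1) into a dict.

    Directive names are case-insensitive; max-age carries an integer value and
    the other directives are flags (stored as True). Returns {} for an empty header.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 allows quoted-string values
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = value or True
    return directives


def preload_problems(header: str) -> list:
    """Return the header-level reasons a domain would fail preload submission.

    An empty list means max-age, includeSubDomains and preload all satisfy the
    preload-list rules.
    """
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    problems = []
    if "max-age" not in d:
        problems.append("max-age directive missing")
    elif d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below the one-year minimum {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def fetch_hsts(host: str, timeout: float = 5.0) -> str:
    """Fetch the Strict-Transport-Security header from https://host/ (optional, network).

    The default verified context makes an invalid certificate raise instead of
    silently passing. Returns '' when the header is absent.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    header = resp.getheader("Strict-Transport-Security") or ""
    conn.close()
    return header


if __name__ == "__main__":
    # Constructed samples: the policy's header and two weaker variants.
    samples = {
        "policy": POLICY_HEADER,
        "short-max-age": "max-age=86400; includeSubDomains; preload",
        "no-preload": "max-age=63072000; includeSubDomains",
    }
    if len(sys.argv) > 1:  # assumed extension: check a live host given on the command line
        samples["live:" + sys.argv[1]] = fetch_hsts(sys.argv[1])
    for label, hdr in samples.items():
        probs = preload_problems(hdr)
        print(f"{label:18} {hdr!r:50} -> {'OK' if not probs else '; '.join(probs)}")
```

A header that passes this check is necessary but not sufficient for preload status: the domain must also be submitted and accepted, and the Qualys grade above reflects the configuration on the date of the scan, so both are worth re-checking after any TLS or CDN change.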

6. Data Retention

We retain personal data only as long as needed to provide the Service or as required by law. When you delete your account, we delete or irreversibly de-identify your personal data within 30 days (backups may persist for limited periods and are then purged on a rolling schedule). We may retain aggregate/de-identified data for product safety and research.

7. Children's Privacy

WithMarsha is intended for ages 16+ (or local equivalent). We do not knowingly collect personal data from children under 13. If you believe a child provided data, contact us for deletion.

8. International Users

We operate in the United States. By using the Service, you understand your information may be transferred to and processed in the U.S. and other countries with safeguards described above.

9. Changes to This Policy

If we make material changes, we will notify you in-app or by email at least 14 days before they take effect. Continued use after the effective date signifies acceptance.

10. Contact Us

GTM Bot Inc.

6311 Ames Ave, #1102, Omaha, NE 68104, USA

Email: [email protected]

Also review our Disclaimer and Terms of Service to understand how WithMarsha is intended to be used.