Privacy Policy

Account Information. Email address, display name, and authentication data (passwords are hashed).

Usage Data. Feature usage, skills practiced, session timing and duration, app version, interaction events.

Conversation Data. Your chats and reflections with Marsha are stored to provide personalization and improve the Service; we apply row-level security (RLS) to restrict access by user. For model quality, we may use de-identified and aggregated conversation data.

Device/Technical Data. Device type, operating system, app version, crash/error logs, and basic diagnostics.

Cookies/Analytics (web). We use minimal first-party cookies and privacy-respecting analytics to understand product performance. We do not use third-party advertising cookies.

• Provide, personalize, and secure the Service.
• Deliver skill guidance, progress insights, and reminders you opt into.
• Improve model quality, safety guardrails, and product performance (using de-identified/aggregated data where possible).
• Communicate important service or policy updates.
• Prevent abuse, fraud, and security incidents.

Legal bases (GDPR/UK GDPR): your consent; performance of our contract (provide the Service); our legitimate interests in product improvement and security; and compliance with legal obligations.

We do not sell personal information. We disclose data only:

• Service Providers. Hosting, storage, analytics, security, and AI processing vendors who are bound by confidentiality and data-protection terms.
• Legal/Safety. When required by law or to protect users, our rights, or others' safety.
• Aggregate/De-identified. Research, safety, and product insights that cannot identify you.
• International Transfers. If data moves across borders (for example, to subprocessors), we use Standard Contractual Clauses or equivalent safeguards.

You may access, correct, export, and delete your personal data, and you can opt out of non-essential emails.

California (CPRA). You have rights of access, deletion, correction, portability, and to limit certain uses of sensitive data. We do not "sell" personal data as defined by CPRA.

EU/UK (GDPR). You may object to or restrict certain processing and lodge a complaint with your local supervisory authority.

To exercise rights, email privacy@withmarsha.app. We will verify and respond in a timely manner.

We employ multiple layers of security:

• Transport Security. TLS 1.3/1.2 with modern cipher suites (AES-GCM and ChaCha20-Poly1305), forward secrecy (X25519), OCSP stapling, and HTTP Strict Transport Security (HSTS) with preload: max-age=63072000; includeSubDomains; preload.
• Independent Scan Result. As of Oct 26, 2025, withmarsha.app received an A+ on Qualys SSL Labs' SSL Server Test (includes TLS 1.3 support, strong ciphers, HSTS, stapling).
• At Rest. Industry-standard encryption for stored data; RLS constraints enforce per-user row access in our databases.
• Access Controls. Role-based access, least-privilege, MFA for admin accounts, audit logging, and short-lived credentials.
• Isolation & Proxying. API proxies, token scoping, and environment segregation (prod/staging).
• Monitoring. Centralized logging, anomaly detection, and incident response runbooks.
• Reviews. Regular security reviews and dependency patching; periodic third-party testing as resources permit.

Despite our efforts, no system is 100% secure. If we discover a breach affecting your data, we will notify you consistent with applicable laws.

GTM Bot Inc.

6311 Ames Ave, #1102, Omaha, NE 68104, USA

Email: privacy@withmarsha.app