Privacy Policy

1. Introduction

Marktic, Inc. (“Marktic,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered marketing platform (“Service”), our marketing website (“Website”), or otherwise interact with us.

This policy applies to all users of our Service, visitors to our Website, and anyone who otherwise interacts with us. We comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland, and with the California Consumer Privacy Act (CCPA) for California residents. As a matter of policy, we extend the rights afforded by these regulations to all users regardless of jurisdiction.

2. Data Controller

The entity responsible for determining how and why your personal data is processed (the “data controller”) is:

Marktic, Inc.
169 Madison Ave STE 74213
New York, NY 10016
United States

Email: [email protected]

3. Information We Collect

3.1 Information You Provide

To provide our Services, answer your questions, manage your account, and deliver on our obligations to you, we collect information you voluntarily submit throughout your use of our Service and Website and in interactions with us, including, but not limited to:

• Account Information: Name, email address, password, company name, job title
• Profile Information: Business details and platform settings
• Payment Information: Billing address, payment method details (processed by our payment provider), invoices and receipts
• Communications: Messages, feedback, and support inquiries you send us outside of the Service, such as through email or other support channels
• Integration Credentials: Authentication credentials necessary to connect third-party services, which may include OAuth access tokens, bearer tokens, API keys, remote MCP server URLs, and any other configuration required by a particular integration (for example, a Google Analytics Property ID)

With your consent, we may also use the information you provide to deliver in-service notifications (such as updates on work agents have completed or recommendations they may have), service-related notifications (such as product updates, scheduled downtime, or similar operational communications), and marketing communications (such as newsletters).

3.2 Information Generated Through Use

To deliver the core functionality of the Service and fulfill our contractual obligations to you, we collect and process data generated through your use of the platform, including, but not limited to:

• User Content: Messages you send to agents and human experts, any attachments to such messages, voice memos, files you upload, tasks you create, and content generated by agents for you or in collaboration with you, such as marketing materials, campaigns, copy, and other outputs
• Agent-Generated Data: Strategies, memories, to-do items, insights, web search results, data retrieved from connected integrations, and any other data agents generate or autonomously discover through tool use in the course of providing the Service
• Knowledge Graph: The Service generates a private graph database of entities and relationships discussed or discovered during your use, which agents can reference to provide context-aware responses
• Outcome Data: For each user, in an isolated and private manner, the Service builds cause-and-effect relationships between actions agents suggest or take and the outcomes they produce, in order to improve the system’s performance for you over time
• User Database: As part of the Service, you share a database with your agents. Anything stored here — whether by you, your website, a third-party integration, or an agent — is considered information generated through use

Legal Basis (GDPR): Performance of a contract

Optional data use with your consent

Separately from the above, and only with your prior and explicit consent, you may allow us to use information generated through your use of the Service for the following purposes:

1. Industry and shared knowledge databases. With your consent, we may incorporate insights derived from your data into shared knowledge resources — such as industry-level knowledge graphs and outcome databases — that are accessible to other users of the Service.
2. Analytics on interactions and Service performance. With your consent, we may generate analytics on your interactions with agents and how the Service performs for you, in order to identify usage patterns, improve the quality of agent recommendations, and better understand how the Service is used across different industries and use cases.
3. Service and model improvement. With your separate consent, we may use information generated through your use of the Service to train and improve our Services and the AI models that power them.

When processing your data for any of the above purposes, we apply a multi-stage, privacy-preserving process: insights are first extracted and abstracted using AI models rather than human review, then aggregated across multiple users, and finally verified by automated systems to confirm that no personally identifiable information, trade secrets, or data attributable to any individual user remains. We enforce minimum frequency thresholds to ensure that insights derived from a small number of users are not surfaced in shared or aggregate contexts. These processes are reviewed and refined on an ongoing basis to reflect improvements in anonymization techniques. While we take reasonable measures to ensure the effectiveness of these safeguards, no process is guaranteed to be perfect in every case, and we are transparent about this limitation.

Because these processes involve irreversible transformations — anonymized insights incorporated into aggregate databases, or patterns learned by AI models during training, cannot be traced back to or individually extracted from their source — we are unable to reverse this processing once it has occurred. This is a technical limitation, not a restriction on your rights: you may withdraw your consent at any time, which will prevent any future use of your data for these purposes, but will not affect data that has already been anonymized and incorporated. You will be clearly informed of this before being asked to consent, and choosing not to consent will not affect your access to the core Service.

Legal Basis (GDPR): Consent

3.3 Information Collected Automatically

Functional data collection

To ensure the functionality, security, and integrity of our Service and Website, we automatically collect:

• Device and Connection Information: Browser type, operating system, device identifiers, session identifiers, IP address, access times, and HTTP request method and path

Legal Basis (GDPR): Legitimate interests (security and service functionality)

Consent-based data collection

With your consent, we may additionally collect and generate:

• Log Data: IP address, access times, pages viewed, referring URLs
• Usage Data: Interactions with the Service, feature usage, and clickstream data
• Platform Activity: Features used, actions taken, and interactions with experimental features (such as feature flags and A/B tests)
• Cross-site Activity: We may share data regarding your activity on our Website with advertising partners (such as Meta) using shared identifiers and tracking technologies such as pixels or scripts they provide. You can opt out of this sharing on a vendor-by-vendor basis or entirely through your consent preferences.

Legal Basis (GDPR): Consent

4. How We Use Your Information

This section summarizes the purposes for which we process your personal data. For details on what data we collect and the legal bases for collection, see Section 3.

4.1 To Provide and Operate the Service

• Create and manage your account
• Deliver the core functionality of the platform, including executing work you have requested, accepted, or delegated to agents within the Service
• Process transactions and send billing information
• Enable and maintain third-party integrations
• Provide customer support and respond to your inquiries

Legal Basis (GDPR): Performance of a contract

4.2 To Improve and Develop the Service

• Analyze usage patterns and trends
• Develop new features and functionality
• Fix bugs and optimize performance
• Conduct research, run experiments, and perform analytics (including A/B testing and feature flag interactions as described in Section 3.3)

Legal Basis (GDPR): Legitimate interests

4.3 To Communicate With You

• Send operational notifications necessary for the functioning of the Service, such as security alerts, downtime notices, or changes to our terms
• Deliver in-service notifications, such as updates on agent activity, task completions, or recommendations (with your consent)
• Send marketing communications, product announcements, and newsletters (with your consent)

Legal Basis (GDPR): Legitimate interests (operational notifications) / Consent (in-service and marketing communications)

4.4 To Ensure Security and Compliance

• Detect and prevent fraud, abuse, and security threats
• Enforce our Terms of Service
• Comply with applicable legal obligations

Legal Basis (GDPR): Legal obligation / Legitimate interests

5. Automated Decision-Making and Human Oversight

Our Service uses AI agents that take actions on your behalf. We distinguish between two categories of actions:

Consequential actions are those that have an effect outside the platform — such as interacting with your customers, publishing to social media, modifying data in connected integrations, or any other non-read interaction with external services. These actions require your prior approval or are designed to be easily revertible. You can configure the level of human oversight for consequential actions in your platform settings.

Internal actions are those that occur within the platform’s environment — such as generating content, analyzing data, updating your knowledge graph, or organizing tasks. These actions do not require individual approval, as they do not affect external systems and are necessary for the normal operation of the Service.

Given this approach, we consider that the Service does not engage in solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 of the GDPR. Consequential actions are subject to human oversight, and internal actions do not produce effects outside the platform.

Limitations

AI agents within the Service operate in sandboxed environments where they may generate and execute code as part of fulfilling your requests. While we implement technical safeguards to ensure that agents respect the boundaries described above, we cannot guarantee that programmatically generated actions will be intercepted in every case. We continuously monitor and improve these safeguards and are committed to transparency about their limitations.

Requesting human review

Regardless of the above, you have the right to request human review of any action taken by an agent, or an explanation of the logic behind any decision an agent has made. To exercise this right, contact us through our support channels or at [email protected].

6. Third-Party Service Providers (Sub-processors)

We share your data with third-party service providers who assist us in operating the Service and Website. We select providers that maintain appropriate data protection practices and enter into Data Processing Agreements (DPAs) or equivalent contractual arrangements to ensure your data is protected. Where a formal DPA is not yet in place, we assess the provider’s privacy policy, contractual commitments, and data handling practices to ensure an adequate level of protection. A current list of sub-processors and their roles is maintained below.

6.1 Infrastructure and Hosting

• Cloudflare: CDN, DNS, and security services (Website and Service)
• Hetzner: Cloud hosting and infrastructure (Website and Service)
• Postmark: Transactional email delivery (Service and Website)
• Sentry: Pseudonymized error logging and monitoring (Service)

6.2 Analytics

• PostHog: Product analytics and user behavior tracking (Website and Service)

6.3 AI and Machine Learning Providers

To power the AI features of the Service, we transmit data necessary to generate requested outputs to upstream model providers, including:

• OpenAI
• Anthropic
• Google
• Groq
• Replicate
• OpenRouter, which may route requests to additional upstream model providers

These providers have varying data retention and training policies. The Service allows you to choose to use only zero data retention (ZDR) models, which do not retain or train on your data beyond what is needed to fulfill the immediate request. Choosing ZDR-only mode may affect your usage limits, available models, and feature selection due to differences in provider costs, which are passed through without markup.

6.4 Payment Processing

Payment processing is handled by third-party payment providers. We do not store complete payment card information on our servers.

6.5 Business Tools

• Google Workspace: Internal business operations, including email communications (e.g., support correspondence)

6.6 Third-Party Integrations

When you connect third-party services (such as Google Analytics, Google Ads, Meta, Wix, Notion, Zapier, or others) to the Service, data flows between Marktic and those services according to the permissions you grant. We may store copies of data retrieved through these integrations for the duration of your account in order to provide the Service. Your use of connected third-party services is governed by their respective privacy policies.

7. International Data Transfers

Our primary infrastructure is hosted within the European Economic Area. However, some of the third-party service providers we use to operate the Service — including AI model providers, analytics services, and business tools listed in Section 6 — are based in or process data in countries outside the EEA, including the United States.

When your data is transferred outside the EEA, the United Kingdom, or Switzerland, we rely on the following safeguards to ensure an adequate level of protection:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with our service providers
• European Commission adequacy decisions, where applicable
• Other legally recognized transfer mechanisms

Where a formal DPA or SCCs are not yet in place with a provider, we conduct and document our own assessment of the provider’s privacy policies, contractual commitments, data handling practices, and applicable legal framework to satisfy ourselves that an adequate level of protection is provided. We are committed to formalizing these arrangements through recognized transfer mechanisms as our relationships with providers mature.

For details on the specific providers we use and their roles, see Section 6.

If we introduce additional hosting regions in the future, you will be able to choose your data residency region, and your data will be stored and processed in accordance with the safeguards applicable to that region.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After you request account deletion:

• Personal data is erased within thirty (30) days. This includes your account information, profile data, user content, agent-generated data, integration credentials, and any other data described in Section 3 that is attributable to you.
• Anonymized and aggregate data that has been processed in accordance with the consent-based purposes described in Section 3.2 — such as contributions to shared knowledge databases, analytics, or model training — is retained indefinitely, as it can no longer be attributed to you or individually extracted. For more information on this process and its limitations, see Section 3.2.
• Legal and compliance retention. We may retain specific data beyond the deletion period where required by applicable law or where necessary to establish, exercise, or defend legal claims, prevent fraud, or resolve disputes. In such cases, we retain only the minimum data necessary and only for as long as the legal basis for retention applies.

Data held by third-party service providers listed in Section 6 is subject to their respective retention policies. When you disconnect a third-party integration, we delete our stored copies of data retrieved through that integration within thirty (30) days, unless retention is required for the reasons described above.

9. Your Rights

Regardless of where you are located, you have the following rights with respect to your personal data:

• Access. You have the right to request a copy of the personal data we hold about you.
• Correction. You have the right to request that we correct inaccurate or incomplete personal data. You can also update certain information directly in your account settings.
• Deletion. You have the right to request deletion of your account and personal data, subject to the retention provisions described in Section 8.
• Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• Restriction. You have the right to request that we limit the processing of your personal data in certain circumstances.
• Objection. You have the right to object to processing of your personal data that is based on legitimate interests.
• Withdrawal of Consent. Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal, and is subject to the limitations described in Section 3.2 regarding anonymized data.
• Lodge a Complaint. If you are located in the EEA, United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority. If you are located elsewhere, you may contact the relevant regulatory body in your jurisdiction.

Exercising Your Rights

You can exercise some of these rights directly within the Service — for example, updating your profile information, managing consent and notification settings, or disconnecting integrations. For requests that cannot be handled through the Service, contact us at [email protected].

We will acknowledge your request within seven (7) days and resolve it within thirty (30) days. For complex requests — such as those involving large volumes of data, multiple systems, or coordination with third-party providers — we may extend the resolution period by up to an additional twenty-eight (28) days. We will notify you of any such extension and the reasons for it.

We may need to verify your identity before processing your request. Where possible, we will verify your identity through an action within the Service or by communicating through a channel you have previously verified ownership of (such as your registered email address). In cases where these methods are insufficient, we may request additional documentation. We will work with you to verify your identity in a privacy-preserving manner that fulfills our obligation to protect your data from unauthorized access.

10. Data Security

We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of data in transit (TLS) and at rest
• Access controls and role-based permissions for internal systems
• Authentication mechanisms for user accounts and API access
• Sandboxed execution environments for AI agent operations
• Secure storage of integration credentials, encrypted at rest and accessible only to the systems and agents that require them to perform authorized actions
• Infrastructure hosted within the European Economic Area (see Section 7)
• Pseudonymized error logging (see Section 6)
• Regular review of security practices and infrastructure
• Confidentiality obligations for all employees and contractors with access to personal data

Where we process your data for the consent-based purposes described in Section 3.2, the multi-stage anonymization process described in that section — including AI-driven extraction, aggregation, minimum frequency thresholds, and automated PII verification — serves as an additional technical safeguard against the disclosure of personal data.

In the event of a personal data breach that poses a risk to your rights, we will notify affected users and, where required, the relevant supervisory authority, in accordance with applicable law.

While we strive to protect your data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Children’s Privacy

The Service is not intended for anyone under 18 years of age. You must be at least 18 years old and legally capable of entering into contracts in your jurisdiction to use the Service. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18, we will delete it promptly. If you believe we have inadvertently collected data from a person under 18, please contact us at [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the revised policy will be posted on our Website and, where applicable, within the Service, and the effective date at the top of this document will be updated.

For all changes, we will provide timely notice through one or more channels we consider appropriate for the nature of the change, which may include a notice within the Service, a notice on our Website, email, or other direct or indirect means of communication.

For material changes — such as the introduction of new categories of data processing, changes to the purposes for which your data is used, changes to your data residency, or significant changes to the third-party providers we share your data with — we will notify you at least seven (7) days before the changes take effect. Where a material change affects processing that is based on your consent, we will seek your renewed consent before the change takes effect and will not apply the change to your data until consent is obtained.

Your continued use of the Service after non-material changes become effective constitutes acceptance of the revised policy. If you do not agree with any changes, you may stop using the Service and request deletion of your data in accordance with Section 8.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

Address:
Marktic, Inc.
169 Madison Ave STE 74213
New York, NY 10016
United States

14. Data Protection Contact

For questions or concerns specifically related to data protection, privacy rights, or GDPR-related inquiries, you may contact our data protection contact at [email protected].

We are committed to appointing a Data Protection Officer (DPO) if and when required by applicable law, and will update this section accordingly.

15. Summary of Your Choices