Plain-English summary
You give Marcus a description of a website or app you want built. Marcus stores that description, the generated code, and a record of every change you make. We need that to build, host, and let you edit.
We do not sell your data, we do not run advertising on your behalf, and we do not feed your prompts or your generated code into model training. Your data lives in EU regions by default. You can export everything as a ZIP at any time and walk away.
If you want any of this in writing as a Data Processing Agreement, mail dpa@aimarcus.love and we'll send the current DPA the same day.
1. What we collect
Account data. Email address, optional display name, hashed password (or OAuth subject if you sign in with Google). Created when you first save a project.
Project data. Every prompt you send to Marcus, the HTML the model returns, every revision, file uploads, and the configuration of any integrations you wire up (Stripe keys, custom domain DNS, contact-form recipients).
Operational data. Server access logs (IP, user-agent, path, status code, timestamp) retained for 14 days for abuse and incident investigation. Anonymised request-rate counters retained 90 days.
Billing data. If you become a paying customer, Stripe stores your card details — we never see them. We store your Stripe customer ID, subscription state, and invoice history.
2. What we don't collect
- No third-party advertising or marketing trackers on this domain.
- No fingerprinting, no session replay, no behavioural cookies.
- No reading or processing of email content, social-media accounts, or other personal data outside what you explicitly type into Marcus.
- No location data beyond the country derived from your IP for region routing.
3. Where your data lives
Production data is hosted in the EU. Database, file storage, off-site backups, and log aggregation all run in the same region. We do not move data between regions without a written request, and we will tell you when, where, and why.
The single exception is the Anthropic Claude API call that generates your code: prompts are sent to Anthropic for inference and returned to us. Anthropic processes prompts according to its own policy, and per its current commercial terms it does not retain or train on commercial API content. The full chain is described in the sub-processor list at /subprocessors/.
4. Model training
Your prompts, your code, and your end-users' inputs are never used to train any AI model — ours or anyone else's. This is in the contract, not the FAQ. If a future Marcus feature ever requires opt-in training data, it will be opt-in, individually consented, and clearly compensated.
5. Sharing
We share data with the minimum number of sub-processors needed to operate Marcus: hosting (Hetzner), Anthropic (model inference), Stripe (billing), Resend (transactional email), and a logging provider. Each is named at /subprocessors/ with the exact data category they touch.
We do not share your data with advertisers, analytics resellers, or government agencies absent a court order specific to the requested account. If we receive such an order, we will challenge it where lawful and notify the affected user the moment the gag, if any, expires.
6. Your rights (GDPR)
If you are in the EU, EEA, UK, or Switzerland, you have the right to request:
- Access — a copy of every record we hold about you.
- Portability — your data in a machine-readable format (we send a JSON + ZIP bundle).
- Correction — fix anything wrong.
- Deletion — wipe your account and projects, subject to a 30-day window for accidental restore.
- Restriction — pause processing while a complaint is investigated.
- Objection — opt out of any processing that's not strictly necessary.
Mail privacy@aimarcus.love. We acknowledge inside one working day and complete inside 30 days. Real human, not a chatbot.
7. Cookies
We set a single first-party cookie, marcus_owner, when you create a project anonymously. It identifies your browser as the owner of that project so you can return and edit it without signing up. It expires after 365 days.
If you sign up, we set a session cookie marcus_session with a sliding 30-day expiry. Both cookies are HttpOnly and SameSite=Lax.
That's the entire cookie list on this domain. No third-party cookies. No banner.
8. Children
Marcus is not designed for users under 16. If you believe a child has signed up, mail privacy@aimarcus.love and we'll delete the account.
9. Changes to this policy
If we change anything material, we email everyone with an account 30 days before the change takes effect, and we post the diff at /legal-changelog/. The version of this page is dated at the top.
10. How to reach us
Marcus is operated by Prismestonia OÜ, registered in Estonia. The data controller for this domain is the same entity. Postal address available on request.
Privacy contact: privacy@aimarcus.love. Security disclosures: security@aimarcus.love. Press and complaints: hello@aimarcus.love.