Legal
Privacy Policy
How we collect, use, and protect your personal data — with GDPR, CCPA, and LGPD coverage.
1. Quick summary
If you don't want to read 5,000 words of legal, here's the honest summary:
- What we collect: your account data, your business data, and your customers' data when they book (processed on your behalf).
- What we use it for: running the service (bookings, reminders, microsite), keeping it secure, billing, and meeting legal obligations.
- Who we share with: sub-processors needed to operate (Twilio, Cloudflare, Railway, Resend, Meta via Twilio). Full list below.
- We never sell your data. Period.
- Your rights: access, rectification, deletion, portability, objection, withdraw consent. Email privacy@marcly.app.
2. Who is responsible for your data
Marcly, with address at 75 avenida norte, local 3, San Salvador, El Salvador, is the data controller (under GDPR / controller under LGPD) for data collected directly through the public site and account-holder accounts.
For your end-customers' data (those who book appointments), Marcly acts as a data processor and you are the controller. This is governed by the contract implicit in our Terms; if you need a formal DPA for regulatory reasons, write to legal@marcly.app.
Privacy contact: privacy@marcly.app
3. What data we collect
We collect only the data needed to operate the service:
| Category | Examples | Legal basis (GDPR) |
|---|---|---|
| Account holder data | name, email, hashed password, phone, preferred language | Contract performance (GDPR 6(1)(b)) |
| Business data | trade name, slug, logo, address, hours, services and prices | Contract performance (GDPR 6(1)(b)) |
| End-customer data (processed on behalf of the account holder) | name, WhatsApp number, optional email, appointment history | Contract performance and/or holder's legitimate interest (GDPR 6(1)(b)/(f)) |
| WhatsApp messages and metadata | message content, timestamps, Twilio identifier | Contract performance (GDPR 6(1)(b)) |
| Technical data | IP address (salted hash), browser, OS, login events | Legitimate interest: security and fraud prevention (GDPR 6(1)(f)) |
| Payment data | card last-4, plan, renewal date. We do NOT store the full card — the payment processor handles it. | Contract performance (GDPR 6(1)(b)) |
We don't collect special categories of data (racial origin, health, religion, sexual orientation, etc.). If your business needs to process this kind of data, contact us first — it requires additional safeguards.
4. How and why we use the data
- Provide the service: schedule appointments, send confirmations and reminders via WhatsApp/email, display the public microsite.
- Security: detect abuse, prevent fraud, log access attempts (with hashed IPs).
- Product improvement: aggregated and anonymized metrics to understand usage. Never at individual level.
- Communications: operational emails (verification, plan changes, security alerts). Product newsletter only with explicit opt-in.
- Legal compliance: billing, accounting, response to valid judicial requests.
Automated decisions: we don't use algorithms to make decisions with legal or significant effects on you or your customers. The WhatsApp bot is conversational assistance — it doesn't approve or reject requests with legal effects.
5. Who we share the data with
To operate the service we rely on these sub-processors. Each is contractually bound to process your data only per our instructions and with adequate technical and organizational measures:
| Sub-processor | Purpose | Location | Policy |
|---|---|---|---|
| Railway Corp. | Application hosting and PostgreSQL database | United States | View policy |
| Cloudflare, Inc. | File storage (R2), CDN, DNS, Turnstile (anti-bot) | Global / United States | View policy |
| Twilio, Inc. | WhatsApp Business message delivery | United States | View policy |
| Meta Platforms, Inc. | WhatsApp Business API platform (via Twilio) | United States / Ireland | View policy |
| Resend, Inc. | Transactional email delivery (verification, reminders) | United States | View policy |
If we add or change a sub-processor with material impact for you, we'll email you at least 30 days in advance.
We don't sell data to third parties. We don't share data with ad networks either (no Google Ads, Facebook Pixel, etc. in the app).
6. International data transfers
Marcly operates primarily from infrastructure located in the United States (Railway, Cloudflare, Twilio, Resend). If you are in the European Union, United Kingdom, Brazil, or another jurisdiction with restrictions on international transfers, your data may be transferred outside your country.
These transfers are covered by:
- Standard Contractual Clauses (SCCs) from the European Commission where applicable (GDPR).
- Sub-processor adherence to the EU-US Data Privacy Framework where applicable.
- For LGPD: contract performance and data subject consent.
7. How long we keep the data
| Data type | Period |
|---|---|
| Account data | Until deletion request or 30 days after account closure |
| Appointments | 2 years for accounting and dispute resolution |
| WhatsApp messages | 12 months, then anonymized |
| Login attempts | 30 days for abuse detection |
| Security events | 90 days for incident investigation |
| Invoices | 5 years per Salvadoran tax law |
When you request deletion, we anonymize the data within 30 days (except what we must retain by legal obligation — e.g., invoices).
8. Your rights over your data
Depending on your jurisdiction, you have some or all of these rights:
- Access: get a copy of the data we hold on you.
- Rectification: correct inaccurate or incomplete data.
- Erasure / right to be forgotten: ask us to delete your data (subject to legal obligations).
- Portability: receive your data in a structured, machine-readable format (JSON).
- Objection: object to processing based on legitimate interest.
- Restriction: limit processing while a dispute is resolved.
- Withdraw consent: when processing is based on consent.
- Non-discrimination: exercising rights won't affect service quality.
To exercise them, write to privacy@marcly.app from your account email. We respond within the applicable legal period (30 days GDPR, 45 days CCPA, 15 days LGPD).
If you're not satisfied with our response, you can file a complaint with your competent data protection authority.
10. Children's data
Marcly is not directed at children under 16 years old and we don't knowingly collect data from children under that age. In jurisdictions with higher thresholds (some US states under COPPA: 13; some EU countries: 16), we apply the stricter one.
If we discover that we've collected data from a minor without verifiable parental consent, we'll delete it immediately. If you're a parent/guardian and believe we have your child's data, write to privacy@marcly.app.
11. Notice for EU / UK residents (GDPR / UK GDPR)
If you reside in the European Economic Area, Switzerland, or United Kingdom, in addition to general rights above, you have the right to:
- File a complaint with your data protection authority (e.g., AEPD in Spain, CNIL in France, ICO in the UK).
- Know the specific legal basis for each processing (see table in section 3).
- Know if we transfer your data outside the EEA and under what safeguards (section 6).
Marcly does not have an EU representative at this time (we don't exceed Art. 27 GDPR thresholds). For regulatory inquiries, write to privacy@marcly.app.
12. California residents notice (CCPA / CPRA)
If you reside in California, you have the right to:
- Know what categories of personal information we collect, the purposes, sources, and third parties we share with.
- Delete your personal information (subject to legal exceptions).
- Correct inaccurate information.
- Opt out of sale or sharing of your personal information.
- Limit use of sensitive personal information.
- Non-discrimination for exercising these rights.
To exercise these rights, write to privacy@marcly.app from the registered email or use an authorized agent with signed power of attorney.
13. Brazil residents notice (LGPD)
Under the Brazilian General Data Protection Law (LGPD, Lei 13.709/2018), you have the right to:
- Confirmation of processing existence.
- Access to data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary or LGPD-non-compliant data.
- Portability to another provider.
- Deletion of data processed with consent.
- Information about with whom we share the data.
- Information about consequences of withholding consent.
- Revocation of consent.
Data Protection Officer (DPO / Encarregado): privacy@marcly.app
You can file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
14. Changes to this policy
We may update this policy. If changes materially affect your rights, we'll email you at least 30 days in advance. Previous versions are available on request to privacy@marcly.app.
15. Contact
For any privacy matter:
- Privacy / DPO: privacy@marcly.app
- Legal matters: legal@marcly.app
Marcly · 75 avenida norte, local 3, San Salvador, El Salvador