Legal

Privacy Policy

Effective May 20, 2026. What we collect, what we do with it, and what you can ask us to do.

1. Who We Are

Marvin (“Marvin,” “we,” “us,” or “our”) is a personal observation tool operated by Cody Blair, an individual sole proprietor based in Dallas, Texas, United States. This Privacy Policy explains what data we collect when you use marvinapp.co, how we use it, who processes it on our behalf, and the choices you have. Use of the Service is governed by both this Privacy Policy and the Terms of Service.

For questions or requests, contact us at hello@marvinapp.co.

2. Information We Collect

We collect the following categories of information directly from you, or automatically when you use the Service:

Account data. Email address, hashed password (managed by our auth provider), and any optional profile fields you choose to fill in. We may also store your time zone and locale to render dates correctly.

Daily entries and tracking data. Whatever you log into your modules, including habit check-ins, routines, journal entries, mood ratings, sleep notes, hydration, supplements, nutrition notes, reading minutes, meditation minutes, workouts, goals, and custom tags. This is the core content of your account.

AI chat content. The text of your prompts to the AI coaching layer and the AI’s responses to you, stored so you can scroll your own history and so the AI has the context it needs to be useful across sessions.

Subscription and billing data. Plan, trial state, subscription status, and renewal dates. Payment card details are submitted directly to Stripe and never touch our servers; we receive only a tokenized customer reference, last four digits, expiration, and card brand.

Device and usage data. IP address, browser type and version, operating system, referring URL, pages viewed, links clicked, approximate location derived from IP, and interaction events (clicks, scrolls, time on page). Some of this is captured for product analytics and session replay (see Processors).

Cookies and similar technologies. Strictly necessary cookies for authentication and session management; analytics cookies for product analytics and session replay; preference cookies for theme and design settings stored locally in your browser. See Cookies and analytics below for detail.

3. How We Use Your Data

We use the data we collect to:

  • provide the Service, including showing you your dashboard, trends, streaks, and AI reflections derived from your own entries;
  • operate the AI coaching, weekly review, and pattern-insight features by sending your relevant tracking data to our AI provider for inference;
  • send transactional emails (signup confirmation, password reset, billing notices, trial reminders, and onboarding messages);
  • process subscriptions and prevent payment fraud through our payment provider;
  • understand how the Service is used in aggregate, fix bugs, and improve the product;
  • protect the Service, our users, and Cody Blair against abuse, security threats, and misuse;
  • comply with applicable law and respond to lawful requests.

We do not sell your personal information. We do not share your content with advertisers. We do not use your content to train third-party AI models. Anthropic, our AI provider, contractually does not use API inputs or outputs to train its public models.

5. Service Providers (Sub-Processors)

We rely on the following independent providers to operate Marvin. Each is bound by its own terms and privacy commitments and acts as a data processor under our direction:

  • Supabase — account authentication, database storage, and cross-device sync for your tracking entries and AI chat history.
  • Anthropic (Claude API) — AI inference for the coaching chat, weekly review, and pattern insights. Relevant tracking data and chat messages are sent to Anthropic to generate the response shown to you. Anthropic does not use API content to train its public models.
  • Stripe — payment processing, subscription management, and tax calculation. Payment card details are submitted directly to Stripe and never reach our servers.
  • Resend — transactional email delivery (account, billing, trial sequence). Resend processes your email address and the content of the message we send to you.
  • Vercel — web hosting, edge delivery, and the underlying infrastructure that serves marvinapp.co. Vercel processes standard request logs.
  • Microsoft Clarity — product analytics and session replay used to understand how people use the Service, find bugs, and improve the interface. Clarity may capture clicks, scroll, mouse movement, and page navigation. Sensitive form fields (passwords, payment fields) are masked.
  • PostHog — additional product analytics, session replay, heatmaps, and autocapture used for the same purposes as Clarity. Password fields are masked. PostHog requests are proxied through marvinapp.co so they keep working even when ad blockers block PostHog’s public endpoint.

We may swap, add, or remove sub-processors as the Service evolves. The current list is the one published on this page.

6. Cookies and Analytics

Marvin uses cookies and similar local storage technologies for three purposes:

  • Strictly necessary. Authentication, session, and security. Without these the Service cannot work.
  • Preference. Theme selection, light or dark mode, custom design tokens, and module ordering, stored locally in your browser via localStorage so the app remembers how you have set things up.
  • Analytics and session replay. Microsoft Clarity and PostHog drop cookies and local identifiers to measure usage, replay anonymized sessions, and aggregate behavior. Sensitive fields are masked.

Most browsers let you control cookies through their settings. Blocking all cookies will break authentication. You can opt out of Microsoft Clarity tracking from your browser settings or by visiting Microsoft’s consent documentation. PostHog respects the “Do Not Track” browser signal where it is set.

7. Data Retention

We retain your account and tracking data for as long as your account is active. If you delete your account from your account settings, your content is removed from our active systems within a reasonable period (typically 30 days), subject to encrypted backups that age out on their own retention schedule.

Billing records, tax records, and certain operational logs are retained for the period required by law and accounting practice (typically up to seven years), even after account deletion.

8. Your Rights

Depending on where you live, you may have one or more of the following rights regarding your personal data:

  • Access. Ask for a copy of the personal data we hold about you.
  • Export. Download your tracking data as a CSV file from the settings page at any time, with no support request required.
  • Correction. Ask us to correct inaccurate or incomplete data.
  • Deletion. Delete your account from settings, or email hello@marvinapp.co to request deletion. We honor verified deletion requests under the GDPR, the CCPA / CPRA, and similar laws worldwide.
  • Restriction or objection. Ask us to restrict or object to certain processing, where the law allows.
  • Withdraw consent. Where processing is based on consent, withdraw consent at any time without affecting prior processing.
  • Lodge a complaint. Lodge a complaint with your local data protection authority. We would appreciate the chance to address your concerns first; you can reach us at hello@marvinapp.co.

We do not discriminate against users who exercise these rights. Verification of identity may be required before we act on a request, to prevent unauthorized disclosure.

9. California Residents (CCPA / CPRA)

If you are a California resident, you have the rights described above under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know, the right to delete, the right to correct, and the right to opt out of the “sale” or “sharing” of personal information.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. The data we share with sub-processors (Supabase, Anthropic, Stripe, Resend, Vercel, Microsoft Clarity, PostHog) is shared only as needed to operate the Service.

To exercise any California right, email hello@marvinapp.co with the subject “California Privacy Request” and a description of your request. You may also authorize an agent to make a request on your behalf, subject to verification.

10. Children

Marvin is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us at hello@marvinapp.co and we will delete it. If you are between 13 and 17, you must have permission from a parent or legal guardian to use the Service.

11. International Data Transfers

Marvin is operated from the United States. Our sub-processors may store and process data in the United States and other countries where they operate. If you are accessing the Service from outside the United States, you understand that your data will be transferred to, stored in, and processed in the United States and elsewhere as needed to operate the Service. Where required by law, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.

12. Security

We use reasonable technical and organizational safeguards to protect your data, including encryption in transit (TLS), encryption at rest where supported by our providers, scoped database access through Row Level Security, and secure password hashing. No system is perfectly secure. If we become aware of a security incident that materially affects your data, we will notify you in accordance with applicable law.

13. AI and Automated Decisions

The AI coaching, weekly review, and pattern-insight features are generated by large language models operated by Anthropic. The output is informational and self-reflective. It is not a medical diagnosis, treatment, prescription, or any other form of professional advice. The Service does not make automated decisions that produce legal or similarly significant effects on you.

Your data is sent to Anthropic only as needed to generate the response you requested. Anthropic does not use API content to train its public models.

14. Changes to This Policy

We may update this Privacy Policy as the Service evolves or as the law requires. The version in effect is the one most recently posted on this page, with the effective date shown above. If a change materially reduces your rights, we will provide reasonable notice (typically by email or in-app banner) before it takes effect.

15. Contact

For questions, requests, or complaints about this Privacy Policy or your data, contact us at hello@marvinapp.co. The business address on file is Dallas, Texas, United States.