Privacy Policy

Last updated: April 21, 2026

Draft in progress. This is a placeholder while our legal review finishes. If you need the current, signed version before that lands, reach out to us.

1. What this policy covers

[Placeholder] This policy describes how Markspot handles personal data when you create an account, upload content, publish embeds, or otherwise use the service at markspot.app.

2. Information we collect

  • Account data — email, name, hashed password (for legacy accounts) or an opaque identifier from our identity provider.
  • Content you upload — images, hotspot metadata, organization and project structure.
  • Usage & analytics — impression and click counts on published embeds, rate-limit telemetry, audit logs for security-relevant actions.
  • Billing data — handled by Stripe; we store only a customer identifier and the subscription state.

3. How we use information

[Placeholder] To operate and secure the service, enforce plan limits, render your published embeds, process billing, respond to support requests, and improve the product. We don't sell personal data.

4. How we share information

[Placeholder] With subprocessors that help us run the service — currently Supabase (database, authentication, storage), Stripe (billing), Resend (transactional email), and Vercel (hosting) — and when required by law. Your published embeds are publicly accessible by design.

5. Cookies & local storage

[Placeholder] We use first-party cookies to keep you signed in and to remember your session. Free-tier images live in your browser's IndexedDB, so they do not leave your device until you upgrade and sync. We don't use third-party advertising cookies.

6. Retention & deletion

[Placeholder] Account data is retained while your account is active. Organizations paused for 30 days are queued for deletion, and queued orgs are hard-deleted after 60 more days — see the in-app billing page for the current state.

7. Your rights

[Placeholder] Depending on your region you may have rights to access, correct, delete, export, or restrict processing of your personal data. You can delete your account from your profile or contact us to exercise these rights.

8. Security

[Placeholder] We use TLS in transit, encryption at rest, and least-privilege access controls. No system is perfect — if you believe you've found a vulnerability, please report it via support.

9. Children

[Placeholder] Markspot isn't directed to children under 13 (or the minimum age in your jurisdiction) and we don't knowingly collect data from them.

10. International transfers

[Placeholder] Our infrastructure runs in multiple regions; personal data may be transferred to and processed in countries other than yours, protected by appropriate safeguards.

11. Changes to this policy

[Placeholder] When we make material changes we'll update the "Last updated" date and notify active accounts in-app or by email.

12. Contact

Reach us via the contact page for any privacy-related questions.